Digital Security Policy Template for Nonprofits

Assessing Risk

Choosing Security Objectives

Sample Security Objectives:

  • Use paid versions of off-the-shelf productivity tools that allow for control over data retention and access management
  • Always adopt end-to-end encryption if it’s available.
  • Adopt more user-friendly collaboration tools for most communication, and more secure collaboration tools for communication that needs to be explicitly private and protected.
  • Invest time and effort training staff to protect themselves from phishing attacks
  • Protect member personal identifying information in all systems
  • Use the principle of least privilege to grant access to data and systems. Instead of by default granting everyone access to everything, be intentional about what data, systems, and strategic communication access is granted to staff and allies.

Sample Digital Security Policies

Sample Security Checklist For Staff

  • Password protect your phone and computer
  • Enable Multi-Factor Authentication or 2-Step Verification on email
  • Enable Login Verification or Multi Factor Authentication on all social media accounts including Facebook, Twitter, and Instagram
  • Audit Account Recovery settings, especially for email: confirm that you can access your email’s ‘account recovery’ phone / email, and that the account recovery email address is also protected with Multi Factor Authentication
  • If you use gmail, perform a “Security Checkup” on your google account to recent access locations and authorized apps are legitimate:
  • Call your cell phone provider and put a pin on your cell phone account, to protect from SIM swap attacks
  • Be vigilant about the ongoing risk of email phishing
  • Be vigilant about social media impersonation attacks: verify all connection requests and direct messages and only share personal information with verified accounts
  • Use a password manager to store passwords
  • Use only strong passwords (longer is better), and never reuse passwords across accounts
  • Keep all devices including phone and laptop up to date with software updates

Sample Personal Data Access Policy

  • Do not share any staff personal identifying information internally or externally without consent of the staff member
  • Do not forward email between organization’s email and your personal email. Do not use your personal email to manage, edit, or share the organization’s documents.
  • Require permission to bulk download member email personal identifying information
  • Delete all user data files after using
  • Do not store lists of members or staff private information outside of approved document storage systems

Sample Retention Policies

  • Retain organizational email for 6 month window, and auto-delete email older than 6 months
  • Retain chat messages for 90 days, and auto-delete chat older than 90 days
  • Retain documents for a 6 month window, and auto-delete documents older than 6 months

Sample Credential Management Policy

  • Use a password manager to store personal credentials, team credentials, to generate random strong passwords, and to safely copy and paste passwords when in public environments, like working from a coffee shop.
  • When possible, teams should grant each user their own account, and avoid sharing accounts whenever possible.
  • Use a password manager vaults for sharing credentials, and do not share passwords via google docs, email, chat, wiki, SMS.
  • Avoid using listservs or groups for account usernames when possible. For example, if your organization’s Twitter account’s username is then anyone subscribed to this group can change your org’s twitter password using Twitter’s “forgot password” feature.
  • Always use 2 factor authentication when it’s available for accounts, including email, social media, and web-based services.
  • Never reuse passwords.
  • Always use strong passwords. All systems and data are only as safe as the weakest staff password.

Sample device policy:

  • Password protected
  • Enable disk encryption
  • Enable firewall
  • Keep current with its software updates
  • Use privacy screens and webcam covers

Sample email administration policy:

  • Enable multi-factor enforcement org-wide.
  • Disallow auto-forwarding to external accounts, because you can’t control whether these external accounts have multi-factor enforcement enabled, and your org assets and data accessible via email are only as secure as the least secure account.
  • Disallow any 3rd party email integrations that request deep access to staff email accounts. Explicitly whitelist approved integrations.
  • New accounts should be created with temporary passwords that force a password change on first login.
  • Disable POP and IMAP access.

Examples of most secure tools

Sample Emergency Guidance for Staff

  • If there’s any suspicion or doubt, change your password immediately
  • Go through your email provider’s security audit processes, check for any access that appears to be someone other than you, also verify your account recovery methods
  • Ask an email admin to run administrative reports on document access and email history to better understand what data (if any) was leaked
  • Identify which other accounts had this email address specified as the backup email (like social media or bank accounts), and change all the passwords on those accounts too
  • If you are at all unsure about whether the email is a phishing email, do not click on any of the links in this email, do not forward the email to others, and do not open any attachments.
  • Submit untrusted links and files to VirusTotal, an online service that checks files and links against several different anti-virus engines and reports the results.
  • Take a screenshot and ask for advice but please do not mass forward the email.
  • If there’s any suspicion or doubt about what you clicked on or what you typed your email and password into, change your password immediately, and follow the steps listed above




Mission-driven tech exec, CTO, formerly senior advisor SBA, CTO MoveOn

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Cross-Site Request Forgery (CSRF)

#Patnership🤝 #Razor Network partners with Matic Network.Razor

Good article on possible Russian cyber organization

Decentralized communications and security solutions.

WaterLoan launching the first official public beta

Get the password removed and we’ll see something very nice


Microsoft released an update to address a zero-day exploit used to propagate Emotet malware

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ann Lewis

Ann Lewis

Mission-driven tech exec, CTO, formerly senior advisor SBA, CTO MoveOn

More from Medium

Zero trust security, sensor agnosticism — expert insights from VentureBeat commentator Louis…

Navigating the Cyber Security Landscape: The Fight Against Ransomware in 2022

How IoT architecture enhances profitability?

IoT architecture

Automating Cisco IOS updates with Unimus — Part 1