Cybersecurity Education Series for Nonprofits – Policies and Training

In the final installment of the Cybersecurity Education Series for Nonprofits, we discuss the policies and processes that should be in place for a robust information security program as well as activities that should be performed for security awareness training.

IT Policies and Standards

To help protect an organization and its employees from exposure to potential risks, IT policies and information security standards should be established and adhered to. Policies are documents of intent, while standards generally act as the rules in place to enforce compliance with those policies. As a common practice, nonprofits should consider establishing an information security program that includes the following policies (where applicable):

Data Management and Classification Policy

  • This policy should define how data is managed and used across the organization and should define the data labeling scheme (for example, confidential, internal, or public).

Mobile Device Policy

  • This policy should define how mobile devices are to be used and secured within your organization.

Network and Remote Access Policy

  • This policy should establish criteria designating who is authorized to connect to the internal network and to remote access services, and under what conditions; it should also define acceptable use by employees.

Change Management Policy

  • This policy should define the process and approvals required to make scheduled and unscheduled changes in the environment, including communication, workflows, approvals, and exceptions.

Vendor Management Policy

  • This policy should act as a roadmap for evaluating (due diligence and risk ranking) and onboarding potential third-party vendors.

In addition, the following policies should be established and may be included in the information security program, or they may stand alone:

Business Continuity and Disaster Recovery Policy

Incident Response Policy

  • A policy should be in place that establishes how to prepare, detect, and respond to security incidents.

Security Awareness Training

Having savvy and well-trained users helps mitigate risk in the nonprofit space. IT and security awareness training for end users should cover information security topics through formalized training channels, so that it can be delivered annually and tracked for compliance. Topics should include:

  • Password strength and confidentiality
  • Locking and logging off of computers
  • Document destruction
  • Data loss risks (removable media, email, third-party storage sites, social media posts)
  • Acceptable use
  • Social engineering and phishing
    • Social engineering testing should be conducted periodically to measure employees' understanding of social engineering practices and the actions they take to prevent successful attempts. Regular phishing testing should measure employee response and reinforce training, reducing the likelihood that an employee lets an attacker gain access through actions such as clicking spoofed links or entering login credentials on malicious websites.

This content was written by Javier Young, CLA’s Cybersecurity Principal.

How CLA Can Help

CLA’s cybersecurity team has a deep understanding of the current threat landscape and can help with vulnerability assessments, awareness training, and other cybersecurity concerns and needs. Don’t go it alone. Learn more here, and reach out if you have any questions.

If interested in more cybersecurity content and thought leadership, be sure to check out and subscribe to CLA’s Cybersecurity Blog.
