5 Must-Have Security Policies

You’ve put firewalls in place and installed antivirus software on every computer in your office. None of it matters if your staffers are engaging in risky habits. Your organization is not protected.

Written policies and regular training are critical because they empower staffers to take action to protect your data against malicious software. Here are the five data security policies that you need to write this year.

  • Acceptable Use: This is a big catchall category where you can establish the basics — who can access what information where and when. It’s also a chance to outline the various devices and systems your organization uses and how to stay safe while using them.Under this category you might also want to explain some of the ways well-meaning people can accidentally expose the organization to risk, such as social engineering scams where staffers are tricked into releasing data or providing access to a system.
  • Email: This is a common way malicious software gets into a system. You can help your staffers detect suspicious emails and train them in what to do when a risky email appears in their inbox.
  • Mobile Devices and Working Remotely: Are staff members working from home? Do they use their personal computers, tablets, or phones to carry out your nonprofit’s business? Outline how much of the acceptable use policy applies to personal devices and provide additional guidance for how they can stay safe when they’re outside the office.This policy might also include requirements such as the use of a VPN or specific antivirus software. If you require software to be used, you’ll need to provide it for free and detail how to install and maintain these tools.
  • Password Protection: An alarming number of people still use weak passwords such as “123456.” This policy should provide guidance on the length of passwords, how frequently to change them, and a warning not to share or reuse them.
  • Security Response: What will you do if a breach occurs? Use this policy to outline the steps needed to shut down the attack, preserve or recover data, clean up systems, manage the potential PR issues, and get operations back up and running.