Where do I find free templates to adapt to my organization’s needs and other resources and frameworks?
The Take Home Message
If you are stuck knowing that you need to create or update IT policies at your nonprofit but not knowing where to start, you are not alone. Crafting robust IT governance documents can feel daunting, and that difficulty getting started may be a barrier.
- While the perfect free nonprofit IT policy template doesn’t exist out of the box, templates do exist so you don’t have to start from a blank page.
- If you only have time to prioritize one document, start with an Acceptable Use Policy, then add on the other policies below as appropriate.
- Make sure you identify stakeholders and executive champions at your nonprofit, consult your legal team on these foundational documents, and get buy-in for rolling out your updates.
- The most important tip is to start from somewhere, and work in small steps that are less likely to be overwhelming.
- Finally, create calendar reminders to review IT policies annually, or more often as appropriate, to prevent them from going out of date and becoming a big project again.
Free Resources for Building Strong IT Policy in Nonprofits
Crafting robust IT governance documents can feel daunting, and that difficulty getting started may be a barrier to creating or updating these policies at your nonprofit. That can leave your organization vulnerable to honest mistakes, disgruntled staff, or a lack of security. Having no policy at all may leave your staff not knowing what to do in the event of a cybersecurity incident or a stolen laptop.
Fortunately, several free resources can empower nonprofits to establish strong IT policies. This article explores readily available templates and guides to streamline policy creation.
First, what IT policies are essential to nonprofits?
Essential IT Policies for Nonprofits
- Acceptable Use Policy
  - This is the bedrock of your IT policy, governing what staff are allowed – and not allowed – to do with their devices and software, and laying out security expectations. This document should define acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization’s corporate resources and proprietary information.
- Data Retention/Security Policy
  - Data retention regulation largely follows California law and the EU’s GDPR (General Data Protection Regulation), including the right to be forgotten.
  - Website Privacy Policies. Does your website spell out your data retention policy? Is your marketing email platform in compliance?
- Document Retention
  - Document retention policies for nonprofits include legal regulations for the US and the EU.
- Disaster Response Plan
  - A functional policy document that should define the requirement for a baseline disaster recovery plan to be developed and implemented by the company. The plan describes the process to recover IT systems, applications, and data from any type of disaster that causes a major outage.
- AI Acceptable Use Policy/Tool Specific Policies
  - As your organization makes use of specific IT tools or Software as a Service (SaaS), each tool may require your staff to safeguard data and users, or to apply the ethics and values of your nonprofit. As AI tools and AI features on existing platforms have risen to prominence, your organization may want to create policies governing the considerations you want staff to weigh.
  - Specific tools may have specific security risks that your policy should address.
- Other/Non-IT
  - If your organization deals with minors, healthcare, education, and other issue areas, you may need to create policies to comply with legal requirements such as HIPAA. Consult your legal team to list these requirements. These requirements may impact your IT platforms, strategy, documentation, and policy.
  - As you apply for cybersecurity insurance, your broker may share with you cybersecurity controls that you need to implement. Documenting these requirements and updating your Acceptable Use Policy is good practice to help comply with insurance requirements.
  - DEI policy. Your organization may have legal requirements to ensure compliance with employment laws; you may want to publicize your DEI policies.
  - Other policies.
Free Templates: Nonprofit-Specific Resources
- Community IT developed this AI Acceptable Use policy template to be less generic and more adaptable to nonprofit environments. All or parts of this policy can be freely used by your organization. There is no prior approval required.
- Council of Nonprofits offers data retention and document retention policy advice. Each nonprofit needs to investigate and learn what its own state law requires as well as seek to retain only those documents that are relevant to activities of that particular nonprofit. Not only do state laws differ as to what must be retained, but nonprofits vary in the types of documents they generate. However, it is possible to identify a handful of documents that every charitable nonprofit should save permanently, as well as others that should be saved for a certain length of time by most nonprofits.
- Forbes published an article with resources on complying with US (California) and EU (GDPR) data retention and governance regulations. The National Council of Nonprofits offers more resources on data privacy compliance: https://www.councilofnonprofits.org/articles/earning-trust-imperative-data-privacy-nonprofits
- The National Council of Nonprofits has some templates for data security and cybersecurity policies at nonprofits. They also provide resources on website security, an often-overlooked area of risk for cyber-attacks and ransomware, even at small nonprofits. https://www.councilofnonprofits.org/running-nonprofit/administration-and-financial-management/cybersecurity-nonprofits
- The National Council of Nonprofits also offers extensive resources on nonprofit Board development and professionalization, including free policy templates for Nonprofit Board policy documentation. They also provide further resources on strengthening Board Governance practices. https://www.councilofnonprofits.org/running-nonprofit/governance-leadership/good-governance-policies-nonprofits
Frameworks:
The following links are not templates per se, but free frameworks to follow to develop policies for Artificial Intelligence (AI). As AI tools and ethical issues develop rapidly, these frameworks can help your leadership and staff understand the issues as you use readily available AI tools to work more efficiently and pursue novel approaches to your nonprofit mission.
- TAG: https://www.tagtech.org/page/AI Serving as a starting point for decision-makers, the framework provides a catalog of considerations in three key areas when exploring or expanding the use of AI – Organizational, Ethical, and Technical.
- NTEN: https://www.nten.org/publications/artificial-intelligence-framework-for-an-equitable-world This framework is a guide and tool for surfacing questions, identifying areas of evaluation or investigation, and embedding equity and transparency values into every AI-related project.
Free Templates: General Policy Templates that Nonprofits Can Adapt
SANS
Websites like SANS (https://www.sans.org/information-security-policy/) provide general policy templates, which can be adapted for an IT context. Remember to tailor generic templates to your specific technologies and workflows. Community IT often recommends the SANS policy template library as a first stop in creating your IT policies, particularly the foundational Acceptable Use Policy.
The SANS website Security Policy Template library has dozens of IT-specific policy templates for many issues your nonprofit will encounter. These policy templates can easily be updated for your situation. SANS provides valuable resources for building IT policy.
Delinea
Additional free security policy templates can be found at Delinea (formerly Thycotic), and can be adapted to your nonprofit needs. This template focuses on securing privileged accounts: https://delinea.com/resources/free-privileged-account-management-pam-policy-template
And this one can help you develop an incident response plan: https://delinea.com/resources/free-incident-response-plan-template. For more information on developing a nonprofit incident response plan and why you need one, Community IT also has this guide: https://communityit.com/how-to-create-a-nonprofit-incident-response-plan/.
Lockton Group: Cyberliability Insurance Guide
Cyber Insurance Controls: Lockton Group created a guide for cyber insurance that is very valuable for nonprofits. This guide has definitions and explanations of what a cyberliability policy can require. It is not a policy template per se, but it is very valuable when creating IT and cyber policies that help your organization comply with insurance requirements. https://global.lockton.com/us/en/news-insights/a-guide-to-basic-controls-demonstrating-cyber-preparedness
Beyond Templates: Best Practices
While templates serve as a valuable starting point, remember these key points:
- Customize, Don’t Copy: Templates are foundational, but don’t simply copy-paste. Adapt the content to reflect your organization’s size, technology infrastructure, local regulations, and internal culture.
- Seek Legal Counsel: IT policies often have legal implications. While free templates provide a framework, consult with your own legal counsel to ensure compliance and mitigate risks.
- Collaboration is Key: Involve stakeholders across the organization – board members, IT staff, and program personnel – in developing and reviewing the policies. This fosters collective understanding and ownership. These resources for building IT policy have valuable tips to help start.
- Start Small: This project can seem overwhelming. Pick one policy to start and keep your tasks manageable.
- Keep Your Policies Updated: Set reminders to update your policies annually, every six months, or whenever is appropriate for your nonprofit. Now that you’ve put the effort in, don’t let this project get overwhelming in the future.
Consider your organization’s internal culture and management style. If your nonprofit is fairly hierarchical and responds well to having rules to follow, it may be most effective for a leadership team to develop the policy and release it to staff. If your culture is more entrepreneurial and participatory, you may want to create a committee from the various stakeholders (HR, management, leadership, IT, staff) to adapt a template for your own use.
Resources for Building IT Policy Conclusion
By leveraging free resources and best practices, nonprofits can develop effective IT policy documents that safeguard their data, ensure responsible technology use, and empower staff to fulfill their missions effectively.
A lack of policies makes well-managed IT difficult to enact and can leave your nonprofit vulnerable to multiple threats. But it’s not enough simply to create or update the policies – if your staff don’t know what policy they need to follow, no one benefits and risks remain. When rolling out new or updated IT policies, make sure to implement a thoughtful training program to get existing and new staff up to speed on what you expect and how they will use IT at your nonprofit. These resources for building IT policy at nonprofits will help you get started.
Remember, strong IT governance fosters trust with donors and stakeholders, helping nonprofits respond quickly to IT issues and stay focused on their core mission – creating positive change in the world.
Ready to get strategic about your IT?
Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap, if you don’t have an in-house IT Director.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
If you need outsourced IT assistance and could use help creating or revising your IT Governance policies as part of that partnership, let’s talk. We can keep you on track and help you prioritize policy updating with your stakeholders with these resources for building IT policy.