Today, almost everything your nonprofit does is recorded and stored in its information technology (IT) systems. These systems hold personally identifiable information about your donors, employees, and customers. Processes and plans that give your nonprofit a strategic advantage are stored within IT. Documentation of compliance with grants and laws is also stored within IT.
Because so much of your nonprofit’s vital information is held on computers, internal controls over information technology are just as important as internal controls over cash. IT controls need to cover both accidental loss of information, such as a crashed hard drive, and purposeful theft of information, such as ransomware attacks. Controls should cover the following areas:
- Access to the computers, both physical and virtual, including how it is granted and removed
- Limiting access to information to only what is applicable for a person’s job; this means different people have different access
- Training on information technology security; people are the weakest link in IT security
- Strong passwords, multi-factor authentication, and policies to prevent sharing them
- Software updates, including antivirus
- Spam filtering
- Cyber insurance
- Evaluating service organization controls (third parties you rely on to accumulate, store, or analyze your data)
- Backups, including testing
- Compliance with laws, especially those regarding personally identifiable information

There are many different information technology controls to implement, and the ones listed above are just a few. Consider which pieces of your information technology your nonprofit couldn’t survive without, and how to ensure continuity of that information.