Assessment tool: What to include in your IT policy
Work through each section to identify what your IT policy needs to cover. Select everything that applies to your organisation, and the relevant policy requirements will appear as you go.
Section 1: Data Sensitivity
Does your organisation handle any of the following types of data?
What your policy needs to cover
Your policy should clearly define how each type of sensitive data is classified, where it may be stored and accessed, who is authorised to handle it, and what steps must be taken if that data is ever compromised or shared without authorisation.
Section 2: Internal Information
Does your organisation store any of the following internally?
What your policy needs to cover
Your policy should define clearly who has access to this information, under what circumstances access is permitted, where this data can be saved or shared, and which tools or platforms are approved for storing it. Access permissions should be reviewed when staff roles change.
Section 3: Tools and Systems
Which best describes the technology your organisation relies on? Select all that apply.
For paid generally available platforms
Your policy should include a schedule for regularly reviewing your organisation-level settings on each platform. This includes permissions, data sharing configurations, user access levels, and any third-party app integrations connected to your accounts.
For dedicated or self-hosted systems
Your policy should establish regular reviews of technical security standards, including software version management, access controls, backup integrity, and any vulnerabilities in custom code or infrastructure. These reviews should be conducted by someone with the appropriate technical expertise.
For free tools
Your policy should specify which free tools are permitted and for what purposes. It should explain how each tool processes the information entered into it, so staff understand what is and is not appropriate to type in. As a general principle, no sensitive, confidential, or personally identifiable information should ever be entered into a consumer-grade free tool.
Section 4: Devices
Which best describes how your team accesses organisational accounts and information? Select all that apply.
For organisation-provided devices
Your policy should name the person or role responsible for setting up each device to a consistent standard before it is handed over, and for keeping devices up to date over time. The setup standard itself should be documented and cover operating system settings, security configurations, approved applications, screen lock and encryption requirements, and any monitoring or management tools installed. The policy should also define which personal activities are permitted on organisational devices, whether that is none at all or a defined set of acceptable uses such as personal browsing during breaks.
For personal devices
Your policy should provide clear guidance on how staff should separate their personal and organisational accounts on shared devices. This includes which apps or browsers to use for work, how to ensure work accounts are not connected to personal backups or storage, and what to do if a device is lost, stolen, or compromised while holding access to organisational data. It should also define a minimum security standard for any personal device used for work, covering operating system updates, screen lock settings, storage encryption, and any required security applications, so that the organisation can be confident its data is not exposed through an unsecured personal device.
Applies to every organisation
What every IT policy needs to include
- Regular training with your team: A commitment to ongoing digital security awareness for all staff and volunteers, not just at onboarding. This includes recognising phishing attempts, handling data safely, and knowing what to do when something goes wrong.
- Clear ownership of information: Every piece of information your organisation holds should have a named role responsible for keeping it safe. Your policy should map out who looks after what, so there is no ambiguity about accountability when a question or incident arises.
- Generative AI use: Your policy should set out clearly what staff and volunteers may and may not use generative AI tools for, which specific tools are approved by the organisation, and what types of information must never be entered into an AI system. This is particularly important where sensitive or confidential data is involved, as many tools process and store inputs by default.
Tecer Digital offers free IT policy templates designed specifically for nonprofits and social impact organisations. We also offer support for organisations that need help developing and updating them, together with training frameworks to ensure the team is comfortable with the newest technology available, especially AI-based tools. If you want to know more, get in touch with us.