Nonprofit IT Policy Guide 2026: Templates, Best Practices & Implementation

TL;DR: Every nonprofit needs written IT policies to protect donor data, meet compliance requirements, and keep daily operations running. This guide covers the seven essential policies your organization should have in place, with practical templates and step-by-step implementation advice tailored to nonprofit budgets and teams.

What You’ll Learn

  1. Why IT Policies Matter for Nonprofits
  2. The 7 Essential IT Policies Every Nonprofit Needs
  3. Password Policy Best Practices
  4. Acceptable Use Policy
  5. BYOD (Bring Your Own Device) Policy
  6. Data Handling and Privacy Policy
  7. How to Implement IT Policies on a Nonprofit Budget
  8. Pros and Cons of Formal IT Policies
  9. Frequently Asked Questions
  10. Your Next Steps

Why IT Policies Matter for Nonprofits

A staff member clicks a phishing link. A volunteer connects to your donor database from an unsecured coffee shop network. A departing employee still has access to your cloud storage three months after leaving. These scenarios happen at nonprofits every day, and without written IT policies, your organization has no consistent way to prevent or respond to them.

According to Verizon’s 2025 Data Breach Investigations Report, 37% of successful attacks against web applications used brute force, up from 21% the prior year. Nonprofits are not exempt. In Q1 2026, nonprofits and NGOs were among the sectors most affected by the 486 reported data breach events in the U.S.

An IT policy is a written document that defines how your organization uses, manages, and protects its technology. It is not a technical manual. It is a set of clear expectations for every person who touches your systems, from executive directors to part-time volunteers.

At Scottship Solutions, we help nonprofits build practical technology policies that fit real-world budgets. The goal is not a 200-page binder that nobody reads. It is a set of focused, enforceable guidelines that protect your mission.

The 7 Essential IT Policies Every Nonprofit Needs

Not every nonprofit needs a Fortune 500 IT handbook. But every organization that handles donor data, financial records, or client information should have these seven policies documented and communicated to staff.

Policy | What It Covers | Who It Applies To
Acceptable Use Policy (AUP) | Rules for using organization devices, email, internet, and software | All staff and volunteers
Password Policy | Password creation, storage, rotation, and multi-factor authentication | All staff and volunteers
BYOD Policy | Rules for personal devices accessing work systems | Staff using personal phones/laptops
Data Handling & Privacy | How donor, client, and financial data is collected, stored, and shared | All staff
Incident Response | Steps to take when a breach or security event occurs | IT team, leadership
Backup & Disaster Recovery | How data is backed up, tested, and restored after an incident | IT team, leadership
AI Acceptable Use | Guidelines for staff using AI tools like ChatGPT, Copilot, or Claude | All staff

If you can only tackle one document this quarter, start with the Acceptable Use Policy. It sets the foundation for everything else.

Password Policy Best Practices for Nonprofits

A password policy is a written set of rules governing how your organization creates, stores, and manages login credentials. It is the single most impactful security policy a nonprofit can implement because weak passwords remain the top attack vector for small organizations.

An estimated 80-85% of people reuse passwords across multiple sites, and roughly half of employees admit to reusing credentials at work. For nonprofits handling sensitive donor and client data, this is a serious liability.

What Your Password Policy Should Include

  • Minimum length of 14 characters (NIST’s current recommendation over complexity rules)
  • Mandatory multi-factor authentication (MFA) on all accounts that support it, especially email, CRM, and financial systems
  • Password manager requirement for all staff – tools like 1Password for nonprofits offer discounted or free plans for qualifying organizations
  • Ban on password reuse across work and personal accounts
  • No password sharing via email, sticky notes, or shared documents
  • Annual review of the policy and a quarterly check on MFA enrollment
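The length, reuse and MFA rules above can be turned into a repeatable check. The script below is an added example, not Scottship Solutions' code; it assumes a constructed CSV account export with the columns user, system and mfa_enabled, and a constructed breached-password list standing in for a real feed.

```python
"""Checks for the password policy rules above (added example, not the
guide's own code). Assumes a constructed CSV export with columns
user,system,mfa_enabled; real exports differ by vendor."""
from __future__ import annotations
import csv
import io

MIN_LENGTH = 14  # NIST guidance: favour length over composition rules
PRIORITY_SYSTEMS = {"email", "crm", "finance"}  # singled out in the policy

# Constructed deny list standing in for a breached-password feed.
BREACHED = {"password123456", "welcome2024!!!"}


def check_password(candidate: str, previous: set[str] = frozenset()) -> list[str]:
    """Return policy violations for a proposed password (empty list = OK).
    No character-class rules are applied, matching the NIST recommendation."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BREACHED:
        problems.append("appears in breached-password list")
    if candidate in previous:
        problems.append("reuses a previous password")
    return problems


def mfa_enrollment_report(export_csv: str) -> dict[str, list[str]]:
    """Quarterly MFA check: map each system to users without MFA,
    with the priority systems (email, CRM, finance) listed first."""
    gaps: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["mfa_enabled"].strip().lower() != "true":
            gaps.setdefault(row["system"].strip().lower(), []).append(row["user"])
    return dict(sorted(gaps.items(),
                       key=lambda kv: (kv[0] not in PRIORITY_SYSTEMS, kv[0])))


# Constructed sample export for a small team.
SAMPLE_EXPORT = """user,system,mfa_enabled
alice@example.org,email,true
bob@example.org,email,false
carol@example.org,crm,false
dave@example.org,wiki,false
alice@example.org,finance,true
"""

if __name__ == "__main__":
    for system, users in mfa_enrollment_report(SAMPLE_EXPORT).items():
        print(f"{system}: MFA missing for {', '.join(users)}")
    print(check_password("short1!"))
```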

Free and Discounted Password Managers for Nonprofits

One of the easiest wins for any nonprofit is deploying a password manager across the team. Several providers offer nonprofit pricing:

Tool | Nonprofit Offer | Best For
1Password | Free Teams plan for nonprofits through TechSoup | Teams needing shared vaults and admin controls
LastPass | Discounted Teams plan for nonprofits | Organizations already in the LastPass ecosystem
Bitwarden | Free for personal use; affordable Teams plan | Budget-conscious orgs wanting open-source security
Dashlane | Nonprofit pricing available on request | Teams that want built-in VPN and dark web monitoring

Why is a password policy important? Because stolen credentials sell for as little as $10 on criminal marketplaces, according to Verizon. A password manager and MFA make those stolen credentials worthless.

Acceptable Use Policy: Setting Clear Expectations

An acceptable use policy (AUP) defines what staff and volunteers can and cannot do with your organization’s technology. It covers hardware, software, email, internet access, and cloud services. Without one, you have no enforceable standard for how people interact with your systems.

Key Elements of a Nonprofit AUP

  • Scope: Which devices, networks, and software the policy covers
  • Permitted use: What is and is not allowed (personal browsing, social media, personal email)
  • Prohibited activities: Downloading unauthorized software, sharing credentials, bypassing security controls, accessing data unrelated to job duties
  • Monitoring disclosure: Whether the organization monitors email, web traffic, or device usage
  • Consequences: Clear, proportionate steps for policy violations
  • Acknowledgment signature: Staff must sign that they have read and understood the policy

Think of the AUP as your organization’s technology rulebook. It protects your nonprofit from liability while giving staff clear guardrails. According to Tech Impact’s Nonprofit Technology Policy Workbook, an AUP should be the first policy any organization creates.

BYOD Policy: Managing Personal Devices Safely

A BYOD (Bring Your Own Device) policy sets rules for staff who use personal phones, tablets, or laptops to access work email, files, or systems. For nonprofits with limited hardware budgets, BYOD is often a financial necessity. But it introduces real security risks.

The risks of a BYOD arrangement include data leakage through unsecured apps, malware infection from personal downloads, loss of organizational data when a device is lost or stolen, and difficulty enforcing security standards on hardware you do not own.

What a BYOD Policy Should Cover

  • Which systems personal devices can access (email only, or full network access?)
  • Required security measures: device passcode, encryption, automatic updates, screen lock timeout
  • App restrictions: which apps can access work data
  • Remote wipe consent: the organization’s right to erase work data from a personal device if lost or if employment ends
  • Network requirements: no accessing work systems on public Wi-Fi without a VPN
  • Exit procedures: how work data is removed from personal devices when someone leaves the organization

A practical BYOD approach for nonprofits is to use Mobile Device Management (MDM) software that creates a secure container for work data on personal devices. This separates personal and work data without requiring full control over the employee’s phone.

Data Handling and Privacy Policy

Nonprofits collect sensitive information every day: donor names and payment details, client case files, employee records, and grant financial data. A data handling policy defines how this information is collected, stored, accessed, shared, and eventually deleted.

Core Components

  • Data classification: Categorize data as public, internal, confidential, or restricted
  • Access controls: Define who can access what, based on role – not everyone needs access to the donor database
  • Retention schedule: How long you keep different types of data (grant records may need 7 years; event RSVPs can be purged annually)
  • Encryption requirements: Data at rest and in transit should be encrypted, especially donor financial information
  • Third-party sharing: Rules for sharing data with vendors, consultants, or partner organizations
  • Breach notification: Your obligations under state law to notify affected individuals if data is compromised

With regulations like CCPA and various state-level privacy laws, nonprofits face increasing compliance requirements. A clear data handling policy is not just good practice. It is a legal necessity. Your fractional CIO or IT partner can help you map data flows and identify gaps.

How to Implement IT Policies on a Nonprofit Budget

Writing policies is the easy part. Getting your team to actually follow them requires a plan. Here is a practical approach that works for organizations with limited IT staff and budgets.

Use Case: A 25-Person Nonprofit Rolls Out IT Policies

A mid-sized education nonprofit with 25 staff members and a part-time IT coordinator needed to formalize its technology policies before a major grant audit. The organization had no written IT policies and staff used a mix of personal and organization-owned devices.

Here is the approach that worked:

  1. Start with a tech audit. Document every device, software subscription, and cloud service your organization uses. You cannot write policies for systems you do not know about. A tech stack audit gives you this baseline.
  2. Prioritize by risk. Draft the Acceptable Use Policy and Password Policy first. These address the two most common attack vectors: human error and weak credentials.
  3. Keep it short. Each policy should be 2-4 pages. If staff cannot read it in 10 minutes, it will not get read.
  4. Get leadership buy-in. The executive director and board should formally adopt the policies. This gives them weight.
  5. Train, do not just distribute. Hold a 30-minute all-staff session to walk through the policies. Answer questions. Make it practical, not punitive.
  6. Schedule annual reviews. Technology changes fast. Review and update your policies at least once a year.

The total cost for this nonprofit? A password manager subscription ($0 through TechSoup), staff time for drafting and training (about 20 hours total), and ongoing review built into their annual calendar. No expensive consultants required, though working with an IT partner like Scottship Solutions can accelerate the process significantly.

Free Templates and Resources

You do not need to start from scratch. Several organizations offer free IT policy templates specifically designed for nonprofits:

  • Tech Impact’s Nonprofit Technology Policy Workbook – a comprehensive, free workbook covering AUP, incident response, and disaster recovery policies
  • Apparo’s Policy Templates – downloadable Word documents for acceptable use, technology strategic plans, and business continuity
  • Community IT Innovators – free AI acceptable use policy template and cybersecurity policy resources
  • NIST Cybersecurity Framework – the gold standard for structuring your security policies, adaptable to any organization size

Many discounts on nonprofit IT policy development tools are available through TechSoup, which offers donated and discounted software to qualifying nonprofits, including security tools, productivity suites, and cloud services that support policy enforcement.

Pros and Cons of Formal IT Policies

Some nonprofit leaders worry that formal policies will slow down their team or feel corporate. Here is an honest look at the trade-offs.

Pros | Cons
Reduces risk of data breaches and compliance violations | Requires staff time to draft, review, and maintain
Provides clear expectations for staff and volunteers | May feel restrictive to staff used to informal processes
Strengthens grant applications and audit readiness | Policies must be enforced consistently to be effective
Simplifies onboarding for new staff and volunteers | Outdated policies can create a false sense of security
Protects the organization from legal liability | Small teams may lack capacity for full policy governance

What it comes down to: the risk of not having policies far outweighs the effort of creating them. A single data breach can cost a nonprofit its reputation, donor trust, and years of operational momentum.

“Technology governance is no longer optional for nonprofits. The organizations that invest in clear policies today will be better positioned to earn donor trust, win competitive grants, and respond to incidents without panic.”

– Build Consulting, Essential IT Governance Policies Every Nonprofit Should Have

Frequently Asked Questions

What should a nonprofit IT policy guide include?

A nonprofit IT policy guide should include an acceptable use policy, password policy, BYOD policy, data handling and privacy policy, incident response plan, backup and disaster recovery policy, and an AI acceptable use policy. Each document should be 2-4 pages, written in plain language, and reviewed annually.

How much does nonprofit IT policy development cost?

Many IT policy development resources are available at no cost. Organizations like Tech Impact and Apparo offer free templates, and TechSoup provides discounts on security tools for qualifying nonprofits. If you work with an IT partner, expect to invest 10-30 hours of combined staff and consultant time to develop a complete policy set.

Why is a password policy important for nonprofits?

Password policies are important because weak and reused credentials are the top attack vector for small organizations. With 80-85% of people reusing passwords and stolen credentials available for as little as $10, a strong password policy paired with multi-factor authentication is the most cost-effective security measure a nonprofit can implement.

Does my nonprofit need a BYOD policy if we only have a few staff members?

Yes. Even a small team using personal devices to check work email creates security exposure. A BYOD policy does not need to be complicated. It should cover required device security settings, which systems personal devices can access, and what happens to work data when someone leaves the organization.

How often should nonprofits update their IT policies?

Review and update IT policies at least once a year, or whenever your organization adopts a major new system, experiences a security incident, or faces new compliance requirements. Assign a specific person or committee to own the annual review process.

Your Next Steps

  1. Audit your current state: List every device, app, and cloud service your organization uses. Identify who has access to what.
  2. Download a free template: Start with Tech Impact’s Nonprofit Technology Policy Workbook or Apparo’s Acceptable Use Policy template.
  3. Draft your first two policies: Begin with the Acceptable Use Policy and Password Policy. Keep each under 4 pages.
  4. Deploy a password manager: Apply for 1Password for nonprofits through TechSoup or set up Bitwarden for your team.
  5. Schedule a training session: Walk your team through the new policies in a 30-minute meeting. Answer questions and set expectations.
  6. Set a review date: Add an annual policy review to your organizational calendar.
  7. Talk to an IT partner: If you need help prioritizing or implementing, schedule a consultation with Scottship Solutions. We help nonprofits build right-sized IT policies that protect your mission without overcomplicating your operations.

At Scottship Solutions, we help nonprofits build practical, enforceable IT policies that protect donor data, strengthen grant applications, and keep your team focused on your mission. From IT support and policy development to backup and disaster recovery planning and fractional CIO services, our team understands that your mission matters more than your tech stack. Schedule a consultation today to get started.