Nonprofit Technology and Data Security Annual Review

Nonprofits hold sensitive donor, beneficiary, and financial data that represents a valuable target for cybercriminals. This annual security review ensures basic cybersecurity controls are in place proportionate to the organization's risk profile.

  • Industry: Nonprofit
  • Frequency: Annually
  • Estimated Time: 3-4 hours
  • Role: Operations Manager / IT Lead
  • Total Items: 27

Access Controls

Verify access control practices.

  • Every staff member has a unique username (no shared accounts)?
  • Multi-factor authentication enabled for email, banking, and critical systems?
  • Strong password policy enforced (12+ characters, complexity)?
  • Password manager used to manage organizational credentials?
  • Immediate account deactivation process upon staff departure?
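The first, second and last items in this section can be checked mechanically rather than by interview. The following is an added example (not part of the original checklist or of any vendor tool) that reconciles a constructed identity-provider account export against a constructed HR roster and flags shared logins, accounts whose owner has left, accounts without MFA, and accounts idle past a threshold. The account fields, roster format and 90-day stale threshold are assumptions for illustration.

```python
"""Added example: audit an account export against the HR roster.

All data below is constructed for illustration; the field layout is an
assumption about what an identity-provider export would contain.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class Account:
    username: str
    owner_email: Optional[str]   # None marks a generic/shared login with no single owner
    mfa_enabled: bool
    last_login: date


# Constructed sample export of user accounts
ACCOUNTS = [
    Account("alice", "alice@example.org", True, date(2024, 5, 2)),
    Account("bob", "bob@example.org", False, date(2024, 4, 30)),
    Account("frontdesk", None, False, date(2024, 5, 1)),
    Account("carol", "carol@example.org", True, date(2024, 1, 15)),
]

# Constructed sample HR roster of currently employed staff (by work e-mail)
ACTIVE_STAFF = {"alice@example.org", "bob@example.org"}


def audit_accounts(accounts: List[Account], active_staff: Set[str],
                   today: date, stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every control the account fails."""
    findings = []
    for a in accounts:
        # Checklist item: no shared accounts
        if a.owner_email is None:
            findings.append((a.username, "shared or generic account"))
        # Checklist item: deactivation on departure (owner missing from roster)
        elif a.owner_email not in active_staff:
            findings.append((a.username, "owner no longer on staff roster"))
        # Checklist item: MFA enabled
        if not a.mfa_enabled:
            findings.append((a.username, "MFA not enabled"))
        # Idle accounts are a common sign of an incomplete offboarding
        if (today - a.last_login).days > stale_days:
            findings.append((a.username, "no login in %d days" % stale_days))
    return findings


if __name__ == "__main__":
    for user, problem in audit_accounts(ACCOUNTS, ACTIVE_STAFF, date(2024, 5, 3)):
        print(f"{user}: {problem}")
```

Run against a real export, the findings list is the evidence for the "yes" or "no" recorded against each item; an empty list for the roster check is the condition the deactivation item is asking about.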

Data Protection

Verify data protection practices.

  • Inventory of sensitive data (donor, beneficiary, financial) and where it is stored completed?
  • Sensitive data encrypted at rest and in transit?
  • Data minimization: only data needed for operations retained?
  • Credit card data not stored in organizational systems (PCI DSS)?
  • Data retention and deletion policy in place?

Backup and Recovery

Verify backup and recovery systems.

  • Automated backups of critical data running daily?
  • Backup copies stored offsite or in the cloud, separate from primary systems?
  • Backup restoration tested successfully within last year?
  • Basic disaster recovery and business continuity plan documented?
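The restoration-test item is only meaningful if the restored data is compared against what was backed up, not just confirmed to exist. The following added example (not from the original checklist or any product) builds a small constructed data directory, archives it, restores the archive into a scratch directory, and compares a SHA-256 manifest of the source against the restored files, reporting anything missing or changed. The tar.gz format and the directory layout are assumptions chosen for the demonstration.

```python
"""Added example: verify a backup by restoring it and comparing file hashes.

The sample files are constructed here; the archive format (tar.gz) is an
assumption, and the same manifest comparison works for any restore method.
"""
import hashlib
import os
import tarfile
import tempfile
from typing import Dict


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def make_backup(source_dir: str, archive_path: str) -> Dict[str, str]:
    """Archive source_dir and return the manifest taken at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return snapshot(source_dir)


def restore_test(archive_path: str, expected: Dict[str, str]) -> dict:
    """Restore into a scratch directory and diff against the backup manifest."""
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # 'data' filter (Python 3.12+, backported to maintenance releases)
                # refuses absolute paths and traversal entries inside the archive
                tar.extractall(restore_dir, filter="data")
            except TypeError:
                tar.extractall(restore_dir)
        actual = snapshot(restore_dir)
    missing = sorted(set(expected) - set(actual))
    changed = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"missing": missing, "changed": changed, "ok": not missing and not changed}


def demo():
    """Build constructed sample data, back it up, and run the restore test."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "donors"))
        with open(os.path.join(src, "donors", "list.csv"), "w") as f:
            f.write("id,name\n1,Example Donor\n")          # constructed content
        with open(os.path.join(src, "ledger.txt"), "w") as f:
            f.write("2024-01-01 opening balance\n")         # constructed content
        archive = os.path.join(work, "backup.tar.gz")
        manifest = make_backup(src, archive)
        return restore_test(archive, manifest), manifest


if __name__ == "__main__":
    result, _ = demo()
    print("restore OK" if result["ok"] else result)
```

Keeping the manifest produced at backup time alongside the archive is what makes the annual restore test a real check: a restore that completes without error but yields a non-empty `missing` or `changed` list is a failed test.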

Email and Phishing Security

Verify email security.

  • Staff trained to recognize phishing emails?
  • Business email compromise awareness training completed (fake wire transfer requests)?
  • Wire transfer and banking change requests verified by phone before processing?
  • Email spam and phishing filtering enabled?

Incident Response

Verify incident response readiness.

  • Basic cybersecurity incident response plan documented?
  • State data breach notification law requirements known?
  • Cyber liability insurance coverage in place?
  • Prior security incidents reviewed and lessons applied?

Vendor and Third-Party Security

Assess vendor security risks.

  • Vendors with access to organizational data identified?
  • Data processing agreements with all vendors handling personal data?
  • Fundraising platform security and PCI DSS compliance verified?
  • Organizational social media accounts secured with strong passwords and MFA?
  • Domain registration secured against hijacking?


Why Use This Nonprofit Technology and Data Security Annual Review?

This nonprofit technology and data security annual review helps nonprofit teams maintain compliance and operational excellence. Designed for Operations Manager / IT Lead professionals, this checklist covers 27 critical inspection points across 6 sections. Recommended frequency: annually.

Frequently Asked Questions

What does the Nonprofit Technology and Data Security Annual Review cover?

This checklist covers 27 inspection items across 6 sections: Access Controls, Data Protection, Backup and Recovery, Email and Phishing Security, Incident Response, Vendor and Third-Party Security. It is designed for nonprofit operations and compliance.

How often should this checklist be completed?

This checklist should be completed annually. Each completion takes approximately 3-4 hours.

Who should use this Nonprofit Technology and Data Security Annual Review?

This checklist is designed for Operations Manager / IT Lead professionals in the nonprofit industry. It can be used for self-assessments, team audits, and regulatory compliance documentation.

Can I download this checklist as a PDF?

Yes, this checklist is available as a free PDF download. You can also use it digitally in the POPProbe mobile app for real-time data capture, photo documentation, and automatic reporting.
