Information Security Policy

3 Things To Consider As You Begin

Every organization needs to put down in writing the ways they will handle data. It is boring work. Still, it is important to have an information security policy. Written policies for how you will handle other people's information and how you will keep it secure help clarify things within your organization and may come in handy when applying for insurance. Once you have yours drafted, have your lawyer take a look to make sure there is nothing you have missed.

3 Key Considerations As You Draft Your Information Security Policy

1. What information you handle/store.

Nearly every organization handles or stores data of some sort. What sort do you collect? Examples include credit card numbers, birth dates, contact information, purchase history. Whose information do you collect? Likely categories include staff, customers/clients, donors, and even sometimes visitors to your website. In order to draft a complete information security policy, you will need to consider which information your organization handles and whose information you handle.

2. Access to this information.

Whether you handle a few simple details or a huge collection of data, it is unlikely everyone in your organization needs access to all of the information. Part of stewarding information wisely involves minimizing the access within your organization. Information about client identities may not be the business of the front desk person. Your head of marketing may not need to access customer credit card information. What roles within your organization require access to which information?

Access to the information also relates to how you retain data. Hard copies of some information can be kept in a locked cabinet. Digital copies may be encrypted or stored in a special way. Spelling these things out in your information security policy helps make sure everyone is on the same page.

3. Outside requirements.

Get a handle on the requirements placed on your organization from the outside. If you are in an association of some kind, they may have an information security policy of their own that all associated organizations must use. That would mean most of the work has been done for you. If you are an independent organization, you are still likely subject to legal requirements of some kind. For instance, if you handle credit card numbers you will need to be PCI compliant. Those in healthcare will need to consider HIPAA. If possible, consult with a lawyer to make sure you cover all the bases when it comes to your information security policy.


Frontline Technology is one of the only ministry-focused IT companies that is led by pastors and ministry leaders. With over 20 years' experience serving organizations of all sizes, Frontline understands the unique needs, budgets, and technology challenges of nonprofits.

Technology is often perceived as complicated and expensive. Many nonprofits struggle to implement the technology solutions and security needed to drive their mission forward. Frontline Technology helps nonprofits overcome their technology challenges so they can stay focused on their mission.
