By Karen Dringenburg, CPA, Senior Accountant at Blue & Co.
The IT environment is constantly evolving, and not-for-profit organizations face unique challenges in keeping pace. While your primary focus is advancing your mission and serving your community, you’re also responsible for protecting donor information, safeguarding financial data, and maintaining secure systems. Balancing these priorities can be complex, especially as technology and cyber risks continue to change.
An IT assessment can help you take a step back and evaluate whether the right controls are in place to support your organization. By identifying vulnerabilities, strengthening internal safeguards, and reducing the risk of fraud or cyberattacks, an assessment provides valuable insight into the overall health of your IT environment, so you can stay focused on what matters most.
Cybersecurity threats continue to rise, with global cyberattacks increasing by nearly 80 percent last year and not-for-profits ranking second among the most-targeted sectors, according to the CyberPeace Institute.
As part of an IT assessment in collaboration with our partners at Blue Pioneer Consulting, we can take a closer look at the policies and procedures you have in place to help ensure your organization is protected. Their team can also help evaluate, strengthen, and develop IT policies that align with your operations, risk profile, and regulatory requirements.
While there are many IT policies worth considering, the following are among the most essential:
IT User Acceptance Policy – This policy outlines how your organization’s applications, networks, and devices should be used. It includes expectations for acceptable use, confidentiality of passwords, and guidelines for accessing company accounts. This is also a great place to establish boundaries around social media usage. And remember – no more passwords written on sticky notes!
Data Access Policy – This policy defines how sensitive information is classified and who has access to it. Organizations often tier data based on risk and user roles. Proper data access controls help protect everything from donor records to financial documents.
Password Security Policy – A strong password policy is critical for internal security. It should clearly prohibit password sharing and outline requirements for password complexity, rotation, and storage. Even small lapses, like shared logins, can bypass important internal controls.
Remote Access Policy – With many employees working remotely—especially post‑pandemic—this policy defines how users may connect to your systems from outside the office. It helps ensure that secure methods such as virtual private network (VPN) access and multifactor authentication (MFA) are always used.
Document Retention Policy – Many not-for-profits keep documents forever, but not all records need permanent storage. This policy identifies which documents must be retained indefinitely (such as articles of incorporation, bylaws, board minutes, and fund agreements) and provides retention schedules for everything else. Remember that this policy should cover both physical and electronic data.
Disaster Recovery Plan – While not technically a “policy,” every organization should have a business continuity and disaster recovery plan tailored to its size and risks. This plan outlines when it should be activated, who is responsible, how systems will be restored, and how critical information is backed up and protected.
Data Backup & Recovery Policy – Even though backups are part of disaster recovery, a dedicated policy helps clarify the frequency, storage method, and testing of backups.
If any of these policies are missing or if some feel unfamiliar, now may be a good time to take a closer look at your IT environment. Our not-for-profit team can help you think through these considerations and, when appropriate, introduce you to Blue Pioneer Consulting for specialized support in evaluating and strengthening your IT policies and overall IT environment. To start the conversation, reach out to your local Blue & Co. advisor today; you're also welcome to contact the Blue Pioneer Consulting team directly.





