Charity Cyber Framework
This checklist is based on the Australian Charities and Not-for-profits Commission (ACNC) Governance Toolkit: Cyber Security. It is designed to help charities implement practical steps to strengthen their cyber security posture, protect sensitive information, and meet governance obligations.
https://www.acnc.gov.au/for-charities/manage-your-charity/governance-hub/governance-toolkit/governance-toolkit-cyber-security
1 — Governance & Responsibility
Assign responsibility: Nominate a Responsible Person (board or committee member) for cyber risk oversight.
Policy & documentation: Keep these high level and to the point. Our FAQ section gives more guidance on policies.
ACNC recommends maintaining written policies for Acceptable Use, Access Control, Data Handling, Backup, and Incident Response.
Defensv also recommends a supplier management or cloud policy.
2 — Identify & Assess (Assets & Risks)
Create an information asset register: record systems, what data could be important, storage locations, and access permissions.
The register doesn't need to be in-depth, but consider the systems where critical or very important data is stored and whose loss or breach would be catastrophic for the charity.
Risk assessment: Document the key risks; consider the following scenarios:
Data Breach
Corruption of Data or Malware
Malicious Insider
Failure of supplier (focus on those holding critical data from the register)
Risk assessments let you focus on directing funds to protect what matters and on making informed decisions.
3 — Prevent (Technical Baseline)
Patching & updates: Enable automatic security updates for laptops, desktops and applications.
Multi-factor authentication (MFA): Require MFA for cloud, email, and admin accounts. This is a top priority.
Restrict administrative privileges: Grant admin rights only where necessary.
Anti-malware & endpoint protection: Install and automatically update antivirus protection.
Firewalls & network protections:
Firewalls can be enabled on laptops, but check mobiles and tablets too. Enable the firewall on the router.
Consider a secure service that can filter internet traffic; your ISP may have options, or look at OpenDNS (or the paid version, Cisco Umbrella).
Segregate guest Wi-Fi so that only authorised staff are on the local network.
Backup strategy: Automate backups, keep an offline copy, and test restores.
This could be OneDrive, Google Drive or a dedicated service, but make sure it is not in the same location or on the same network.
Malware can and will hunt down backups, which is why it is important to make sure they are not on the same network.
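The backup guidance above, and the "Restore testing" item in section 5, both come down to one check: can the files actually be restored, and are they the files you backed up? The script below is an added example (not from the ACNC toolkit or from Defensv) showing how to automate that check. It assumes a tar.gz archive with a sha256 manifest written at backup time and kept beside the archive; it needs GNU tar and sha256sum (on macOS use shasum -a 256). All paths, file names and data in it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the ACNC toolkit or Defensv): automated restore
# test for a tar.gz backup. A sha256 manifest is written at backup time
# and kept beside the archive; the test restores into a scratch directory
# and checks every file against that manifest. Needs GNU tar and
# sha256sum (on macOS use 'shasum -a 256' instead). All paths and data
# below are constructed for the demo.
set -eu

# make_sample_backup WORKDIR
# Creates a small constructed data set under WORKDIR/data, writes the
# checksum manifest and the archive under WORKDIR/backups, and prints the
# archive path.
make_sample_backup() {
    work="$1"
    mkdir -p "$work/data/donors" "$work/backups"
    printf 'id,name,amount\n1,Sample Donor,50\n' > "$work/data/donors/donations.csv"
    printf 'Board minutes placeholder\n' > "$work/data/minutes.txt"
    # Manifest taken from the live data at backup time (hash, then path).
    (cd "$work/data" && find . -type f | sort | xargs sha256sum) \
        > "$work/backups/manifest.sha256"
    (cd "$work/data" && tar -czf "$work/backups/data.tar.gz" .)
    printf '%s\n' "$work/backups/data.tar.gz"
}

# verify_restore ARCHIVE MANIFEST
# Restores ARCHIVE into a temporary directory and verifies every file in
# MANIFEST. Prints OK or FAIL; returns 0 only when the restore is complete
# and every checksum matches. A corrupt archive (tar cannot extract) and a
# silently altered or missing file are both reported as FAIL.
verify_restore() {
    archive="$1"
    manifest="$2"
    scratch=$(mktemp -d)
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        rm -rf "$scratch"
        echo "FAIL: archive could not be extracted"
        return 1
    fi
    if (cd "$scratch" && sha256sum --check --quiet "$manifest" >/dev/null 2>&1); then
        rm -rf "$scratch"
        echo "OK: restore verified against manifest"
        return 0
    fi
    rm -rf "$scratch"
    echo "FAIL: restored files do not match manifest"
    return 1
}

# tamper_archive ARCHIVE OUT
# Produces a copy of ARCHIVE in which one file has been altered, to show
# that the manifest check catches silent corruption (demo helper only).
tamper_archive() {
    src="$1"
    out="$2"
    scratch=$(mktemp -d)
    tar -xzf "$src" -C "$scratch"
    printf '2,Altered Row,0\n' >> "$scratch/donors/donations.csv"
    (cd "$scratch" && tar -czf "$out" .)
    rm -rf "$scratch"
}

# Demo: build a backup from constructed data, verify it, then verify a
# tampered copy of the same archive.
demo_dir=$(mktemp -d)
demo_archive=$(make_sample_backup "$demo_dir")
demo_manifest="$demo_dir/backups/manifest.sha256"
verify_restore "$demo_archive" "$demo_manifest"
tamper_archive "$demo_archive" "$demo_dir/backups/tampered.tar.gz"
verify_restore "$demo_dir/backups/tampered.tar.gz" "$demo_manifest" || true
rm -rf "$demo_dir"
```

The manifest is the important part: a restore that "works" but yields different files is still a failed backup, and a checksum list taken from the live data at backup time is the only way to tell. Keep the manifest with the offline copy, and run the check on a schedule rather than only when a restore is urgently needed.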
Password guidance:
Use strong passphrases and password managers.
Have unique passphrases, don’t reuse them.
Password managers can assist in generating unique strong passwords, just ensure.
4 — Engage (People & Suppliers)
Training & awareness: Provide regular cyber and privacy training for staff and volunteers.
Third-party / vendor management: Review suppliers and cloud providers for their security controls.
Often this takes the form of ISO 27001 certification; additionally, a supplier may also provide a SOC 2 Type 2 report (an audit document; if deviations are noted, ask the supplier what is being done about them).
5 — Detect, Respond & Recover
Incident response plan (IRP): Maintain a simple IRP with roles, contacts, and communication plans.
Reporting & legal requirements: Know your OAIC (Office of the Australian Information Commissioner) notification and ACNC reporting obligations.
Log & monitoring basics: Enable and review system audit logs.
Restore testing: Test restores from backups regularly.
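"Enable and review system audit logs" is only useful if someone actually looks at them for the few patterns that matter. The script below is an added example (not from the ACNC toolkit or from Defensv) of a minimal review of an authentication log: it counts failed logins per source address, flags sources at or above a threshold, and lists successful logins from addresses that had earlier failures. The log lines are constructed in the syslog format OpenSSH uses on Linux; a real review would read /var/log/auth.log or the journal, and the same idea applies to cloud sign-in logs.

```shell
#!/bin/sh
# Added example (not from the ACNC toolkit or Defensv): a minimal review
# of an authentication log. Counts failed logins per source address,
# flags sources at or above a threshold, and lists successful logins from
# addresses that had earlier failed attempts. The sample lines are
# constructed; addresses are from documentation ranges.
set -eu

# write_sample_log FILE: writes the constructed log lines to FILE.
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 12 09:01:02 office sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Jun 12 09:01:05 office sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51236 ssh2
Jun 12 09:01:09 office sshd[1201]: Failed password for root from 203.0.113.10 port 51240 ssh2
Jun 12 09:15:44 office sshd[1377]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Jun 12 09:40:12 office sshd[1402]: Failed password for alice from 198.51.100.7 port 40031 ssh2
Jun 12 09:40:20 office sshd[1402]: Accepted password for alice from 198.51.100.7 port 40031 ssh2
Jun 12 10:02:33 office sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
EOF
}

# count_failed LOG: total number of failed password attempts.
count_failed() {
    grep -c 'Failed password' "$1"
}

# failed_by_source LOG THRESHOLD: prints "ADDRESS COUNT" for every source
# address with at least THRESHOLD failed attempts, highest count first.
failed_by_source() {
    awk -v min="$2" '
        /Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        END { for (a in n) if (n[a] >= min) print a, n[a] }
    ' "$1" | sort -k2,2nr
}

# successes_after_failures LOG: prints "USER ADDRESS" for each successful
# login from an address that had a failed attempt earlier in the log.
# These are the events worth a closer look during a review.
successes_after_failures() {
    awk '
        /Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i+1)] = 1
        }
        /Accepted (password|publickey)/ {
            user = ""; addr = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i+1)
                if ($i == "from") addr = $(i+1)
            }
            if (addr in failed) print user, addr
        }
    ' "$1"
}

# Demo run over the constructed log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "Failed logins: $(count_failed "$demo_log")"
echo "Sources with 3 or more failures:"
failed_by_source "$demo_log" 3
echo "Successful logins from sources with earlier failures:"
successes_after_failures "$demo_log"
rm -f "$demo_log"
```

On the sample data the review reports four failed logins, one source (203.0.113.10) at the threshold of three, and one successful login (alice from 198.51.100.7) preceded by a failure from the same address. The first two findings are routine noise on any internet-facing system; the third is the one to follow up with the account owner.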
6 — Review & Continuous Improvement
Regular reviews: Review risk assessments and controls annually or after major changes.
Quick-start Checklist
Responsible Person named and recorded
Information asset register created & updated
Risk assessment completed for critical assets
Automatic patching enabled
MFA enforced for cloud/email/admin accounts
Admin privileges restricted
Backups automated, tested, with an offline copy
Endpoint protection installed (antivirus)
Incident Response Plan in place
Cyber training completed within 12 months