Community IT Innovators Nonprofit Technology Topics

Making IT Governance Work for Your Nonprofit pt 1

May 17, 2024 Community IT Innovators Season 5 Episode 19

Pt 1 covers policy definitions and priority policies, a process to create or revise your policies, and 2 polls. Pt 2 covers implementation, overcoming barriers to this project, and Q&A.

For templates: Free Resources for Building IT Policies at Nonprofits has a ton of links for you.

Community IT Senior Consultant Nura Aboki and guest Jeff Gibson from Build Consulting took your questions on where to find nonprofit IT policy templates, how to overcome barriers and modify the templates to your organizational needs and strategic goals, and how to get the stakeholders on board and roll out training on the new policies to all staff. 

If you are feeling paralyzed about starting this project to create or revise your policies, this discussion will give you a roadmap on how to move forward. Learn about making IT governance work for your nonprofit.

Is your nonprofit protected?

In our work with clients over the twenty years we have been providing outsourced IT services, Community IT has frequently run into clients with no Acceptable Use Policy at all. In addition to protecting your organization from employee misuse of equipment, IT governance policies are strategic documents that need regular review to stay in alignment with your nonprofit’s goals and tactics.

If your organization has no IT governance documents or they haven’t been updated in a while, this webinar teaches how and where to start creating these vital documents. Our panelists also shared their experiences and successful strategies to roll out these policies to all staff, and gave ideas on updating your training on these policies to be fun and engaging. The key takeaway? Collaborating: the IT department needs to work with other teams to incorporate various needs and insights. 

Your organization’s protection from cyber crime and multiple legal issues rests on your staff understanding and following your IT policies. Don’t get caught without policies you can rely on and refer back to when situations with cyber attacks or disgruntled employees arise.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

Community IT and Build Consulting are proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.


Thanks for listening.



Carolyn Woodard: Welcome, everyone, to the Community IT webinar. This one is Making IT Governance Work for Your Nonprofit. Today we’re going to be addressing some questions that seem fairly simple:

  • What IT policies do you need and what are the best ways to create them?
  • How do you roll them out to staff?
  • Are there barriers that are keeping you from doing this project? 

We know that if creating or updating these policies were simple, we wouldn’t have to have this panel discussion today with our experts. We would already have our policies. 

So if you are feeling paralyzed about starting the project to create or revise your policy, our experts today are going to 

  • take questions on where to find nonprofit IT policy templates, 
  • how to overcome these barriers 
  • and modify the templates to your organizational needs and your strategic goals, 
  • and how to get your stakeholders on board 
  • and roll out training on new policies to all of your staff. 

My name is Carolyn Woodard. I’m the Outreach Director for Community IT and the moderator today. I’m very happy to hear from our guest speakers, Jeff Gibson from Build Consulting and Nura Aboki from Community IT. 

But first, I’m going to go over our learning objectives today.


Learning Objectives

By the end of today, we hope you’ll be able to:

  • Discuss essential IT policy documentation for nonprofits and what should be prioritized.
  • Learn how to create or update these IT governance policies and we’re going to share templates.
  • Learn tactics and strategies to roll out policies to all of your staff and understand barriers to implementing IT governance and how to overcome those barriers. 


Presenters

So now I’d like to turn it over to our panel to introduce themselves. Jeff, would you like to go first and also tell us about Build Consulting?

Jeff Gibson: Absolutely. Hi, I’m Jeff Gibson. I’m with Build Consulting.

I’ve spent about the last 25 years in the nonprofit and private sector, focusing primarily on analytics and implementing those results into an operational model that’s manageable. Trying to take the theory out of things like governance and putting them into practical applications. Build Consulting is a consultancy focused exclusively on nonprofits, and we are highly agnostic to vendors or other partnerships.

We focus on the strategy and the sort of approach to technology, project leadership, change management. We tend to focus on the situation rather than the technology and managing change management from an organizational perspective, and then relating it to the technology itself. 

We have a large variety of consultants with very diverse subject matter expertise, and we can pretty much find someone that has a deeper knowledge base for any problem you might run into.

I’m happy to be here, by the way.

Carolyn Woodard: Oh, I’m so glad you’re here too, Jeff. This is the first time for Jeff on the webinar, but hopefully not the last. Yes, I think we did a webinar with Build a while back, and something struck me that you often say, which is the technology decision should be last. When you’re thinking about the problem you’re trying to solve, there’s a whole bunch of work that comes first before you choose which platform or tool you’re going to go with. And I just love that approach. 

Nura, would you like to introduce yourself?

Nura Aboki: Hi, I’m Nuradeen Aboki, Community IT Consultant. I’ve been at Community IT for about 15 years helping clients with their IT management strategies, IT planning, budgeting, IT road mapping of their network infrastructure, as well as working on developing IT policies for our nonprofit clients. 

Over the past 15 years, I’ve seen quite an evolution in the management of IT infrastructure from on-premises to the cloud. So I’m really excited here to talk about governance, IT governance in general, and how it’s been quite interesting watching our clients over the past 15 years.

Carolyn Woodard: Yes, I feel like we’ve said for maybe a couple of years now that we should do a webinar on governance, because we always say governance is so important. And those policies are the bedrock of what you’re going to do with IT. But I’m really happy that we’re finally doing it.

Before we begin, if you’re not familiar with Community IT, I’m going to tell you a little bit about us. We are a 100% employee-owned managed services provider. We provide outsourced IT support exclusively to nonprofit organizations.

And our mission is to help nonprofits accomplish their missions through the effective use of technology. We are big fans of what well-managed IT can do for your nonprofit. We serve nonprofits across the United States.

We’ve been doing this for over 20 years. And we are technology experts who are consistently given the MSP 501 recognition for being a top MSP. And that’s an honor we received again in 2023.

I want to remind everyone, for these presentations Community IT is vendor agnostic. So we only make recommendations to our clients and only based on their specific business needs. We never try to get a client into a product because we get an incentive or benefit from that. But we do consider ourselves a best of breed IT provider. It’s our job to know the landscape, the tools that are available, reputable and widely used, and we make recommendations on that basis for our clients based on their business needs, priorities and budget.


Poll 1: Does Your Organization Have an Acceptable Use Policy?

And now we would like to go on to our first poll. 

Does your organization have an acceptable use policy?

And the options to answer are:

  1. Yes, and we know how to use it.
  2. Yes, but we don’t really use it. 
  3. Not sure. 
  4. Not applicable or other.


So we know we have lots of different people on the presentation from different types of nonprofits, large ones, small ones. 

Nura, can you see the answer?

Nura Aboki: Yes, about 38% said they have it, but they don’t really use it. And about, let’s say, 23% said, not yet. So there seem to be organizations that wanted to start.

Some are not sure. Then followed by the ones that have it, and we know how to use it, which is quite impressive. Eight people responded to that. And then lastly, one person said it’s not applicable or other.

Carolyn Woodard: Thank you, everyone, for sharing that with us. There’s no shame, right? You’re in the right place.

If you don’t have one or you’re not sure, that’s what this webinar is about.


Essential IT Policies at Nonprofits

So our first topic is to explain what are the essential IT policy documents nonprofits need to have? And why? What are the priorities if you have to start with one before the other?

Want to skip right to our blog post of free resources on free templates and frameworks for creating IT Policies for nonprofits?

So Jeff, would you like to weigh in on some of these policies?

Jeff Gibson: Absolutely. The biggest ones are the obvious ones, disaster recovery and data retention. Those are becoming obvious, but there may be something in particular to your type of organization that you have to prioritize other things.

AI also, depending on the usage internally, could be promoted to the top of that list depending on what your situation is.

Data retention probably is the newest leader in that game because of the lowered cost of lower point of entry for AI tools and malicious actors. Data repositories tend to make a pretty big target for a malicious actor, but it is particularly your organization. But the obvious ones, I think, are data security and the overall organizational disaster recovery.

Carolyn Woodard: Nura, I know we often say that an acceptable use policy that we just asked about is one of the bedrock policies that you should have. Can you talk a little bit about what that is for anyone who doesn’t know?

Nura Aboki: Yeah, it is the foundation of most IT organizations’ IT policy. Acceptable use is their foundation policy, a basic policy that governs what staff is allowed to do and not allowed to do with their devices and software. And it usually defines the use of equipment, computing services and lays out security expectations. 

Organizations are thinking of IT policy, thinking it may be challenging or they don’t have resources. 

One quick one to actually roll out, and there are several templates out there. I know resources can be shared during this webinar for the acceptable use policy. It’s one way to start because that’s the policy that impacts the staff most immediately. 

If you provide devices to them, then they need to know what to do with those devices. The applications that they use at work, they need to know the applications for productivity and if there’s any room for other applications, or maybe it’s quite strict and there’s no room to use any other application.

That is the one that we call the bedrock, it’s definitely foundational for all organizations. Along with that, there is BYOD or Bring Your Own Device. Some organizations allow for staff to bring their own device to work and having a policy around the use of that BYOD device and applications can go alongside with the acceptable use policy.


Process to Create or Update IT Governance Policies at Nonprofits

Carolyn Woodard: I want to move on to the process. 

We just published a blog post about a bunch of different types of policies and links to some templates that you can use, including some that are on our site and examples. That website address is communityit.com/governance.

But once you know that you need an acceptable use policy, for example, or disaster recovery policy or data retention policy, what’s the process? 

How do you identify the stakeholders and make them part of the process? Is your policy strategic? Is it tactical? And how do you create an implementation plan? And if you already have a policy, are there different steps that you might take?

I’m going to turn it over to you, Jeff. Do you want to talk a little bit about being successful at a process to develop or revise your policies?


Identify Stakeholders and Get Buy-In

Jeff Gibson: The easy identification would be any group that holds, uses or retains data. Whether that’s end user data, customer data, constituent data, those folks have to have a meaningful bit of input into how data is stored and accessed and what data they need to have access to and what data can be manipulated.

They also need to, if possible, get buy-in and sign-off on your draft policies, especially the data retention policies. 

One that gets forgotten a lot is data sharing policies. What do different departments share with outside vendors that frequently gets lost in the shuffle?

And really, an organization that does share a fair amount of user data, constituent data for outside vendor analytics or whatever, they really need to craft at least a policy for the vendor to sign once they’ve been thoroughly vetted on data destruction, data sharing with their particular partners, etc. That one gets missed a lot, but it’s critical because once that data leaves your organization, you have no control over what occurs with it. 

I saw in some of the questions that came in before the webinar question how to get buy-in.

Of course, getting buy-in from leadership is one of the toughest things to do and getting leadership to prioritize your ever-shrinking timeframes to actually craft these policies. One trick I’ve used in the past is through risk analysis, putting it into terms non-technical leadership will understand, GDPR (General Data Protection Regulation) is a great example. The first fine associated with GDPR violation could be as much as $40,000, and most organizations can’t take that hit.

And those are per-incident fines. So, framing it like that rather than giving a technical explanation, or here’s the risk to the organization, here’s the financial risk, here’s the risk to our continued operations. Those are good ways to get buy-in.

And then once you do garner that buy-in, or even if it’s partial, always encourage the leadership to be consistent and persistent in their messaging to the larger staff.

Three months into this project, they’re going to need that refresher like, hey, VP X is very into this and we have to do this for the security of the organization. So we need you to prioritize this within your own department, your own team, or within your own timeline.

It’s never easy, but again, frame it in a way that non-technical folks will understand.

Carolyn Woodard: That’s great advice. 


Form the Policy Team

Nura, can you talk a little bit more about forming that team? Do you always need to have someone from the executive team as part of the leadership driving the process forward to create the policy or revise it?

Nura Aboki: Yeah, I think it’s important to have an executive in terms of stakeholders, management team, executive team, and also the board. If you have a board, you could have an executive or governance committee in the board, and that governance committee could have influence to effectively convince the executive team to work on this, making it a priority. 

So I like Jeff’s tactics and approach with using the risk analysis to get buy-in. As well as getting stakeholders from across the organization so you can have a spectrum of perspective. You want your policy to be as holistic as possible.

Taking a few steps back, more and more we have seen the need arising from cyber liability insurance applications. If you want to get coverage, you have to have certain policies in place.

More importantly for non-profit organizations, some funders require certain IT policies and IT governance policies to be in place. Those are key drivers of convincing the executive team to actually create the time to make this a priority.

Carolyn Woodard: Thank you so much for that. 


Strategy Vs Tactics – IT Policies

I want to get into strategic or tactical policies and if that impacts who needs to be involved leading the process. So I suppose a more tactical policy might be some of the things you were talking about, Jeff, around the vendor, like you needing to interact with the vendor in a certain way.

So having to have a policy around that versus perhaps the acceptable use policy is a more strategic high level. This is kind of a blanket policy of how we’re going to go forward. Jeff, do you have some more ideas on a process when it is a tactical policy need of how to get those stakeholders engaged?

It might be per vendor or per platform. Is that true?

Jeff Gibson: Yeah, part of it. I would almost argue that every policy needs to be tactical in some respect, because one thing that does get short shrift is we made this policy. It’s beautiful. We already signed off on it. It was a lot of work, but we’re all happy we got it done and then it becomes shelfware. 

How do we implement these policies? The users who need to execute or escalate on a policy infringement, what do they do next? What are their next steps? 

I ran operations for the last 20 years and you’d be surprised no matter how much we craft the DR (Disaster Recovery) policy, the actual execution, the first three-hour execution, that’s critical to the success or failure of your plan. But a lot of folks don’t get trained on it even within IT organizations. 

With something like GDPR, you have 72 hours to resolve the issue. If the person in your development department doesn’t know anything about GDPR or our process, that could be a problem. 

The strategic stuff can be prioritized based on the strategic plan of the organization and you can weight things within your prioritization process for projects, et cetera. But on the tactical front, especially things like COVID, things like changes in legislation, CCPA or the California Privacy Act, those have forced a lot of these things to be of greater import. Formerly back burner, relatively safe back burner policy issues are now at the forefront because of right to be forgotten laws across the globe.

Turning it into tactical, with leadership, you have to have that conversation that tactical resources need to be applied to this and Project X is now suddenly very important because of state, local, federal compliance issues or a new compliance issue related to our industry or our space. 

Therefore, explaining to leadership, not only here’s why we have that buy-in, here are the urgent issues, but then also what’s not going to be done. And then managing those expectations that there are. Again, every organization I’ve ever been in, especially in the nonprofit space, is just taxed for time and resources.

There’s a finite amount of work in the week if you want to keep your staff. Strategically measuring tactical problems is more of an art than a science, but there are some tools to help you do that.

Carolyn Woodard: Thank you. 


Updating IT Governance Policies Vs Starting From Scratch

I want to get back to this question also that some places may already have a policy, but it’s really outdated. Maybe they haven’t updated it since people were working remotely or since everything was in the cloud or since the advent of AI.

Is it easier, Nura, to update an existing policy or do you recommend that they just start over, start from scratch? What’s better?

Nura Aboki: Well, a review of the existing policy might be easier, given that they have somewhere to start. But, there are several templates out there. So even if you don’t have one, you can reach out to partners, vendors, to get samples of templates that you can work with.

But if you have an existing policy, you will need to determine whether a change is required in your organization. This is where the assessment comes into play. If you have an assessment done, you may notice transformation in technology has happened and where your outdated policies need to change.

So it needs to be reworded to cover the new technologies that you’re currently using, or even some regulatory requirements that have come about, given the changes that the world or your environment has gone through, your organization needs. 

Then there’s another question about this. When you’re updating this IT policy, you really want to also focus on the communication.

How are you going to make sure you communicate the changes to the policies to all your employees and provide necessary training to them? And then periodically, you need to have a way to regularly check for any compliance with the policy and address any issues or violations that may come about.

Carolyn Woodard: That’s right. One of the reasons you have a policy is so if an employee does something that’s against what the policy says, you have some standing there. 


Can IT Policies Build In Some Flexibility?

How do you create IT policies that allow for flexibility as IT continues to rapidly evolve, especially as Gen Z is joining the workforce?

I have a quick little anecdote on that. I was at a conference and a bunch of people my age were sitting around saying, oh, we don’t need an AI policy because we’ve just told people they can’t use it. And I asked, are you never going to hire anyone ever again? Because I guarantee every 20-year-old coming in to work at your organization will be using AI for practically everything.

So do you have advice, Nura or Jeff, on making policies that can be flexible? Is it just a matter of revising them often enough?

Jeff Gibson: I think it simply comes down to that. It’s not very clever, but literally putting time on a yearly or bi-yearly basis or quarterly, depending on how rampant change is in your organization. But yeah, something like AI is the perfect example.

If you have a timed quarterly or bi-annually review of certain documents, that’s the best way to just block off that time. I’m talking at a very logistical level here, but with the hustle bustle of every day and ever-shifting priorities, knowing that there’s a time where these five stakeholders get together and say, has anything changed since our last meeting? And documenting those changes.

Nura talked about it a little bit earlier. I started life as a tech writer. Having a section at the tail end of a document with significant changes, version controls, revisions in the document just to archive those changes. And then also making sure that maybe new groups need to be involved, if you have a new department that’s utilizing something like AI.

And then the other thing from the IT leadership perspective is you have to have an awareness. You have to have an awareness of everything new going on and imagining ways in which departments you don’t oversee could potentially be backdooring things like AI tools into the environment.

And also not just your policies, but updating your trainings as well and maybe calling new training. If you’re on a schedule of yearly IT training that gives everybody 15 minutes and they have to take a CBT or something, that’s one thing. But specialized, focused training on emerging trends or changes to the workspace that you exist in, you have to have that in your tool bag and don’t be afraid to have a training specifically associated with a significant change in the workplace.

Carolyn Woodard: That makes sense. I think that’s another way to get people’s attention. If there’s something new and exciting like AI, you can invite them to a meeting about it and then work in the policy as well. Here’s what our rules are going to be and here’s how you can help contribute, etc.