Sample Congregational Data Security Policy
Revised January 14, 2011
Information Security PolicyPurposeCongregation Name
(referred to as "this congregation") seeks to promote the highest standards of privacy and safety for the information and data which it uses in its work of ministry. All confidential information must be protected from disclosure to unauthorized persons. Additional persons may be given access to confidential information only when a demonstrable need to know exists, and when such a disclosure has been expressly approved by the appropriate congregation leadership. This congregation’s policy is to keep such information secure. General Standards
Exceptional care must be taken to control confidential information. Failure by staff to comply and control information as defined by this policy may result in corrective disciplinary actions in accordance with personnel policies of this congregation. Members and volunteers should take equal care to comply with this policy. Confidential Information Defined
Confidential data is defined as any information which, if lost, stolen or inappropriately released (without the proper authorization) could do harm to this congregation, its members, staff or to other parties working with this congregation. Such information includes, but is not limited to the following:
Managing Risk Information risk management
- Members’ personal identity information (PII) -- names, home and e-mail addresses, telephone numbers, birthdates, Social Security numbers and bank account information (i.e., accounts and routing numbers); and
- Congregation’s personal identity information -- bank account and routing numbers, lists of members, donors and grants, detailed accounting information, confidential memos concerning counseling sessions, staff information and any other documents which would in any way harm, embarrass or negatively impact this congregation or its members.
consists of three components: a risk assessment
, risk reduction
, and ongoing risk monitoring
. This congregation should be familiar with and practice these processes accordingly, as determined by the sensitivity of the information. Risk Assessment Process
The purpose of conducting an informational risk assessment is to identify risk exposures and implement appropriate, cost-effective, and protective measures to lower risk to an acceptable level. When used appropriately, a risk assessment is a very effective management tool.
A simple risk assessment would consist of documenting the following:
- The documentation this congregation has in its possession;
- The risks perceived for this documentation. Examples of perceived risk would include private or confidential information such as:
- personal identity information (PII) as defined above;
- this congregation’s confidential financial information;
- information that, if released, would be embarrassing to an individual or group of individuals (i.e. the pastor’s discretionary fund, special fund for the unemployed, individual giving data);
- information that, if released, would be embarrassing to this congregation as a whole (i.e., a church debt or financial crisis);
- information that, if released, would hamper or damage this congregation’s strategic goals (purchase of new site, expansion plans which have not been made public);
- staff private information;
- member and volunteer private information, including background checks; and
- information that is legally restricted or sensitive, such as legal claims, health information on individuals, etc.
- After identifying the documentation and evaluating the risk to each, this congregation should take the steps necessary to ensure such information is safeguarded (i.e., access and password controls to systems data and lock file cabinets for paper documentation).
Risk reduction is the mitigation of risk exposure to an acceptable level. This requires the identification, analysis, selection approval and implementation of cost-effective protective measures. Risk reduction should be undertaken when this congregation determines that an unacceptable level of risk exists for the information assets under their control, based on the risk assessment outlined above. Examples of risk reduction measures include:
- All software programs and data files need to be password protected and each employee needs to have a unique password.
- All security software should be current and any updates installed as soon as they are received.
- Access should be restricted commensurate with job responsibilities.
- All software and data files should be backed up on a regular basis and backups should be kept off-site.
- All computers should have virus software installed and running.
- There should be a current computer and Internet use policy spelling out this congregation’s position on the personal use of the computer and, if allowed, what type of websites are strictly forbidden.
- All confidential paper documentation should be kept under lock and key when not being worked on.
- When no longer needed, paper documentation containing confidential information should be shredded or stored in a secured archive location.
- It is this congregation’s policy that all information containing personal identity information or other confidential information should not be downloaded to any portable media devices (i.e., laptops, flash sticks, CDs) without the pastor’s written consent. Further, it is this congregation’s policy that personal identity information or other confidential information should not be e-mailed to anyone without prior written authorization.
Risk monitoring is an ongoing activity used to ensure the continued effectiveness of information’s protective measures. This includes determining when sufficient changes have occurred to the information’s risk exposure to require that another risk assessment be performed for the affected information. Risk monitoring is a continuous process that should be performed (usually on an annual basis) by this congregation. It may be useful to assign risk monitoring responsibility to an individual or a congregation council committee.Additional Resources:
Computer and Internet Safety
Computer and Internet Policy
Administration Matters March 2011