
GOVERNANCE TOOLKIT: CYBER SECURITY

Grace Middleton • Apr 18, 2024

Protecting your charity from cyber attacks

The ACNC has published guidance that defines cyber security, outlines your charity's legal obligations, and explains how to manage the risk of cyber attacks.


Creating an information asset register can help your charity identify the information assets it holds and assess their importance to your charity's operation.


Identify

An information asset register can help you identify:

  • the types of information assets your charity has
  • valuable information assets that need to be prioritised
  • where the information assets are stored or held
  • assets that pose significant risk
  • who has access to assets, and which people and positions are responsible for particular information assets.


Assess

An information asset register can also focus your charity’s attention on:

  • the relative value or importance of each of the assets to your charity's operation
  • the impact of a cyber incident on the assets, and on business continuity.

You can use the information asset register to focus your charity’s attention and resources on protecting its information assets.


A register can help clarify how your charity protects assets, as well as help you conduct a risk assessment for your charity that:

  • identifies risks
  • considers potential incidents
  • analyses the likelihood and effect of an incident
  • explores ways to manage risks or respond to incidents.


Prevent

There are many practical things your charity can do to mitigate risks and prevent incidents.

  • Ensure software and operating systems are updated regularly: Regular updates will fix known security vulnerabilities in software.
  • Limit access: Only allow staff and volunteers to access the information they need for their roles.
  • Use multi-factor authentication: Multi-factor authentication requires users to enter more than just a password when they log in to your charity's systems.
  • Protect devices: Use antivirus software to protect all devices. Modern antivirus software can find, contain and remove viruses.
  • Protect networks: Use firewalls for your charity’s network. This is software that can prevent unauthorised access to a network, and unauthorised use of the network by your charity’s staff and volunteers.
  • Use only authorised resources: Only allow approved applications on your charity's computers and phones, and block access to inappropriate websites and downloads.
  • Use passwords effectively:
  • Make backups: Ensure your charity has scheduled regular automatic backups for its important information.


Engage

It is a good idea for your charity’s staff and volunteers to have at least basic training in cyber security and data privacy.

The training, at a minimum, should cover common cyber security risks and their mitigations, and outline the ways to collect and handle personal information securely.


Take Action

Your charity should have a plan for responding to cyber security issues and data breaches.

  • Identify and contain: Understand what is happening and, if possible, take steps to prevent other systems, devices or data from being affected.
  • Investigate: Find out the nature of the issue, which devices and systems are affected, and what the risks might be.
  • Assess the risks and respond: Work out what harm has been done, the effects of the harm, and what could go wrong from here.
  • Act and notify: Decide on the priorities for protecting individuals and organisations from further harm. In the case of a data breach, follow the OAIC notification guidelines to inform the regulator and other parties if required.
  • Review: Look over your charity’s policies, procedures and systems to identify any changes that would reduce the likelihood and consequences of similar issues occurring again, and then implement these changes.


For more information, refer to: https://www.acnc.gov.au/for-charities/manage-your-charity/governance-hub/governance-toolkit/governance-toolkit-cyber-security
