Writing a Nonprofit Acceptable Use Policy (AUP): A Quick How-To

Many nonprofits understand the risk that third-party actors pose to their organization and take the necessary steps to maintain the integrity of their network. However, not every organization has recognized that its staff and volunteers actually represent just as much of a risk to data and network security.

According to a study conducted by the Ponemon Institute, cybersecurity incidents caused by an individual with legitimate access to a company’s tech assets (referred to as “insider threats”) have skyrocketed by nearly 50% since 2018.

Unfortunately, waiting until there’s an issue can not only be costly but can also do irreparable damage to the organization’s reputation.

This is why one of the most essential nonprofit technology policies is an acceptable use policy (AUP). Read on to learn the ABCs of an AUP.

What Is an Acceptable Use Policy (AUP) for Nonprofits and Why Do I Need One?

An AUP for nonprofits is a document that explicitly states the rules staff and volunteers must follow while using technology to perform work for the organization. This includes both software and hardware provided by the nonprofit as well as personal mobile devices and apps used by staff and volunteers for nonprofit operations.

An AUP clearly outlines how staff and volunteers should and shouldn’t use technology such as the internal network, computers and laptops, mobile devices, software, and the internet.

As mentioned above, one of the biggest reasons to consider implementing an AUP is the ability of staff and volunteers to either intentionally or inadvertently compromise the security of your organization.

An acceptable use policy allows you to communicate to nonprofit staff and volunteers their responsibilities and rights as well as the organization's expectations of them in regards to their use of technology. It also helps educate staff and volunteers on how to identify potential threats and vulnerabilities so they can keep both the nonprofit and themselves safe from cybercriminals.

5 Essential Elements of an Acceptable Use Policy for Nonprofits

As with most nonprofit technology policies, an acceptable use policy for nonprofits includes descriptions of which technologies the guidelines do and don’t pertain to, a list of individuals who are required to abide by the policy, and an explanation of consequences for failure to follow the protocol.

Here is a more thorough breakdown of each of the five essential elements of an AUP:

1. Policy Brief and Purpose

This is the introduction to your policy and consists of a concise summary of the policy and its purpose, including what issues it is intended to prevent and the situations in which it is pertinent.

Example: “[Nonprofit Name]’s acceptable use policy (AUP) outlines the expectations for how staff and volunteers are to use technology when performing work for the organization. The purpose of this policy is to ensure all parties understand their responsibilities with respect to technology use and to protect both the organization as well as staff and volunteers from unnecessary risk.”

2. Policy Scope

In this section, you will specify the individuals to whom the policy applies. This could be any combination of the following: full-time staff members, part-time staff members, contractors, volunteers, interns, and board members. You will also outline the technologies and devices the policy does and does not cover.

Example: “All individuals, both paid and volunteer, who perform work for [Nonprofit Name] are required to abide by the rules and restrictions in this document when using any of the following in the context of the organization’s operations: desktop computers, laptops, mobile devices, software, email, any internal network, and the internet.”

3. Security Guidelines

This section describes the general rules staff and volunteers must follow in regards to user behavior. For instance, adhering to password security best practices and opting into multi-factor authentication.

Example: “All individuals, both paid and volunteer, are required to update passwords every 90 days and may not reuse a previous password. Passwords may not be shared, and any vendor-supplied default passwords should never be used.”

(Note: you have the option to simply use this section as a reference to additional guidelines, such as a bring-your-own-device policy or an email use policy. This allows you to go into greater detail about expectations.)

4. Unacceptable Use

This is essentially a list of activities that are expressly forbidden and is the “meat and potatoes” of a nonprofit acceptable use policy. This section will likely be updated the most often as you encounter new situations you need to address.

Example: “The following activities are strictly prohibited: bypassing user authentication or security procedures; utilizing organization-provided technology for personal commercial use; accessing organization data for purposes not related to work duties; disrupting network communication.”

(Note: The above example is certainly not exhaustive; use your best judgment to generate your initial list and then update as needed.)

5. Implementation and Penalties

Explain how the policy will be enforced as well as the repercussions and consequences for noncompliance. Clarify that some activities will receive warnings and others can result in termination of the relationship with the organization.

Example: “[Nonprofit Name] reserves the right to monitor and audit technology use to ensure proper protocol is being followed. If an individual is found to be in violation of the policy, the severity of the infraction will determine next steps. Gross negligence or deliberate noncompliance will result in removal from office or immediate termination.”

Expert Tips for Drafting a Nonprofit Acceptable Use Policy

Keeping the following in mind as you develop your AUP will help make the policy even better:

• Provide staff and volunteers with clear reasons why it’s in their best interest to adhere to the policy rather than just telling them it’s required.

• Ensure the AUP protects the nonprofit without impeding a staff member’s or volunteer’s ability to perform their duties.

• Avoid unnecessarily specific terms. For example, use broader language like “mobile devices” instead of “iPhones and iPads”.

• Don’t attempt to address every hypothetical event or threat. Focus only on the risks staff and volunteers are most likely to encounter.

• Regularly review and update the AUP to guarantee all current technology and risks are addressed and no obsolete technology is referenced.

• Record all revisions/updates made to the AUP along with the date(s) on which the change was made.

With a well-organized and easy-to-understand acceptable use policy for nonprofits, you can considerably reduce your organization’s risk of cyberattacks, data breaches, and compliance violations by reducing opportunities for staff or volunteers to compromise your nonprofit’s security.

Along with adopting a detailed AUP, take the time to evaluate your technology investments to make sure your organization is utilizing secure solutions. For example, AffiniPay for Associations exceeds standards for internet security and PCI Level 1 compliance—the highest level available. Our technology features advanced data encryption and robust cybersecurity safeguards to ensure sensitive information is always protected.

To learn more about our secure online payment processing, give us a shout! One of our Certified Payments Professionals will be more than happy to help.