Governance Guidelines

IT Governance Standard

Contents

  1. Introduction
  2. Scope
  3. Key Roles and Responsibilities
  4. Hardware Asset Management
  5. Account Management
  6. Data management
  7. Security
  8. Exceptions

1. Introduction

1.1 Purpose

The IT Governance Standard outlines the principles, policies, and procedures for managing technology within the organisation to ensure efficient, secure, and compliant use of IT resources. This document provides guidance on roles, responsibilities, and standards for IT decision-making, risk management, and asset management, ensuring that our technology infrastructure aligns with our values and goals. By adopting this governance framework, we aim to protect our assets, mitigate risks, and optimize the value derived from our technology investments.

2. Scope

2.1 Validity

The IT Governance standard should be reviewed and approved annually to ensure its relevance and applicability to the organisation’s current needs.

2.2 IT Assets

The IT Governance standard should provide the necessary guidance on the utilisation and management of all IT assets purchased or subscribed to by the organisation. IT assets include hardware (computers, servers), software (operating systems, applications), network infrastructure, data storage, and cloud services. Examples of IT assets include:

  1. Hardware: Desktops, Laptops, Printers, Projectors, Network equipment
  2. Software: Operating systems, applications (Microsoft Office)
  3. Data: Organisational and Department Meeting minutes, Department documents, Member and Volunteer records, Forms, Memorandums and Agreements
  4. Services: Google Workspace (G Suite), Software-as-a-Service (SaaS) subscriptions (Spotify, Libby)

2.3 Users

The scope of this document should include the following users:

  1. Organisation staff, including pastors, administrative staff, department staff, interns and part-time staff
  2. Volunteer leaders who hold accounts and lead ministries that use IT equipment and IT services purchased or subscribed to by the organisation
  3. Volunteers who use IT equipment and IT services purchased or subscribed to by the organisation

3. Key Roles and Responsibilities

4. Hardware Asset Management

  1. Hardware should be properly maintained to the best of the organisation’s ability.
  2. Hardware should be stored in proper locations in accordance with manufacturers’ recommendations and returned to the storage location after each use.
  3. Hardware should be inspected regularly for any signs of damage, wear and tear, or other issues that may affect its functionality. Upon discovery of such issues, they should be reported to Department leaders.
  4. Hardware should be disposed of properly according to the manufacturer’s recommendations.

5. Account Management

  1. Accounts should be created with manager or Executive Director approval.
  2. Accounts should be assigned to individuals for responsibility and ownership
  3. Accounts should be reviewed annually and updated as necessary, including adding new accounts for new staff members and removing accounts for departing staff members.

6. Data Management

  1. Organisational data should be backed up regularly to prevent loss of organisational knowledge.
  2. Organisational data should be stored in organisation-owned locations for data residency.
  3. When sharing organisational data, share it directly with the person who needs it. Avoid sharing via publicly accessible links where possible.
  4. Storage of personally identifiable information (PII) should be flagged to the Data Protection Officer for review of the organisation’s data protection obligations. Such data should be automatically classified as Confidential.
  5. Once access is no longer required, members and volunteers should relinquish access to sensitive data and PII where possible to reduce exposure.
  6. Organisational data that is actively being shared should be reviewed annually and updated to remove volunteers who are no longer relevant.
  7. Data Classification and Security
    1. Confidential Data refers to data that should not be shared with non-members or with members who are not directly involved, e.g. organisational financial data, personal data from camp registrations.
    2. Private and Confidential Data refers to data that should not be shared with anyone other than those who are directly involved, e.g. HR data.
  8. Stored data should follow the following data retention guidelines:
    1. Archived copies of the following data should be backed up and retained by the organisation with public/remote access removed for up to 7 years for audit reasons if required.
    2. Individually stored personal data should not be stored for more than 1 year from the completion of the event. e.g. if you have received personal data over WhatsApp or personal email for convenience, the messages/emails should be deleted.
    3. Financial data should not be stored for more than 2 years from the completion of the purchase
    4. Event photographers may retain photos taken by them indefinitely as part of their portfolio. After completion of the event a copy should be passed to the organisation for storage/retention. Sharing with other volunteers should be removed 1 year from the completion of the event.
  9. Release of data to organisation members or external parties
    1. Release of confidential or private data requires the approval of the Data Protection Officer. Data should be redacted or masked for compliance with the Personal Data Protection Act.
    2. Purpose of the data request and rationale for release of the data should be explicit and included in the request for release
    3. Data release requests should be tracked and documented for audit purposes.
    4. The release of large datasets should require additional approval by the governing board, due to the increased risk from cross-referencing large sets of data. The criteria for what counts as a large dataset should be at the discretion of the Data Protection Officer, because each organisation and its data are unique.

7. Security

  1. If you suspect your account has been hacked, inform the Executive Director immediately.
  2. Passwords should not be shared with anyone.
  3. If it is absolutely necessary for someone else to use your account, e.g. for IT support or troubleshooting, you should be the one to type in the password. After the issue has been resolved, your password should be changed immediately.
  4. Passwords should follow the following recommended complexity guidelines:
    1. At least 10 Characters long
    2. Contain a mix of uppercase characters, lowercase characters, numbers and special characters
    3. As far as possible, passphrases should be used, e.g. 3LongRedCars!, 5BlackCrowsOutside?, Romans12:1Therefore
    4. Password complexity can be checked using online tools such as the CSA Password Checker or HaveIBeenPwned. These should only be used as an estimate of what a secure password should be.
  5. Never enter your username and password into suspicious websites.
  6. Do not open any suspicious links, files or attachments that are sent to you; if you are unsure, type in the URL yourself. Example: apple.com
  7. Endpoint protection software should be installed on the device where possible, e.g. Windows Defender.
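As an added example (not part of this governance standard), the following Python checks a password against the complexity rules in 7.4 and shows how the HaveIBeenPwned Pwned Passwords range API is consulted without disclosing the password: only the first five characters of its SHA-1 hash are sent, and the remaining suffix is matched locally against the returned list. The range-API response embedded below is constructed sample data, not a live lookup, and "password" is a constructed weak input.

```python
import hashlib
import re
MIN_LENGTH = 10  # section 7.4: at least 10 characters

def check_complexity(password: str) -> list[str]:
    """Return the 7.4 rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    return failures

def hibp_range_query(password: str) -> tuple[str, str]:
    """Split the password's SHA-1 into the 5-character prefix that is sent to
    https://api.pwnedpasswords.com/range/<prefix> and the 35-character suffix
    that never leaves the machine (the API's k-anonymity scheme)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, range_response: str) -> int:
    """Match the local suffix against the 'SUFFIX:COUNT' lines the range API
    returns for the prefix; 0 means the password was not in any known breach."""
    _, suffix = hibp_range_query(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0

# Constructed sample of a range-API body for prefix 5BAA6 (the SHA-1 prefix of
# the well-known weak password "password"); the other two lines are made up.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0E5A3B5C0F83B8ED9D7F6B9A4C1D2E3F4:1
"""

if __name__ == "__main__":
    for pw in ("password", "3LongRedCars!"):
        print(pw, check_complexity(pw) or "meets 7.4", breach_count(pw, SAMPLE_RANGE_RESPONSE))
```

A real check would fetch the range body for the prefix over HTTPS and pass it to `breach_count`; a non-zero count means the password should be rejected regardless of its complexity score.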

8. Exceptions

8.1 Deviations

To ensure compliance with our security standard, any deviation requests must be formally approved by the governing board. Deviation requests should be in writing and include the following information:

Approved deviations will have a maximum validity period of 12 months from approval date. Renewal or extension requires resubmission to the governing board before expiration.