# Charity Cybersecurity Posture Checklist

> A 30-item, plain-English self-assessment for a Canadian charity with no dedicated security headcount. Identity, email, backup, vendor, governance — covered in an afternoon.

**Published:** 2026-05-16
**Categories:** compliance, charities

*This resource is gated behind an email opt-in on the HTML page. The PDF (RedactLabs-Charity-Cybersecurity-Posture-Checklist.pdf) is delivered via a Resend email with a 72-hour HMAC-signed download link.*
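The delivery mechanism above (a download link that is HMAC-signed and expires after 72 hours) is a pattern worth seeing end to end. The block below is an added example written for this page, not RedactLabs' own delivery code: the signing secret, the token format (`base64url(filename|expiry)` followed by `base64url(HMAC-SHA256)`) and the host in the URL are assumptions for illustration. Sending the mail through Resend is out of scope; the example only mints and verifies the token that would go in that mail.

```python
import base64
import binascii
import hashlib
import hmac
import time
from typing import Optional

# Assumptions for this example: a real deployment loads the secret from its
# secrets store and may use a different host and token layout.
SECRET = b"example-signing-key-rotate-me"    # hypothetical key, not the site's
PDF_NAME = "RedactLabs-Charity-Cybersecurity-Posture-Checklist.pdf"
TTL_SECONDS = 72 * 3600                     # the 72-hour window the page describes
ALLOWED_FILES = {PDF_NAME}                  # tokens are bound to a known file
BASE_URL = "https://example.invalid/downloads/"   # hypothetical host


def b64u(raw: bytes) -> str:
    """base64url without padding, safe to embed in a URL path."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac_for(payload: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def sign_download(filename: str, secret: bytes = SECRET,
                  now: Optional[float] = None, ttl: int = TTL_SECONDS) -> str:
    """Mint a token whose expiry is covered by the MAC, so it cannot be extended."""
    if filename not in ALLOWED_FILES:
        raise ValueError("refusing to sign a link for an unknown file")
    issued = time.time() if now is None else now
    payload = f"{filename}|{int(issued) + ttl}".encode()
    return f"{b64u(payload)}.{b64u(mac_for(payload, secret))}"


def verify_download(token: str, secret: bytes = SECRET,
                    now: Optional[float] = None) -> Optional[str]:
    """Return the filename if the token is authentic and unexpired, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = b64u_decode(payload_b64)
        presented = b64u_decode(mac_b64)
    except (ValueError, binascii.Error):
        return None
    # Check the MAC first, in constant time, before trusting any field inside.
    if not hmac.compare_digest(presented, mac_for(payload, secret)):
        return None
    filename, _, expiry_text = payload.decode("utf-8", errors="replace").rpartition("|")
    if not expiry_text.isdigit():
        return None
    current = time.time() if now is None else now
    if current > int(expiry_text):
        return None                          # expired: the 72 hours have passed
    if filename not in ALLOWED_FILES:
        return None                          # authentic but for a file we do not serve
    return filename


def download_url(filename: str, **kwargs) -> str:
    """The link that would be placed in the opt-in confirmation email."""
    return BASE_URL + sign_download(filename, **kwargs)


if __name__ == "__main__":
    url = download_url(PDF_NAME)
    print(url)
    print(verify_download(url.removeprefix(BASE_URL)))   # the PDF name
```

Three points carry the security value: the expiry is inside the signed payload, so a recipient cannot edit the timestamp to keep the link alive; `hmac.compare_digest` keeps the comparison constant-time; and the MAC is verified before any field of the payload is parsed or used to pick a file, so a forged token never reaches the filesystem.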

---

## What's inside

A 30-item checklist organized by axis. Each item is yes / no / not-applicable plus a one-line "why it matters" so a board member who hasn't done this before can score it cold.

- **Identity (8 items).** MFA coverage, password hygiene, offboarding sequence, shared-account audit.
- **Email & messaging (6 items).** SPF/DKIM/DMARC, suspicious-message reporting, executive impersonation defense.
- **Endpoints (4 items).** Operating-system updates, basic EDR, full-disk encryption, mobile-device baseline.
- **Backups (5 items).** Backup frequency, an off-site copy, restores actually tested, and a copy ransomware cannot reach (offline or immutable).
- **Vendors (4 items).** Inventory, contract review, data-processing agreements, breach-notification clauses.
- **Governance (3 items).** Named privacy officer (mandatory in Quebec), written incident response plan, annual tabletop exercise.

## Who it's for

Executive directors, operations leads, and treasurers at Canadian charities (5–50 staff) who need a defensible baseline they can take to a board, an insurer, or a granting body without hiring a consultant.

## What it isn't

Not a substitute for an actual audit. The checklist will tell you where the gaps are — closing them is the next conversation. If you score under 20/30 and your board is asking questions, [start with a posture call](/contact/?service=audit).