
Charity Cybersecurity Posture Checklist

A 30-item, plain-English self-assessment for a Canadian charity with no dedicated security headcount. Identity, email, backup, vendor, governance — covered in an afternoon.

What’s inside

A 30-item checklist organized by axis. Each item is yes / no / not-applicable plus a one-line “why it matters” so a board member who hasn’t done this before can score it cold.

  • Identity (8 items). MFA coverage, password hygiene, offboarding sequence, shared-account audit.
  • Email & messaging (6 items). SPF/DKIM/DMARC, suspicious-message reporting, executive impersonation defense.
  • Endpoints (4 items). Operating-system updates, basic EDR, full-disk encryption, mobile-device baseline.
  • Backups (5 items). Frequency, off-site copy, restore actually tested (not just "the job ran"), and at least one copy that is offline or immutable so ransomware on the network cannot encrypt it too.
  • Vendors (4 items). Inventory, contract review, data-processing agreements, breach-notification clauses.
  • Governance (3 items). Named privacy officer (mandatory in Quebec), written incident response plan, annual tabletop exercise.
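The Email & messaging items are the one part of the list a treasurer can verify directly from DNS. The script below, an added example rather than anything shipped with the checklist, scores a domain's SPF and DMARC TXT records against those items: is SPF published once, does it end in a soft or hard fail rather than "+all", is DMARC present, is its policy enforcing, and is anyone receiving the reports. The TXT records inside it are constructed samples; the `lookup_txt` function is a stand-in for a real resolver call, and `example-charity.org` and `weak-charity.org` are hypothetical domains.

```python
"""Score SPF and DMARC records the way the checklist's email items ask.

Added example, not part of the checklist. Records below are constructed;
replace lookup_txt() with a live resolver (e.g. dnspython's
dns.resolver.resolve(name, "TXT")) to run it against a real domain.
"""
import re
from dataclasses import dataclass

# Constructed TXT records for two hypothetical domains (assumption: this is
# what a TXT query would return). weak-charity.org has no _dmarc record.
SAMPLE_TXT = {
    "example-charity.org": [
        "v=spf1 include:_spf.google.com include:mail.zendesk.com ~all",
    ],
    "_dmarc.example-charity.org": [
        "v=DMARC1; p=none; rua=mailto:dmarc@example-charity.org",
    ],
    "weak-charity.org": ["v=spf1 include:_spf.google.com +all"],
}


@dataclass
class Finding:
    item: str      # checklist wording
    passed: bool
    detail: str    # evidence to paste into the yes/no column


def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT query against the constructed table."""
    return list(records.get(name, []))


def check_spf(domain, records=SAMPLE_TXT):
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("SPF published", False, "no v=spf1 TXT record")]
    if len(spf) > 1:
        # RFC 7208: more than one SPF record is a permanent error at the receiver.
        return [Finding("SPF published", False, "multiple v=spf1 records (permerror)")]
    terms = spf[0].split()
    findings = [Finding("SPF published", True, spf[0])]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append(Finding("SPF ends in fail", False,
                                "no 'all' mechanism; unlisted senders get neutral"))
    else:
        last = all_terms[-1]
        qual = last[0] if last[0] in "+-~?" else "+"   # bare 'all' means '+all'
        label = {"-": "hardfail", "~": "softfail"}.get(qual, "pass/neutral: anyone may send as you")
        findings.append(Finding("SPF ends in fail", qual in "-~", f"'{last}' = {label}"))
    # Top-level lookup-causing terms only; includes pull in more, so this is a lower bound.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)", t, re.I))
    findings.append(Finding("SPF within 10 DNS lookups", lookups <= 10,
                            f"{lookups} lookup-causing terms at top level"))
    return findings


def check_dmarc(domain, records=SAMPLE_TXT):
    recs = [r for r in lookup_txt(f"_dmarc.{domain}", records)
            if r.upper().startswith("V=DMARC1")]
    if not recs:
        return [Finding("DMARC published", False, f"no TXT record at _dmarc.{domain}")]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = [Finding("DMARC published", True, recs[0])]
    policy = tags.get("p", "").lower()
    findings.append(Finding("DMARC enforcing", policy in ("quarantine", "reject"),
                            f"p={policy or '<missing>'} (p=none only monitors)"))
    findings.append(Finding("DMARC reports collected", "rua" in tags,
                            tags.get("rua", "no rua= address; nobody sees the reports")))
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct != "100":
        findings.append(Finding("DMARC applies to all mail", False, f"pct={pct}"))
    return findings


def score_domain(domain, records=SAMPLE_TXT):
    findings = check_spf(domain, records) + check_dmarc(domain, records)
    return {"domain": domain, "passed": sum(f.passed for f in findings),
            "total": len(findings), "findings": findings}


if __name__ == "__main__":
    for d in ("example-charity.org", "weak-charity.org"):
        r = score_domain(d)
        print(f"{d}: {r['passed']}/{r['total']}")
        for f in r["findings"]:
            print(f"  [{'yes' if f.passed else 'no '}] {f.item}: {f.detail}")
```

DKIM is deliberately not scored here: its selector names are per-provider and cannot be enumerated from the domain alone, so that item stays a manual check against each sending service's setup page. A `p=none` DMARC policy with a `rua=` address is the right first step, not a finish line; the item is only "yes" once the policy is `quarantine` or `reject` at `pct=100`.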

Who it’s for

Executive directors, operations leads, and treasurers at Canadian charities (5–50 staff) who need a defensible baseline they can take to a board, an insurer, or a granting body without hiring a consultant.

What it isn’t

Not a substitute for an actual audit. The checklist will tell you where the gaps are — closing them is the next conversation. If you score under 20/30 and your board is asking questions, start with a posture call.