Cybersecurity Policy Development and Maturity Roadmap for a National Park Foundation

Client Overview

A national nonprofit foundation dedicated to the conservation and preservation of a major U.S. national park sought to strengthen its cybersecurity governance and compliance posture. The foundation had a highly experienced audit committee with backgrounds in large-scale corporate governance, and during a review of their cybersecurity insurance policy, they identified gaps in security maturity and risk management.

Their operations involved managing sensitive donor and financial data, making cybersecurity a critical area for improvement. Initially, the foundation engaged us to develop a comprehensive cybersecurity policy grounded in the NIST Cybersecurity Framework (CSF). The policy assessment uncovered gaps in coverage and security maturity, leading to an ongoing cybersecurity retainer to address risks, implement controls, and build a long-term security roadmap.

Problem Statement

The foundation faced two key cybersecurity challenges:

  1. Limited internal cybersecurity expertise. While the audit committee had extensive experience in corporate risk management and compliance, the operational team needed practical guidance and structured policies to ensure security best practices were in place.

  2. Sensitive financial and donor data protection. The foundation relied on cloud-based financial systems, donor management platforms, and third-party vendors to manage transactions and communications, increasing exposure to cyber risks such as phishing attacks, data breaches, and financial fraud.

Without a structured security program, the foundation risked data loss, reputational damage, regulatory scrutiny, and potential loss of donor trust.

Scope of Engagement

Our firm provided cybersecurity policy development, risk assessment, and security program implementation using NIST CSF as the guiding framework.

We began with a thorough risk assessment to identify gaps in cybersecurity coverage and compliance. Following this evaluation, we created a comprehensive cybersecurity policy aligned with industry best practices and the foundation’s cyber insurance requirements. We then implemented key security maturity improvements, including risk management procedures, vendor security evaluations, and enhanced access controls. Ultimately, the relationship evolved from an initial project-based engagement into an ongoing cybersecurity advisory retainer providing continuous support for the foundation’s long-term security objectives.

Approach & Solution

We developed and implemented a cybersecurity policy framework tailored to the foundation’s operational and compliance needs.

The engagement began with an audit of existing cybersecurity policies and risk areas using NIST CSF as a baseline. Through structured analysis and stakeholder interviews, we identified gaps in:

  • Access controls and identity management, particularly in managing financial system access and donor data.

  • Incident response planning and cyber insurance alignment, ensuring security measures met insurance policy requirements.

  • Third-party risk management, given reliance on vendors for IT infrastructure, cloud services, and donor data processing.

With these findings, we designed and implemented security enhancements, including:

  • Access control policies to enforce least privilege and multi-factor authentication for critical financial and donor management systems.

  • Incident response planning to establish formal security response and business continuity procedures.

  • Vendor security risk assessments, ensuring third-party partners adhered to security best practices and contractual obligations.

  • Security awareness training for staff, equipping teams with the knowledge to identify and mitigate cyber threats such as phishing and business email compromise attacks.

Results & Impact

We strengthened cybersecurity policies and ensured alignment with industry standards and cybersecurity insurance requirements. By addressing critical gaps in risk management, vendor security, and access controls, we significantly improved overall security maturity. Additionally, we enhanced the board and executive leadership’s understanding of cybersecurity risks, positioning cybersecurity as a strategic organizational priority. Ultimately, we developed a long-term cybersecurity roadmap, transitioning from an initial policy-focused project to an ongoing cybersecurity retainer that provides continued support for risk management, compliance, and advisory services.

Client Testimonial

“This engagement transformed how we approach cybersecurity as an organization. The ability to communicate complex security topics in clear, actionable terms helped our executive board, audit committee, and operations team align on security priorities. The team’s deep expertise and ability to quickly address ad hoc security questions gave us confidence that we now have a trusted cybersecurity partner guiding us forward.”

Lessons Learned & Best Practices

Cybersecurity policies must align with business objectives. Simply having security policies is not enough—organizations must ensure their cybersecurity frameworks support both compliance requirements and operational needs.

Cyber insurance policies should be reviewed carefully. Many organizations assume their cyber insurance covers all risks, but gaps in security maturity can lead to coverage limitations or denials in the event of a breach.

Foundations and nonprofits must prioritize cybersecurity. Handling donor and financial data requires a level of security maturity comparable to regulated industries, particularly when working with high-net-worth individuals and corporate donors.

This engagement reinforced the importance of structured cybersecurity governance, risk management, and ongoing advisory support, ensuring the foundation’s security posture continues to evolve with emerging threats and compliance requirements.
