Computer & Electronic Resources Policy
Idlewild Baptist Church · IT Department
✉ Contact IT
Technology Governance

Computer & Electronic
Resources Policy

Idlewild Baptist Church's framework for responsible, secure, and mission-aligned use of technology.

Effective: July 2025
Version: 2.0
26 Policy Sections
Contact: it@idlewild.org
01

About This Policy

At a Glance
IBC technology is provided for ministry work — unauthorized use is not permitted.
All use of IBC systems is monitored and must comply with Church policy and applicable law.
Misuse can result in loss of access, disciplinary action, or legal consequences.

IBC provides staff and volunteers with access to a broad range of technology resources — computers, phones, cloud services, email, AI tools, and more — to support the work and mission of the Church. Access to these resources is a privilege extended for ministry purposes, not a personal entitlement.

Everyone who uses IBC technology is expected to act responsibly, ethically, morally, and in accordance with this policy, the IBC Employee Handbook, and applicable federal and state law. Users must respect the rights and privacy of others, maintain the integrity of Church systems, and honor all relevant legal and contractual obligations.

IBC monitors all activity on Church-owned or Church-managed systems to ensure appropriate use. Misuse of technology resources may result in disciplinary action — up to and including termination — loss of access, or legal investigation where laws have been broken. Users are held accountable for their conduct regardless of the medium or device used.

02

Who This Policy Applies To

At a Glance
These policies apply to all staff, volunteers, contractors, and third parties with IBC system access.
This document is reviewed and updated at least annually — or after any significant security incident.

This document is considered a "living document" and will be reviewed and updated at least annually, or immediately following any significant security incident, to reflect the evolving threat landscape and new legal or regulatory requirements.

Compliance with these and all of Idlewild's policies is mandatory for all staff, volunteers, and contractors or third-party service providers who access IBC systems or data.

04

Rules Everyone Must Follow

At a Glance
Use IBC technology primarily for ministry work — avoid unauthorized purposes.
All activity on IBC-owned systems, email, and networks is subject to monitoring.
Report any security incident or suspicious activity to IT immediately at it@idlewild.org.
General Rules of Conduct
  • Privacy and Rights: Users must respect the rights and privacy of all individuals and observe all relevant laws, regulations, and contractual obligations.
  • Prohibited Activity: Users are prohibited from using IBC resources for illegal, immoral, defamatory, or unbiblical activities, or for any unauthorized solicitation or personal gain. For guidance on activities that conflict with IBC's biblical standards and community expectations, refer to the Employee Handbook (Conduct and Standards section).
  • Accountability: Misuse of resources can result in disciplinary action up to and including termination, loss of access privileges, and/or legal investigation.
  • Data Protection: Ensure that no sensitive or high-risk data is shared, stored, or accessed outside of approved, secure systems — see the Protecting Church Data section of this policy.
  • Personal Use: Incidental personal use of IBC-provided technology is permitted provided it is brief, does not interfere with job duties, does not consume significant network or storage resources, and does not violate any other provision of this policy. Personal use is a privilege, not a right, and may be revoked at any time. IBC resources must never be used for personal business ventures, secondary employment, or ongoing personal projects. Artificial Intelligence (AI) Tools: The use of AI-powered tools and services (including generative AI, large language model chat tools, and AI-assisted productivity features) in connection with IBC work or on IBC systems is governed by IBC's separate Artificial Intelligence (AI) Acceptable Use Policy. Users must review and comply with that policy before using any AI tool for church-related tasks, and must never input sensitive, confidential, or personally identifiable information into unauthorized AI services. Cloud Storage and File Sharing: IBC-approved cloud storage platforms (currently Microsoft OneDrive and SharePoint within the Microsoft 365 tenant) must be used for all work-related files and collaboration. Users must not store, sync, or share IBC data using personal or unauthorized third-party cloud services (e.g., personal Google Drive, Dropbox, or similar). Files containing sensitive or high-risk data must be shared only through IBC-managed platforms with appropriate access controls applied.
Monitoring, Reporting, and Compliance
  • Monitoring: All activity on IBC-owned or IBC-managed systems, networks, devices, and accounts — including but not limited to email, internet browsing, Microsoft 365 services, cloud storage, and endpoint activity — is subject to logging, auditing, and monitoring by the IT Department or authorized personnel. This monitoring applies regardless of whether the activity occurs on IBC premises or remotely. Users have no expectation of privacy when using IBC resources, accessing IBC accounts, or connecting to IBC networks. Monitoring data may be reviewed for policy compliance, security incident investigation, or legal purposes and may be disclosed to church leadership, legal counsel, or law enforcement as required.
  • Incident Response: Users must immediately report any security incidents or suspected unauthorized access to the IT Department.
  • Training: All users granted access to IBC’s systems are required to complete Orientation and ongoing security awareness training.
  • Compliance: Users must comply with federal and state laws, IBC policies, and the terms of applicable software licenses and contracts.
  • Personal Devices (BYOD): Users who access IBC systems or data on personally owned devices (including smartphones, tablets, and personal computers) must do so in compliance with IBC's Bring Your Own Device (BYOD) Policy. The AUP applies equally to personal devices used for IBC work. IBC reserves the right to require enrollment of personal devices in IBC's mobile device management solution as a condition of access.
Keeping Work and Personal Accounts Separate

Avoid mixing work and personal accounts on shared devices or apps (e.g., email, contacts, calendars). Co-mingling can lead to unintended data loss if IBC-managed content is wiped from a device — for example, at the end of employment. Keep church data in IBC systems and personal data in personal ones.

05

Account Access & Permissions

At a Glance
You receive only the access your role requires — no more, no less.
All access requests must be approved by your manager and the IT Department.
Accounts inactive for 90 days are flagged; privileged accounts inactive for 45 days require immediate review.

This policy applies to all employees, contractors, volunteers, and any other users who are granted access to IBC’s information systems and resources.

Access Control Principles / Access Authorization

Access to IBC’s electronic resources is restricted to authorized individuals whose job roles require such access. The determination of access needs is a collaborative effort between department leadership and the Information Technology (IT) Department, ensuring that users have access only to the resources necessary for performing their job functions.

  • Principle of Least Privilege: You are given only the access your job requires — no more, no less. Access rights are reviewed regularly, and any access that is no longer needed is removed promptly.
  • Privileged and Administrative Account Controls: Privileged accounts (including but not limited to Microsoft 365 Global Administrators, Entra ID role assignments, financial system administrators, HR and payroll system administrators, endpoint security administrators, network infrastructure administrators, and local device administrators) are subject to heightened controls beyond those applied to standard user accounts: - - - MFA is mandatory for all privileged accounts without exception. - Privileged access is granted only for the duration required; standing administrative access must be reviewed quarterly by the IT Department. - All privileged account activity is subject to logging and audit review. - Emergency ('break-glass') administrative accounts must be inventoried, secured with MFA and a stored credential, and audited after each use.
Access Request and Review Process

Requests for new access or modifications to existing access must be submitted through a formal process.

  • Submission of an access request form via SharePoint (Idlewild Intranet) or an official communication channel.
  • The request must be approved by the user’s department leadership and the IT Department, with justification based on job responsibilities.
  • Any requests for additional access must be justified by business needs and approved by both the relevant department manager and the IT Department.
  • All access rights are reviewed regularly to make sure each person still needs what they have. Reviews happen on the following schedule: standard accounts are reviewed annually; accounts with elevated access (such as admin accounts) are reviewed every six months; accounts for temporary staff, contractors, or volunteers are reviewed every 90 days.
User Authentication

All users must authenticate their identity through secure methods, which include the following requirements:

  • Strong Passwords: Your password must meet IBC's complexity requirements (see the Passwords section of this policy). You do not need to change your password on a regular schedule — but you must change it immediately if you think it has been compromised or if IT notifies you of a breach.
  • Multi-Factor Authentication (MFA): MFA is required for all IBC accounts — no exceptions. This means logging in with both your password and a second verification step (such as an app notification or code). MFA is required for Microsoft 365 email and applications, financial and payroll systems, remote access, and all other IBC systems.
  • Password Confidentiality: Users are strictly prohibited from sharing login credentials. Any suspected unauthorized use must be reported immediately to the IT Department.
Account Lifecycle Management

User accounts are created, modified, and deactivated based on employment status and job function.

  • Deactivation: Deactivation of accounts for former employees or those changing roles must occur promptly to prevent unauthorized access.
  • Temporary Access: Temporary access may be granted to contractors, volunteers, or external users. Temporary accounts must be configured with expiration dates, and access is subject to periodic review.
  • Inactive Accounts: If your account has not been used for 90 days, IT will flag it for review and notify your department manager. Accounts with elevated access that go unused for 45 days are reviewed immediately. Unused accounts may be deactivated to protect IBC's systems.
Remote Access and Device Use
  • Prohibition of Personal Device Use: Access to IBC’s resources through personal devices is generally prohibited except for specific approved cloud-based services under the guidelines set forth in the Bring Your Own Device (BYOD) Policy. All personal devices accessing these services must comply with BYOD security requirements.
  • Conditional Access: IBC's sign-in security system automatically checks whether your device and connection meet security requirements before granting access to Microsoft 365 and connected applications. If access is blocked and you believe it should not be, contact IT for assistance.
06

Passwords & Account Security

At a Glance
Minimum 12 characters for standard accounts; 14 for admin/privileged accounts.
MFA is required for every IBC account — no exceptions.

This policy protects IBC's accounts and data by requiring strong passwords and secure sign-in practices for all systems — whether you access them from the office or remotely.

Password Requirements (Applies to All Users)
  • Minimum Length: 12 characters (standard users); 14 characters (administrative or privileged accounts)
  • Complexity: Passwords must meet all of the following complexity requirements in addition to the minimum length. At least one character from each of the following classes is required:
  • Uppercase letters (A–Z)
  • Lowercase letters (a–z)
  • Numbers (0–9)
  • Special characters (e.g., !@#$%^&*)
  • Password Uniqueness:
  • Passwords must be unique and not reused across services
  • Personal info (e.g., names, birthdays) and dictionary words are prohibited
  • Predictable patterns (e.g., “123456”, “qwerty”, “Idlewild123”) are not allowed
  • Enforcement: These password requirements are automatically applied to all IBC accounts. You will be prompted to create a new password if your current one does not meet these standards.
Password Rotation & Expiration
  • Routine expiration: Not required
  • Passwords must be changed immediately if:
  • There is evidence or suspicion of compromise
  • Notified by IT following a breach
  • Security audits: Users may be prompted to reset their passwords during regular audits
Multi-Factor Authentication (MFA)
  • Mandatory for all Idlewild accounts, including:
  • Email
  • File storage (OneDrive, SharePoint)
  • Church management systems (e.g., the ChMS)
  • Administrative dashboards
  • IT will contact affected account holders no later than August 1, 2026 to coordinate hardware key provisioning.
  • Fallback: SMS-based MFA allowed only if app authentication is not possible
Password Managers
  • Strongly encouraged for all users
  • Approved examples: Dashlane (cloud-based)
  • Benefits:
  • Create strong, unique passwords per system
  • Eliminate reuse or patterned passwords
  • Note on Credential Sharing: Sharing credentials within a team must only be done through Dashlane's built-in secure sharing feature (encrypted vault-to-vault transfer). Credentials must never be shared via email, Teams chat, SMS, or any plaintext channel. Shared accounts should be reviewed and rotated whenever a team member changes roles or leaves. Where possible, replace shared credentials with individual accounts or service accounts governed under the Shared and Service Account section of this policy.
  • Support controlled credential sharing within teams — subject to IT-approved sharing methods only (see note below)
Recommended Password Creation Methods
MethodExampleBenefit
PassphraseBanana$Horse79!SkylineLong and memorable
Random GeneratorgK8!pLz7%qB4#dYwExtremely secure if stored safely
Modified PhraseILuvHikn@COevryS!Combines memorability and strength
Hybrid Security Enhancements

IBC uses several additional security tools to protect all accounts:

  • Account Lockout Protection: After repeated failed sign-in attempts, accounts are automatically locked to block attackers.
  • Password Protection: Blocks weak and commonly used passwords
  • Password Policy Enforcement: IBC's security settings automatically enforce these password requirements across all accounts and devices.
Enforcement
  • Password requirements are automatically enforced across all IBC accounts and devices.
  • IT may conduct regular audits or require password resets as part of security hygiene
  • Non-compliance may result in temporary account restrictions
  • All suspected or confirmed security events must be reported to IT immediately
  • Shared and Service Accounts: Shared mailboxes, ministry distribution accounts, and service accounts (e.g., system integration credentials) require special handling: - Shared mailboxes in Microsoft 365 should be configured as resource accounts with no direct interactive sign-in password where technically feasible (access granted via delegation to individual licensed accounts).
Avoid These Practices
Bad PracticeWhy It's Dangerous
Using leetspeak (e.g., P@ssw0rd)Attackers easily crack common substitutions
Reusing passwordsOne breach compromises multiple accounts
Short passwordsEasier to crack by brute force
Scheduled rotations (without cause)Encourages weak, predictable patterns
Writing passwords downRisk of physical theft; use a password manager instead
07

Approving Third-Party Apps

At a Glance
You cannot grant an app permission to access church data on your own — all app consent goes through IT.
Submit an App Consent Request via the IT form on the IBC SharePoint intranet.
IT evaluates security, permissions, and compliance before approving any app.

This policy covers how third-party applications are approved before they can access IBC data or church systems. It protects the Church's information while still allowing staff and volunteers to use helpful tools — the key is getting IT's approval before connecting any app to IBC accounts or data.

Consent Control

To protect organizational data and ensure the security and integrity of our environment:

  • End users and group owners are not permitted to grant consent for applications to access organizational data or services.
  • All application consent requests must be reviewed and approved by an administrator before being granted.

This policy is enforced automatically — IBC's systems are configured to prevent apps from connecting to church data without IT approval. If you try to add an app and see a message saying access is blocked, that is by design. Submit an IT request to begin the approval process.

Rationale

While allowing users to grant consent can enable faster adoption of useful tools, it also introduces the risk of unauthorized access, data leakage, malicious applications, and compliance violations. Centralizing consent decisions through administrator review ensures:

  • Alignment with Idlewild’s security, data privacy, and compliance requirements
  • Assessment of the application's legitimacy, security practices, and need for access
  • Consistency with Idlewild's mission, values, and operational priorities
Administrator Review Process

When a user encounters an application that requests permissions and cannot proceed:

  • Users must submit an IT Request through the Idlewild Intranet to begin the approval process.
  • The request must include:
  • Name and description of the application
  • Purpose of the application and intended use
  • Specific permissions the application is requesting
  • Business justification for why the application is needed
  • The IT Department will evaluate the request based on:
  • Scope and sensitivity of requested permissions
  • Vendor reputation and trustworthiness
  • Security practices of the application (e.g., encryption, data handling, privacy policy)
  • Compliance with legal, regulatory, and organizational standards
  • For applications that incorporate AI functionality (including but not limited to Copilot plugins, generative AI integrations, and third-party AI-powered services): alignment with the AI Use Policy section of this policy, including assessment of data handling by AI models, training data practices, and any OAuth or API-level consent that grants the AI service access to organizational data or user content
  • Potential risks to Idlewild’s systems, data, and users
  • After evaluation, the administrator will either:
  • Approve and grant the requested access
  • Deny the request with a documented reason
  • Request additional information before making a decision
  • Response Time: IT will acknowledge all App Consent Requests within two business days of submission. A final decision (approval, denial, or a request for more information) will be provided within ten business days.

All decisions will be logged and reviewed at least annually to ensure ongoing compliance and security.

Post-Approval Governance
  • The IT Department will conduct a review of all approved applications and their granted permissions at least annually (no less than once per calendar year).
  • Revocation of Unused Access: Permissions for applications found to be unused or lacking a current, justifiable business need will be promptly revoked by the IT Department.
Exceptions

Exceptions to this policy may be granted under limited circumstances but must be:

  • Pre-approved by the IT Security Team and Leadership Team
  • Justified with a documented business need
  • Implemented with compensating controls as necessary (e.g., restricted permissions, conditional access)

No individual user, group owner, or department may independently override this policy.

Responsibilities
  • Users are responsible for submitting accurate, complete information when requesting application access.
  • The IT Department is responsible for evaluating, approving, governing, and documenting all application consent requests.
  • Leadership is responsible for supporting this policy and reinforcing adherence across departments.
Enforcement

Violations of this policy, including attempts to circumvent controls, may result in disciplinary action up to and including loss of access privileges or other corrective measures as deemed necessary.

Unapproved App Access to IBC Data

Third-party applications — including sync apps, unapproved note-taking apps, and AI-powered tools (e.g., ChatGPT, Google Gemini, unapproved Copilot integrations) — must not be granted access to IBC cloud services (Outlook, OneDrive, SharePoint, Teams) without explicit IT approval. Microsoft Copilot for Microsoft 365, accessed through IBC-licensed apps, is pre-approved. All other AI tool access to IBC data must go through the app approval process before use.

08

Protecting Account Information

At a Glance
Never update banking, payroll, or account details based on an email or chat message alone.
All sensitive account changes require dual-channel verification — a second, independent confirmation.
This policy protects IBC from Business Email Compromise (BEC) and social engineering attacks.

Email scammers — including some that specifically target churches — often impersonate staff, executives, or trusted contacts to trick people into changing account details, redirecting payroll, or transferring money. This policy protects IBC by requiring extra verification steps before any sensitive account changes are processed.

This policy applies to all employees, contractors, and volunteers with access to organizational databases, financial systems, or personnel records.

Verification Requirements for Account Changes
  • Requests to update user or employee account details cannot be processed based solely on an email, text message, chat, or social media request.
  • All changes must be verified using a second, independent method of communication — for example, calling the person at a known phone number or verifying in person — before any update is made. An email alone is never sufficient.
  • Whenever possible, users should update their own information through designated self-service portals.
  • If there is any doubt or uncertainty, the request should be escalated to the appropriate database or system owner for verification.
Restriction on Disclosure of System Information
  • When communicating about account updates by email, avoid mentioning the specific system, database, or software being updated. Use general language such as 'Please log in to your account settings to update your details.' This makes it harder for attackers to craft convincing fake requests.
  • Instead, general language should be used (e.g., "Please log in to your account settings to update your details").
Direct Deposit & Payroll Changes
  • Requests to change direct deposit information must be verified in person, or completed by the employee themselves through IBC's HR and payroll portal (which requires your login and a second verification step). No payroll change will be processed based on an email or phone request alone.
  • No changes will be processed based solely on an email, text, or phone request without authentication and verification.
Protection Against Executive Impersonation Scams
  • Employees must not process wire transfers, financial transactions, or sensitive account changes based on an email or text request from an executive without verbal confirmation from the executive.
Reporting Suspected BEC Attempts
  • Any suspicious email, phone call, or message requesting account changes, financial transactions, or credential updates must be reported to the IT Department immediately. Staff can reach IT through the IT Help Desk page on the IBC SharePoint Intranet or by calling 813-264-8720. Do not delete the suspicious message before reporting — IT needs to examine it. If the message has already been flagged or quarantined by IBC's email security tools, notify IT and do not attempt to release it independently.
Common Business Email Compromise (BEC) Scams

BEC scams involve impersonating trusted individuals to deceive victims into taking fraudulent actions. Common tactics include:

1. Email Account Change Scam
  • The attacker impersonates a trusted contact, claiming their email or phone number has changed.
  • They request an update to their contact details in the database.
  • Once updated, they reset the account password and take control.
2. Payroll/Direct Deposit Fraud
  • The attacker poses as an employee and requests an update to their payroll or direct deposit information.
  • Funds are redirected to a fraudulent account.
3. Vendor Payment Fraud
  • The attacker impersonates a vendor or supplier and requests a change to payment details.
  • This results in fraudulent wire transfers.
4. Executive Impersonation (Financial Urgency Scam)
  • The attacker poses as an executive and demands an urgent financial transaction (e.g., wire transfer, gift card purchase).
  • They use pressure tactics to bypass verification.
5. Invoice Fraud
  • The attacker gains access to a vendor’s email and sends a modified invoice with fraudulent banking details.
6. Tax and W-2 Fraud
  • The attacker impersonates a company executive and requests employee tax documents (e.g., W-2s), leading to identity theft.
7. Donation or Charity Scam

8. AI-Generated Voice and Deepfake Impersonation Scam — Attackers use AI voice-cloning or video deepfake technology to impersonate a pastor, executive, or staff member in a phone call or video message, instructing an employee to authorize a wire transfer, process a payroll change, or share credentials. These calls can closely mimic a known person's voice and may reference accurate personal details. Any voice or video request for a financial transaction or account change — even from someone who sounds or appears to be a known leader — must be verified through a separate, pre-established written or in-person channel before any action is taken. Do not rely on voice recognition alone as proof of identity.

  • The attacker poses as a legitimate charity affiliated with the organization and solicits fraudulent donations.
  • Email Security: IBC's email system automatically scans incoming messages for signs of impersonation, spoofed senders, and malicious links. However, no security system catches everything — your awareness and judgment are essential. When in doubt, report it to IT before taking any action.
Enforcement & Training
  • This policy will be reviewed annually and updated as necessary.
  • Employees must complete annual security awareness training.
  • Violations of this policy may result in disciplinary action, up to and including termination.
09

Protecting Church Data

At a Glance
All work files must be saved to IBC-designated OneDrive folders — not your desktop or personal cloud storage.
Sensitive data (financial, HR, member records) has strict handling and sharing requirements.
See the Data Classification table in this section for guidance on what counts as sensitive or high-risk.

This policy applies to all work-related files created, received, or maintained by employees, volunteers, and associates of IBC in the course of their work, as well as personal files that might be stored on company-owned equipment or cloud services. It includes, but is not limited to, documents, spreadsheets, presentations, multimedia files, email attachments, and personal media such as photos and music.

Mandatory Use of Microsoft OneDrive

All work-related files related to the operations, administration, and ministry activities of IBC must be stored on the organization’s designated Microsoft OneDrive accounts.

  • IBC's OneDrive folders are organized by ministry area and labeled accordingly (for example, Administrative Operations folders, Executive Operations folders). If you are unsure which folder to use, ask your supervisor or contact IT.
  • Files saved in IBC's designated OneDrive folders are protected with IBC's security measures and included in regular backups. Files saved anywhere else — including your computer desktop or personal cloud storage — are not protected or backed up by IBC.
Prohibition of Local Storage

The storage of IBC files on local drives, personal devices, or non-designated cloud services is strictly prohibited.

  • Files stored locally are not covered by IBC’s security measures or backup systems, leaving them vulnerable to data loss or breaches.
  • All employees and volunteers are required to ensure that files are stored only in the designated Microsoft OneDrive folders.
Prohibition on Personal Files

Personal files, including but not limited to photos, music, and videos, should not be stored on company-owned equipment or IBC’s designated cloud services, such as Microsoft OneDrive.

  • Employees and volunteers should use personal storage solutions for such files to maintain separation between professional and personal data.
  • IBC’s resources must be used exclusively for ministry-related work to ensure security and operational efficiency.
High-Risk Data and Data Minimization

High-risk data includes sensitive information such as credit card numbers, Social Security numbers, and personally identifiable information (PII).

  • Compromises of such data can lead to financial loss, legal repercussions, and damage to IBC’s reputation.
  • Data Minimization Principle: Employees and volunteers must only collect, process, or store high-risk or sensitive data (PII) when it is strictly necessary and relevant for a specified ministry purpose. All such data must be properly disposed of as soon as its retention period expires.
  • Data Classification Tiers: IBC data is classified into three risk tiers that govern handling, access, and retention requirements: - Low Risk: Publicly available or non-sensitive information (e.g., published ministry schedules, general announcements). Standard access controls apply. - Moderate Risk: Internal operational information not intended for public release (e.g., internal communications, non-financial ministry records, volunteer contact lists). Access is limited to authorized staff and volunteers with a legitimate ministry need. - High Risk: Sensitive personal, financial, or legally regulated information (e.g., Social Security numbers, credit card numbers, bank account details, medical information, employment records, and other PII). Access is strictly limited, handling is governed by the Prohibited Actions and Approved Vendors provisions of this policy, and storage outside approved systems is prohibited.
Prohibited Actions
  • Employees and volunteers should direct any payment requests to Finance — never handle card data directly.
  • Information containing high-risk data should remain in their respective systems (e.g., financial, contribution, HR, etc.).
  • Under no circumstances should high-risk data, including credit card numbers and PII, be copied, written down, emailed, or stored outside approved systems.
Individual Data Rights

Idlewild is committed to treating all personal data according to the highest standards of privacy and stewardship.

  • Right to Access: Individuals may request confirmation of and access to their personal data stored by IBC.
  • Right to Rectification: Individuals may request that their personal data be corrected if it is inaccurate or incomplete.
  • Right to Erasure (When Applicable): Individuals may request the deletion of their personal data when it is no longer necessary for ministry or operational purposes, and where no legal or regulatory obligation requires its continued retention.
  • All requests regarding individual data rights must be directed to the Information Technology (IT) Department, in coordination with Human Resources or Risk Management, for review.
Enforcement

The IT Department is responsible for enforcing this policy. Regular audits will be conducted to ensure compliance with the storage location requirements and the prohibition of personal file storage on company-owned resources. Any exceptions to this policy must be approved in writing by the IT Department head.

IBC DATA CLASSIFICATION
RISK TIERDATA EXAMPLESREQUIRED CONTROLS
LOW RISKPublic ministry schedules · Job postings · General announcements · Published sermonsStandard access controls · No special handling required
MODERATE RISKInternal communications · Volunteer contact lists · Non-financial ministry records · Operational data not intended for public releaseAccess limited to authorized staff with a ministry need · Store only in approved IBC systems
HIGH RISKSocial Security numbers · Medical / health information · Credit card & bank details · Employment records · Background checks · Contribution records · Pastoral care notesStrict access controls · Encryption required · Handle only in approved vendor systems · Mandatory breach notification if compromised
Private Information

Private information includes, but is not limited to, the following: health information protected under HIPAA, credit card and bank account information, security codes and passwords, Social Security numbers, personal financial information, individual contribution records, government ID information (driver's license, passport, visa), background check information, attorney-client privileged documents, and counseling or medical records.

10

Data Retention & Secure Disposal

At a Glance
Keep data only as long as required by law or ministry need — then dispose of it securely.
Never discard equipment or media yourself; IT handles all secure data wiping and disposal.
The retention schedule table in this section shows how long specific record types must be kept.

This policy applies to all employees, volunteers, contractors, and all IBC records, files, databases, and electronic media (including emails and backups) created, received, or stored in the course of church business.

All data must be kept only as long as the law, regulation, or ministry need requires, and must be securely deleted once that period ends. Keeping data longer than necessary increases the Church's risk in the event of a breach or legal inquiry. When in doubt about how long to keep something, contact IT or Risk Management.

Data Retention Schedules

The following table outlines the minimum retention periods for common categories of IBC records:

Data CategoryExamples of RecordsMinimum Retention Period
Financial/TaxInvoices, receipts, annual budgets, audits, tax filings, fixed asset ledgers.7 years (Required by IRS)
Human Resources (HR)Employment applications (for non-hired staff), performance reviews, termination records, salary history.7 years post-termination (Required by FLSA/EEO)
Sensitive Member DataContribution records, background checks, child safety documentation.Indefinite or as long as member is active + 7 years (for contribution records).
Legal/LitigationIncident reports, insurance claims, legal correspondence, records subject to a legal hold.Indefinite (until legal hold is lifted)
General MinistryNon-critical emails, draft documents, presentation slides, general memos.2 years or less
Backup MediaSnapshots of corporate OneDrive/network files.90 days (aligned with User Deletion Policy preservation period)

General Ministry (non-critical emails, drafts, slides, memos): 2 years or less. Email retention for this category is enforced automatically — older messages are removed from mailboxes on a rolling basis. You do not need to manually delete these messages.

Legal Hold Requirement

The IT Department and the Leadership Team must be immediately notified of any potential or pending litigation, investigation, or audit.

  • Upon notification, IT will place a Legal Hold on all related data, documents, emails, and electronic media. A Legal Hold overrides all standard deletion schedules — nothing related to the matter may be deleted while the hold is active.
  • Lifting the Hold: No records subject to a Legal Hold may be disposed of until the hold is formally lifted in writing by Executive Leadership or Legal Counsel.
Secure Disposal Procedures

All data and media must be disposed of using the method appropriate for the data's risk classification to ensure that the information is rendered permanently unrecoverable.

Data TypeDisposal Method RequiredAccountability
Physical (Paper)Shredding (cross-cut) or supervised third-party destruction.HR/Finance/Ministry Leader
Electronic (Local Drive)Wiping/Degaussing hard drives, or physical destruction (e.g., drilling/smashing) for hardware being permanently retired.IT Department
Electronic (Cloud/Email)Purging data from all primary storage and ensuring corresponding permanent deletion from all backup systems.IT Department
Roles and Responsibilities
  • IT Department: Manages the technical systems that enforce retention schedules (such as automatic email deletion), carries out secure disposal of physical and electronic media, and manages all Legal Holds.
  • Department Heads: Responsible for enforcing retention schedules within their respective ministries and ensuring their staff adhere to the disposal procedures for physical records.
  • All Users: Responsible for classifying and storing their records correctly (in designated OneDrive folders) and notifying their Department Head of any records that need early disposal or immediate Legal Hold.
11

Data Backups

At a Glance
Files saved to IBC-designated OneDrive folders are automatically backed up — files saved only to your desktop are not.
IT monitors backup jobs daily; report any data loss or missing files immediately.
Microsoft 365 data (email, SharePoint, Teams) is backed up daily by IBC's cloud backup solution.

This policy applies to all employees, volunteers, contractors, and all ministry-related data and files stored on IBC systems. It covers all data that IBC has a responsibility to protect and recover in the event of a system failure or data loss.

Roles and Responsibilities
  • IT Department: IT manages all backup systems, monitors backup success daily, and handles all data restoration requests. If you suspect data has been lost or deleted, contact IT immediately.
  • Users/Staff: All users are responsible for ensuring that critical, ministry-related files are saved exclusively to the designated OneDrive folders to be included in the corporate backup process.
Backup Schedule

Files stored in the designated ministry-related OneDrive folders created by the IT Department (such as AO-, EO-, FM-, etc.) are included in these backups. Microsoft Teams channel conversations, posts, and chat messages (where not otherwise covered by a Purview retention policy) are also captured by IBC's cloud backup solution as part of the nightly Microsoft 365 backup job. Private Teams chats between individual users are included in the backup of the associated Exchange Online mailbox.

Critical system data is backed up every night. Microsoft 365 (email, file storage, and Teams) is backed up nightly, seven days a week, using IBC's cloud backup service.

Non-Backed Up Locations

Files stored in the following locations are not included in the backup process:

  • Local Drives: Files stored locally on individual computers or laptops.
  • My Drive on OneDrive: Personal storage within OneDrive that is not part of the designated ministry folders.
  • Individually Created Shared Drives: Any shared drives that are created and managed outside of the IT-designated structure.
Storage of Backups and Retention
  • All backups are stored in a secure, encrypted location that is separate from IBC's primary systems. This means that even if IBC's main systems are affected by a disaster, the backups remain safe and recoverable.
  • Backups are kept for 90 days. After 90 days, older backup snapshots are automatically removed.
Storing Files in Undesignated Locations

Should you choose to store files in any location outside the designated Ministry OneDrive folders, such as on local drives or personal OneDrive spaces, it is done at your own risk. These files will not be backed up, and their recovery cannot be guaranteed in the event of data loss.

Inquiries

If you have any questions regarding backup procedures or which locations are covered under IBC’s backup policy, please contact the IT Department for assistance.

12

Hardware & Software Standards

At a Glance
IBC provides standard equipment based on your role — equipment choices are not made by the employee.
All software on IBC devices must be approved and installed by IT. Need a tool? Reach out and we'll get it set up.
Equipment is IBC property; treat it with care and report damage or loss to IT immediately.
Pre-Approved Software

The following software is pre-approved for use on IBC devices:

  • Microsoft 365 — including Word, Excel, PowerPoint, Outlook, Teams, OneDrive, SharePoint, and Microsoft Copilot (provisioned accounts only)
  • Adobe products — licensed Adobe applications provisioned by IT (e.g., Acrobat, Creative Cloud where licensed)
  • IBC-approved AI tools — as defined in the AI Use Policy (Section 24); provisioned accounts only, not free-tier versions
  • IBC standard security and productivity tools — Sophos Intercept X, and any other tools IT has deployed to your device

Any software not on this list requires IT approval before installation. Most software requires administrative rights — do not attempt to install software yourself. Submit a request through the IT Request form on the Intranet and IT will handle the installation.

This policy ensures that all staff receive consistent, secure, and properly managed technology equipment and software. Standardizing what IBC provides makes it easier to support, secure, and maintain all devices.

IBC provides all employees with the computer equipment and software needed for their role — including desktops or laptops, monitors, and required software. Equipment type and specifications are determined by your job role and approved by the Leadership Team.

Standard Equipment Provision:
  • Managers and Up: Managers and higher-level positions have the option to choose between a laptop or a desktop.
  • Monitors: IT will provide one 22" monitor, but two 22" monitors may be requested.
  • The church does not provide iPads or other tablets, iPhones, or other smartphones.
  • Software: Employees will be provided with the necessary software to perform their job roles. This includes productivity tools, collaboration platforms, and any specialized software required for specific roles.
Software Provision:
  • Standard Software:
  • Standard software — including the operating system, Microsoft 365, and security tools — is the same across all IBC devices. IT selects, installs, and maintains all standard software.
  • All software licenses are purchased and managed by IT to ensure IBC stays compliant with licensing requirements.
  • Software updates are pushed to your device automatically by IT. You should not need to manually install updates — but if prompted, do not postpone or decline them.
  • Software as a Service (SaaS):
  • Cloud-based software subscriptions (also known as SaaS — Software as a Service) must be evaluated and approved by IT and the Leadership Team before purchase. This includes AI-powered tools such as Microsoft Copilot. Contact IT before subscribing to any new software tool for your ministry.
  • Before any new cloud service is purchased, IT reviews the vendor's security practices and data handling to ensure it meets IBC's standards.
  • Access to SaaS platforms will be provisioned based on the employee’s role and position, ensuring only authorized personnel have access to specific services.
  • Cloud software subscriptions are reviewed annually by IT to confirm they are still needed, cost-effective, and secure.
Reasons for Standardization:
  • Security: Standardized equipment and software ensure all devices and systems are equipped with the necessary security features and regular updates to protect against cyber threats and data breaches.
  • Support and Maintenance: Having a standard set of equipment and software simplifies IT support and maintenance, allowing for quicker resolutions and minimizing downtime.
  • Compatibility: Standardization ensures that all employees are using compatible hardware, systems, and software, enhancing collaboration and communication within the organization.
  • Cost Efficiency: Purchasing standardized equipment and software licenses in bulk or through subscription models can lead to significant cost savings for the organization.
  • Quality Control: Standardized software and hardware ensure employees have reliable, high-performing tools necessary for their roles.
  • Consistency: Standardization ensures employees have consistent user experience, which can enhance productivity and ease of use. This uniformity also helps in training and reduces the learning curve for employees transitioning between different roles or departments.

When evaluating non-standard equipment requests, the following stakeholders may be consulted:

  • The requesting Department and corresponding leadership
  • Risk Management
  • Communications and/or Production
  • Information Technology
  • Finance
Policy on Personal Equipment and Software:

Employees are not permitted to purchase and/or use their own computer equipment or software on the Idlewild corporate network. This policy is in place to maintain the integrity, security, and efficiency of our IT systems. Personal devices and software may not meet our security standards and could introduce vulnerabilities into our network. Additionally, it complicates support and maintenance processes, leading to potential inefficiencies and increased costs.

Policy on Purchasing any Technical Equipment and Software:

All requests for technical equipment, including but not limited to computers, laptops, TVs, desktop phones, monitors, and related hardware, must be made through IT Any purchase of such equipment outside of this process is strictly prohibited and considered a violation of IBC policy. Failure to comply may result in disciplinary action, up to and including termination.

Deviation Requests for Non-Standard Equipment:

must be submitted in writing to the IT Department and approved by the Leadership Team (LT) prior to purchase. The IT Department will review and respond to deviation requests within 5 business days of submission.

Hardware & Software Modifications
  • The laptop has standard issued and owned software installed. Only Idlewild Baptist Church approved and licensed software can be installed. All requests for additional hardware and software should be made via the IT Request form on the Intranet. Unauthorized installation of software may result in loss of laptop privileges and possible disciplinary action.
  • Consent of the IT Department is required to add or delete software and/or hardware.
13

Accessories & Peripherals

At a Glance
Peripherals included in your standard device configuration are provided at no cost — extras or spares (e.g., a second charger) are Tier 2 requests.
Non-standard or additional items require department budget approval before purchase.
IT determines the standard configuration for each role — deviations need prior approval.

To define how Idlewild Baptist Church provisions and funds accessories and peripherals for computing devices, and to establish a consistent standard for what the IT Department provides at no cost, what is available as a department-funded supplemental request, and what remains the personal responsibility of the individual. This policy applies to all Church-owned computing devices and to personally-owned devices used in connection with Church resources.

This policy uses a three-tier model. The dividing line is not the cost of an item but whether it is part of the standard configuration the IT Department issues for a role. Items within the standard configuration are provided and maintained by IT; anything beyond that standard is a department-funded request; and accessories for personally-owned equipment are the responsibility of the individual.

Tier 1 — Included at Issue (Standard Configuration)
  • The IT Department provisions a standard device configuration appropriate to the role at no cost to the department.
  • The standard configuration includes the laptop charger and cable; the standard display configuration for the role, which may include up to two monitors with their stands and cables; a docking station where the role requires one; and a standard keyboard and mouse.
  • The IT Department determines the standard configuration for each role. Any item within that standard is provided and, if it fails, replaced by IT at no cost to the department.
  • Replacement of a failed included item is an IT cost. A second or spare copy of an item already issued (for example, an additional charger to keep at home) is not part of the standard configuration and is handled as a Tier 2 supplemental request.
Tier 2 — Supplemental Accessories (Church-Owned Devices)
  • A supplemental accessory is any item requested for a Church-owned device beyond the standard configuration defined in Tier 1.
  • A laptop bag or protective carrying case (not to exceed $100.00)
  • All supplemental requests must be submitted through the IT Request form on the Intranet. The IT Department reviews each request for compatibility and security before approval.
  • Approved supplemental items are purchased through the requesting department's Idlewild Baptist Church Amazon Business account and funded from the department budget. Purchases must not be made through personal Amazon accounts.
  • Supplemental accessories purchased for a Church-owned device are the property of Idlewild Baptist Church, are tracked to the assigned device where practical, and must be returned when the individual separates from the Church or the device is reassigned. When a device is reassigned mid-tenure (e.g., hardware refresh or role change), the assigned user must return all tracked accessories to the IT Department as part of the device handoff process. IT will coordinate transfer or reissuance of accessories to the new assignee.
Tier 3 — Personal Devices
  • Idlewild Baptist Church does not fund accessories for personally-owned equipment. Charging cables, power adapters, and other peripherals for an individual's personal phone, tablet, or computer are the responsibility of the individual and remain that individual's property.
14

Laptop Use & Responsibilities

At a Glance
IBC laptops are Church property and must be returned promptly upon departure.
Keep your laptop with you at all times — never leave it unattended in a vehicle or public place.
Report loss or theft to IT immediately, even after business hours.

This policy defines how IBC-owned laptops are to be used, secured, and returned. Laptops are provided to support your ministry work and must be treated with care.

Laptops purchased and issued for use by Idlewild Baptist Church are the sole property of the Church. They are provided as tools/resources to approved individuals by request for business purposes only. Ministry leadership must approve the purchase and issue of a laptop by IT Because such property is owned by Idlewild Baptist Church, there can be no expectation of privacy with respect to the use of such devices. All activities on these devices can and will be audited and are subject to all policies, guidelines, and laws.

User Agreement

All laptop recipients must sign a separate Laptop Use Agreement form, maintained by Human Resources, before a device is issued.

Where Replacement is Concerned

  • If the lost, stolen, or damaged laptop and/or accessories is determined to be caused by negligence or intentional misuse, the department will be responsible for the cost of replacement.
  • If the lost, stolen, or damaged laptop and/or accessories is determined to not be caused by negligence or intentional misuse, the Department/ministry representing the individual in possession of the laptop and/or its accessories will be responsible for the funding to replace the resource.

Where Routine Maintenance is Concerned

Operating system and third-party application updates are managed and pushed centrally by the IT Department via the IT Department's device management and endpoint security tools. Users must not defer or disable IT-initiated updates. In cases where a manual update prompt appears, users must apply it within 24 hours or contact the IT Department for assistance.

  • Windows Laptop Users:
  • Click the Start button.
  • Type "Updates" in the search bar.
  • Select "Check for Updates" to check for and install updates.
  • Mac Laptop Users:
  • Click the Apple logo.
  • Select System Settings.
  • Choose General.
  • Click Software Update to check for and install updates.

Where Backups and File Placement are Concerned

  • All work data must be saved to your department's designated OneDrive folder. Data stored outside these designated locations — including personal OneDrive folders or local hard drives — is not covered by the Church's backup solution. Contact the IT Department if you are unsure which folder applies to your department.

Where Security is Concerned

  • Everyone is responsible for confidentiality and security for the access and information created and/or transmitted on the laptop.
  • Your laptop (or user account) is not to be used by an unknown or unauthorized person.
  • All IBC laptops must have drive encryption enabled (this is configured by IT) and must be set to lock automatically after no more than 5 minutes of inactivity. Do not disable these settings.
  • You are responsible for the security and care of the laptop. If the laptop (or any accessory) is lost, stolen, or damaged while on or off Idlewild Baptist Church property, the incident MUST be reported within 24 hours to the IT Department.
  • The laptop is to be secured in a protective storage bag or carrying case for transport. Carrying cases and other supplemental accessories are provided under the Device Accessories and Peripherals Policy, which governs how such items are requested, approved, funded, and purchased.
  • Lock laptops in cabinets, desks and/or offices where/when possible.
  • Shut down, log out or lock the laptop while unattended to prevent unauthorized access to data (see Computer Use Policy).
  • Avoid leaving your laptop in a car where temperature extremes or theft are a risk.
  • Be cautious with regards to having drinks and food around the laptop.
  • If employment is terminated, the laptop, accessories, and any other Idlewild Baptist Church owned property must be returned prior to receiving your final payroll disbursement. [EDITORIAL NOTE: The User Agreement acknowledgment language ('I understand that...') currently embedded in this policy section should be extracted into a separate, signed acknowledgment form. Embedding it in policy text does not constitute a verifiable signed agreement and is unenforceable as a standalone attestation.]
15

Network & Wi-Fi Security

At a Glance
Non-IBC devices may not connect to the internal (staff) wired or wireless network.
Guests and visitors should always use the designated guest Wi-Fi, not the staff network.
Only IT-approved routers, access points, and devices may connect to IBC's network.

This policy protects IBC's network from unauthorized access that could result in data loss, system damage, harm to the church's reputation, or legal liability.

Access to Network Resources

IBC's internal staff network is for IBC-owned devices only. Personal phones, laptops, and tablets may not connect to the staff network. Guests and visitors should use the designated guest Wi-Fi network.

  • Unauthorized access to either wired or wireless networks is strictly prohibited.
  • All network access, regardless of user or device type, may be monitored as necessary or required by law.
Wireless Access Points and Rogue Devices

IBC's wireless network is provided through equipment installed and managed by IT around the campus. These devices provide secure wireless access to authorized staff and guests.

  • Connecting your own wireless router, hotspot, or network device to IBC's network without IT approval is strictly prohibited. Unauthorized devices can create serious security vulnerabilities and are a violation of this policy.
  • No device — wired or wireless — may be connected to IBC's network without IT's involvement. Wired connections must not be shared or extended using personal network switches or hubs.
Network Configuration and Security Standards

All network equipment — including computers, routers, firewalls, and servers — is configured, managed, and maintained solely by IT. Only IT may make changes to how IBC's network is set up. IT is responsible for:

  • The installation and management of firewalls and intrusion detection/prevention systems (IDS/IPS).
  • The regular updating of security protocols and software to protect against emerging threats.
  • Ensuring all network devices comply with Idlewild’s security standards. Any deviations must be approved by the IT Department, and unauthorized configuration changes are strictly prohibited.
  • Vendor and Third-Party Access: Any vendor requiring remote access to the internal network for maintenance or support must be pre-approved, utilize Multi-Factor Authentication (MFA), and operate on a least-privilege basis. All vendor access and activities must be logged and monitored by the IT Department.
User Authentication and Access Control

All users must verify their identity before accessing IBC's network resources. IBC requires strong passwords, Multi-Factor Authentication, and other verification steps to ensure only authorized users can access church systems. Any unauthorized access attempt will be logged and investigated by IT.

  • Secure password policies that require strong passwords and prohibit password reuse and password sharing.
  • Multi-Factor Authentication (MFA) and other forms of identity verification as deemed necessary by the IT Department.
  • Unauthorized access attempts will be logged and promptly reported to the IT Department for investigation and resolution.
Network Audits and Vulnerability Management

Idlewild’s network infrastructure will undergo regular security audits and testing to identify and address vulnerabilities. This includes:

  • Routine security assessments, penetration testing, and vulnerability scans conducted by the IT Department or approved external vendors.
  • Identified vulnerabilities will be documented and mitigated promptly to prevent security breaches.
Data Encryption and Secure Communications

All sensitive data transmitted over Idlewild’s network must be encrypted to protect against interception and unauthorized access.

  • All sensitive data transmitted over IBC's network must be encrypted. IT configures all systems to use current, secure communication standards. Staff should always use IBC-approved connections and should contact IT if they have questions about secure access when working remotely.
Incident Response

For any network security incident, follow the procedures in Section 23 — Responding to Security Incidents. Do not attempt to investigate or remediate independently — report to IT immediately.

Personal Device Security (MAM)
  • Antivirus/Malware: Where applicable (e.g., Android, personal laptops), up-to-date antivirus or anti-malware software must be installed and active.
  • App-Level Security: IBC may apply security settings to IBC-related apps on your personal device. These settings apply only to IBC apps — not your personal files. For example, IBC may require that IBC email can only be accessed through Outlook and that Outlook data cannot be copied to personal apps.
16

Microsoft 365, Email & OneDrive

At a Glance
Use IBC-approved tools: Outlook, OneDrive, SharePoint, and Teams — not personal cloud services.
Never store church files in personal Google Drive, Dropbox, or similar unauthorized services.
Lock your screen whenever you step away from your computer.

This policy sets the guidelines for using Microsoft 365 tools — including Outlook, OneDrive, SharePoint, and Teams — at Idlewild Baptist Church. These tools make it easier to collaborate and share files, but they also require responsible use to protect church information and member privacy.

General Guidelines for Use
  • Confidential Data Restrictions: At no time should materials containing Private Information (as defined below) be sent via email or stored/shared through OneDrive.
  • Account Credentials: Each staff member is responsible for their own account credentials. Sharing credentials or using another person’s credentials is prohibited.
  • Always lock your computer before stepping away — especially when signed into church services like Outlook, OneDrive, SharePoint, Teams, or PushPay.
  • File Security: For added protection, files (such as Excel or Word documents) can be encrypted with a password.
  • Complex passwords and multi-factor authentication (MFA) must always be used for Microsoft 365 accounts to enhance security.
  • Secure File Sharing (OneDrive/SharePoint): Use care and good judgment when sharing links to files. Links must always be set to the most restrictive permission level required (e.g., 'Specific People' instead of 'Anyone with the Link') and automatically expire when appropriate. Sharing must align with the security classification (Low, Moderate, High Risk) of the file. IT will conduct a quarterly audit of active external sharing links in OneDrive and SharePoint; links without a documented business justification will be revoked. Artificial Intelligence (AI) Tools: Microsoft 365 Copilot and any other AI features or third-party AI tools used in connection with church data are governed by the AI Use Policy section of this policy. Staff must not submit Private Information (as defined below), member data, financial records, or any High or Moderate Risk content into AI prompts or chat interfaces. Questions about approved AI tools or appropriate use cases should be directed to the IT Department.
  • Health information (such as PHI) and HIPAA-protected data.
  • Credit card, debit card, or bank account information.
  • Security codes, PINs, and passwords.
  • Social Security numbers.
  • Personal/confidential financial information.
  • Individual contribution information.
  • Driver’s license, passport, and visa information.
  • Background check information.
  • Documents subject to attorney-client privilege.
  • Any information that could compromise the security or privacy of the church or individuals.
  • Counseling, medical, or health records.
  • Employee records.
  • Any files, images, or materials deemed illegal, immoral, or confidential.
Reporting and Queries

If there is any doubt about whether specific materials can be stored on OneDrive or sent via Outlook, or if a security compromise is suspected, users should contact the IT Department immediately for clarification and assistance.

17

Email Best Practices & Security

At a Glance
Use your IBC email for church work only — use it for church work only, not personal accounts or subscriptions.
Never send sensitive data (financial info, member records, passwords) in a plain email.
Suspicious email? Don't click any links — forward it to IT or use the Report Phishing button in Outlook.

This policy applies to all users of Idlewild Baptist Church email systems, including employees, contractors, and volunteers with access to Microsoft 365 accounts and any integrated tools (e.g., KnowBe4, the ChMS).

Acceptable Use
  • Use church-provided email accounts for ministry-related communication only.
  • Maintain a professional and friendly tone in all communications.
  • Avoid using personal email accounts for church business.
  • Respond to emails within 24–48 hours when possible.
  • Use standardized email signatures for consistency. Contact the Communications Department for the current IBC email signature template.
Prohibited Use
  • Sending or forwarding confidential information (e.g., donor data, counseling records)
  • Auto-forwarding emails to external accounts.
  • Using email for personal gain, political activity, or unauthorized mass communication.
  • Signing up for suspicious websites or services.
  • Sending spam, chain letters, or defamatory/discriminatory content.
  • Using email to harass, solicit, or participate in illegal or unbiblical activities.
  • Using your @idlewild.org email address for personal accounts, purchases, or subscriptions (e.g., banking, Starbucks, Amazon). Use your personal email address for anything unrelated to IBC ministry work.
  • Sending non-pertinent mass emails (e.g., All Staff) without Communications or IT approval.
Email Security Requirements
  • Report suspicious emails using the Phish Alert Button or contact the IT Help Desk.
  • Auto-forwarding and inbox redirect rules require IT approval — reach out before setting them up.
  • Be cautious with external links and auto-forwarding settings to avoid security risks.
  • Email Retention: IBC maintains email retention policies that determine how long messages are kept. Messages older than the retention period are automatically removed. If you need to preserve a specific email for legal or ministry reasons, contact IT before it is deleted.
External & Mass Communication Guidelines
  • Messages to members, donors, or the public that represent official church announcements must be approved by the Communications Department.
  • All mass communications must go through the ChMS to ensure:
  • Proper tracking
  • Unsubscribe functionality
  • Compliance with data privacy standards
  • Unsubscribe requests must be honored and processed through the ChMS.
Email Communication Best Practices
Subject Line & Content
  • Use clear and concise subject lines to improve readability and response time.
  • Proofread content for professionalism, grammar, and clarity.
Distribution Lists & BCC
  • Use distribution lists or BCC to protect recipient privacy.
  • Avoid putting large recipient groups in the "To" or “CC” field
  • Limit "Reply All" to necessary group responses to reduce email overload.
Risks of not using BCC/Distribution Lists:
  • Privacy breaches (exposed email addresses)
  • Phishing risks if one account is compromised
  • Inbox overload due to unnecessary replies
Managing Distribution Lists:
  • New or updated list requests must be submitted via the IT Request Form on the Idlewild Intranet.
  • Review lists periodically to ensure accuracy.
Attachments and Forwarding:
  • Avoid forwarding emails containing personal or sensitive content without permission.
  • Double-check all recipients, attachments, and message content before sending.
Executive Impersonation Protections:
  • Always verify email requests involving fund transfers, credentials, or sensitive information, especially if they appear to come from senior leadership.
  • Take impersonation alerts from IBC's email security tools seriously and report them to IT.
  • Confirm unusual requests using a secondary method (e.g., phone call or Teams). For requests involving financial transfers or payment modifications, secondary confirmation must be completed via an in-person conversation or a validated phone call (using a known, published number, not a number provided in the suspicious email).
User Responsibilities:
  • Immediately report suspected misuse or compromise to the IT department.
  • Log out of email sessions on public/shared devices.
  • Maintain a clean and organized inbox by regularly archiving or deleting unnecessary messages.
Monitoring and Enforcement
  • All email usage is subject to monitoring and audit.
  • Violations may result in disciplinary action, including termination of access or further corrective measures as determined by leadership.
  • The IT Department and Leadership Team reserve the right to investigate any suspected misuse.
Review and Maintenance

This policy will be reviewed annually by IT and updated to reflect changes in technology, risk, or operational needs.

18

Calendar & Meeting Scheduling

At a Glance
Use Office 365 for all meeting invites — not personal calendar tools.
Enable a Teams meeting link only when remote attendance is actually needed.
For large or sensitive groups, use "Hide Attendee List" to protect participant privacy.
Schedule Invites Through Office 365

When scheduling calendar events, use Office 365. When dealing with large groups, and where a distribution group is available, use the distribution group email address instead of listing individuals separately. This maintains consistency, reduces the risk of exposure, and streamlines calendar management.

  • Utilize the "Hide Attendee List" Feature
    • For large or sensitive groups, particularly when dealing with external recipients, use the "Hide Attendee List" feature. This ensures that email addresses remain private, maintaining professionalism and protecting the privacy of all attendees.
  • Enable Microsoft Teams Meetings Only if Remote Attendance is Needed
    • When scheduling meetings through Office 365, only enable Microsoft Teams if remote attendance is offered or required. If the meeting is in-person only, make sure to disable the Teams link to avoid confusion and unnecessary clutter in the invite.
  • Use Clear and Descriptive Event Titles
    • Ensure your event titles are clear and concise so that recipients can immediately understand the purpose of the meeting. Do not include sensitive or confidential information in the subject line, as external systems or logging tools may capture this metadata.
  • Provide Detailed Information and Attachments
    • Always include details like the agenda, location, or virtual meeting link, along with any relevant attachments. This helps attendees come prepared and ensures the meeting runs smoothly.
  • Set Reminders for Attendees
    • Set appropriate reminders before the event to give participants time to prepare.
  • Make an Event Private When Necessary
    • Use the private event option for meetings that involve sensitive information or when personal details should remain confidential. For example, performance reviews or private discussions should be marked as private to ensure discretion.
Meeting Recording and Confidentiality

If a meeting is to be recorded (e.g., via Microsoft Teams), the organizer must announce that recording is taking place at the start of the meeting and obtain the consent of all attendees. AI-assisted transcription tools may only be used in meetings where all attendees have been notified and must not be used in confidential or pastoral care meetings without explicit Leadership Team approval. All AI-generated meeting summaries must be reviewed for accuracy before distribution.

Invite Only Necessary Participants

Keep the attendee list limited to those who are essential for the meeting. If others might benefit but are not required, mark them as "Optional" participants.

Respect Time Zones and Availability

Be mindful of different time zones when scheduling external meetings. Use the Scheduling Assistant in Office 365 to avoid conflicts and overlapping meetings.

Maintain Your Calendar and Respond to Invites

All staff are expected to maintain their calendars and respond to meeting invites promptly. Recurring meetings should be audited at least quarterly: organizers must cancel or update series that are no longer active, have outdated attendee lists, or lack a clear agenda, to reduce calendar clutter and unnecessary resource consumption.

19

Starting & Leaving IBC

At a Glance
The hiring department or HR should notify IT at least 4 weeks before a new hire's start date. Anything less may mean equipment and accounts will not be ready for their first day.
On departure, all IBC equipment, data, and credentials must be returned or revoked immediately.
Account access is disabled on the last day of employment — no exceptions.

This policy outlines the procedure for onboarding and offboarding employees and volunteers with respect to the IT systems and resources at Idlewild Baptist Church. It ensures that all new hires have the necessary access to perform their duties and that access is properly revoked upon termination or resignation, safeguarding Idlewild's data and assets.

This policy applies to all employees and volunteers of Idlewild Baptist Church who require access to IT systems and resources.

Pre-Onboarding Procedure
Notification Timeline:
  • Human Resources must notify IT of a new employee or volunteer at least four (4) weeks prior to their arrival. If less than four (4) weeks' notice is provided, IT will make reasonable efforts to complete provisioning by the start date but cannot guarantee full system access on day one. HR and the relevant ministry will be notified of any access gaps resulting from late notification.
Hardware Allocation:
  • If the new hire is filling an existing role, they will receive the hardware previously allocated to that position. For newly created positions, new hardware must be acquired, with the approval of the requesting department, leadership, and the finance department. Appropriate lead time must be given for purchasing and provisioning equipment.
Software and Licensing:
  • IT will assess if existing software licenses from the previous employee can be transferred. If not, new licenses will be purchased and allocated in time for the new employee's start date. All purchases and license allocations must follow Idlewild’s purchasing procedures.
Pre-Provisioning of Accounts:
  • User accounts for email, file access, and other IBC systems must be set up and tested before the new hire's first day. Prior to their arrival, IT will confirm that all accounts are working correctly.
HR Documentation:
  • Human Resources is responsible for ensuring that all necessary documentation, such as the Computer Use Policy, is signed by the employee prior to their IT onboarding.
Onboarding Procedure
Provisioning Access:
  • IT will provide resources and access as directed by Human Resources, the relevant ministry, and leadership. For volunteers, provisioning and deprovisioning procedures follow this policy except where the Volunteer Access Policy specifies different access tiers or approval workflows. In all cases of conflict, the more restrictive policy applies. HR and IT must confirm the applicable volunteer access tier before provisioning any accounts or resources.
  • IT will set up all required accounts and access as directed by Human Resources, the relevant ministry, and leadership. As part of setup, IT will configure Multi-Factor Authentication (MFA) for the new employee and confirm it is working before their first day.
Scheduling Orientation:
  • The requesting ministry or department is responsible for scheduling IT orientation with the new employee. During the orientation, IT will issue credentials and provide instructions for using the allocated equipment and services.
Security Briefing:
  • New employees will receive a brief overview of IBC's technology security policies, including password best practices and how to recognize phishing attempts. IT will assign a security awareness training module to be completed within the first 30 days.
Offboarding Procedure
Notification of Termination:
  • Human Resources must notify IT as soon as possible of an employee or volunteer’s upcoming termination or resignation. For terminations “for cause,” IT must be notified in advance to take necessary precautions to protect Idlewild’s assets.
Account Disablement Timeline:
  • All IT accounts and access must be disabled immediately upon the final working day for voluntary exits, or at the moment of termination for cause, as directed by Human Resources. This includes the prompt revocation of all VPN and remote access privileges. In addition, IT must: (a) revoke all registered MFA methods and authentication app registrations from the user's account in Microsoft Entra ID; (b) revoke all active OAuth tokens and third-party app authorizations linked to the departing user's Microsoft 365 account; and (c) remove the user from all SharePoint site memberships and Microsoft Teams channel memberships. IT must document the completion of each of these steps in the offboarding ticket.
  • For terminations for cause, IT must be notified in advance and will immediately disable the employee's accounts, revoke remote access, and remove all active multi-factor authentication registrations and connected app permissions at the moment of termination.
Data and Account Preservation:
  • Prior to or concurrent with account disablement, IT must coordinate with the employee's supervisor and Human Resources to identify, transfer, and securely archive all ministry-related data, files, and communications.
  • The employee’s supervisor must clearly document the designation of the former employee’s mailbox (e.g., convert to shared mailbox, apply forwarding rule) as specified in the User Account Deletion Policy.
  • IT must apply any necessary legal or litigation holds to the former employee’s accounts and data as instructed by Leadership or Risk Management.
Return of Assets:
  • All IT assets must be returned to the IT department prior to the employee or volunteer’s final paycheck or termination. It is the joint responsibility of the department and Human Resources to collect and return these assets.
Department Notification Responsibility

Each department or ministry is responsible for notifying IT promptly of any staffing changes — including terminations, resignations, role changes, or extended leaves. Timely notification ensures access is adjusted before it becomes a security gap. Unused accounts may be deactivated to protect IBC's systems.

20

Account Removal

At a Glance
Accounts are disabled on the final day of employment and deleted within 30 days.
Former employee mailboxes are converted to shared mailboxes accessible to the departing employee's supervisor.
All active sessions and MFA registrations are revoked at time of account disablement.

To ensure the secure and compliant handling of user accounts, personal files, and mailbox access upon termination of employment at IBC.

Policy Statement:

Upon receiving notice from Human Resources regarding the termination of an employee, IT will take the following actions immediately:

  • The former employee's account will be immediately disabled to prevent login. At the same time, IT will end all active sign-in sessions and remove any connected app authorizations associated with the account.
  • Temporary File Access: The employee's supervisor will be given temporary access to the former employee's personal OneDrive files for 90 days from the date the account was disabled, so that any ministry-related files can be retrieved and moved to the appropriate shared folder.
  • Note: Per IBC policy, all IBC-related files should be stored in designated shared drives or folders (e.g., AO, EO, or other authorized locations). The personal My Drive should not be used for long-term storage of ministry-related documents.
  • The user's mailbox will be converted to a shared mailbox. Access to this shared mailbox will be granted exclusively to the supervisor for continued management of any remaining communications. Note: Shared mailboxes in Microsoft 365 do not require a separately assigned paid license as long as the mailbox remains under 50 GB. IT must release the user's previously assigned Microsoft 365 license back to the available license pool upon conversion to a shared mailbox to avoid unnecessary license costs.
  • Automated Response and Forwarding: An automated response will be set up on the former employee's email address to inform contacts of their departure and provide alternate contact information. The automated reply will read:

Thank you for contacting Idlewild Baptist Church. [Full Name] is no longer with Idlewild. Please direct any future correspondence to [Supervisor's Name] at [supervisor@idlewild.org]. This is an automated reply. For your convenience, this email has been automatically forwarded to [Supervisor's Name].

  • Supervisors and other authorized staff who are given access to a former employee's files or mailbox must handle all content according to IBC's data security and privacy standards. This includes properly deleting or archiving any files that are no longer needed.
21

Volunteer System Access

At a Glance
Volunteers receive the minimum access needed for their specific role — no more.
Volunteer access is reviewed regularly and revoked immediately when no longer needed.
Volunteers are subject to the same acceptable use and security rules as paid staff.

Idlewild Baptist Church’s mission requires the engagement of volunteers to multiply efforts in reaching others. Certain volunteer roles may necessitate access to corporate-level computer systems and information. This policy establishes guidelines for granting such access while addressing potential liabilities that could arise from providing system access.

Potential Liabilities of Granting Access

Granting access to corporate systems carries risks, which may include but are not limited to the following:

  • Misrepresentation: A volunteer could send an email under the church’s name that does not represent the church’s views.
  • Harassment: A volunteer might misuse information from the database to contact individuals for personal interest or gain.
  • Solicitation: A volunteer could obtain and use member lists for unauthorized solicitation.
  • Violation of Privacy: Sensitive information (e.g., phone numbers, email addresses, physical addresses) could be shared or made public without consent.
  • Data Loss: A volunteer with access to modify or delete files could cause accidental or intentional data loss.
Policy for System Access

Given the above liabilities, efforts should be made to avoid granting direct access to corporate systems. In most cases, ministries can provide volunteers with the necessary data (e.g., spreadsheets, reports) to perform tasks without giving them direct access to the database or systems. This approach keeps the ministry involved in the process and maintains oversight.

Granting Access When Required

When access is necessary, requests will be evaluated on a case-by-case basis. The following steps must be followed:

  • The request for access must be approved by the volunteer's immediate supervisor.
  • The supervisor will present the request to the Leadership Team (LT) for review and approval.
  • Members of the LT, representing IT and Data Management, will weigh the appropriateness of granting access.
  • A signed Computer Use Agreement must be obtained.
  • A Background Check must be completed. Volunteer Account Deactivation: When a volunteer's service concludes — whether by completion of a defined term, resignation, removal, or any other reason — the supervising ministry leader must notify the IT Department within 24 hours. The IT Department will promptly disable the volunteer's @idlewildvolunteer.org account, revoke all system credentials including the ChMS access, and remove the volunteer from any shared resources or distribution groups. Refer to the Offboarding Policy for complete procedures. No grace period is permitted; accounts must be deactivated before the volunteer's last active day when the end date is known in advance.
Email and Database Access for Volunteers
  • Volunteers who are granted access will receive an Idlewild email address with the domain @idlewildvolunteer.org to distinguish volunteers from staff. All @idlewildvolunteer.org accounts are subject to mandatory Multi-Factor Authentication (MFA). Volunteers must enroll in MFA before their account is activated. Access will not be enabled until MFA enrollment is confirmed by the IT Department.
  • Example:
  • Staff email: staffmember@idlewild.org
  • Volunteer email: volunteer@idlewild.org
  • Volunteers granted access to databases such as the ChMS will receive login credentials formatted as "VolunteerFirstInitialLastName".
  • Example: Volunteerdbolden
Handling Data Access for Volunteers

If a staff supervisor requires a volunteer to manipulate data (e.g., enhancing a report or contacting members), the supervisor (or designated employee with appropriate access) can export or print the required data and provide it to the volunteer. However, high-risk data should never be printed or exported from approved systems. For data sharing, the supervisor must use a secure, encrypted method, such as a time-restricted OneDrive link, to share the file with the volunteer's @idlewildvolunteer.org email address. The volunteer can work with the data without direct access to the database, ensuring that the original data remains protected. The use of unmanaged storage devices (e.g., personal flash drives) or personal email accounts to transfer church data to or from a volunteer is strictly prohibited.

Other alternatives for engaging volunteers with sensitive data include:

  • Read-Only Access: Volunteers can be given read-only access to specific data, folders, or databases as necessary.
  • When on-site and under direct supervision, volunteers who have been granted system access must use their own @idlewildvolunteer.org credentials to perform specific tasks (e.g., adding barcodes or notes). Volunteers who have not yet been granted individual credentials may perform tasks while the supervisor operates the workstation and remains present throughout the session. Credential sharing is strictly prohibited under any circumstance. The supervisor is responsible for ensuring appropriate use and remains accountable for all changes made during the supervised session.

Only volunteers who have completed the required processes outlined in this policy are eligible for any type of access.

Collaboration via Network or OneDrive

When collaborating on documents or projects via the network or OneDrive, volunteers should typically be given read-only access. Changes can be communicated to a staff member, who will apply the updates. The volunteer must use their assigned @idlewildvolunteer.org email address for all communication related to church data.

Access to Other Databases and Resources

Access to other databases or resources will be considered on an as-needed basis, following the same approval and supervision processes outlined in this policy.

Application Access Limitations

Volunteers granted access to Idlewild's systems must adhere to the Approving Third-Party Apps section of this policy. Volunteers may not independently authorize, install, or connect external applications or tools to Idlewild's systems without prior approval from the IT Department and Leadership Team. Volunteers are explicitly excluded from access to AI-powered productivity tools, including but not limited to Microsoft 365 Copilot, Copilot Chat, and any other generative AI tools integrated into Idlewild's Microsoft 365 environment. Volunteer accounts will not be licensed for or granted access to these tools. Any volunteer who circumvents this restriction or uses AI tools through another individual's credentials will be subject to immediate revocation of all access.

22

Vendors & Third-Party Services

At a Glance
All vendors with access to IBC data or systems must be assessed and approved before engagement.
Vendors are classified by risk tier — higher-risk vendors require more documentation and scrutiny.
Vendor access must be actively reviewed and renewed; it does not automatically continue.

This policy applies to all departments and personnel involved in selecting, procuring, managing, or renewing services from any external entity (vendor) that stores, transmits, or processes IBC's data, or connects to IBC's internal network.

Vendor Classification and Risk Tiers

All vendors must be categorized based on the sensitivity of the data they handle and the level of access they require:

Risk TierData Accessed/Access LevelDue Diligence Required
HighHandles High-Risk Data (PII, financial, PHI) or requires direct remote access to the IBC network.Mandatory written security questionnaire, annual review, contractual audit rights.
ModerateHandles Proprietary Church Data (non-sensitive), or provides SaaS applications integrated with IBC systems (e.g., Office 365, calendar apps).Review of vendor's SOC 2 or equivalent certification, data handling policy review.
LowHandles public information only (e.g., website hosting for public pages) or provides non-critical services (e.g., office supplies).Basic review of Terms of Service.

Handles High-Risk Data (PII, financial, PHI) or requires direct remote access to the IBC network; or is an AI/ML system or service (including generative AI, meeting transcription AI, or data-processing AI) that ingests, processes, or outputs any IBC member, staff, financial, or operational data. AI vendors at this tier must complete additional questionnaire items covering: data-training opt-out confirmation, model-access controls, platform data retention and deletion policies, and full sub-processor disclosure.

Pre-Contract Due Diligence (Mandatory Vetting)

Before any contract is signed or service is implemented, the requesting Department Head must initiate the following vetting process:

  • Risk Classification: The IT Department must formally assign a Risk Tier (High, Moderate, or Low) to the vendor.
  • Security Questionnaire (High/Moderate Risk): The vendor must complete a security questionnaire focused on their security controls, including MFA requirements for their staff, their incident response plan, and their data center security/residency.
  • Data Location Vetting: The vendor must disclose the geographic location where IBC data will be stored (data residency). Storage outside of the United States requires explicit approval from the Leadership Team and Risk Management.
  • All contracts must include a mandatory clause requiring the vendor to notify IBC immediately (within 24 hours) of any data breach or security incident involving IBC data. Note: IBC itself may face a separate 30-day obligation to notify the Florida Attorney General and affected individuals under the Florida Information Protection Act (Fla. Stat. § 501.171). The Leadership Team and Risk Management are responsible for assessing and executing IBC's own notification obligations following any vendor-reported incident.
Contractual Security Requirements

All agreements with Moderate and High-Risk vendors must enforce the following security mandates:

  • MFA Mandate: Any vendor personnel requiring access to IBC systems (e.g., for support) must use Multi-Factor Authentication (MFA).
  • Audit Rights: IBC reserves the right to request proof of security compliance (e.g., SOC 2 report) or request an audit of the vendor's controls at any time.
  • Data Disposal: The contract must specify that the vendor will securely dispose of all IBC data upon contract termination, as defined in IBC's Data Retention and Secure Disposal Policy.
Ongoing Monitoring and Termination
  • Vendor Register: The IT Department will maintain and quarterly-reconcile a Vendor Register listing all approved third-party vendors. The register must document: vendor name and primary service, assigned risk tier, contract expiration date, date of last security review, data types accessed or processed, and the name of the IBC department owner. The register will be reviewed by the Leadership Team annually as part of the annual compliance audit.
  • Annual Reassessment (High Risk): High-Risk vendors must undergo a full security reassessment annually to ensure controls remain adequate and aligned with current cyber threats.
  • Change Monitoring: The requesting department must notify the IT Department immediately if the vendor's service changes (e.g., if they plan to integrate a new third party or change the data location).
  • Breach/Incident: If a vendor suffers a security incident, the IT Department will immediately revoke all network access and coordinate with the vendor's incident response team, as outlined in the Responding to Security Incidents section of this policy.
  • Vendor Offboarding: When a vendor contract ends or is terminated, the requesting department must notify the IT Department at least five (5) business days before the planned end date. IT will revoke all vendor credentials, API keys, OAuth authorizations, and network access within one (1) business day of contract end. IT will confirm secure disposal of all IBC data in writing from the vendor, consistent with the Data Retention & Secure Disposal section of this policy, and update the Vendor Register accordingly.
23

Responding to Security Incidents

At a Glance
Report any suspected security incident to IT immediately at it@idlewild.org — do not wait.
If you suspect an incident, contact IT right away — let the IT team handle investigation and containment.
IT will classify the incident, communicate to leadership, and coordinate the response.

This policy defines how IBC identifies, reports, and responds to security incidents — including data breaches, account compromises, ransomware, and other threats to church systems or data.

This policy applies to all IBC-owned systems, software, data, and communication platforms, as well as to any individual (staff, volunteer, contractor) who accesses or manages these systems.

Policy Ownership
  • Owner: Information Technology Department
  • Review Frequency: Annually or following a major incident
Incident Classification & Severity Levels

Incidents will be categorized by severity to guide appropriate response and escalation:

SeverityDescriptionExamplesResponse Time
LowNo immediate operational impact.Spam emails, minor login issue, low-risk malware flagged but blocked.Within 1 business day
ModeratePotential impact to user data, systems, or operations.Account compromise, phishing click, data access by unauthorized volunteer.Within 4 hours
HighSignificant impact to multiple users, critical data, or public reputation.Ransomware, data breach, mass phishing attack, unauthorized financial access, repeated, unsolicited Multi-Factor Authentication (MFA) requests (MFA Fatigue Attack) reported by a user, or any known session hijacking event.Immediate – escalate to LT

Ransomware Immediate Response Steps: (1) Disconnect the affected device(s) from the network immediately — do not power off, as volatile memory may contain forensic evidence. (2) Do not pay any ransom demand without explicit approval from the Leadership Team and legal counsel. (3) Report to the FBI Internet Crime Complaint Center (IC3) at ic3.gov and notify CISA at 1-888-282-0870. (4) Contact the IT Department to assess restore points from IBC's cloud backup solution and begin recovery planning. (5) Follow the full Incident Response procedure immediately.

Incident Response Procedure
Detection
  • Incidents may be detected via security software, user reports, audits, or third-party alerts.
  • Suspicious activity should be reported immediately to the IT Department via the SharePoint Help Desk, by email at it@idlewild.org, or by phone at 813-264-8720. After business hours, call 813-264-8720 directly. Do not attempt to self-remediate or conceal the incident.
Reporting
  • All personnel are required to report suspected or confirmed incidents — even if they were involved.
  • Anonymous reporting can be made through the HR or Risk Management office when applicable.
Initial Response
  • IT will assess the nature and severity of the incident.
  • High-severity events will be escalated immediately to the appropriate Leadership Team (LT) members and Risk Management.
Containment
  • Affected accounts, systems, or devices will be isolated to prevent further damage.
  • Temporary access restrictions may be put in place.
Investigation
  • IT will document all findings, log reviews, and user activity tied to the event.
  • IT will determine what external notifications — including regulatory, legal, or notifications to affected individuals — are required. Under Florida law, if personal information is breached, affected individuals must be notified within 30 days of discovery.
Remediation
  • Restore impacted systems and data from backups.
  • Patch vulnerabilities, reset credentials, and notify affected individuals if required.
Post-Incident Review
  • Conduct a formal review for all moderate/high severity incidents.
  • Document root cause, timeline, decisions, and lessons learned.
  • Adjust policies, training, or infrastructure as needed.
  • Documentation: For all Moderate and High severity incidents, IT must complete a written Incident Report within five business days of closure. The report must document what happened, how it was handled, what data or systems were affected, and what steps are being taken to prevent recurrence.
Contingency Planning

In the event of a critical system failure, disaster, or extended outage, IBC will activate contingency plans to maintain operations:

Core Objectives
  • Minimize downtime for critical ministry and business operations.
  • Protect sensitive data from loss or compromise.
  • Maintain communication with staff and congregation.
Critical Systems

Contingency plans apply to the following:

  • Microsoft 365 (Outlook, OneDrive, Teams)
  • Church Database (the ChMS)
  • Contribution & Financial Systems (PushPay, IBC's financial system)
  • Public Communication Platforms (Subsplash, Website, Mobile App)
  • Facilities & Security Systems
Backup and Recovery
  • Daily backups of OneDrive-based ministry folders.
  • Cloud-based systems (Microsoft 365, IBC's financial system, PushPay, the ChMS) have vendor-managed failover and disaster recovery capabilities.
  • Local infrastructure backups are managed by IT using IBC's cloud backup system.
Communication Failures
  • If Microsoft 365 becomes unavailable:
  • Emergency messages will be sent via church app push notifications, SMS (Powered by Text), and/or social media.
  • A communication plan is maintained and reviewed quarterly by Communications and IT.
Data Breach or AI Failure

In the event of an AI system malfunction or bot miscommunication:

  • Disable or isolate the AI service immediately.
  • Notify Communications and Leadership Team for message correction and member notification.
  • Review what the AI produced for theological or factual errors, and correct any communications that went out. If the AI incident involves potential exposure of member or staff data, immediately escalate to a full security incident response as described in this section.
Training & Awareness
  • Incident response protocols will be included in annual cybersecurity training.
  • Key ministries (Finance, Communications, HR) will receive additional guidance on breach scenarios relevant to their area.
Enforcement
  • Failure to report an incident or comply with containment actions may result in disciplinary action.
Lost or Stolen Devices

If a device that has access to IBC systems or data is lost or stolen, report it to IT immediately. This allows IT to remotely remove IBC-managed apps, change account credentials, or disable access to prevent unauthorized use of church data.

Upon device loss, theft, or termination of employment, IBC reserves the right to remotely remove IBC-managed apps and their associated data from the device. Note: only IBC-managed app data is affected — personal photos, contacts, and files are not touched.

24

Artificial Intelligence (AI) Use Policy

Our Foundation: Technology Serves Ministry

At a Glance
AI is a ministry tool — it assists and accelerates but never replaces human judgment or spiritual discernment.
Every AI output must be reviewed and approved by a human before it is acted upon, sent, or shared.
Contact IT before making any new AI tool a regular part of your ministry workflow.

Artificial Intelligence (AI) is a tool - one we are called to steward wisely. It exists to serve ministry, not define it, replace it, or control it. We use it with discernment, transparency, and responsibility, knowing that no tool can replicate the wisdom born of prayer, the presence of a caring shepherd, or the Spirit-led insight that flows from a life of faith.

Above all, technology must serve the mission of the church and never compromise the people we shepherd.

Human Discernment & Spiritual Formation

AI may assist and accelerate, but human judgment is the governing framework - not an optional layer. Every AI output must pass through the mind, conscience, and calling of the person responsible for it. No tool can replicate Spirit-led wisdom, the presence of a caring shepherd, or the formation that happens when a pastor wrestles with Scripture in prayer.

Before acting on any AI output, ask yourself three questions:

  • Is this output accurate, faithful, and something I am prepared to own fully?
  • Am I using my Idlewild-provisioned account? If not, anonymize any sensitive data before entering it.
  • Does this involve pastoral counseling, legal matters, medical information, or data about minors? If yes - anonymize before entering on any platform. See Section 3.

Exercise particular care when using AI for sermon preparation, prayer and devotional writing, Bible study and curriculum development, and pastoral correspondence. In these areas, the process of preparation is itself formative - lean on AI to support your work, not to replace the prayerful engagement those tasks require.

A human must review and approve every AI output before it is acted upon, sent, or shared. The person is always accountable; the tool is never a substitute for that accountability.

Approved Platforms & Data Protection

At a Glance
IBC provisions four AI platforms: Microsoft Copilot, Google Gemini, Claude, and ChatGPT.
Always use your Idlewild-provisioned account — free/consumer versions do not carry data protections.
To access a provisioned account, get department approval and submit an IT ticket.

The same brand of AI tool can offer very different levels of data protection depending on the plan. Free and consumer-grade versions typically do not meet the privacy standards required for confidential ministry work.

Our Approved Platforms with Organizational Data Protections

Idlewild currently maintains the following centrally provisioned AI accounts:

PlatformCostNotes
Microsoft CopilotIncluded with M365 (basic) $31.50 / user / month (full)Full version adds deep integration with Word, Outlook, Teams, and other M365 apps. Most staff have the basic version already.
Google GeminiFreeIncluded with NFP* Workspace — organizational data protections apply.
Claude$8 / user / monthA provisioned nonprofit account is required — the free version lacks organizational data protections, so always use your IBC-provisioned account.
ChatGPT$8 / user / monthA provisioned nonprofit account is required — the free version lacks organizational data protections, so always use your IBC-provisioned account.
* NFP = Not-for-Profit. These are specially priced plans offered by AI providers to qualifying nonprofit organizations, and include organizational data protections not available on free or consumer plans.

Central provisioning keeps access controlled, accounts properly secured, and usage visible to leadership—while allowing the church to leverage NFP pricing and avoid redundant or ungoverned tools. These four platforms represent our approved general-purpose AI assistants. Specialized AI tools—such as those used for graphic design, video production, or website creation—may still be used by following the process in Sections 4 and 5. To access one of these provisioned accounts, get your department’s approval and submit an IT ticket.

Data Protection & Platform Practices

All four Idlewild-provisioned accounts operate under organizational or nonprofit terms that include one critical protection: your data is not used to train the AI model. This means routine operational tasks - sorting a member list, drafting a communication, organizing event data - can be done on these platforms without anonymizing the data first, as long as you are using your provisioned account.

Practical habits for all four platforms:

Use your Idlewild-provisioned account for confidential work. Your provisioned account operates under organizational terms that protect your data and the people it belongs to.

Review memory and history settings. Platforms retain conversation history by default - clear it regularly, and immediately after sensitive sessions. “Memory” features that persist across sessions are not appropriate for pastoral or confidential work.

Anonymization applies to uploaded files too. Any file you upload exposes all its contents to the model, even if your question is unrelated. On your provisioned account, uploading a member list or staff roster for an operational task is acceptable. Do not upload private/confidential data on unapproved platforms (only accounts provisioned by IT are acceptable for such data).

Be cautious with plugins and integrations. Third-party plugins and connected apps may have entirely different data terms than the base platform. Any integration with church systems requires Tier 3 approval (i.e. the ChMS, Powered By Text, Slack, Microsoft Office, etc.)

Name conversations carefully. Conversation titles and project names can appear in admin logs. Avoid naming sessions in ways that identify individuals (e.g., “Counseling situation - John Smith”).

The protection level depends on the plan, not just the brand. Always use your Idlewild-provisioned account when handling any church-related work that involves data.

Handling Sensitive Information

At a Glance
Pastoral, legal, HR, donor, and minor-related data must be anonymized before entering any AI platform.
On provisioned accounts, routine operational member data is permitted without anonymization.
When in doubt: remove names and specifics, keep the task. The AI does not need to know who.

Not all sensitive information requires the same level of caution - and the right standard depends on which account you are using. Your Idlewild-provisioned accounts do not use your data for training, which makes routine operational use of member and staff data appropriate. However, some categories of information carry legal, pastoral, or ethical weight that goes beyond technical security, and those require anonymization regardless of platform.

Handle with Care - When Possible, Anonymize Before You Enter

Some information carries weight that goes beyond data security — it belongs to people who entrusted us with it. Before entering any of the following into an AI platform, remove names, identifying details, and specifics where/when possible. The AI doesn’t need to know who to help you work well.

Pastoral counseling content, prayer requests, and sensitive personal disclosures — remove names and identifying details before entering

Legal correspondence or anything subject to attorney-client privilege (sharing with a third party, including AI, can waive this privilege)

Staff HR data, compensation details, and performance or disciplinary matters

Donor giving records, financial commitments, and payment details

Medical, mental health, or health-related information about any individual

Information about minors in pastoral, behavioral, or sensitive contexts (see Section 7)

The pattern is simple: remove names and specifics, keep the task. The AI doesn’t need to know who to help you work well.

SituationInstead of…Enter as…
Pastoral counseling“John Smith came in struggling with his marriage after his wife Sarah discovered he had been lying about finances…”“A congregant came in struggling with his marriage after his spouse discovered financial dishonesty…”
HR matter“Review this PIP for David Jones, Children’s Ministry Director, hired March 2021…”“Review this performance improvement plan for a ministry director with 3 years of tenure…”
Prayer request“Please help me draft a prayer for the Williams family — Tom has stage 3 cancer and their daughter just entered rehab…”“Please help me draft a prayer for a family facing a serious illness and a loved one in recovery…”

If you need to upload a file or work with data containing sensitive data to complete a task, save any output in a secure location and clear the conversation from the platform when you’re done. Only IT provisioned accounts should be used when dealing with sensitive information.

Operational Data on Provisioned Accounts

On your Idlewild-provisioned accounts, routine operational use of member and staff data is permitted. Examples of tasks that do not require anonymization when using a provisioned account include sorting or grouping member lists, drafting communications that reference staff by name, organizing event attendance data, or working with giving summaries for stewardship planning. The provisioned account protections mean this data is not exposed for training or used beyond your session.

Tiered Use Model

At a Glance
Tier 1: Creative and non-confidential work — explore freely and share what works.
Tier 2: Confidential work — use provisioned accounts, anonymize when needed, clear history when done.
Tier 3: System integrations, automation, public-facing tools — require IT and LT approval before proceeding.

To keep expectations clear and practical, AI use at Idlewild falls into three tiers. Most staff will operate primarily in Tiers 1 and 2.

Tier 1 - Creative & Non-Confidential Use

We want to encourage creative and productive use of AI across the church. Use AI freely for brainstorming, drafting, research, creative work, and productivity tasks - provided no personal or identifying information is shared. Explore, experiment, and bring others along.

Share useful tools and creative wins with your direct LT member so other ministries can benefit

Tier 2 - Confidential Use - Discernment & Anonymization

Work involving sensitive pastoral, legal, medical, or minor-related information may or may not require anonymization before entering any platform. For routine operational data on provisioned accounts, anonymization is not required, but heightened discernment is. Use the approved tool best suited to the task; protect the people behind the data and clear your history when complete.

For pastoral, legal, medical, private, and minor-related content: use discernment and anonymize data when applicable before you enter information on any approved platform. If not anonymized, clear output immediately after use.

Tier 3 - Leadership Review & Approval Required

Some AI applications carry enough risk or complexity to require IT and LT approval before moving forward.

Tier 3 approval is required before:

  • Building AI-powered apps that collect or store personal data
  • Integrating AI tools with church systems or databases
  • Automating communications or decision-making processes
  • Deploying any public-facing AI tool on behalf of the church
  • Acquiring new AI platform licenses or subscriptions
  • Approval is requested through a simple request that captures what the tool is, why it’s needed, how it will be used and by whom, what data it touches, and who is responsible for ongoing oversight.

Introducing New AI Tools

At a Glance
Found a promising tool? Share it with your LT Member and IT before making it part of your workflow.
Tools not touching confidential data require just a quick conversation.
Tools involving data, system integration, or automation follow the Tier 3 approval process.

We want to hear about tools that could benefit ministry - and we want that conversation to be easy, not bureaucratic. When you discover an AI tool that excites you, here’s the path forward:

  • Share it your LT Member and IT before making it a regular part of your workflow
  • Share what is it, what does, what are the risks, and what does it cost
  • For tools that don’t touch confidential data, the conversation is usually quick
  • For tools that involve data, system integration, or automation, follow the Tier 3 process
  • Don’t go it alone - sharing what works helps the whole church benefit
  • If it doesn’t touch confidential data and it serves the mission - explore it, share it, and bring others along.

Responsible Use Standards

At a Glance
You own every AI output — the tool generates, but you are always accountable for the result.
AI-generated likenesses of real people require their express consent before creation or distribution.
Recording or transcription must be disclosed to all participants at the start — no exceptions.

Human Accountability

Using AI does not transfer moral, theological, legal, or pastoral responsibility to the tool. Every person who uses AI shares the responsibility to use it ethically and wisely. AI is a tool we wield in service of Christ - human discernment is always the governing layer, never an afterthought.

Ask of every output: Is this glorifying to God? Does it reflect the character of Christ and the mission of this church?

All AI-generated content must be reviewed and approved by a human before it is acted upon, sent, or distributed - without exception.

Users are responsible for how they prompt, interpret, and apply AI outputs. The tool generates; the person owns the result.

Final decisions must always be made by a human operating under church leadership authority.

Ministry leaders are responsible for understanding the tools in active use within their areas.

AI-Generated Images & Likenesses

AI image generation raises real risks around dignity, consent, and representation.

AI-generated images, likenesses, or voice reproductions of staff, volunteers, or members may not be created, altered, or distributed without the express consent of the individual

This includes realistic images, caricatures, or any representation that could be associated with a real person

Posting AI-generated likenesses on social media or any public platform - whether depicting church personnel or created on behalf of the church - requires approval

AI tools may not be used to create content that misrepresents a person’s appearance, words, or actions

Making Comments/Commitments on Behalf of Others

Without explicit authorization, AI may not be used to produce any output (visual, audible or written) that binds another party to a commitment or project without their knowledge or consent.

Recording, Transcription & Consent

AI-enabled recording or transcription tools must be used with full transparency. Meetings or conversations may not be recorded or transcribed without clear disclosure at the beginning, notification to all participants, and appropriate consent. Special care must be taken when minors are present or sensitive matters are discussed.

When in doubt, do not record. Secret recordings, undisclosed monitoring, or use of AI in ways that compromise privacy are never permitted.

Legal & Copyright Integrity

AI must not be used in ways that violate copyright, licensing agreements, intellectual property rights, or applicable law. Users are responsible for ensuring that AI-generated materials - including images, text, and audio - are legally and ethically appropriate before use or distribution.

Minors & Children’s Ministry

Children and students deserve the strongest possible protection. Federal law (COPPA) and Florida state law impose strict limits on collecting or processing minors’ data - limits that apply fully to AI tools.

Routine operational uses involving minors - such as grouping students by age, drafting class schedules, or preparing curriculum - may be done on provisioned accounts with appropriate discretion. Behavioral notes, pastoral conversations, disciplinary matters, photos, and sensitive personal details about minors must be anonymized before use on any platform. COPPA prohibits collecting or processing personal data of children under 13 without verifiable parental consent; comply with this regardless of platform or task.

AI tools used in children’s or student programming – such as curriculum generation, check-in automation, or communications drafting – must be reviewed and approved through the Tier 3 process before deployment, regardless of whether they appear to handle personal data.

AI-generated images, video, or audio depicting minors are prohibited without exception. This includes realistic depictions, illustrated representations, and any content that could be associated with a specific child or student.

When in doubt about any situation involving a minor, skip AI entirely. Protecting the child always comes first.

Legal Compliance & What’s at Stake

The guardrails in this policy are not simply good practice — several of them reflect legal obligations that apply to Idlewild as a church and employer. AI does not exist outside the law. When we enter data into an AI platform, the same privacy, consent, and confidentiality obligations follow. This section summarizes the key legal frameworks staff should be aware of. It is not legal advice; when specific legal questions arise, bring them to church leadership.

COPPA — Children’s Online Privacy Protection Act

Federal law prohibits collecting or processing personal data of children under 13 without verifiable parental consent. This applies fully to AI platforms — entering a child’s name, photo, behavioral notes, or pastoral details into any AI tool without consent is a federal violation. Idlewild’s children’s and student ministries must treat AI tools with the same care as any other digital platform that handles minors’ data. See Section 7 for full guidance.

Florida Data Breach Notification Law — Fla. Stat. § 501.171

Florida law requires any organization that experiences a breach of personal information to notify affected individuals within 30 days of discovery. This obligation extends to data inadvertently entered into AI platforms. If a staff member enters member, staff, or donor data into an unsecured or unapproved platform — or if a provisioned account is compromised — Idlewild may be legally required to notify those individuals and potentially the Florida Attorney General. This is why incident reporting (Section 11) is treated as non-negotiable.

Attorney-Client Privilege

Communications between Idlewild and its legal counsel are protected by attorney-client privilege — a legal protection that can be permanently waived by sharing that content with a third party. AI platforms, including our provisioned accounts, are considered third parties for this purpose. Entering legal correspondence, attorney advice, or litigation-related content into any AI platform risks waiving that protection and exposing the church in any related legal proceeding. When in doubt, keep legal matters out of AI entirely and consult with church leadership first.

Copyright & Intellectual Property

AI-generated content — including text, images, and audio — may incorporate copyrighted material or carry its own licensing restrictions. Staff are responsible for ensuring that AI-assisted work used in ministry, published on behalf of the church, or distributed publicly complies with applicable copyright law. Do not reproduce song lyrics, sermon material, or published works through AI without appropriate licensing. When producing content for public use, apply the same copyright diligence you would to any other church communication.

Employment & HR Data

Staff HR data — including compensation, performance reviews, disciplinary records, and personal employment details — is subject to confidentiality obligations under employment law and Idlewild’s own policies. Entering this data into an AI platform without anonymization, even on a provisioned account, creates unnecessary exposure. HR matters should be handled with the same discretion in AI tools as in any other written or digital form.

The law does not have an AI exception. When we handle people’s data — members, staff, donors, or children — we carry both a legal and a pastoral obligation to protect it. If a situation arises that this policy does not clearly address, bring it to IT or your LT member before proceeding.

Vendor & Embedded AI

At a Glance
AI embedded in Planning Center, Pushpay, and M365 is subject to the same data standards.
The tool being familiar does not change what data should enter it.
New embedded AI features in vendor products should be reviewed with IT.

AI is increasingly embedded into tools our church already uses - Planning Center, Pushpay, Microsoft 365, and others are actively adding AI features. Staff may encounter these without realizing it. The same rules apply regardless of where the AI appears.

The same data protection standards that apply to our approved platforms apply to AI features embedded in any vendor product. The tool being familiar does not change the rules that govern what data enters it.

When a vendor introduces new AI features in a product Idlewild uses, the same data care standards apply. If a feature raises questions about sensitive data, bring it to IT.

Data Retention & Deletion

At a Glance
Clear AI conversation history at least monthly — immediately after any sensitive session.
Disable persistent "memory" features for any account used in Tier 2 or Tier 3 work.
Staff AI accounts must be deprovisioned within 24 hours of departure from IBC.

Florida law (Fla. Stat. § 501.171) requires personal information to be disposed of securely - an obligation that extends to data entered into AI platforms. Staff share responsibility for managing what they submit and how long it persists.

Conversation history in all approved AI platforms should be reviewed and cleared at least monthly, and immediately following any session involving sensitive, pastoral, or confidential topics.

“Memory” and persistent context features - where a platform retains information across sessions - must be disabled for any account used in Tier 2 or Tier 3 work. IT will verify this as part of account provisioning.

When a staff member separates from Idlewild, their AI platform accounts must be deprovisioned within 24 hours and any shared conversation history reviewed by IT before account closure.

Incident Response

At a Glance
If confidential data enters an unsecured or compromised platform, stop immediately and notify IT same day.
Florida law requires notifying affected individuals within 30 days of a confirmed breach.
Never handle an AI data incident quietly — reporting protects the individual and the Church.

If IBC data is compromised through an AI platform, follow the incident response procedures in Section 23 — Responding to Security Incidents. Florida's data breach law requires prompt notification of affected individuals.

Stop using the platform immediately and do not attempt to delete the conversation independently - deletion may complicate any required documentation.

Notify IT and your direct LT member as soon as possible - same day if possible.

IT will document what was exposed, assess the scope, and determine whether legal counsel or external notification is required under Florida law.

No incident should be handled quietly or informally. Reporting is an act of protection - for the individual whose data was exposed and for the church.

Reporting an incident is never the wrong move. Silence is the only thing that makes it worse.

Volunteers, Contractors & Extended Team

At a Glance
Volunteers and contractors handling church data follow the same AI standards as paid staff.
Ministry leaders are responsible for communicating these expectations to their volunteer teams.

Volunteers, contractors, and ministry partners often handle the same information as paid staff. This policy extends to them.

Volunteers who regularly access member data, financial information, or pastoral records in the course of their ministry role are expected to follow the same standards as staff under this policy. Ministry leaders are responsible for communicating these expectations to their volunteer teams.

Contractors and vendors who perform work on behalf of Idlewild using church-provided data may not use AI tools to process that data without prior approval from IT.

Volunteers and contractors do not receive Idlewild-provisioned AI accounts unless specifically authorized by IT. When working with church data, the same standards in this policy apply.

Ongoing Discernment

At a Glance
This policy is reviewed annually as AI technology continues to evolve.
When a situation is not clearly addressed here, bring it to IT or your LT member before proceeding.
Every question raised helps strengthen this policy.

AI technology continues to evolve rapidly. Church leadership will review this policy annually and update it as tools, risks, and best practices develop. We approach this with hope and humility - eager to use what serves the mission well, and wise enough to protect what no tool should ever touch.

When a situation arises that this policy does not clearly address, bring it to IT or your LT member rather than proceeding alone. Every question raised helps make this policy stronger. Questions about specific tools are always welcome.

Guiding Principles

As people of faith using AI in service of the Gospel, we commit to:

  • Discern carefully - bringing thoughtful judgment to every AI output before acting on it.
  • Own our choices - embracing full responsibility for how we use, apply, and share AI-assisted work.
  • Choose wisely - valuing depth and formation over speed and knowing when not to use a tool at all.
  • Serve people - letting the dignity, privacy, and wellbeing of those we shepherd guide every decision.
  • Honor Christ - asking of every output, “Is this glorifying to God?” before we act on it, send it, or let it represent us.
  • This policy will be reviewed annually by IT and church leadership.
  • Questions? Contact IT or your LT member.