I trust you’re all well. I’m new here and I’m getting ready to take up the IT Director role at my church. Been wondering and searching the Internet, but haven’t really found an answer to this question.
Are Church IT Departments subject to any regulatory compliance? If so, what are they?
Your assistance in this matter would be greatly appreciated, thanks all.
This could vary state by state and by country, but generally no compliance requirements specific to church.
That being said you could fall under PCI compliance if your church accepts credit cards. You could also fall under GDPR compliance for EU citizens *even in the US.
In general my goal is to be at least at industry standards such as IS OR 27000 or NIST.
Additionally- again depending on local, state, and federal regulations - you may have regulatory issues related to HIPAA Privacy and Security if your church provides clinical counseling (as opposed to just pastoral counseling) and/or if you happen to self-insure. And while there may not be a specific regulatory requirement, failure to provide appropriate security and privacy controls can result in a significant loss of confidence across your membership if there is a data or privacy breach. Privacy and confidentiality are an expectation these days, not an option. That being said, you want your IT controls to be accepted and adopted as more “lifeguard at the beach” rather than “warden at the penitentiary”… Communicate openly and consistently throughout the year across all ministry areas as to why controls are necessary to protect your ministry. And don’t forget to monitor for compliance and remediation/re-education opportunities once controls are implemented.