Enablers Association Information Security Policy

Version: 1.0
Effective Date: 1January 2026
Approved by: Enablers Mission Circle
Questions? [email protected]

Why This Policy Exists

When we work with clients, we handle information about their people – names, roles, performance feedback, coaching notes. Our clients trust us to keep this information safe. This policy explains the simple security practices all members must follow to protect client information.

This is not complicated. We’re not asking you to become IT experts. We’re asking you to follow basic professional practices that protect our clients and our reputation.

Who This Applies To

This policy applies to all Active Members and Associates when working on Association client projects.

Seven Simple Security Rules

Rule 1: Use Secure Tools for Client Work

For email:

Use your Enablers Google Workspace email when you have one
If using your own email, use a professional provider (Gmail, Outlook, ProtonMail)
These providers automatically encrypt emails in transit – no extra steps needed

For file sharing:

Official project documents: Use Google Drive (our shared workspace)
Large files: Google Drive or Dropbox are fine
Participant information: Never use WeTransfer or email attachments
Why: WeTransfer and email attachments are not secure enough for personal data

For documents:

Microsoft Office (Word, Excel, PowerPoint) and Google Docs are both fine
Save official project documents to the Google Drive shared folders

Rule 2: Protect Documents with Participant Information

If a document contains participant names, feedback, or personal information:

In Microsoft Office (Word/Excel/PowerPoint):

Click File → Info → Protect Document → Encrypt with Password
Choose a strong password (8+ characters, mix letters and numbers)
Share the password separately (phone call or separate message, never in same email as file)

In Google Docs:

Don’t put participant names in Google Docs titles
Use Google Drive sharing controls (only share with people who need access)
If sending outside Google Drive, download as Word and password-protect it

Examples of what needs protection:

Workshop feedback with names
Coaching session notes
Team assessment results
Participant contact lists
Any document that could identify someone

Rule 3: Lock Your Laptop

When you leave your laptop (even for 5 minutes):

Mac: Press Control + Command + Q or close the lid
Windows: Press Windows key + L or close the lid

Set automatic lock:

Mac: System Preferences → Security & Privacy → Set to lock after 10 minutes
Windows: Settings → Accounts → Sign-in options → Set screen timeout to 10 minutes

Why: If your laptop is unlocked at a coffee shop or client site, anyone can see client information.

Rule 4: Don’t Work on Sensitive Information in Public

When in coffee shops, trains, planes, co-working spaces:

Don’t open documents with participant names or feedback
Don’t have coaching calls where others can hear
Don’t leave papers with participant information on tables
Be aware of people looking over your shoulder

At client sites:

Follow the same rules
Don’t leave documents in meeting rooms
Log out of client computers when finished

At home: You’re fine to work on sensitive information (it’s private)

Rule 5: Use Your Work Devices, Be Careful with Personal Ones

Your company laptop: Use this for all client work (preferred)

Personal devices:

Try to avoid using personal phones/tablets for participant information
If you must use WhatsApp for quick coordination: No participant names, just logistics
Never forward participant information to personal email

Why: Company devices are easier to manage if something goes wrong (lost/stolen)

Rule 6: Delete Project Information When Done

Within 30 days of project completion:

Delete from your laptop:
- Coaching notes with participant names
- Workshop feedback documents
- Any emails with participant information
Keep on Google Drive (official records):
- Final reports (if needed for Association records)
- Contracts and invoices
- These are stored securely in our shared workspace
What you can keep forever:
- Anonymous insights (remove all names first)
- General learnings from the project
- Your own professional development notes (without client specifics)

How to delete properly:

Empty your Trash/Recycle Bin after deleting files
Delete emails from Trash folder too

Rule 7: Keep Your Laptop Updated

Every month (or when prompted):

Install system updates for your Mac or Windows computer
Update Microsoft Office when prompted
Update your web browser (Chrome, Safari, Edge)

Why: Updates fix security problems. This takes 10-15 minutes per month and keeps you safe.

What to Do If Something Goes Wrong

If any of these happen, contact [email protected] within 24 hours:

Lost or stolen laptop/phone with client information
Accidentally sent participant information to wrong person
Accidentally shared document with wrong people
Client information was accessed by someone unauthorized
Suspicious emails that might be phishing attempts
Any other situation where client information might be at risk

Don’t panic. These things happen. We need to know quickly so we can:

Notify the client
Take steps to minimize problems
Learn how to prevent it next time

What happens next:

We’ll help you figure out what to do
We’ll notify the client if needed
No blame, just learning

Annual Security Check

Once per year (around January):

Make sure you’ve deleted old project information (Rule 6)
Verify your laptop lock is set to 10 minutes (Rule 3)
Update your laptop fully (Rule 7)
Confirm you still have a secure email account (Rule 1)

You’ll receive a reminder email from [email protected].

Getting Help

Questions about this policy? [email protected]

Common questions:

Q: I’m not technical. Can I still follow this?
A: Yes! These are simple steps. If you can lock your laptop and password-protect a Word document, you’re good. If you need help, just ask.

Q: What if I already sent participant info by email before reading this?
A: Going forward, use the secure methods. You’re not in trouble for past practices.

Q: Can I use WhatsApp for client project coordination?
A: Yes, for logistics (meeting times, locations, general updates). But no participant names or feedback.

Q: Do I need antivirus software?
A: Mac computers have built-in protection. Windows 10/11 has Windows Defender built in. This is sufficient. Don’t pay for extra antivirus unless you want to.

Q: What if the client has their own security requirements?
A: Follow their requirements if they’re stricter than ours. Let us know if they create problems.

Q: I work from client sites a lot. Any special rules?
A: Follow their security rules. Don’t connect to their networks with personal devices. Don’t leave documents in their offices.

Summary: The Basics

If you remember nothing else, remember these three things:

Password-protect documents with participant names
Lock your laptop when you leave it
Delete participant information within 30 days of project completion

Do these three things and you’re 90% compliant.

Acknowledgment: I have read and understood the Information Security Policy and agree to follow it when working on Association client projects.

Member Name:           ________________________
Signature:                    ________________________
Date:                           ________________________

APPENDIX A: Incident Response Procedure

What Counts as a Security Incident?

A security incident is any situation where client information might be accessed by someone who shouldn’t have it, or where we can’t protect it properly.

Common incidents:

Lost or stolen laptop, phone, or USB drive with client information
Sent email or document to wrong person (contains participant names/feedback)
Accidentally shared Google Drive folder with wrong people
Left papers with participant information somewhere
Laptop left unlocked and someone looked at client files
Suspicious email that you clicked on (phishing attempt)
Ransomware or malware infection on your laptop
Former member still has access to client information they shouldn’t

NOT incidents (don’t worry about these):

General spam emails that you didn’t click
Slow computer
Forgotten password (you can reset it)
Can’t access Google Drive (technical problem, not security)

What to Do (Step by Step)

Step 1: Stop and Contain (Immediately)

If laptop/phone is lost or stolen:

Change your passwords immediately (email, Google Drive)
Contact [email protected] right away
If you have Find My Device enabled, use it to lock/wipe device

If you sent something to wrong person:

Try to recall the email (Outlook) or delete from Google Drive
Contact the person who received it: “Please delete without opening”
Don’t send a corrective email explaining what was in it (makes it worse)

If someone accessed your unlocked laptop:

Log out immediately
Change your passwords
Note what was visible on screen when they accessed it

If suspicious email/malware:

Disconnect from internet (unplug ethernet, turn off WiFi)
Don’t click anything else
Take photo of screen with your phone (shows what happened)

Step 2: Report (Within 24 Hours)

Send email to: [email protected]

Subject line: Security Incident – [Your Name] – [Date]

Include in email:

What happened: Brief description (2-3 sentences)
When: Date and approximate time
What information was involved: Which client? Which participants? What type of information?
Who might have accessed it: Wrong person’s name/email, unknown (if stolen), etc.
What you’ve done so far: Steps you took to contain it
Your contact info: Phone number for follow-up

Example:

Subject: Security Incident – Jane Smith – 23 Dec 2025

What happened: I left my laptop unlocked in a coffee shop for 5 minutes.

When I returned, someone was looking at my screen.

When: Today (Dec 23) around 2pm

Information involved: Client ABC project. Had a Word document open with

workshop feedback from 15 participants (names and comments).

Who accessed: Unknown person at the coffee shop, only saw them from behind

What I’ve done: Closed laptop, changed passwords, left the location

Contact: +41 79 123 4567

Step 3: Follow Instructions from Compliance Contact

You’ll hear back within 24 hours. They might ask you to:

Provide more details
Check what information was actually accessed
Contact the client owner for the project
Wait while we notify the client

Do not contact the client directly unless instructed. We’ll coordinate this.

Step 4: Learn and Document

After the incident is resolved:

Write down what happened and how you’ll prevent it next time
Update your practices (e.g., always lock laptop in public places)
No blame – we all learn from mistakes

Response Times

From you: Report within 24 hours of discovering the incident

From [email protected]:

Urgent incidents (active breach, lost device): Response within 4 hours
Other incidents: Response within 24 hours

To client: We’ll notify client within 72 hours if their data was actually compromised (not just at risk)

Who Does What

You (the member):

Notice and report the incident
Take immediate containment steps
Provide information for investigation
Implement lessons learned

Compliance Contact:

Coordinate response
Decide if client notification needed
Document the incident
Report to Network Development Circle if serious

Client Owner (project lead):

Communicate with client if needed
Support member through process
Help implement preventive measures

Network Development Circle:

Review serious incidents
Update policies if needed
Decide on additional training

Prevention Checklist

Most incidents are preventable. Quick monthly check:

Laptop locks automatically after 10 minutes
I lock my laptop every time I leave it
I password-protect documents with participant information
I don’t work on sensitive information in public places
I delete old project information within 30 days
My laptop software is updated
I don’t click on suspicious emails

APPENDIX B: Password Requirements Guide

Why Passwords Matter

Passwords protect client information on your laptop, documents, and online accounts. Weak passwords are easy to guess or crack.

Password Requirements

For all work-related accounts and documents:

Minimum requirements:

At least 8 characters long
Mix of uppercase and lowercase letters (Example: Mix not mix)
At least one number (0-9)
Consider adding a symbol (!@#$%^&*) for extra security

Examples:

✅ Coach2025! (8 characters, upper/lower, number, symbol)
✅ Enablers#March (14 characters, upper/lower, symbol)
✅ MyLaptop99 (10 characters, upper/lower, number)
❌ password (too weak, common word)
❌ 12345678 (too weak, just numbers)
❌ enablers (too weak, no variety)

Creating Strong Passwords

Method 1: Passphrase Use a phrase you’ll remember with substitutions:

“I love coaching in 2025” → ILoveCoaching2025!
“Coffee and meetings” → Coffee&Meetings24

Method 2: First Letters Take first letters from a sentence:

“My daughter was born in March 1995” → MdwbiM1995!
“Enablers helps leaders achieve extraordinary” → Ehlae#2025

Method 3: Word + Number + Symbol Combine a word with numbers and symbols:

Butterfly#42
Mountain$2024
Ocean!Wave99

What NOT to Do

Never use:

Your name or company name alone (JohnSmith, Enablers)
Common words alone (password, admin, welcome)
Sequential numbers (12345678, 11111111)
Your birthday (19851103)
Same password for everything (if one is compromised, all are)
Passwords written on sticky notes on your laptop

Password Management

For your laptop:

Mac: Set in System Preferences → Users & Groups
Windows: Set in Settings → Accounts → Sign-in options
Change at least once per year

For password-protected documents:

Use different password than your laptop
Share password separately from document (phone call, separate message)
Write it down temporarily if needed, but store securely
Delete the written password after recipient confirms receipt

For Google Workspace / email accounts:

Should already meet requirements (Google enforces this)
Enable 2-factor authentication if available (extra security)
Never share your email password with anyone

Password Reset Process

If you forget a password:

Laptop password:

Mac: Use your Apple ID to reset
Windows: Use your Microsoft account or local reset options
Contact IT support if needed (your own, not Enablers)

Google Workspace:

Use Google’s password recovery
Contact [email protected] if you have an official Enablers email

Password-protected documents:

If you created it: No recovery possible, file is lost
If someone sent it to you: Ask them for the password again
This is why we keep originals on Google Drive (no password needed)

Annual Password Update

Every January (or when you join):

Change your laptop password
Review which documents you have password-protected
Delete passwords for old projects (documents should be deleted anyway)
Update this checklist

Quick Reference Card

Cut this out and keep it visible (but not passwords themselves!):

PASSWORD CHECKLIST

□ At least 8 characters

□ Uppercase AND lowercase

□ At least one number

□ Consider a symbol

□ Not a common word

□ Not your name/birthday

NEED HELP?

[email protected]

APPENDIX C: Approved Tools List

Purpose

This list specifies which tools members should use for client work. Using approved tools ensures we maintain security standards and can support you if problems arise.

All tools listed here meet our security requirements. If you want to use something not on this list, contact [email protected] first.

Email (Client Communication)

✅ APPROVED

Google Workspace (Enablers accounts)

Example: [email protected]
Best choice – official Enablers email
Automatically secure, encrypted in transit
Backed up by Enablers

Gmail (Personal accounts)

Example: [email protected]
Acceptable for members without official Enablers email
Automatically encrypted in transit
Use only if you don’t have Enablers account

Microsoft Outlook / Microsoft 365

Example: [email protected]
Acceptable if this is your company email
Automatically encrypted in transit

ProtonMail

Extra secure option if you prefer
End-to-end encryption available

❌ NOT APPROVED

Free email services (Yahoo, AOL, Hotmail)
Temporary email services
Unencrypted email providers

Rule: Use your Enablers email if you have one. Otherwise, use Gmail or your company’s Outlook email.

File Storage & Sharing

✅ APPROVED

Google Drive (Primary)

Use for: All official Association documents, project files, contracts
Why: This is our shared workspace, access controlled, backed up
Security: Password-protected sharing available, access logs
Location: Centrally managed by Enablers Association

Dropbox

Use for: Large file transfers when needed
Why: Reliable, secure, widely used
Security: Encryption in transit and at rest
Note: Use for file transfer, not long-term storage

⚠️ USE WITH CAUTION

WeTransfer

Use for: Non-sensitive files only (marketing materials, public documents)
DO NOT use for: Participant information, coaching notes, confidential client data
Why cautious: Files are not encrypted, links can be shared, limited control

❌ NOT APPROVED FOR CLIENT WORK

Personal USB drives (too easy to lose)
Personal email attachments for large files
Cloud services not listed here (Mega, MediaFire, etc.)

Rule:

Participant information: Google Drive only
Large non-sensitive files: Google Drive or Dropbox
Never: WeTransfer for anything with participant names

Document Creation

✅ APPROVED

Microsoft Office (Word, Excel, PowerPoint)

Desktop version or Office 365
Can password-protect documents (required for participant information)
Most commonly used, compatible with clients

Google Docs, Sheets, Slides

Part of Google Workspace
Good for collaboration
Automatically saved to Google Drive
Note: Download as Word/Excel and password-protect if sharing participant information

⚠️ ACCEPTABLE WITH CONDITIONS

Apple Pages, Numbers, Keynote

Acceptable if you’re Mac-only
Export to PDF or Office format when sharing with clients
Cannot password-protect as easily (convert to Office format first)

Communication & Collaboration

✅ APPROVED

Email (see Email section above)

Primary communication method
Use for all official client communication

WhatsApp

Use for: Quick coordination, logistics, scheduling
Examples: “Meeting starts in 10 min”, “Running 5 min late”, “Room changed to B3”
DO NOT use for: Participant names, feedback, sensitive information
Why allowed: Encrypted, widely used, convenient for quick coordination

Phone Calls

Always acceptable
Preferred for sensitive discussions
Use for sharing passwords (never write passwords in text/email)

⚠️ USE WITH CAUTION

Zoom / Microsoft Teams / Google Meet

Acceptable for virtual coaching sessions
Turn on waiting room
Don’t record without participant consent
Use secure meeting links (not generic open links)

❌ NOT APPROVED FOR CLIENT INFORMATION

Public social media (LinkedIn, Twitter, Facebook)
Open Slack channels
Any unencrypted messaging

Rule: Email for official communication. WhatsApp for logistics only (no participant info). Phone calls for sensitive topics.

Accounting & Finance

Outsourced Accountant

All financial matters handled by professional accountant
Don’t store financial information on your laptop
Send receipts/invoices through secure method (email to accountant’s official email)

File Backup

✅ APPROVED

Google Drive

Automatic backup for files stored there
Managed by Enablers Association

Time Machine (Mac) / Windows Backup

Acceptable for backing up your laptop
Use external hard drive, keep it secure (locked at home)
Remember: If your backup has client information, it must be encrypted

❌ NOT APPROVED

Cloud services not listed (iCloud, OneDrive personal, etc.)
USB drives carried around (too easy to lose)

Tools We Don’t Use (But Clients Might)

If a client requires you to use their tools:

Follow their security requirements
Use only for that specific client project
Don’t store their data on your personal laptop (use their systems)
Ask client IT for setup help

Common client tools:

SharePoint (Microsoft)
OneDrive (Microsoft)
Slack (workspace communication)
Client-specific portals

Requesting New Tools

Want to use something not on this list?

Email [email protected] with:

What tool you want to use
Why you need it
What you’ll use it for
Security features it has

We’ll review and update this list if appropriate.

Annual Review

This list is reviewed annually (January) and updated as needed. You’ll be notified of changes.

Quick Reference

DAILY USE:

✅ Email: Enablers email or Gmail
✅ Files: Google Drive
✅ Documents: MS Office or Google Docs
✅ Quick messages: WhatsApp (logistics only)

PARTICIPANT INFORMATION:

✅ Google Drive only
✅ Password-protected Office documents
❌ Never WeTransfer
❌ Never WhatsApp

Questions? [email protected]