An information security policy will be necessary for virtually every apostolate. The complexity of the policy will vary greatly based on the types of information and the number of persons who have access to the information. At the very least, there will be donor information which would need to be managed by at least one individual. Even in a seemingly simple case, a well thought-out and instituted policy is a first defense against a breach.
Here’s a slide show made available by Charles Garrett. The policy document outline page is especially useful.
And here’s an article which specifically pertains to nonprofits and their vulnerabilities with regard to hackers and cyber-attacks.