Develop and complete a vulnerability assessment tool to be used to conduct a survey of a home, business, faith institution or other physical facility of your choice.

The paper is expected to include:

1) Cover page with student’s name, course title and number, and date submitted.

2) Body of paper:

A. Introduction that provides the purpose of the paper;

B. Discussion of the site selection and the rationale for the site selected;

C. Components of the vulnerability assessment; and

D. Suggestions and recommendations of security counter-measures to mitigate and reduce the risk of identified vulnerabilities to an acceptable level.

3) Reference list.

4) Appendix that provides a copy of the vulnerability assessment tool that you assembled and used for the project.

All papers should be submitted to the assignment folder and adhere to APA guidelines. It should be a minimum of five (5) to ten (10) computer-generated, double-spaced pages and use a 12-point font. Margins are to be 1 inch (top, bottom, right, and left). This does NOT include the vulnerability assessment tool that will be added as an appendix.
Vulnerability Assessment: Era Church, City, State

Site Selection and Rationale
This vulnerability assessment was conducted at Era Church (“Era”), 429 State Street, City, State 90909, on the dates of September 25 – 28, 2017, and was followed up with subsequent interviews of relevant church personnel. The site was chosen for multiple reasons including the potential for a violent incident such as a mass shooting, and the potential for fraud or other financial crime. A vulnerability is defined as “weakness[ ] or gap[ ] in a security program that can be exploited by threats to gain unauthorized access to an asset” (Threat Analysis Group, 2017). Threats are events or persons, such as a natural disaster, fire, criminal act, or terrorist incident, that can exploit a vulnerability (Threat Analysis Group, 2017). A vulnerability assessment “evaluates all opportunities that may be exploited by a threat” and through a detailed process identifies areas where vulnerabilities can be mitigated to lower the risk (DiMarino, 2017). Risk is defined as “the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability” (Threat Analysis Group, 2017). The vulnerability assessment at Era Church covers multiple areas to include physical, operational, technological, and financial vulnerabilities. While Era has taken measures to mitigate vulnerabilities, there are some recommendations in each area that could further mitigate risk.
Religion is a contentious and polarizing topic in the United States, which makes churches prime targets for groups or individuals who want to make a statement. Perhaps the most infamous church shooting in recent memory is when white supremacist Dylann Roof shot and killed nine African-American church members of Emanuel African Methodist Episcopal Church in Charleston, SC, on June 17, 2015 (Blinder & Sack, 2017). Roof brought a .45-caliber semiautomatic handgun into the church in a waist pouch, and attended the Bible study for approximately 40 minutes before he shot and killed the members using seven magazines and over 70 rounds (Blinder & Sack, 2017). This incident is just one of many violent incidents at places of worship. There is no sure-fire way to completely avoid incidents such as this shooting, but there are steps that can be taken to help minimize or avoid a large-scale incident.
In addition to the threat of violence, churches are also prime targets for fraud, both from internal and external threats. For instance, the Center for the Study of Global Christianity reports that in 2014 churches lost an estimated $39 billion to internal financial fraud (Thomason, 2016). Theft and embezzlement of church funds are two significant risks faced by faith-based institutions (Thomason, 2016). In addition to an insider threat, there is the ever-present threat of bank accounts or email accounts being compromised and money being stolen. Just like individuals or businesses, churches can fall victim to account takeovers or ransomware. In one example, the Catholic Diocese of Des Moines, IA, lost $600,000 when their bank account was compromised and money was transferred to “money mule” accounts all over the United States (McGlasson, 2010). It should be noted that the Diocese had insurance that protected them from the loss, but not all churches are so lucky.
Description of Facility
Era is a smaller church associated with the Southern Baptist Convention. Era began in 2005 with the intent of establishing a church in the center city to further the restoration and revitalization of the city’s downtown (Era Church, 2017). Era purchased their current facility through a mortgage and has occupied the building for approximately two years. The building has two floors, and approximately 12,000 square feet. There is the main sanctuary, the children’s ministry area, the second-floor ministry area, the office area, and an attached warehouse area that is not in use. There are currently 104 dedicated members, and on an average Sunday approximately 150 adults and children attend the service. The Sunday service begins at 10:30 AM, lasts until approximately 11:45 AM, and people remain at the church until approximately 1:00 PM. The lead pastors are John Smith and David Jones. The vulnerability assessment interviews were conducted with Smith, Jones, and two separate church members who handle security and finances respectively.
Critical Assets
Era’s primary assets in order of importance are church members/ visitors (children); church members/ visitors (adults); church building; church finances (money); and additional contents in the church. Era is not a large church so the money it has available is extremely important to them and their mission. Purchasing the building was a big decision for the members and losing the building would be a devastating loss.
Evaluation of Neighborhood, Crime Data, and Prior Incidents
The church is situated in downtown AnyCity, which has a history of crime and is considered one of the most violent small cities in the country. There is foot traffic around the church, and a Department of Veterans Affairs clinic is next door in addition to some homeless shelters and other outreach organizations nearby. Era purposely situated themselves in this environment to make a positive impact on the community. Fortunately, Era has not been the victim of any crimes since moving into the building. There have not been any car break-ins during the Sunday service, nor have there been any break-ins during the week. There have not been any threats made against the church. The main threats that were considered while conducting this assessment were violent crime, misdemeanor crime, fire, and fraud. Currently, there are no elevated risks at Era, and all threats were taken into consideration when conducting the vulnerability assessment.

Evaluation of Physical Vulnerabilities
The first area addressed during the vulnerability assessment was the physical vulnerabilities. The building is constructed with cinder blocks and a brick exterior. There is a large drain located outside the building that does back up during heavy rain and can cause some water to enter the building. Overall, the building has held up against any acts of nature. There are three entrances to the building on the first floor. Two entrances open to the main sanctuary, and the third entrance opens to the back hallway between the children’s ministry and warehouse. All three doors are locked when the building is unoccupied, or during the week when church staff are the only individuals in the building. The side entrance is locked on Sundays at 10:30 AM when the church service begins. Only the front door facing Main Street is unlocked once the service begins. The third door remains locked during the service. A person can exit the building even when the doors are locked. There are additional doors inside the building that lock including the entrance to the office area and the two pastors’ offices. Important paperwork is secured in a locked pastor’s office. The front of the building facing State Street has windows that line the building and reach from the top of the first floor to the bottom. Because of the design of the windows, individuals cannot see through the windows during the day, and one is able to see through the windows at night. There are blinds that remain down when the building is unoccupied. These blinds are closed when the Sunday service begins. The building was inspected prior to occupation and is periodically inspected by the Fire Marshal. All electrical work was done by a professional. The second floor was recently renovated, but permits were not required because of the size of the renovation and where it took place within the building.

Current Physical Security Counter Measures
The building has a security system that is monitored by a security company. The company provides 24/7 monitoring services. The security system consists of motion detectors and fire alarms. The fire alarms will be addressed in the next paragraph. The motion detectors are located throughout the building. There are no glass break sensors in the building, but with the number of motion sensors, glass break sensors are not needed. The two pastors, a cleaning service employee, and a former employee have the code for the security system. Smith and Jones both receive text message alerts when the alarm is activated or deactivated. There is a cellular phone application that can be used to access and operate the system. The system has a battery backup and communicates using cellular towers. There is a separate Internet Protocol (IP) camera system that is located throughout the building. Smith and Jones can access the cameras remotely via a cellular phone application that can be viewed in real time. There are also cameras located outside the building including the front door, which can be viewed to identify visitors during the week before letting them inside the building.
As previously mentioned there are smoke detectors located throughout the first floor of the building that are connected to the security system, and will alert the company if they are triggered. There are no smoke detectors located on the newly renovated second floor. There are also no observable smoke detectors in the warehouse area of the building. There is a smoke detector located by the two fire doors that separate the main sanctuary from the children’s area. If those smoke detectors are activated the fire doors close automatically helping to contain a fire. The wall between the main sanctuary and the children’s area on the first floor is considered a fire wall, and would help stop the spread of a fire. There is no sprinkler system located inside the building. A sprinkler system is not required due to the size of the building, and would cost $45,000, which is cost prohibitive for Era. There are fire extinguishers in the main sanctuary and the children’s area, but they are not mounted on the wall.
Evaluation of Operational Vulnerabilities
The second area examined was the existence of operational vulnerabilities. Era has a security team, which is responsible for security on Sunday mornings. There are two members that monitor the parking lot from approximately 10:15 AM until 10:45 AM. After 10:45 AM, the two members monitor the sanctuary from the back of the room. These same individuals ensure the side entrance is locked at 10:30 AM so all foot traffic must come through the front door. Though it is not a regularly scheduled duty, some individuals will position themselves outside the children’s area at the end of the service while parents are picking up their children. The individual in charge of the security team noted that there is a balance that must be struck between making everyone feel welcome and still remaining vigilant. There is a key fob that will immediately contact the local police that is connected to the security system, and is sometimes carried by a member of the security team. There is a first aid kit on site and multiple members of the church work in the medical field. Era hires a uniformed police officer for larger church events that take place at night.
The most important asset at Era is the children, and the children’s ministry has multiple rules in place to help protect them. The children’s ministry is located in a separate area, and only parents with children are allowed in the area. All children are checked in via a computer and receive a sticker that is placed on their back. The sticker has a randomly generated code that is given to the parents for pick up. The stickers also contain any food allergies for the child. All volunteers in the children’s ministry have their background checked and are required to provide multiple references. The references are not always contacted depending on how well the person is known to the church staff. Each Sunday school classroom has at least two volunteers. At least one individual is a teacher trained by the church staff. Spouses are not allowed to volunteer in the same classroom so that there is always a viable witness should an incident occur. All of the doors to the classroom have a top and bottom. The bottom remains closed, but the top is either open or can be opened at any time. Three of the four classrooms are connected and allow all three classrooms to be easily evacuated through the third door to the building, which leads to the back-parking lot. The fourth classroom is located right next to the classroom where all the remaining children will be exiting and also easily leads to the same door, which leads to the back-parking lot. In the event of a fire or other incident all of the children’s rooms can be evacuated without having to cross windows or the main sanctuary. All of the children’s classrooms are also windowless and could serve as a shelter during a tornado.
Evaluation of Existing Security Policies
There are no specific protocols in place to respond to a mass shooting or an act of violence. Nor are there any specific protocols in place for a fire or tornado beyond how the children’s ministry would be evacuated. There are at least three members of the church who regularly carry a concealed weapon. One member is the head of the security team, while the other two individuals are members of the law enforcement community. It should be noted that one of the two members of the law enforcement community is this author. This state is an open carry state, and there are no specific rules prohibiting open carry in a church. There has been at least one individual in the past who openly carried a pistol in church, most likely to make a political statement. The members of the security team watched him closely and decided that it was best to let the individual come and go as opposed to making a scene and possibly having the church be used to make a political statement in favor of open carry in churches.
Evaluation of Cyber Security Vulnerabilities
The fourth area examined was cybersecurity vulnerabilities. Era has a public and private wireless network and both are password protected. Both networks operate on the same hardware and are not air gapped. Most of the staff computers at Era are Mac laptops that go home with the staff at night. The laptops do not have anti-virus because they are Apple products, but they do have ad blocker software. The computers at Era are all password protected. The children’s ministry computer that is used to check in and out children is password protected and the program is web based and requires a password. The church uses a mainstream tech company to host their email, which is all password protected as well. The church website is hosted by a local company, and any changes are made via WordPress, which requires a password.
Evaluation of Financial Vulnerabilities
The final assessment focused on financial vulnerabilities. There are three members of the finance team that are responsible for handling the church finances. The pastors do not have any control over church finances. An outside accountant assists with taxes. Era does not have any credit cards. Era does their banking at a local bank that has online banking. The three members of the finance team have the username and password. There is a dedicated Era email address that is attached to the bank account. They do not have two-factor authentication established for online banking. A daily account balance is sent to the email address and checked regularly, but they do not receive text message alerts. Era uses automatic bill pay, but does not have any need to wire money. The finance team is not sure if they have the ability to wire money. There is a cap on the daily use of the debit card and withdrawals. There is no protocol in place to regularly change passwords. There is a dedicated finance computer at the church, but it is unknown what type of anti-virus software is on the machine. The bank account is also accessed online via personal computers belonging to members of the finance team.
Era uses church management software to facilitate online giving. The software is password protected and the finance team has access to the financial portion of the software. The software is linked to the same Era email address. There is a payment processor that works in connection with the software to facilitate the donations and tithes. The payment processor has two-factor authentication with a username and password along with cellular phone notification. Since the software and payment processor both send notifications, the information should corroborate one another. Era keeps very little cash on hand at the church, and tithes are deposited weekly at the bank. Era also uses an online payroll company to pay its employees. The finance team has the username and password. The same dedicated email address is attached to the payroll account as well. The payroll company sends notifications via email when there are changes or a payroll is released. There is no two-factor authentication established. A member of the finance team releases the payroll every two weeks.
Security Recommendations
The Threat Analysis Group (2017) states that “risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets.” They explain that threats will always exist, but if there are no vulnerabilities then there is little or no risk (Threat Analysis Group, 2017). In a similar fashion, there are situations where there is a vulnerability, but no threat so there is no risk (Threat Analysis Group, 2017). Unfortunately, it is not possible to completely eliminate the threat of fire, church violence, or crime against the church so recommendations and changes should be made to mitigate the vulnerabilities and thus reduce the risk as much as possible.
The physical security steps that Era has taken are a good start, but there are some vulnerabilities that need to be addressed. There should be additional smoke detectors placed on the second floor and in the warehouse. If a fire occurs in those areas, it would have to spread to the rest of the building before the security company would become aware. A sprinkler system would be an added benefit, but the fire wall and additional smoke detectors would help ensure that the fire company is notified immediately and the fire is contained. All of the fire extinguishers should be mounted on the wall where they can be easily located. A few seconds’ delay in deploying a fire extinguisher could prove to be devastating. Security system sensors should also be considered for the three doors, because it ensures that all three doors are closed before the alarm can be activated. The two main pastors should have their own security code for the system, and secondary codes should be established for other individuals. When those individuals no longer work at the church, those codes should be removed from the security system. Finally, Era has a post office box, and to avoid mail theft, all mail should be directed to the post office box as opposed to being sent to the physical address.
There are additional operational vulnerabilities that can be addressed to further ensure the safety of the church. Locking the side entrance at 10:30 AM should continue and helps ensure that there is only one way inside the church once the service starts. The members of the security team that stand in the back of the sanctuary should always position themselves so they have visibility of the front door. Their backs should never be to the door. The front of the hallway between the sanctuary and the children’s ministry is an excellent position. Protocols need to be developed and recorded in the event of an active shooter, fire, and tornado. Once the protocols are developed, the church members should be briefed during a member’s meeting. It is understandable to not want to discuss it on a Sunday morning, but the church members should know what plans are in place. Many parents’ instinct during a fire or active shooter situation is going to be to run to the children’s ministry when in fact the children will be evacuated during a fire, or locked down during an active shooter event. The members need to know what will occur in specific situations. Someone in the church, whether it is a pastor, someone in the back of the church, or a member of the security team should carry the key fob that summons the police department. Currently, the three members of the church that are armed know one another. Periodically, it should be assessed if there are additional members of the church who are armed. The children’s ministry has many robust security measures in place, but there are a few suggestions for the area. Teachers and volunteers should be trained using a standard children’s ministry policy. The policy should include appropriate ways to handle children, discipline, and other areas such as the fire, active shooter, and tornado protocols. Children’s stickers should also be removed from their backs when they are picked up by their parents. This will help everyone identify a child that has left the area without being properly picked up. It also removes the child’s name in case a stranger tries to use it to lure them away. It is also recommended that a pastor call at least one reference on each person’s background check sheet. There are issues that a background check cannot identify, which could be revealed by a reference check.
Finally, the recommendations to address cybersecurity and financial vulnerabilities overlap. The long-term goal should be to have two completely separate, air gapped public and private wireless networks. It adds a layer of security to the church computers. Having three members on the finance team fosters accountability and should continue. All of the online accounts to include the bank, payroll company, software management company, and payment processor should have two-factor authentication enabled. Many times, when an account is compromised, the threat will spam the email account to hide any change notifications. In addition, since Era does not have a need to regularly wire money, it is recommended that the ability to wire money be disabled. This removes the threat of a large wire transfer leaving the account empty. The finance team should also explore the possibility of obtaining insurance to protect the church from financial loss. All computers that are used to access the accounts, both Era computers and personal computers, should always have the most up to date anti-virus software. There are many effective anti-virus programs that are free to the public and would add an extra layer of protection. Passwords should also be changed at least once or twice a year. Any member of the finance team that uses his home computer to access any accounts should also ensure his anti-virus software is up to date. If there is suspicion that a computer has been compromised, then all passwords should be changed. The chance of Era being targeted directly is small, but the chances of Era being unknowingly targeted are much greater and the aforementioned recommendations will help lower the chances that a threat is successful.
Conclusion
This vulnerability assessment surveyed physical, operational, cybersecurity, and financial vulnerabilities. While the staff and members have already taken measures to increase security, there are additional actions that can be taken to further lessen the chance a threat is successful. It is impossible to completely eliminate all threats, and unrealistic to think there are any actions that can completely stop individuals from attempting malicious activities. However, Era can help reduce the risk by following the recommendations outlined in this assessment. It is understandable that Era needs to find the balance between making everyone feel welcome, while still remaining vigilant. These recommendations will allow Era to accomplish that goal and keep their most important assets safe.

References
Blinder, A., & Sack, K. (2017, January 10). Dylann Roof is sentenced to death in Charleston church massacre. The New York Times. Retrieved from https://www.nytimes.com/2017/01/10/us/dylann-roof-trial-charleston.html?_r=0/
DiMarino, F. (2017). Module 4: Vulnerability assessments. Document posted in University of Maryland University College CJMS 630 9040 Seminar in Security Management (2175) online classroom, archived at https://learn.umuc.edu/d2l/le/content/223077/viewContent/9190918/View/
Era Church. (2017). Welcome to Era church! Retrieved from http://erachchurch.org/
McGlasson, L. (2010, September 1). Church latest victim of ACH fraud. Bank Info Security. Retrieved from https://bankinfosecurity.com/church-latest-victim-ach-fraud-a-2888/
Threat Analysis Group. (2017). Threat, vulnerability, risk – commonly mixed up terms. Retrieved from https://www.threatanalysis.com/2010/05/03/threat-vulnerability-risk-commonly-mixed-up-terms/
Thomason, S. (2016, August 24). Prevent church fraud with better controls. The Tennessean. Retrieved from https://tennessean.com/story/sponsor-story/lbmc/2016/08/24/lbmc-prevent-church-fraud-better-controls/89203972/

Appendix
Vulnerability Assessment Survey
Physical Vulnerabilities Observations
• Building Information The building is 1200 sq. ft. and 2 floors. There are 3 entrances on the 1st floor. There are glass windows that line the building top to bottom on the main street side of the building. At night and during the Sunday service the blinds are closed. All electrical work is done by professionals and up to code. Prior to putting the building in use, it was inspected and the fire marshal conducts periodic inspections. There are exterior lights around the entire building that operate on a timer at night. The interior of the building has additional locked doors including the pastors’ offices.
o Size
o Floors
o Entrances/ Locks
o Windows/ Blinds
o Electrical Work
o Inspections/ Building Code
o Exterior Lighting
• Security System There are IP based cameras that operate separately from the security system. The cameras can be accessed via the Internet using an app on a phone. The security system is monitored by an outside company. The two main pastors and cleaning person have the code. There are multiple motion detectors throughout the building. There are no glass break detectors because the number of motion detectors makes them unnecessary. The two pastors receive text message notifications. The system has a battery backup and operates on a cellular communication system.
o Company
o Cameras
o Motion Detectors
o Glass Break
o Smoke Detectors
o Battery Backup
o Access Codes
o Devices used to access system
• Fire Detection System The fire alarms are connected to the security system and are monitored 24/7 by the outside company. There are multiple fire alarms on the first floor including one that is connected to fire doors that close in the event of a fire. The doors and surrounding wall are considered a fire wall that helps prevent fire from spreading. There is no sprinkler system. The building size does not require it and it would cost approx. $45,000. There are fire extinguishers in the separate parts of the building but they are not mounted. There is NO fire alarm on the renovated 2nd floor or in the warehouse(?)
o Sprinklers
o Smoke Detectors
o Fire Walls
o Fire Extinguishers
• Additional Information During the week the doors are locked even if the building is occupied (they still allow individuals to exit) and there are cameras to see who is knocking
o What entrances are locked during the week?
Cybersecurity Vulnerabilities Observations
• Wireless Networks There is a private and public wireless network at the church. The two networks have different pw. The private network is for church employees. The networks are not air gapped and reside on the same router.
o Private Network
o Public Network
o Are they physically separated?
• Types of computers The children’s ministry check in computer is pw protected and the program is web based w/ a pw. The two pastor laptops are MacBooks that are taken home at night. The MacBooks do not have anti-virus but there is an ad blocker. The children’s ministry program does not have any PII. One or two additional computers remain at the church 24/7, but are pw protected.
o Anti-virus software
o Password protected
• Church Email The church email is hosted on a commercial program that is free but provides standard security services. The emails are pw protected.
o Who hosts the email service?
o Is it password protected?
• Church website The church website is hosted by a local company and changes are made via WordPress. A pw is required to make changes to the website.
o Who hosts the church website?
o Is a password required to make changes to the website?
• Additional Information
Operational Vulnerabilities Observations
• Are there any security protocols already in place? There is a security team at Era that ensures two individuals are in the parking lot area of the church every Sunday morning from about 1015A to 1045A (church starts at 1030A). The same individuals are responsible for ensuring that the side entrance is locked at 1030A. The same two individuals will stay towards the back of the church to be aware of any suspicious or out of place behavior. One individual will also move to outside the children’s area at the end of church to make sure no children run out unattended or there are adults in the area that should not be. Note a need to balance making everyone feel welcome while still being aware.
o Is there a specific plan in place to respond to an act of violence?

• Do you ever have the local police department provide security? For certain events that take place at night or are larger they will hire an off duty ATPD or ACSO officer.
• Is there a first aid kit on site? Yes
• What doors are locked on Sunday morning? The third entrance is locked. The side entrance is unlocked until 1030A. The front entrance is always unlocked. The side door is unlocked at the end of church for people to leave.
• Children’s Ministry All volunteers in the Children’s ministry are background checked by an outside company. On Sunday mornings, there is a check in/ out system that requires an adult to check in the child who gets a sticker on their back with a randomly generated code unique to the family. There is a separate pass for the adult that has the code and is required to pick up the children. All food allergies are documented on the child’s sticker and the snack is clearly displayed per classroom. There are trained teachers in each classroom in addition to a volunteer. The teachers have additional training from the staff. There is written policy but working to compile into a full policy. The children’s area has two separate glass doors from the main area. Each classroom has a two-part door so the bottom stays closed and the top can be opened at any time. Additional policy is spouses do not work in the same room together so there is always a viable witness for any actions taken by another. In addition to a background check, will contact references depending on whether anyone at the church knows the person on a personal level.
o Background checks for volunteers?
o Check In/ Check Out System
o Document Food Allergies
o Additional protocols for volunteers
o Restricted access?
o Are there any armed members at the church? There are at least two armed members who are law enforcement (1 is this author) plus the head of the security team has a concealed carry license. Head of the security team has spoken with both members who are law enforcement.
• Additional Information: There is a key fob as part of the security system that will automatically call police. Security team sometimes carries it.
Financial Vulnerabilities Observations
• Bank: Bank A
• Who handles the finances? There is a 3-person finance team that handles the money. The two pastors do not handle the money and let the finance team handle those matters. The 3-person team creates accountability.
• Do you conduct online banking? The church conducts online banking and the 3 finance team members have the username and pw. There is a main finance computer at church that is just used for finance matters. Unknown at this time what anti-virus protection is on the computers. The three finance team members receive email notifications when changes are made to the account and receive daily account balance updates via email. Used to have treasury mgmt features but those are now disabled. Do not get text message alerts. Recommend using them. There is a dedicated Era email address for financial matters. Use personal computers at home to check bank account online.
o What computers are used to conduct online banking?
o Who has access to the username and password?
o Is there two-factor authentication?
o Does anyone get notified when changes are made to the account? How?
o Is there a specific email address tied to the account?
• Are there any restrictions on money transfers? Do pay some bills with automatic bill pay. Used check to set up.
• Any specific protocols for wiring money? They do not need to wire money. Checking to see if they have the capability. Recommend disabling.
• Does anyone get notified when large transactions take place? Finance team members all have access to Era email account which is notified. NO cell phone notification.
• Payroll Company: Use online payroll system with Company B. Same 3-person finance team has username and pw. Approximately soon to be 5 employees in system. Get notifications via email to finance email address when payroll paid. Go in and release funds every two weeks. Cannot find two-factor authentication or cell phone notification option. Will check with company. Any change notifications are received via email.
o What computers are used to make changes to the payroll account?
o Who has access to the username and password?
o Is there two-factor authentication?
o Does anyone get notified when there are changes made to the account? How?
o What email address is tied to the payroll account?
• Tithes: There is the option to deposit tithes via online giving system. It is pw-protected church mgmt software. In addition, the payment processor is also pw protected. Managed by same 3-person finance team. Use same dedicated email address. Payment processor requires two-factor authentication – username/pw and cell phone text message code. Notified via email if there are changes made to account. There are multiple user groups in the church mgmt software so pastors and others do not have access to finance part of software. Church mgmt software and payment processor both send notifications, etc. and should corroborate each other.
o How do you deposit tithes?
o Does the church keep any cash on hand?
o Who counts the tithes?
o What service do you use for online giving?
• Where do you store sensitive documents? Sensitive documents are stored in a locked office in a filing cabinet.
• How much cash do you keep on hand at the church? Very little cash is kept at the church.
• Any auto-payments established? Most bills are on auto-pay or direct draft.
• Additional Information: There is a daily cap on debit card use and on withdrawals with the debit card. Recommend creating overall cap. Personal and work computers used to access online accounts. No protocol in place to regularly change pw. Need to make sure all computers have up-to-date anti-virus protection. Outside accountant helps with taxes, provides extra layer.
General Questions Observations
• Has the church been a victim of crime in the past? No incidents in the past.
• Have there been any specific threats against the church? No threats against the church.
• Have there been any car break-ins in the past – Sunday morning or other days? No car break-ins.
• How long has the church occupied the building? Approximately 2 years
• How many members attend the church? 104 members
• What is the average Sunday morning attendance? 150 people
• Where is the church’s mail delivered? Mail is delivered to the building and a PO Box.
Additional Information: No protocols in place or written plans for a fire or tornado.
