Develop and complete a vulnerability assessment tool to be used to conduct a survey of a home, business, faith institution or other physical facility of your choice.The paper is expected to include:1) Cover page with student’s name, course title and number, and date submitted.2) Body of paper:A. Introduction that provides the purpose of the paper;B. Discussion of the site selection and the rationale for the site selected;C. Components of the vulnerability assessment; andD. Suggestions and recommendations of security counter-measures to mitigate and reduce the risk of identified vulnerabilities to an acceptable level.3) Reference list.4) Appendix that provides a copy of the vulnerability assessment tool that you assembled and used for the project.All papers should be submitted to the assignment folder and adhere to APA guidelines. It should be a minimum of five (5) to ten (10) computer-generated, double-spaced pages and use a 12-point font. Margins are to be 1 inch (top, bottom, right, and left). This does NOT include the vulnerability assessment tool that will be added as an appendix.Running Head: VULNERABILITY ASSESSMENT
Jane Q. Student
(Submission Date)
CJMS 630 90XX
Seminar in Security Management (2XXX)
Vulnerability Assessment: Era Church, City, State
1
VULNERABILITY ASSESSMENT
2
Site Selection and Rationale
This vulnerability assessment was conducted at Era Church (“Era”), 429 State Street,
City, State 90909, on the dates of September 25 – 28, 2017, and was followed up with
subsequent interviews of relevant church personnel. The site was chosen for multiple reasons
including the potential for a violent incident such as a mass shooting, and the potential for fraud
or other financial crime. A vulnerability is defined as “weakness[ ] or gap[ ] in a security
program that can be exploited by threats to gain unauthorized access to an asset” (Threat
Analysis Group, 2017). Threats are events or persons, such as a natural disaster, fire, criminal
act, or terrorist incident, that can exploit a vulnerability (Threat Analysis Group, 2017). A
vulnerability assessment “evaluates all opportunities that may be exploited by a threat” and
through a detailed process identifies areas where vulnerabilities can be mitigated to lower the
risk (DiMarino, 2017). Risk is defined as “the potential for loss, damage or destruction of an
asset as a result of a threat exploiting a vulnerability” (Threat Analysis Group, 2017). The
vulnerability assessment at Era Church covers multiple areas to include physical, operational,
technological, and financial vulnerabilities. While Era has taken measures to mitigate
vulnerabilities, there are some recommendations in each area that could further mitigate risk.
Religion is a contentious and polarizing topic in the United States, which makes churches
prime targets for groups or individuals who want to make a statement. Perhaps the most
infamous church shooting in recent memory is when white supremacist Dylann Roof shot and
killed nine African-American church members of Emanuel African Methodist Episcopal Church
in Charleston, SC, on June 17, 2015 (Blinder & Sack, 2017). Roof brought a .45-caliber
semiautomatic handgun into the church in a waist pouch, and attended the Bible study for
approximately 40 minutes before he shot and killed the members using seven magazines and
VULNERABILITY ASSESSMENT
3
over 70 rounds (Blinder & Sack, 2017). This incident is just one of many violent incidents at
places of worship. There is no sure-fire way to completely avoid incidents such as this shooting,
but there are steps that can be taken to help minimize or avoid a large-scale incident.
In addition to the threat of violence, churches are also prime targets for fraud, both from
internal and external threats. For instance, the Center for the Study of Global Christianity reports
that in 2014 churches lost an estimated $39 billion to internal financial fraud (Thomason, 2016).
Theft and embezzlement of church funds are two significant risks faced by faith-based
institutions. (Thomason, 2016). In addition to an insider threat, there is the ever-present threat of
bank accounts or email accounts being compromised and money being stolen. Just like
individuals or businesses, churches can fall victim to account takeovers or ransomware. In one
example, the Catholic Diocese of Des Moines, IA, lost $600,000 when their bank account was
compromised and money was transferred to “money mule” accounts all over the United States
(McGlasson, 2010). It should be noted that the Diocese had insurance that protects them from
the loss, but not all churches are so lucky.
Description of Facility
Era is a smaller church associated with the Southern Baptist Convention. Era began in
2005 with the intent of establishing a church in the center city to further the restoration and
revitalization of the city. downtown (Era Church, 2017). Era purchased their current facility
through a mortgage and has occupied the building for approximately two years. The building
has two floors, and approximately 12,000 square feet. There is the main sanctuary, the
children’s ministry area, the second-floor ministry area, the office area, and an attached
warehouse area that is not in use. There are currently 104 dedicated members, and on an average
Sunday approximately 150 adults and children attend the service. The Sunday service begins at
VULNERABILITY ASSESSMENT
4
10:30 AM, lasts until approximately 11:45 AM, and people remain at the church until
approximately 1:00 PM. The lead pastors are John Smith and David Jones. The vulnerability
assessment interviews were conducted with Smith, Jones, and two separate church members who
handle security and finances respectively.
Critical Assets
Era’s primary assets in order of importance are church members/ visitors (children);
church members/ visitors (adults); church building; church finances (money); and additional
contents in the church. Era is not a large church so the money it has available is extremely
important to them and their mission. Purchasing the building was a big decision for the members
and losing the building would be a devastating loss.
Evaluation of Neighborhood, Crime Data, and Prior Incidents
The church is situated in downtown AnyCity, which has a history of crime and is
considered one of the most violent small cities in the country. There is foot traffic around the
church, and a Department of Veterans Affairs clinic is next door in addition to some homeless
shelters and other outreach organizations nearby. Era purposely situated themselves in this
environment to make a positive impact on the community. Fortunately, Era has not been the
victim of any crimes since moving into the building. There have not been any car break ins
during the Sunday service, nor have there been any break ins during the week. There have not
been any threats made against the church. The main threats that were considered while
conducting this assessment were violent crime, misdemeanor crime, fire, and fraud. Currently,
there are no elevated risks at Era, and all threats were taken into consideration when conducting
the vulnerability assessment.
VULNERABILITY ASSESSMENT
5
Evaluation of Physical Vulnerabilities
The first area addressed during the vulnerability assessment was the physical
vulnerabilities. The building is constructed with cinder blocks and a brick exterior. There is a
large drain located outside the building that does back up during heavy rain and can cause some
water to enter the building. Overall the building has held up against any acts of nature. There
are three entrances to the building on the first floor. Two entrances open to the main sanctuary,
and the third entrance opens to the back hallway between the children’s ministry and warehouse.
All three doors are locked when the building is unoccupied, or during the week when church
staff are the only individuals in the building. The side entrance is locked on Sundays at 10:30
AM when the church service begins. Only the front door facing Main Street is unlocked once
the service begins. The third door remains locked during the service. A person can exit the
building even when the doors are locked. There are additional doors inside the building that lock
including the entrance to the office area and the two pastors’ offices. Important paperwork is
secured in a locked pastor’s office. The front of the building facing State Street has windows
that line the building and reach from the top of the first floor to the bottom. Because of the
design of the windows, individuals cannot see through the windows during the day, and one is
able to see through the windows at night. There are blinds that remain down when the building
is unoccupied. These blinds are closed when the Sunday service begins. The building was
inspected prior to occupation and is periodically inspected by the Fire Marshall. All electrical
work was done by a professional. The second floor was recently renovated, but permits were not
required because of the size of the renovation and where it took place within the building.
VULNERABILITY ASSESSMENT
6
Current Physical Security Counter Measures
The building has a security system that is monitored by a security company. The
company provides 24/7 monitoring services. The security system consists of motion detectors
and fire alarms. The fire alarms will be addressed in the next paragraph. The motion detectors
are located throughout the building. There are no glass break sensors in the building, but with
the number of motion sensors, glass break sensors are not needed. The two pastors, a cleaning
service employee, and a former employee have the code for the security system. Smith and
Jones both receive text message alerts when the alarm is activated or deactivated. There is a
cellular phone application that can be used to access and operate the system. The system has a
battery backup and communicates using cellular towers. There is a separate Internet Protocol
(IP) camera system that is located throughout the building. Smith and Jones can access the
cameras remotely via a cellular phone application that can be viewed in real time. There are also
cameras located outside the building including the front door, which can be viewed to identify
visitors during the week before letting them inside the building.
As previously mentioned there are smoke detectors located throughout the first floor of
the building that are connected to the security system, and will alert the company if they are
triggered. There are no smoke detectors located on the newly renovated second floor. There are
also no observable smoke detectors in the warehouse area of the building. There is a smoke
detector located by the two fire doors that separate the main sanctuary from the children’s area.
If those smoke detectors are activated the fire doors close automatically helping to contain a fire.
The wall between the main sanctuary and the children’s area on the first floor is considered a fire
wall, and would help stop the spread of a fire. There is no sprinkler system located inside the
building. A sprinkler system is not required due to the size of the building, and would cost
VULNERABILITY ASSESSMENT
7
$45,000, which is cost prohibitive for Era. There are fire extinguishers in the main sanctuary and
the children’s area, but they are not mounted on the wall.
Evaluation of Operational Vulnerabilities
The second area examined was the existence of operational vulnerabilities. Era has a
security team, which is responsible for security on Sunday mornings. There are two members
that monitor the parking lot from approximately 10:15 AM until 10:45 AM. After 10:45 AM,
the two members monitor the sanctuary from the back of the room. These same individuals
ensure the side entrance is locked at 10:30 AM so all foot traffic must come through the front
door. Though it is not a regularly scheduled duty, some individuals will position themselves
outside the children’s area at the end of the service while parents are picking up their children.
The individual in charge of the security team noted that there is a balance that must be struck
between making everyone feel welcome and still remaining vigilant. There is a key fob that will
immediately contact the local police that is connected to the security system, and is sometimes
carried by a member of the security team. There is a first aid kit on site and multiple members of
the church work in the medical field. Era hires a uniformed police officer for larger church
events that take place at night.
The most important asset at Era is the children, and the children’s ministry has multiple
rules in place to help protect them. The children’s ministry is located in a separate area, and only
parents with children are allowed in the area. All children are checked in via a computer and
receive a sticker that is placed on their back. The sticker has a randomly generated code that is
given to the parents for pick up. The stickers also contain any food allergies for the child. All
volunteers in the children’s ministry have their background checked and are required to provide
multiple references. The references are not always contacted depending on how well the person
VULNERABILITY ASSESSMENT
8
is known to the church staff. Each Sunday school classroom has at least two volunteers. At least
one individual is a teacher trained by the church staff. Spouses are not allowed to volunteer in
the same classroom so that there is always a viable witness should an incident occur. All of the
doors to the classroom have a top and bottom. The bottom remains closed, but the top is either
open or can be opened at any time. Three of the four classrooms are connected and allow all
three classrooms to be easily evacuated through the third door to the building, which leads to the
back-parking lot. The fourth classroom is located right next to the classroom where all the
remaining children will be exiting and also easily leads to the same door, which leads to the
back-parking lot. In the event of a fire or other incident all of the children’s rooms can be
evacuated without having to cross windows or the main sanctuary. All of the children’s
classrooms are also windowless and could serve as a shelter during a tornado.
Evaluation of Existing Security Policies
There are no specific protocols in place to respond to a mass shooting or an act of
violence. Nor are there any specific protocols in place for a fire or tornado beyond how the
children’s ministry would be evacuated. There are at least three members of the church who
regularly carry a concealed weapon. One member is the head of the security team, while the
other two individuals are members of the law enforcement community. It should be noted that
one of the two members of the law enforcement community is this author. This state is an open
carry state, and there are no specific rules prohibiting open carry in a church. There has been at
least one individual in the past who openly carried a pistol in church, most likely to make a
political statement. The members of the security team watched him closely and decided that it
was best to let the individual come and go as opposed to making a scene and possibly having the
church be used to make a political statement in favor of open carry in churches.
VULNERABILITY ASSESSMENT
9
Evaluation of Cyber Security Vulnerabilities
The fourth area examined was cybersecurity vulnerabilities. Era has a public and private
wireless network and both are password protected. Both networks operate on the same hardware
and are air gapped. Most of the staff computers at Era are Mac laptops that go home with the
staff at night. The laptops do not have anti-virus because they are Apple products, but they do
have add blocker software. The computers at Era are all password protected. The children’s
ministry computer that is used to check in and out children is password protected and the
program is web based and requires a password. The church uses a mainstream tech company to
host their email, which is all password protected as well. The church website is hosted by a local
company, and any changes are made via Word Press, which requires a password.
Evaluation of Financial Vulnerabilities
The final assessment focused on financial vulnerabilities. There are three members of the
finance team that are responsible for handling the church finances. The pastors do not have any
control over church finances. An outside accountant assists with taxes. Era does not have any
credit cards. Era does their banking at a local bank that has online banking. The three members
of the finance team have the username and pw. There is a dedicated Era email address that is
attached to the bank account. They do not have two-factor authentication established for online
banking. A daily account balance is sent to the email address and checked regularly, but they do
not receive text message alerts. Era uses automatic bill pay, but does not have any need to wire
money. The finance team is not sure if they have the ability to wire money. There is a cap on
the daily use of the debit card and withdrawals. There is no protocol in place to regularly change
passwords. There is a dedicated finance computer at the church, but it is unknown what type of
VULNERABILITY ASSESSMENT
10
anti-virus software is on the machine. The bank account is also accessed online via personal
computers belonging to members of the finance team.
Era uses church management software to facilitate online giving. The software is
password protected and the finance team has access to the financial portion of the software. The
software is linked to the same Era email address. There is a payment processor that works in
connection with the software to facilitate the donations and tithes. The payment processor has
two-factor authentication with a username and password along with cellular phone notification.
Since the software and payment processor both send notifications, the information should
corroborate one another. Era keeps very little cash on hand at the church, and tithes are
deposited weekly at the bank. Era also uses an online payroll company to pay its employees.
The finance team has the username and password. The same dedicated email address is attached
to the payroll account as well. The payroll company sends notifications via email when there are
changes or a payroll is released. There is no two-factor authentication established. A member of
the finance team releases the payroll every two weeks.
Security Recommendations
The Threat Analysis Group (2017) states that “risk is a function of threats exploiting
vulnerabilities to obtain, damage or destroy assets.” They explain that threats will always exist,
but if there are no vulnerabilities than there is little or no risk (Threat Analysis Group, 2017). In
a similar fashion, there are situations where there is a vulnerability, but no threat so there is no
risk (Threat Analysis Group, 2017). Unfortunately, it is not possible to completely eliminate the
threat of fire, church violence, or crime against the church so recommendations and changes
should be made to mitigate the vulnerabilities and thus reduce the risk as much as possible.
VULNERABILITY ASSESSMENT
11
The physical security steps that Era has taken are a good start, but there are some
vulnerabilities that need to be addressed. There should be additional smoke detectors placed on
the second floor and in the warehouse. If a fire occurs in those areas, it would have to spread to
the rest of the building before the security company would become aware. A sprinkler system
would be an added benefit, but the firewall and additional smoke detectors would help ensure
that the fire company is notified immediately and the fire is contained. All of the fire
extinguishers should be mounted on the wall where they can be easily located. A few seconds
delay in deploying a fire extinguisher could prove to be devastating. Security system sensors
should also be considered for the three doors, because it ensures that all three doors are closed
before the alarm can be activated. The two main pastors should have their own security code for
the system, and secondary codes should be established for other individuals. When those
individuals no longer work at the church, those codes should be removed from the security
system. Finally, Era has a post office box, and to avoid mail theft, all mail should be directed to
the post office box as opposed to being sent to the physical address.
There are additional operational vulnerabilities that can be addressed to further ensure the
safety of the church. Locking the side entrance at 10:30 AM should continue and helps ensure
that there is only one way inside the church once the service starts. The members of the security
team that stand in the back of the sanctuary should always position themselves so they have
visibility of the front door. Their backs should never be to the door. The front of the hallway
between the sanctuary and the children’s ministry is an excellent position. Protocols need to be
developed and recorded in the event of an active shooter, fire, and tornado. Once the protocols
are developed, the church members should be briefed during a member’s meeting. It is
understandable to not want to discuss it on a Sunday morning, but the church members should
VULNERABILITY ASSESSMENT
12
know what plans are in place. Many parents’ instinct during a fire or active shooter situation is
going to be to run to the children’s ministry when in fact the children will be evacuated during a
fire, or locked down during an active shooter event. The members need to know what will occur
in specific situations. Someone in the church, whether it is a pastor, someone in the back of the
church, or a member of the security team should carry the key fob that summonses the police
department. Currently, the three members of the church that are armed know one another.
Periodically, it should be assessed if there are additional members of the church who are armed.
The children’s ministry has many robust security measures in place, but there are a few
suggestions for area. Teachers and volunteers should be trained using a standard children’s
ministry policy. The policy should include appropriate ways to handle children, discipline, and
other areas such as the fire, active shooter, and tornado protocols. Children’s stickers should also
be removed from their backs when they are picked up by their parents. This will help everyone
identify a child that has left the area without being properly picked up. It also removes the
child’s name in case a stranger tries to use it to lure them away. It is also recommended that a
pastor call at least one reference on each person’s background check sheet. There are issues that
a background check cannot identify, which could be revealed by a reference check.
Finally, the recommendations to address cybersecurity and financial vulnerabilities
overlap. The long-term goal should be to have two completely separate, air gapped public and
private wireless networks. It adds a layer of security to the church computers. Having three
members on the finance team fosters accountability and should continue. All of the online
accounts to include the bank, payroll company, software management company, and payment
processor should have two-factor authentication enabled. Many times, when an account is
compromised, the threat will spam the email account to hide any change notifications. In
VULNERABILITY ASSESSMENT
13
addition, since Era does not have a need to regularly wire money, it is recommended that the
ability to wire money be disabled. This removes the threat of a large wire transfer leaving the
account empty. The finance team should also explore the possibility of obtaining insurance to
protect the church from financial loss. All computers that are used to access the accounts, both
Era computers and personal computers should always have the most up to date anti-virus
software. There are many effective anti-virus programs that are free to the public and would add
an extra layer of protection. Passwords should also be changed at least once or twice a year.
Any member of the finance team that uses his home computer to access any accounts should also
ensure his anti-virus software is up to date. If there is suspicion that a computer has been
compromised, then all passwords should be changed. The chance of Era being targeted directly
is small, but the chances that Era being unknowingly targeted are much greater and the
aforementioned recommendations will help lower the chances that a threat is successful.
Conclusion
This vulnerability assessment surveyed physical, operational, cybersecurity, and financial
vulnerabilities. While the staff and members have already taken measures to increase security,
there are additional actions that can be taken to further lessen the chance a threat is successful. It
is impossible to completely eliminate all threats, and unrealistic to think there any actions that
can completely stop individuals from attempting malicious activities. However, Era can help
reduce the risk by following the recommendations outlined in this assessment. It is
understandable that Era needs to find the balance between making everyone feel welcome, while
still remaining vigilant. These recommendations will allow Era to accomplish that goal and keep
their most important assets safe.
VULNERABILITY ASSESSMENT
14
References
Blinder, A., & Sack, K. (2017, January 10). Dylann Roof is sentenced to death in Charleston
church massacre. The New York Times. Retrieved from
DiMarino, F. (2017). Module 4: Vulnerability assessments. Document posted in University of
Maryland University College CJMS 630 9040 Seminar in Security Management (2175)
online classroom, archived at
https://learn.umuc.edu/d2l/le/content/223077/viewContent/9190918/View/
Era Church. (2017). Welcome to Era church! Retrieved from http://erachchurch.org/
McGlasson, L. (2010, September 1). Church latest victim of ACH fraud. Bank Info Security.
Retrieved from http://www.bankinfosecurity.com/church-latest-victim-ach-fraud-a-2888/
Threat Analysis Group. (2017). Threat, vulnerability, risk – commonly mixed up terms.
Retrieved from https://www.threatanalysis.com/2010/05/03/threat-vulnerability-riskcommonly-mixed-up-terms/
Thomason, S. (2016, August 24). Prevent church fraud with better controls. The Tennessean.
Retrieved from http://www.tennessean.com/story/sponsor-story/lbmc/2016/08/24/lbmcprevent-church-fraud-better-controls/89203972/
VULNERABILITY ASSESSMENT
15
Appendix
Vulnerability Assessment Survey
Physical Vulnerabilities
•
Building Information
o Size
o Floors
o Entrances/ Locks
o Windows/ Blinds
o Electrical Work
o Inspections/ Building Code
Observations
The building is 1200 sq. ft. and 2 floors. There are 3
entrances on the 1st floor. There are glass windows that
line the building top to bottom on the main street side of the
building. At night and during the Sunday service the blinds
are closed. All electrical work is done by professionals and
up to code. Prior to putting the building in use, it was
inspected and the fire marshall conducts period inspections.
There are exterior lights around the entire building that
operate on at timer at night. The interior of the building has
additional locked doors including the pastors’ offices.
o Exterior Lighting
•
Security System
o Company
o Cameras
o Motion Detectors
o Glass Break
o Smoke Detectors
o Battery Backup
o Access Codes
o Devices used to access system
There are IP based cameras that operate separately from the
security system. The cameras can be accessed via the
Internet an app on a phone. The security system is
monitored by an outside company. The two main pastors
and cleaning person have the code. There are multiple
motion detectors throughout the building. There is no glass
break detectors because the number of motion detectors
make it unnecessary. The two pastors receive text message
notifications. The system has a battery backup and operates
on cellular communication system.
•
Fire Detection System
o Sprinklers
o Smoke Detectors
o Fire Walls
o Fire Extinguishers
The fire alarms are connected to the security system and are
monitored 24/7 by the outside company. There are multiple
fire alarms on the first floor including one that is connected
to fire doors that close in the event of a fire. The doors and
surrounding wall are considered a fire wall that helps
prevent fire from spreading. There is no sprinkler system.
The building size does not require it and it would cost
approx. $45,000. There are fire extinguishers in the
separate parts of the building but they are not mounted.
There is NO fire alarm on the renovated 2nd floor or in the
warehouse(?)
•
Additional Information
o What entrances are locked during the
week?
During the week the doors are locked even if the building is
occupied (they still allow individuals to exit) and there are
cameras to see who is knocking
VULNERABILITY ASSESSMENT
16
Cybersecurity Vulnerabilities
• Wireless Networks
o Private Network
o Public Network
o Are they physically separated?
Observations
There is a private and public wireless network at the church.
The two networks have different pw. The private network
is for church employees. The networks are not air gapped
and reside on the same router.
•
Types of computers
o Anti-virus software
o Password protected
The children’s ministry check in computer is pw protected
and the program is web based w/ a pw. The two pastor lap
tops are Mac Books that are taken home at night. The Mac
Books do not have anti-virus but there is add blocker. The
children’s ministry program does not have any PII. One or
two additional computers remain at the church 24/7, but are
pw protected.
•
Church Email
o Who hosts the email service?
o Is it password protected?
The church email is hosted on a commercial program that is
free but provides standard security services. The emails are
pw protected.
•
Church website
o Who hosts the church website?
The church website is hosted by a local company and
changes are made via Word Press. A pw is required to
make changes to the website.
o Is a password required to make
changes to the website?
• Additional Information
Operational Vulnerabilities
• Are there any security protocols
already in place?
o Is there a specific plan in place to
respond to an act of violence?
• Do you ever have the local police
department provide security?
• Is there a first aid kit on site?
• What doors are locked on Sunday
morning?
Observations
There is a security team at Era that ensures two individuals
are in the parking lot area of the church every Sunday
morning from about 1015A to 1045A (church starts at
1030A). The same individuals are responsible for ensuring
that the side entrance is locked at 1030A. The same two
individuals will stay towards the back of the church to be
aware of any suspicious or out of place behavior. One
individual will also move to outside the children’s area at
the end of church to make sure no children run out
unattended or there are adults in the area that should not be.
Note a need to balance making everyone feel welcome
while still being aware.
For certain events that take place at night or are larger they
will hire an off duty ATPD or ACSO officer.
Yes
The third entrance is locked. The side entrance is unlocked
until 1030A. The front entrance is always unlocked. The
VULNERABILITY ASSESSMENT
17
side door is unlocked at the end of church for people to
leave.
•
Children’s Ministry
o Background checks for volunteers?
o Check In/ Check Out System
o Document Food Allergies
o Additional protocols for volunteers
o Restricted access?
o Are there any armed members at the
church?
•
Additional Information
Financial Vulnerabilities
• Bank
•
•
Who handles the finances?
Do you conduct online banking?
o What computers are used to conduct
online banking?
o Who has access to the username and
password?
All volunteers in the Children’s ministry are background
checked by an outside company. On Sunday mornings,
there is a check in/ out system that requires an adult to
check in the child who gets a sticker on their back with a
randomly generated code unique to the family. There is a
separate pass for the adult that has the code and is required
to pick up the children. All food allergies are documented
on the child’s sticker and the snack is clearly displayed per
classroom. There are trained teachers in each classroom in
addition to a volunteer. The teachers have additional
training from the staff. There is written policy but working
to compile into a full policy. The children’s area has two
separate glass doors from the main area. Each classroom
has a two-part door so the bottom stays closed and the top
can be opened at any time. Additional policy is spouses do
not work in the same room together so there is always a
viable witness for any actions taken by another. In
additional to a background check will contact references
depending if anyone at the church knows the person on a
personal level.
There are at least two armed members who are law
enforcement (1 is this author) plus the head of the security
team has a concealed carry license. Head of the security
team has spoken with both members who are law
enforcement.
There is a key fob as part of the security system that will
automatically call police. Security team sometimes carries
it.
Observations
Bank A
There is a 3-person finance team that handles the money.
The two pastors do not handle the money and let the finance
team handle those matters. The 3-person team creates
accountability.
The church conducts online banking and the 3 finance team
members have the username and pw. There is a main
finance computer at church that is just used for finance
matters. Unknown at this time what anti-virus protection is
on the computers. The three finance team members receive
VULNERABILITY ASSESSMENT
o Are there two factor authentications?
o Does anyone get notified when
changes are made to the account? How?
o Is there a specific email address tied
to the account?
18
email notifications when changes are made to the account
and receive daily account balance updates via email. Used
to have treasury mgmt features but those are now disabled.
Do not get text message alerts. Recommend using them.
There is a dedicated Era email address for financial matters.
Use personal computers at home to check bank account
online.
• Are there any restrictions on money
transfers?
• Any specific protocols for wiring
money?
Do pay some bills with automatic bill pay. Used check to
set up.
• Does anyone get notified when large
transactions take place?
• Payroll Company
Finance team members all have access to Era email account
which is notified. NO cell phone notification.
o What computers are used to make
changes to the payroll account?
o Who has access to the username and
password?
o Are there two factor authentications?
o Does anyone get notified when there
are changes made to the account? How?
o What email address is tied to the
payroll account?
• Tithes
o How do you deposit tithes?
o Does the church keep any cash on
hand?
o Who counts the tithes?
o What service do you use for online
giving?
• where do you store sensitive
documents?
They do not need to wire money. Checking to see if they
have the capability. Recommend disabling.
Use online payroll system with Company B. Same 3person finance team has username and pw. Approximately
soon to be 5 employees in system. Get notifications via
email to finance email address when payroll paid. Go in
and release funds every two weeks. Cannot find two-factor
authentication or cell phone notification option. Will check
with company. Any change notifications are received via
email.
there is the option to deposit tithes via online giving system.
It is pw protected church mgmt software. In addition, the
payment processor is also pw protected. Managed by same
3-person finance team. Use same dedicated email address.
Payment processor requires two factor authentication username/pw and cell phone text message code. notified
via email if there are changes made to account. there are
multiple user groups in the church mgmt software so
pastors and others do not have access to finance part of
software. church mgmt software and payment processor
both send notifications, etc. and should corroborate each
other.
Sensitive documents are stored in a locked office in a filing
cabinet.
VULNERABILITY ASSESSMENT
• How much cash do you keep on hand
at the church?
• Any auto-payments established?
• Additional Information
General Questions
• Has the church been a victim of crime
in the past?
19
Very little cash is kept at the church.
Most bills are on auto-pay or direct draft.
There is a cap on debit card use in day and withdrawals
with debit card. Recommend creating overall cap. Personal
and work computers used to access online accounts. No
protocol in place to regularly change pw. Need to make
sure all computers have up-to-date anti-virus protection.
Outside accountant helps with taxes, provides extra layer.
Observations
No incidents in the past.
• Has there been any specific threats
against the church?
No threats against the church.
• Have there been any car break ins in
the past – Sunday morning or other days?
No car break ins.
• How long has the church occupied the
building?
• How many members attend the
church?
approximately 2 years
• What is the average Sunday morning
attendance?
• Where is the church’s mail delivered?
Additional Information
150 people
104 members
Mail is delivered to the building and a PO Box.
No protocols in place or written plans for a fire or tornado.
Purchase answer to see full
attachment
Why Choose Us
- 100% non-plagiarized Papers
- 24/7 /365 Service Available
- Affordable Prices
- Any Paper, Urgency, and Subject
- Will complete your papers in 6 hours
- On-time Delivery
- Money-back and Privacy guarantees
- Unlimited Amendments upon request
- Satisfaction guarantee
How it Works
- Click on the “Place Order” tab at the top menu or “Order Now” icon at the bottom and a new page will appear with an order form to be filled.
- Fill in your paper’s requirements in the "PAPER DETAILS" section.
- Fill in your paper’s academic level, deadline, and the required number of pages from the drop-down menus.
- Click “CREATE ACCOUNT & SIGN IN” to enter your registration details and get an account with us for record-keeping and then, click on “PROCEED TO CHECKOUT” at the bottom of the page.
- From there, the payment sections will show, follow the guided payment process and your order will be available for our writing team to work on it.