Running Head: VULNERABILITY ASSESSMENT
Jane Q. Student
(Submission Date)
CJMS 630 90XX
Seminar in Security Management (2XXX)
Vulnerability Assessment: Era Church, City, State
Site Selection and Rationale
This vulnerability assessment was conducted at Era Church
(“Era”), 429 State Street, City, State 90909, on the dates of
September 25 - 28, 2017, and was followed up with subsequent
interviews of relevant church personnel. The site was chosen
for multiple reasons including the potential for a violent
incident such as a mass shooting, and the potential for fraud or
other financial crime. A vulnerability is defined as “weakness[ ]
or gap[ ] in a security program that can be exploited by threats
to gain unauthorized access to an asset” (Threat Analysis
Group, 2017). Threats are events or persons, such as a natural
disaster, fire, criminal act, or terrorist incident, that can exploit
a vulnerability (Threat Analysis Group, 2017). A vulnerability
assessment “evaluates all opportunities that may be exploited by
a threat” and through a detailed process identifies areas where
vulnerabilities can be mitigated to lower the risk (DiMarino,
2017). Risk is defined as “the potential for loss, damage or
destruction of an asset as a result of a threat exploiting a
vulnerability” (Threat Analysis Group, 2017). The vulnerability
assessment at Era Church covers multiple areas to include
physical, operational, technological, and financial
vulnerabilities. While Era has taken measures to mitigate
vulnerabilities, there are some recommendations in each area
that could further mitigate risk.
Religion is a contentious and polarizing topic in the United
States, which makes churches prime targets for groups or
individuals who want to make a statement. Perhaps the most
infamous church shooting in recent memory is when white
supremacist Dylann Roof shot and killed nine African-American
church members of Emanuel African Methodist Episcopal
Church in Charleston, SC, on June 17, 2015 (Blinder & Sack,
2017). Roof brought a .45-caliber semiautomatic handgun into
the church in a waist pouch, and attended the Bible study for
approximately 40 minutes before he shot and killed the
members using seven magazines and over 70 rounds (Blinder &
Sack, 2017). This incident is just one of many violent incidents
at places of worship. There is no sure-fire way to completely
avoid incidents such as this shooting, but there are steps that
can be taken to help minimize or avoid a large-scale incident.
In addition to the threat of violence, churches are also
prime targets for fraud, both from internal and external threats.
For instance, the Center for the Study of Global Christianity
reports that in 2014 churches lost an estimated $39 billion to
internal financial fraud (Thomason, 2016). Theft and
embezzlement of church funds are two significant risks faced by
faith-based institutions (Thomason, 2016). In addition to an
insider threat, there is the ever-present threat of bank accounts
or email accounts being compromised and money being stolen.
Just like individuals or businesses, churches can fall victim to
account takeovers or ransomware. In one example, the Catholic
Diocese of Des Moines, IA, lost $600,000 when their bank
account was compromised and money was transferred to “money
mule” accounts all over the United States (McGlasson, 2010).
It should be noted that the Diocese had insurance that protected
them from the loss, but not all churches are so lucky.
Description of Facility
Era is a smaller church associated with the Southern Baptist
Convention. Era began in 2005 with the intent of establishing a
church in the center city to further the restoration and
revitalization of the city's downtown (Era Church, 2017). Era
purchased their current facility through a mortgage and has
occupied the building for approximately two years. The
building has two floors, and approximately 12,000 square feet.
There is the main sanctuary, the children’s ministry area, the
second-floor ministry area, the office area, and an attached
warehouse area that is not in use. There are currently 104
dedicated members, and on an average Sunday approximately
150 adults and children attend the service. The Sunday service
begins at 10:30 AM, lasts until approximately 11:45 AM, and
people remain at the church until approximately 1:00 PM. The
lead pastors are John Smith and David Jones. The vulnerability
assessment interviews were conducted with Smith, Jones, and
two separate church members who handle security and finances
respectively.
Critical Assets
Era’s primary assets in order of importance are church
members/ visitors (children); church members/ visitors (adults);
church building; church finances (money); and additional
contents in the church. Era is not a large church so the money it
has available is extremely important to them and their mission.
Purchasing the building was a big decision for the members and
losing the building would be a devastating loss.
Evaluation of Neighborhood, Crime Data, and Prior Incidents
The church is situated in downtown AnyCity, which has a
history of crime and is considered one of the most violent small
cities in the country. There is foot traffic around the church,
and a Department of Veterans Affairs clinic is next door in
addition to some homeless shelters and other outreach
organizations nearby. Era purposely situated themselves in this
environment to make a positive impact on the community.
Fortunately, Era has not been the victim of any crimes since
moving into the building. There have not been any car break-ins
during the Sunday service, nor have there been any break-ins
during the week. There have not been any threats made against
the church. The main threats that were considered while
conducting this assessment were violent crime, misdemeanor
crime, fire, and fraud. Currently, there are no elevated risks at
Era, and all threats were taken into consideration when
conducting the vulnerability assessment.
Evaluation of Physical Vulnerabilities
The first area addressed during the vulnerability assessment was
the physical vulnerabilities. The building is constructed with
cinder blocks and a brick exterior. There is a large drain
located outside the building that does back up during heavy rain
and can cause some water to enter the building. Overall the
building has held up against any acts of nature. There are three
entrances to the building on the first floor. Two entrances open
to the main sanctuary, and the third entrance opens to the back
hallway between the children’s ministry and warehouse. All
three doors are locked when the building is unoccupied, or
during the week when church staff are the only individuals in
the building. The side entrance is locked on Sundays at 10:30
AM when the church service begins. Only the front door facing
Main Street is unlocked once the service begins. The third door
remains locked during the service. A person can exit the
building even when the doors are locked. There are additional
doors inside the building that lock including the entrance to the
office area and the two pastors’ offices. Important paperwork is
secured in a locked pastor’s office. The front of the building
facing State Street has windows that line the building and reach
from the top of the first floor to the bottom. Because of the
design of the windows, individuals cannot see through the
windows during the day, and one is able to see through the
windows at night. There are blinds that remain down when the
building is unoccupied. These blinds are closed when the
Sunday service begins. The building was inspected prior to
occupation and is periodically inspected by the Fire Marshal.
All electrical work was done by a professional. The second
floor was recently renovated, but permits were not required
because of the size of the renovation and where it took place
within the building.
Current Physical Security Counter Measures
The building has a security system that is monitored by a
security company. The company provides 24/7 monitoring
services. The security system consists of motion detectors and
fire alarms. The fire alarms will be addressed in the next
paragraph. The motion detectors are located throughout the
building. There are no glass break sensors in the building, but
with the number of motion sensors, glass break sensors are not
needed. The two pastors, a cleaning service employee, and a
former employee have the code for the security system. Smith
and Jones both receive text message alerts when the alarm is
activated or deactivated. There is a cellular phone application
that can be used to access and operate the system. The system
has a battery backup and communicates using cellular towers.
There is a separate Internet Protocol (IP) camera system that is
located throughout the building. Smith and Jones can access the
cameras remotely via a cellular phone application that can be
viewed in real time. There are also cameras located outside the
building including the front door, which can be viewed to
identify visitors during the week before letting them inside the
building.
As previously mentioned there are smoke detectors located
throughout the first floor of the building that are connected to
the security system, and will alert the company if they are
triggered. There are no smoke detectors located on the newly
renovated second floor. There are also no observable smoke
detectors in the warehouse area of the building. There is a
smoke detector located by the two fire doors that separate the
main sanctuary from the children’s area. If those smoke
detectors are activated the fire doors close automatically
helping to contain a fire. The wall between the main sanctuary
and the children’s area on the first floor is considered a fire
wall, and would help stop the spread of a fire. There is no
sprinkler system located inside the building. A sprinkler system
is not required due to the size of the building, and would cost
$45,000, which is cost prohibitive for Era. There are fire
extinguishers in the main sanctuary and the children’s area, but
they are not mounted on the wall.
Evaluation of Operational Vulnerabilities
The second area examined was the existence of operational
vulnerabilities. Era has a security team, which is responsible
for security on Sunday mornings. There are two members that
monitor the parking lot from approximately 10:15 AM until
10:45 AM. After 10:45 AM, the two members monitor the
sanctuary from the back of the room. These same individuals
ensure the side entrance is locked at 10:30 AM so all foot
traffic must come through the front door. Though it is not a
regularly scheduled duty, some individuals will position
themselves outside the children’s area at the end of the service
while parents are picking up their children. The individual in
charge of the security team noted that there is a balance that
must be struck between making everyone feel welcome and still
remaining vigilant. There is a key fob that will immediately
contact the local police that is connected to the security system,
and is sometimes carried by a member of the security team.
There is a first aid kit on site and multiple members of the
church work in the medical field. Era hires a uniformed police
officer for larger church events that take place at night.
The most important asset at Era is the children, and the
children’s ministry has multiple rules in place to help protect
them. The children’s ministry is located in a separate area, and
only parents with children are allowed in the area. All children
are checked in via a computer and receive a sticker that is
placed on their back. The sticker has a randomly generated
code that is given to the parents for pick up. The stickers also
contain any food allergies for the child. All volunteers in the
children’s ministry have their background checked and are
required to provide multiple references. The references are not
always contacted depending on how well the person is known to
the church staff. Each Sunday school classroom has at least two
volunteers. At least one individual is a teacher trained by the
church staff. Spouses are not allowed to volunteer in the same
classroom so that there is always a viable witness should an
incident occur. All of the doors to the classroom have a top and
bottom. The bottom remains closed, but the top is either open
or can be opened at any time. Three of the four classrooms are
connected and allow all three classrooms to be easily evacuated
through the third door to the building, which leads to the back
parking lot. The fourth classroom is located right next to the
classroom where all the remaining children will be exiting and
also easily leads to the same door, which leads to the back
parking lot. In the event of a fire or other incident all of the
children’s rooms can be evacuated without having to cross
windows or the main sanctuary. All of the children’s
classrooms are also windowless and could serve as a shelter
during a tornado.
Evaluation of Existing Security Policies
There are no specific protocols in place to respond to a mass
shooting or an act of violence. Nor are there any specific
protocols in place for a fire or tornado beyond how the
children’s ministry would be evacuated. There are at least three
members of the church who regularly carry a concealed weapon.
One member is the head of the security team, while the other
two individuals are members of the law enforcement
community. It should be noted that one of the two members of
the law enforcement community is this author. This state is an
open carry state, and there are no specific rules prohibiting open
carry in a church. There has been at least one individual in the
past who openly carried a pistol in church, most likely to make
a political statement. The members of the security team
watched him closely and decided that it was best to let the
individual come and go as opposed to making a scene and
possibly having the church be used to make a political statement
in favor of open carry in churches.
Evaluation of Cyber Security Vulnerabilities
The fourth area examined was cybersecurity vulnerabilities.
Era has a public and private wireless network and both are
password protected. Both networks operate on the same
hardware and are air gapped. Most of the staff computers at Era
are Mac laptops that go home with the staff at night. The
laptops do not have anti-virus because they are Apple products,
but they do have ad blocker software. The computers at Era
are all password protected. The children’s ministry computer
that is used to check in and out children is password protected
and the program is web based and requires a password. The
church uses a mainstream tech company to host their email,
which is all password protected as well. The church website is
hosted by a local company, and any changes are made via
WordPress, which requires a password.
Evaluation of Financial Vulnerabilities
The final assessment focused on financial vulnerabilities. There
are three members of the finance team that are responsible for
handling the church finances. The pastors do not have any
control over church finances. An outside accountant assists
with taxes. Era does not have any credit cards. Era does their
banking at a local bank that has online banking. The three
members of the finance team have the username and password. There
is a dedicated Era email address that is attached to the bank
account. They do not have two-factor authentication
established for online banking. A daily account balance is sent
to the email address and checked regularly, but they do not
receive text message alerts. Era uses automatic bill pay, but
does not have any need to wire money. The finance team is not
sure if they have the ability to wire money. There is a cap on
the daily use of the debit card and withdrawals. There is no
protocol in place to regularly change passwords. There is a
dedicated finance computer at the church, but it is unknown
what type of anti-virus software is on the machine. The bank
account is also accessed online via personal computers
belonging to members of the finance team.
Era uses church management software to facilitate online
giving. The software is password protected and the finance
team has access to the financial portion of the software. The
software is linked to the same Era email address. There is a
payment processor that works in connection with the software to
facilitate the donations and tithes. The payment processor has
two-factor authentication with a username and password along
with cellular phone notification. Since the software and
payment processor both send notifications, the information
should corroborate one another. Era keeps very little cash on
hand at the church, and tithes are deposited weekly at the bank.
Era also uses an online payroll company to pay its employees.
The finance team has the username and password. The same
dedicated email address is attached to the payroll account as
well. The payroll company sends notifications via email when
there are changes or a payroll is released. There is no two-
factor authentication established. A member of the finance
team releases the payroll every two weeks.
Security Recommendations
The Threat Analysis Group (2017) states that “risk is a function
of threats exploiting vulnerabilities to obtain, damage or
destroy assets.” They explain that threats will always exist, but
if there are no vulnerabilities then there is little or no risk
(Threat Analysis Group, 2017). In a similar fashion, there are
situations where there is a vulnerability, but no threat so there
is no risk (Threat Analysis Group, 2017). Unfortunately, it is
not possible to completely eliminate the threat of fire, church
violence, or crime against the church so recommendations and
changes should be made to mitigate the vulnerabilities and thus
reduce the risk as much as possible.
The physical security steps that Era has taken are a good start,
but there are some vulnerabilities that need to be addressed.
There should be additional smoke detectors placed on the
second floor and in the warehouse. If a fire occurs in those
areas, it would have to spread to the rest of the building before
the security company would become aware. A sprinkler system
would be an added benefit, but the fire wall and additional
smoke detectors would help ensure that the fire company is
notified immediately and the fire is contained. All of the fire
extinguishers should be mounted on the wall where they can be
easily located. A few seconds delay in deploying a fire
extinguisher could prove to be devastating. Security system
sensors should also be considered for the three doors, because it
ensures that all three doors are closed before the alarm can be
activated. The two main pastors should have their own security
code for the system, and secondary codes should be established
for other individuals. When those individuals no longer work at
the church, those codes should be removed from the security
system. Finally, Era has a post office box, and to avoid mail
theft, all mail should be directed to the post office box as
opposed to being sent to the physical address.
There are additional operational vulnerabilities that can be
addressed to further ensure the safety of the church. Locking
the side entrance at 10:30 AM should continue and helps ensure
that there is only one way inside the church once the service
starts. The members of the security team that stand in the back
of the sanctuary should always position themselves so they have
visibility of the front door. Their backs should never be to the
door. The front of the hallway between the sanctuary and the
children’s ministry is an excellent position. Protocols need to
be developed and recorded in the event of an active shooter,
fire, and tornado. Once the protocols are developed, the church
members should be briefed during a member’s meeting. It is
understandable to not want to discuss it on a Sunday morning,
but the church members should know what plans are in place.
Many parents’ instinct during a fire or active shooter situation
is going to be to run to the children’s ministry when in fact the
children will be evacuated during a fire, or locked down during
an active shooter event. The members need to know what will
occur in specific situations. Someone in the church, whether it
is a pastor, someone in the back of the church, or a member of
the security team should carry the key fob that summons the
police department. Currently, the three members of the church
that are armed know one another. Periodically, it should be
assessed if there are additional members of the church who are
armed. The children’s ministry has many robust security
measures in place, but there are a few suggestions for this area.
Teachers and volunteers should be trained using a standard
children’s ministry policy. The policy should include
appropriate ways to handle children, discipline, and other areas
such as the fire, active shooter, and tornado protocols.
Children’s stickers should also be removed from their backs
when they are picked up by their parents. This will help
everyone identify a child that has left the area without being
properly picked up. It also removes the child’s name in case a
stranger tries to use it to lure them away. It is also
recommended that a pastor call at least one reference on each
person’s background check sheet. There are issues that a
background check cannot identify, which could be revealed by a
reference check.
Finally, the recommendations to address cybersecurity and
financial vulnerabilities overlap. The long-term goal should be
to have two completely separate, air gapped public and private
wireless networks. It adds a layer of security to the church
computers. Having three members on the finance team fosters
accountability and should continue. All of the online accounts
to include the bank, payroll company, software management
company, and payment processor should have two-factor
authentication enabled. Many times, when an account is
compromised, the threat will spam the email account to hide any
change notifications. In addition, since Era does not have a
need to regularly wire money, it is recommended that the ability
to wire money be disabled. This removes the threat of a large
wire transfer leaving the account empty. The finance team
should also explore the possibility of obtaining insurance to
protect the church from financial loss. All computers that are
used to access the accounts, both Era computers and personal
computers should always have the most up to date anti-virus
software. There are many effective anti-virus programs that are
free to the public and would add an extra layer of protection.
Passwords should also be changed at least once or twice a year.
Any member of the finance team that uses his home computer to
access any accounts should also ensure his anti-virus software is
up to date. If there is suspicion that a computer has been
compromised, then all passwords should be changed. The
chance of Era being targeted directly is small, but the chances
of Era being unknowingly targeted are much greater and the
aforementioned recommendations will help lower the chances
that a threat is successful.
Conclusion
This vulnerability assessment surveyed physical, operational,
cybersecurity, and financial vulnerabilities. While the staff and
members have already taken measures to increase security, there
are additional actions that can be taken to further lessen the
chance a threat is successful. It is impossible to completely
eliminate all threats, and unrealistic to think there are any actions
that can completely stop individuals from attempting malicious
activities. However, Era can help reduce the risk by following
the recommendations outlined in this assessment. It is
understandable that Era needs to find the balance between
making everyone feel welcome, while still remaining vigilant.
These recommendations will allow Era to accomplish that goal
and keep their most important assets safe.
References
Blinder, A., & Sack, K. (2017, January 10). Dylann Roof is sentenced to death in Charleston church massacre. The New York Times. Retrieved from https://www.nytimes.com/2017/01/10/us/dylann-roof-trial-charleston.html?_r=0/
DiMarino, F. (2017). Module 4: Vulnerability assessments. Document posted in University of Maryland University College CJMS 630 9040 Seminar in Security Management (2175) online classroom, archived at https://learn.umuc.edu/d2l/le/content/223077/viewContent/9190918/View/
Era Church. (2017). Welcome to Era church! Retrieved from http://erachchurch.org/
McGlasson, L. (2010, September 1). Church latest victim of ACH fraud. Bank Info Security. Retrieved from http://www.bankinfosecurity.com/church-latest-victim-ach-fraud-a-2888/
Threat Analysis Group. (2017). Threat, vulnerability, risk – commonly mixed up terms. Retrieved from https://www.threatanalysis.com/2010/05/03/threat-vulnerability-risk-commonly-mixed-up-terms/
Thomason, S. (2016, August 24). Prevent church fraud with better controls. The Tennessean. Retrieved from http://www.tennessean.com/story/sponsor-story/lbmc/2016/08/24/lbmc-prevent-church-fraud-better-controls/89203972/
Appendix
Vulnerability Assessment Survey
Physical Vulnerabilities
Observations
Building Information
The building is 1200 sq. ft. and 2 floors. There are 3 entrances
on the 1st floor. There are glass windows that line the building
top to bottom on the main street side of the building. At night
and during the Sunday service the blinds are closed. All
electrical work is done by professionals and up to code. Prior
to putting the building in use, it was inspected and the fire
marshal conducts periodic inspections. There are exterior lights
around the entire building that operate on a timer at night. The
interior of the building has additional locked doors including
the pastors' offices.
o Size
o Floors
o Entrances/ Locks
o Windows/ Blinds
o Electrical Work
o Inspections/ Building Code
o Exterior Lighting
Security System
There are IP-based cameras that operate separately from the
security system. The cameras can be accessed via the Internet
using an app on a phone. The security system is monitored by an
outside company. The two main pastors and cleaning person
have the code. There are multiple motion detectors throughout
the building. There are no glass break detectors because the
number of motion detectors makes them unnecessary. The two
pastors receive text message notifications. The system has a
battery backup and operates on a cellular communication system.
o Company
o Cameras
o Motion Detectors
o Glass Break
o Smoke Detectors
o Battery Backup
o Access Codes
o Devices used to access system
Fire Detection System
The fire alarms are connected to the security system and are
monitored 24/7 by the outside company. There are multiple fire
alarms on the first floor including one that is connected to fire
doors that close in the event of a fire. The doors and
surrounding wall are considered a fire wall that helps prevent
fire from spreading. There is no sprinkler system. The building
size does not require it and it would cost approx. $45,000.
There are fire extinguishers in the separate parts of the building
but they are not mounted. There is NO fire alarm on the
renovated 2nd floor or in the warehouse(?)
o Sprinklers
o Smoke Detectors
o Fire Walls
o Fire Extinguishers
Additional Information
During the week the doors are locked even if the building is
occupied (they still allow individuals to exit) and there are
cameras to see who is knocking
o What entrances are locked during the week?
Cybersecurity Vulnerabilities
Observations
Wireless Networks
There is a private and public wireless network at the church.
The two networks have different pw. The private network is for
church employees. The networks are not air gapped and reside
on the same router.
o Private Network
o Public Network
o Are they physically separated?
Types of computers
The children's ministry check in computer is pw protected and
the program is web based w/ a pw. The two pastor laptops are
MacBooks that are taken home at night. The MacBooks do not
have anti-virus but there is an ad blocker. The children's
ministry program does not have any PII. One or two additional
computers remain at the church 24/7, but are pw protected.
o Anti-virus software
o Password protected
Church Email
The church email is hosted on a commercial program that is free
but provides standard security services. The emails are pw
protected.
o Who hosts the email service?
o Is it password protected?
Church website
The church website is hosted by a local company and changes
are made via WordPress. A pw is required to make changes to
the website.
o Who hosts the church website?
o Is a password required to make changes to the website?
Additional Information
Operational Vulnerabilities
Observations
Are there any security protocols already in place?
There is a security team at Era that ensures two individuals are
in the parking lot area of the church every Sunday morning from
about 1015A to 1045A (church starts at 1030A). The same
individuals are responsible for ensuring that the side entrance is
locked at 1030A. The same two individuals will stay towards
the back of the church to be aware of any suspicious or out of
place behavior. One individual will also move to outside the
children's area at the end of church to make sure no children run
out unattended or there are adults in the area that should not be.
Note a need to balance making everyone feel welcome while
still being aware.
o Is there a specific plan in place to respond to an act of
violence?
Do you ever have the local police department provide
security?
For certain events that take place at night or are larger they will
hire an off duty ATPD or ACSO officer.
Is there a first aid kit on site?
Yes
What doors are locked on Sunday morning?
The third entrance is locked. The side entrance is unlocked
until 1030A. The front entrance is always unlocked. The side
door is unlocked at the end of church for people to leave.
Children’s Ministry
All volunteers in the Children's ministry are background
checked by an outside company. On Sunday mornings, there is
a check in/ out system that requires an adult to check in the
child who gets a sticker on their back with a randomly
generated code unique to the family. There is a separate pass
for the adult that has the code and is required to pick up the
children. All food allergies are documented on the child's
sticker and the snack is clearly displayed per classroom. There
are trained teachers in each classroom in addition to a
volunteer. The teachers have additional training from the staff.
There is written policy but working to compile into a full
policy. The children's area has two separate glass doors from
the main area. Each classroom has a two-part door so the
bottom stays closed and the top can be opened at any time.
Additional policy is spouses do not work in the same room
together so there is always a viable witness for any actions
taken by another. In addition to a background check, will
contact references depending on whether anyone at the church knows
the person on a personal level.
o Background checks for volunteers?
o Check In/ Check Out System
o Document Food Allergies
o Additional protocols for volunteers
o Restricted access?
o Are there any armed members at the church?
There are at least two armed members who are law enforcement
(1 is this author) plus the head of the security team has a
concealed carry license. Head of the security team has spoken
with both members who are law enforcement.
Additional Information
There is a key fob as part of the security system that will
automatically call police. Security team sometimes carries it.
Financial Vulnerabilities
Observations
Bank
Bank A
Who handles the finances?
There is a 3-person finance team that handles the money. The
two pastors do not handle the money and let the finance team
handle those matters. The 3-person team creates accountability.
Do you conduct online banking?
The church conducts online banking and the 3 finance team
members have the username and pw. There is a main finance
computer at church that is just used for finance matters.
Unknown at this time what anti-virus protection is on the
computers. The three finance team members receive email
notifications when changes are made to the account and receive
daily account balance updates via email. Used to have treasury
mgmt features but those are now disabled. Do not get text
message alerts. Recommend using them. There is a dedicated
Era email address for financial matters. Use personal
computers at home to check bank account online.
o What computers are used to conduct online banking?
o Who has access to the username and password?
o Is there two-factor authentication?
o Does anyone get notified when changes are made to the
account? How?
o Is there a specific email address tied to the account?
Are there any restrictions on money transfers?
Do pay some bills with automatic bill pay. Used check to set
up.
Any specific protocols for wiring money?
They do not need to wire money. Checking to see if they have
the capability. Recommend disabling.
Does anyone get notified when large transactions take
place?
Finance team members all have access to Era email account
which is notified. NO cell phone notification.
Payroll Company
Use online payroll system with Company B. Same 3-person
finance team has username and pw. Soon to be approximately 5
employees in system. Get notifications via email to finance
email address when payroll paid. Go in and release funds every
two weeks. Cannot find two-factor authentication or cell phone
notification option. Will check with company. Any change
notifications are received via email.
o What computers are used to make changes to the payroll
account?
o Who has access to the username and password?
o Is there two-factor authentication?
o Does anyone get notified when there are changes made to
the account? How?
o What email address is tied to the payroll account?
Tithes
There is the option to deposit tithes via online giving system. It
is pw protected church mgmt software. In addition, the payment
processor is also pw protected. Managed by same 3-person
finance team. Use same dedicated email address. Payment
processor requires two-factor authentication - username/pw and
cell phone text message code. Notified via email if there are
changes made to account. There are multiple user groups in the
church mgmt software so pastors and others do not have access
to finance part of software. Church mgmt software and payment
processor both send notifications, etc. and should corroborate
each other.
o How do you deposit tithes?
o Does the church keep any cash on hand?
o Who counts the tithes?
o What service do you use for online giving?
Where do you store sensitive documents?
Sensitive documents are stored in a locked office in a filing
cabinet.
How much cash do you keep on hand at the church?
Very little cash is kept at the church.
Any auto-payments established?
Most bills are on auto-pay or direct draft.
Additional Information
There is a daily cap on debit card use and on withdrawals with
debit card. Recommend creating overall cap. Personal and
work computers used to access online accounts. No protocol in
place to regularly change pw. Need to make sure all computers
have up-to-date anti-virus protection. Outside accountant helps
with taxes, provides extra layer.
General Questions
Observations
Has the church been a victim of crime in the past?
No incidents in the past.
Have there been any specific threats against the church?
No threats against the church.
Have there been any car break-ins in the past – Sunday
morning or other days?
No car break-ins.
How long has the church occupied the building?
Approximately 2 years
How many members attend the church?
104 members
What is the average Sunday morning attendance?
150 people
Where is the church’s mail delivered?
Mail is delivered to the building and a PO Box.
Additional Information
No protocols in place or written plans for a fire or tornado.


Running Head VULNERABILITY ASSESSMENT1VULNERABILITY ASSESSMEN.docx

  • 1. Running Head: VULNERABILITY ASSESSMENT 1 VULNERABILITY ASSESSMENT 2 Jane Q. Student (Submission Date) CJMS 630 90XX Seminar in Security Management (2XXX) Vulnerability Assessment: Era Church, City, State Site Selection and Rationale This vulnerability assessment was conducted at Era Church (“Era”), 429 State Street, City, State 90909, on the dates of September 25 - 28, 2017, and was followed up with subsequent interviews of relevant church personnel. The site was chosen for multiple reasons including the potential for a violent
  • 2. incident such as a mass shooting, and the potential for fraud or other financial crime. A vulnerability is defined as “weakness[ ] or gap[ ] in a security program that can be exploited by threats to gain unauthorized access to an asset” (Threat Analysis Group, 2017). Threats are events or persons, such as a natural disaster, fire, criminal act, or terrorist incident, that can exploit a vulnerability (Threat Analysis Group, 2017). A vulnerability assessment “evaluates all opportunities that may be exploited by a threat” and through a detailed process identifies areas where vulnerabilities can be mitigated to lower the risk (DiMarino, 2017). Risk is defined as “the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability” (Threat Analysis Group, 2017). The vulnerability assessment at Era Church covers multiple areas to include physical, operational, technological, and financial vulnerabilities. While Era has taken measures to mitigate vulnerabilities, there are some recommendations in each area that could further mitigate risk. Religion is a contentious and polarizing topic in the United States, which makes churches prime targets for groups or individuals who want to make a statement. Perhaps the most infamous church shooting in recent memory is when white supremacist Dylann Roof shot and killed nine African-American church members of Emanuel African Methodist Episcopal Church in Charleston, SC, on June 17, 2015 (Blinder & Sack, 2017). Roof brought a .45-caliber semiautomatic handgun into the church in a waist pouch, and attended the Bible study for approximately 40 minutes before he shot and killed the members using seven magazines and over 70 rounds (Blinder & Sack, 2017). This incident is just one of many violent incidents at places of worship. There is no sure-fire way to completely avoid incidents such as this shooting, but there are steps that can be taken to help minimize or avoid a large-scale incident. 
In addition to the threat of violence, churches are also prime targets for fraud, both from internal and external threats. For instance, the Center for the Study of Global Christianity
  • 3. reports that in 2014 churches lost an estimated $39 billion to internal financial fraud (Thomason, 2016). Theft and embezzlement of church funds are two significant risks faced by faith-based institutions. (Thomason, 2016). In addition to an insider threat, there is the ever-present threat of bank accounts or email accounts being compromised and money being stolen. Just like individuals or businesses, churches can fall victim to account takeovers or ransomware. In one example, the Catholic Diocese of Des Moines, IA, lost $600,000 when their bank account was compromised and money was transferred to “money mule” accounts all over the United States (McGlasson, 2010). It should be noted that the Diocese had insurance that protects them from the loss, but not all churches are so lucky. Description of Facility Era is a smaller church associated with the Southern Baptist Convention. Era began in 2005 with the intent of establishing a church in the center city to further the restoration and revitalization of the city. downtown (Era Church, 2017). Era purchased their current facility through a mortgage and has occupied the building for approximately two years. The building has two floors, and approximately 12,000 square feet. There is the main sanctuary, the children’s ministry area, the second-floor ministry area, the office area, and an attached warehouse area that is not in use. There are currently 104 dedicated members, and on an average Sunday approximately 150 adults and children attend the service. The Sunday service begins at 10:30 AM, lasts until approximately 11:45 AM, and people remain at the church until approximately 1:00 PM. The lead pastors are John Smith and David Jones. The vulnerability assessment interviews were conducted with Smith, Jones, and two separate church members who handle security and finances respectively. 
Critical Assets Era’s primary assets in order of importance are church members/ visitors (children); church members/ visitors (adults); church building; church finances (money); and additional
  • 4. contents in the church. Era is not a large church so the money it has available is extremely important to them and their mission. Purchasing the building was a big decision for the members and losing the building would be a devastating loss. Evaluation of Neighborhood, Crime Data, and Prior Incidents The church is situated in downtown AnyCity, which has a history of crime and is considered one of the most violent small cities in the country. There is foot traffic around the church, and a Department of Veterans Affairs clinic is next door in addition to some homeless shelters and other outreach organizations nearby. Era purposely situated themselves in this environment to make a positive impact on the community. Fortunately, Era has not been the victim of any crimes since moving into the building. There have not been any car break ins during the Sunday service, nor have there been any break ins during the week. There have not been any threats made against the church. The main threats that were considered while conducting this assessment were violent crime, misdemeanor crime, fire, and fraud. Currently, there are no elevated risks at Era, and all threats were taken into consideration when conducting the vulnerability assessment. Evaluation of Physical Vulnerabilities The first area addressed during the vulnerability assessment was the physical vulnerabilities. The building is constructed with cinder blocks and a brick exterior. There is a large drain located outside the building that does back up during heavy rain and can cause some water to enter the building. Overall the building has held up against any acts of nature. There are three entrances to the building on the first floor. Two entrances open to the main sanctuary, and the third entrance opens to the back hallway between the children’s ministry and warehouse. All three doors are locked when the building is unoccupied, or during the week when church staff are the only individuals in the building. 
The side entrance is locked on Sundays at 10:30 AM when the church service begins. Only the front door facing
  • 5. Main Street is unlocked once the service begins. The third door remains locked during the service. A person can exit the building even when the doors are locked. There are additional doors inside the building that lock including the entrance to the office area and the two pastors’ offices. Important paperwork is secured in a locked pastor’s office. The front of the building facing State Street has windows that line the building and reach from the top of the first floor to the bottom. Because of the design of the windows, individuals cannot see through the windows during the day, and one is able to see through the windows at night. There are blinds that remain down when the building is unoccupied. These blinds are closed when the Sunday service begins. The building was inspected prior to occupation and is periodically inspected by the Fire Marshall. All electrical work was done by a professional. The second floor was recently renovated, but permits were not required because of the size of the renovation and where it took place within the building. Current Physical Security Counter Measures The building has a security system that is monitored by a security company. The company provides 24/7 monitoring services. The security system consists of motion detectors and fire alarms. The fire alarms will be addressed in the next paragraph. The motion detectors are located throughout the building. There are no glass break sensors in the building, but with the number of motion sensors, glass break sensors are not needed. The two pastors, a cleaning service employee, and a former employee have the code for the security system. Smith and Jones both receive text message alerts when the alarm is activated or deactivated. There is a cellular phone application that can be used to access and operate the system. The system has a battery backup and communicates using cellular towers. 
There is a separate Internet Protocol (IP) camera system that is located throughout the building. Smith and Jones can access the
  • 6. cameras remotely via a cellular phone application that can be viewed in real time. There are also cameras located outside the building including the front door, which can be viewed to identify visitors during the week before letting them inside the building. As previously mentioned there are smoke detectors located throughout the first floor of the building that are connected to the security system, and will alert the company if they are triggered. There are no smoke detectors located on the newly renovated second floor. There are also no observable smoke detectors in the warehouse area of the building. There is a smoke detector located by the two fire doors that separate the main sanctuary from the children’s area. If those smoke detectors are activated the fire doors close automatically helping to contain a fire. The wall between the main sanctuary and the children’s area on the first floor is considered a fire wall, and would help stop the spread of a fire. There is no sprinkler system located inside the building. A sprinkler system is not required due to the size of the building, and would cost $45,000, which is cost prohibitive for Era. There are fire extinguishers in the main sanctuary and the children’s area, but they are not mounted on the wall. Evaluation of Operational Vulnerabilities The second area examined was the existence of operational vulnerabilities. Era has a security team, which is responsible for security on Sunday mornings. There are two members that monitor the parking lot from approximately 10:15 AM until 10:45 AM. After 10:45 AM, the two members monitor the sanctuary from the back of the room. These same individuals ensure the side entrance is locked at 10:30 AM so all foot traffic must come through the front door. Though it is not a regularly scheduled duty, some individuals will position themselves outside the children’s area at the end of the service while parents are picking up their children. 
The individual in charge of the security team noted that there is a balance that must be struck between making everyone feel welcome and still remaining vigilant. There is a key fob that will immediately contact the local police that is connected to the security system, and is sometimes carried by a member of the security team. There is a first aid kit on site and multiple members of the church work in the medical field. Era hires a uniformed police officer for larger church events that take place at night.
The most important asset at Era is the children, and the children’s ministry has multiple rules in place to help protect them. The children’s ministry is located in a separate area, and only parents with children are allowed in the area. All children are checked in via a computer and receive a sticker that is placed on their back. The sticker has a randomly generated code that is given to the parents for pick up. The stickers also contain any food allergies for the child. All volunteers in the children’s ministry have their background checked and are required to provide multiple references. The references are not always contacted depending on how well the person is known to the church staff. Each Sunday school classroom has at least two volunteers. At least one individual is a teacher trained by the church staff. Spouses are not allowed to volunteer in the same classroom so that there is always a viable witness should an incident occur.
All of the doors to the classroom have a top and bottom. The bottom remains closed, but the top is either open or can be opened at any time. Three of the four classrooms are connected and allow all three classrooms to be easily evacuated through the third door to the building, which leads to the back parking lot. The fourth classroom is located right next to the classroom where all the remaining children will be exiting and also easily leads to the same door, which leads to the back parking lot. In the event of a fire or other incident all of the children’s rooms can be evacuated without having to cross windows or the main sanctuary.
All of the children’s classrooms are also windowless and could serve as a shelter during a tornado.
Evaluation of Existing Security Policies
There are no specific protocols in place to respond to a mass shooting or an act of violence. Nor are there any specific protocols in place for a fire or tornado beyond how the children’s ministry would be evacuated. There are at least three members of the church who regularly carry a concealed weapon. One member is the head of the security team, while the other two individuals are members of the law enforcement community. It should be noted that one of the two members of the law enforcement community is this author. This state is an open carry state, and there are no specific rules prohibiting open carry in a church. There has been at least one individual in the past who openly carried a pistol in church, most likely to make a political statement. The members of the security team watched him closely and decided that it was best to let the individual come and go as opposed to making a scene and possibly having the church be used to make a political statement in favor of open carry in churches.
Evaluation of Cyber Security Vulnerabilities
The fourth area examined was cybersecurity vulnerabilities. Era has a public and private wireless network and both are password protected. Both networks operate on the same hardware and are not air gapped. Most of the staff computers at Era are Mac laptops that go home with the staff at night. The laptops do not have anti-virus because they are Apple products, but they do have ad blocker software. The computers at Era are all password protected. The children’s ministry computer that is used to check in and out children is password protected and the program is web based and requires a password. The church uses a mainstream tech company to host their email, which is all password protected as well. The church website is hosted by a local company, and any changes are made via WordPress, which requires a password.
Evaluation of Financial Vulnerabilities
The final assessment focused on financial vulnerabilities.
There are three members of the finance team that are responsible for handling the church finances. The pastors do not have any control over church finances. An outside accountant assists with taxes. Era does not have any credit cards. Era does their banking at a local bank that has online banking. The three members of the finance team have the username and password. There is a dedicated Era email address that is attached to the bank account. They do not have two-factor authentication established for online banking. A daily account balance is sent to the email address and checked regularly, but they do not receive text message alerts. Era uses automatic bill pay, but does not have any need to wire money. The finance team is not sure if they have the ability to wire money. There is a cap on the daily use of the debit card and withdrawals. There is no protocol in place to regularly change passwords. There is a dedicated finance computer at the church, but it is unknown what type of anti-virus software is on the machine. The bank account is also accessed online via personal computers belonging to members of the finance team.
Era uses church management software to facilitate online giving. The software is password protected and the finance team has access to the financial portion of the software. The software is linked to the same Era email address. There is a payment processor that works in connection with the software to facilitate the donations and tithes. The payment processor has two-factor authentication with a username and password along with cellular phone notification. Since the software and payment processor both send notifications, the information should corroborate one another. Era keeps very little cash on hand at the church, and tithes are deposited weekly at the bank.
Era also uses an online payroll company to pay its employees. The finance team has the username and password. The same dedicated email address is attached to the payroll account as well. The payroll company sends notifications via email when there are changes or a payroll is released. There is no two-factor authentication established.
A member of the finance team releases the payroll every two weeks.
Security Recommendations
The Threat Analysis Group (2017) states that “risk is a function of threats exploiting vulnerabilities to obtain, damage or destroy assets.” They explain that threats will always exist, but if there are no vulnerabilities then there is little or no risk (Threat Analysis Group, 2017). In a similar fashion, there are situations where there is a vulnerability, but no threat so there is no risk (Threat Analysis Group, 2017). Unfortunately, it is not possible to completely eliminate the threat of fire, church violence, or crime against the church so recommendations and changes should be made to mitigate the vulnerabilities and thus reduce the risk as much as possible.
The physical security steps that Era has taken are a good start, but there are some vulnerabilities that need to be addressed. There should be additional smoke detectors placed on the second floor and in the warehouse. If a fire occurs in those areas, it would have to spread to the rest of the building before the security company would become aware. A sprinkler system would be an added benefit, but the fire wall and additional smoke detectors would help ensure that the fire company is notified immediately and the fire is contained. All of the fire extinguishers should be mounted on the wall where they can be easily located. A few seconds delay in deploying a fire extinguisher could prove to be devastating. Security system sensors should also be considered for the three doors, because it ensures that all three doors are closed before the alarm can be activated. The two main pastors should have their own security code for the system, and secondary codes should be established for other individuals. When those individuals no longer work at the church, those codes should be removed from the security system. Finally, Era has a post office box, and to avoid mail theft, all mail should be directed to the post office box as opposed to being sent to the physical address.
There are additional operational vulnerabilities that can be addressed to further ensure the safety of the church. Locking the side entrance at 10:30 AM should continue and helps ensure that there is only one way inside the church once the service starts. The members of the security team that stand in the back of the sanctuary should always position themselves so they have visibility of the front door. Their backs should never be to the door. The front of the hallway between the sanctuary and the children’s ministry is an excellent position.
Protocols need to be developed and recorded in the event of an active shooter, fire, and tornado. Once the protocols are developed, the church members should be briefed during a member’s meeting. It is understandable to not want to discuss it on a Sunday morning, but the church members should know what plans are in place. Many parents’ instinct during a fire or active shooter situation is going to be to run to the children’s ministry when in fact the children will be evacuated during a fire, or locked down during an active shooter event. The members need to know what will occur in specific situations. Someone in the church, whether it is a pastor, someone in the back of the church, or a member of the security team should carry the key fob that summons the police department. Currently, the three members of the church that are armed know one another. Periodically, it should be assessed if there are additional members of the church who are armed.
The children’s ministry has many robust security measures in place, but there are a few suggestions for this area. Teachers and volunteers should be trained using a standard children’s ministry policy. The policy should include appropriate ways to handle children, discipline, and other areas such as the fire, active shooter, and tornado protocols. Children’s stickers should also be removed from their backs when they are picked up by their parents. This will help everyone identify a child that has left the area without being properly picked up. It also removes the child’s name in case a stranger tries to use it to lure them away. It is also recommended that a pastor call at least one reference on each person’s background check sheet.
There are issues that a background check cannot identify, which could be revealed by a reference check.
Finally, the recommendations to address cybersecurity and financial vulnerabilities overlap. The long-term goal should be to have two completely separate, air gapped public and private wireless networks. It adds a layer of security to the church computers. Having three members on the finance team fosters accountability and should continue. All of the online accounts to include the bank, payroll company, software management company, and payment processor should have two-factor authentication enabled. Many times, when an account is compromised, the threat will spam the email account to hide any change notifications. In addition, since Era does not have a need to regularly wire money, it is recommended that the ability to wire money be disabled. This removes the threat of a large wire transfer leaving the account empty. The finance team should also explore the possibility of obtaining insurance to protect the church from financial loss.
All computers that are used to access the accounts, both Era computers and personal computers, should always have the most up to date anti-virus software. There are many effective anti-virus programs that are free to the public and would add an extra layer of protection. Passwords should also be changed at least once or twice a year. Any member of the finance team that uses his home computer to access any accounts should also ensure his anti-virus software is up to date. If there is suspicion that a computer has been compromised, then all passwords should be changed. The chance of Era being targeted directly is small, but the chances of Era being unknowingly targeted are much greater and the aforementioned recommendations will help lower the chances that a threat is successful.
Conclusion
This vulnerability assessment surveyed physical, operational, cybersecurity, and financial vulnerabilities. While the staff and members have already taken measures to increase security, there are additional actions that can be taken to further lessen the chance a threat is successful.
It is impossible to completely eliminate all threats, and unrealistic to think there are any actions that can completely stop individuals from attempting malicious activities. However, Era can help reduce the risk by following the recommendations outlined in this assessment. It is understandable that Era needs to find the balance between making everyone feel welcome, while still remaining vigilant. These recommendations will allow Era to accomplish that goal and keep their most important assets safe.
References
Blinder, A., & Sack, K. (2017, January 10). Dylann Roof is sentenced to death in Charleston church massacre. The New York Times. Retrieved from https://www.nytimes.com/2017/01/10/us/dylann-roof-trial-charleston.html?_r=0/
DiMarino, F. (2017). Module 4: Vulnerability assessments. Document posted in University of Maryland University College CJMS 630 9040 Seminar in Security Management (2175) online classroom, archived at https://learn.umuc.edu/d2l/le/content/223077/viewContent/9190918/View/
Era Church. (2017). Welcome to Era church! Retrieved from http://erachchurch.org/
McGlasson, L. (2010, September 1). Church latest victim of ACH fraud. Bank Info Security. Retrieved from http://www.bankinfosecurity.com/church-latest-victim-ach-fraud-a-2888/
Threat Analysis Group. (2017). Threat, vulnerability, risk – commonly mixed up terms. Retrieved from https://www.threatanalysis.com/2010/05/03/threat-vulnerability-risk-commonly-mixed-up-terms/
Thomason, S. (2016, August 24). Prevent church fraud with better controls. The Tennessean. Retrieved from http://www.tennessean.com/story/sponsor-story/lbmc/2016/08/24/lbmc-prevent-church-fraud-better-controls/89203972/
Appendix
Vulnerability Assessment Survey
Physical Vulnerabilities
Building Information
Observations: The building is 1200 sq. ft. and 2 floors. There are 3 entrances on the 1st floor. There are glass windows that line the building top to bottom on the main street side of the building. At night and during the Sunday service the blinds are closed. All electrical work is done by professionals and up to code. Prior to putting the building in use, it was inspected and the fire marshal conducts periodic inspections. There are exterior lights around the entire building that operate on a timer at night. The interior of the building has additional locked doors including the pastors' offices.
o Size
o Floors
o Entrances/ Locks
o Windows/ Blinds
o Electrical Work
o Inspections/ Building Code
o Exterior Lighting
Security System
Observations: There are IP based cameras that operate separately from the security system. The cameras can be accessed via the Internet through an app on a phone. The security system is monitored by an outside company. The two main pastors and cleaning person have the code. There are multiple motion detectors throughout the building. There are no glass break detectors because the number of motion detectors makes them unnecessary. The two pastors receive text message notifications. The system has a battery backup and operates on a cellular communication system.
o Company
o Cameras
o Motion Detectors
o Glass Break
o Smoke Detectors
o Battery Backup
o Access Codes
o Devices used to access system
Fire Detection System
Observations: The fire alarms are connected to the security system and are monitored 24/7 by the outside company. There are multiple fire alarms on the first floor including one that is connected to fire doors that close in the event of a fire. The doors and surrounding wall are considered a fire wall that helps prevent fire from spreading. There is no sprinkler system. The building size does not require it and it would cost approx. $45,000. There are fire extinguishers in the separate parts of the building but they are not mounted. There is NO fire alarm on the renovated 2nd floor or in the warehouse(?)
o Sprinklers
o Smoke Detectors
o Fire Walls
o Fire Extinguishers
Additional Information
Observations: During the week the doors are locked even if the building is occupied (they still allow individuals to exit) and there are cameras to see who is knocking.
o What entrances are locked during the week?
Cybersecurity Vulnerabilities
Wireless Networks
Observations: There is a private and public wireless network at the church. The two networks have different pw. The private network is for church employees. The networks are not air gapped and reside on the same router.
o Private Network
o Public Network
o Are they physically separated?
Types of computers
Observations: The children's ministry check in computer is pw protected and the program is web based w/ a pw. The two pastor laptops are MacBooks that are taken home at night. The MacBooks do not have anti-virus but there is ad blocker. The children's ministry program does not have any PII. One or two additional computers remain at the church 24/7, but are pw protected.
o Anti-virus software
o Password protected
Church Email
Observations: The church email is hosted on a commercial program that is free but provides standard security services. The emails are pw protected.
o Who hosts the email service?
o Is it password protected?
Church website
Observations: The church website is hosted by a local company and changes are made via WordPress. A pw is required to make changes to the website.
o Who hosts the church website?
o Is a password required to make changes to the website?
Additional Information
Operational Vulnerabilities
Are there any security protocols already in place?
Observations: There is a security team at Era that ensures two individuals are in the parking lot area of the church every Sunday morning from about 1015A to 1045A (church starts at 1030A). The same individuals are responsible for ensuring that the side entrance is locked at 1030A. The same two individuals will stay towards the back of the church to be aware of any suspicious or out of place behavior. One individual will also move to outside the children's area at the end of church to make sure no children run out unattended or there are adults in the area that should not be. Note a need to balance making everyone feel welcome while still being aware.
o Is there a specific plan in place to respond to an act of violence?
Do you ever have the local police department provide security?
Observations: For certain events that take place at night or are larger they will hire an off duty ATPD or ACSO officer.
Is there a first aid kit on site?
Observations: Yes
What doors are locked on Sunday morning?
Observations: The third entrance is locked. The side entrance is unlocked until 1030A. The front entrance is always unlocked. The side door is unlocked at the end of church for people to leave.
Children’s Ministry
Observations: All volunteers in the Children's ministry are background checked by an outside company. On Sunday mornings, there is a check in/ out system that requires an adult to check in the child who gets a sticker on their back with a randomly generated code unique to the family. There is a separate pass for the adult that has the code and is required to pick up the children. All food allergies are documented on the child's sticker and the snack is clearly displayed per classroom. There are trained teachers in each classroom in addition to a volunteer. The teachers have additional training from the staff. There is written policy but working to compile into a full policy. The children's area has two separate glass doors from the main area. Each classroom has a two-part door so the bottom stays closed and the top can be opened at any time. Additional policy is spouses do not work in the same room together so there is always a viable witness for any actions taken by another. In addition to a background check, will contact references depending if anyone at the church knows the person on a personal level.
o Background checks for volunteers?
o Check In/ Check Out System
o Document Food Allergies
o Additional protocols for volunteers
o Restricted access?
o Are there any armed members at the church?
Observations: There are at least two armed members who are law enforcement (1 is this author) plus the head of the security team has a concealed carry license. Head of the security team has spoken with both members who are law enforcement.
Additional Information
Observations: There is a key fob as part of the security system that will automatically call police. Security team sometimes carries it.
Financial Vulnerabilities
Bank
Observations: Bank A
Who handles the finances?
Observations: There is a 3-person finance team that handles the money. The two pastors do not handle the money and let the finance team handle those matters. The 3-person team creates accountability.
Do you conduct online banking?
Observations: The church conducts online banking and the 3 finance team members have the username and pw. There is a main finance computer at church that is just used for finance matters. Unknown at this time what anti-virus protection is on the computers. The three finance team members receive email notifications when changes are made to the account and receive daily account balance updates via email. Used to have treasury mgmt features but those are now disabled. Do not get text message alerts. Recommend using them. There is a dedicated Era email address for financial matters. Use personal computers at home to check bank account online.
o What computers are used to conduct online banking?
o Who has access to the username and password?
o Are there two factor authentications?
o Does anyone get notified when changes are made to the account? How?
o Is there a specific email address tied to the account?
Are there any restrictions on money transfers?
Observations: Do pay some bills with automatic bill pay. Used check to set up.
Any specific protocols for wiring money?
Observations: They do not need to wire money. Checking to see if they have the capability. Recommend disabling.
Does anyone get notified when large transactions take place?
Observations: Finance team members all have access to Era email account which is notified. NO cell phone notification.
Payroll Company
Observations: Use online payroll system with Company B. Same 3-person finance team has username and pw. Approximately soon to be 5 employees in system. Get notifications via email to finance email address when payroll paid. Go in and release funds every two weeks. Cannot find two-factor authentication or cell phone notification option. Will check with company. Any change notifications are received via email.
o What computers are used to make changes to the payroll account?
o Who has access to the username and password?
o Are there two factor authentications?
o Does anyone get notified when there are changes made to the account? How?
o What email address is tied to the payroll account?
Tithes
Observations: There is the option to deposit tithes via online giving system. It is pw protected church mgmt software. In addition, the payment processor is also pw protected. Managed by same 3-person finance team. Use same dedicated email address. Payment processor requires two factor authentication - username/pw and cell phone text message code. Notified via email if there are changes made to account. There are multiple user groups in the church mgmt software so pastors and others do not have access to finance part of software. Church mgmt software and payment processor both send notifications, etc. and should corroborate each other.
o How do you deposit tithes?
o Does the church keep any cash on hand?
o Who counts the tithes?
o What service do you use for online giving?
Where do you store sensitive documents?
Observations: Sensitive documents are stored in a locked office in a filing cabinet.
How much cash do you keep on hand at the church?
Observations: Very little cash is kept at the church.
Any auto-payments established?
Observations: Most bills are on auto-pay or direct draft.
Additional Information
Observations: There is a cap on debit card use in day and withdrawals with debit card. Recommend creating overall cap. Personal and work computers used to access online accounts. No protocol in place to regularly change pw. Need to make sure all computers have up-to-date anti-virus protection. Outside accountant helps with taxes, provides extra layer.
General Questions
Has the church been a victim of crime in the past?
Observations: No incidents in the past.
Has there been any specific threats against the church?
Observations: No threats against the church.
Have there been any car break ins in the past – Sunday morning or other days?
Observations: No car break ins.
How long has the church occupied the building?
Observations: Approximately 2 years
How many members attend the church?
Observations: 104 members
What is the average Sunday morning attendance?
Observations: 150 people
Where is the church’s mail delivered?
Observations: Mail is delivered to the building and a PO Box.
Additional Information
Observations: No protocols in place or written plans for a fire or tornado.