Faith-based organizations face professional-grade attackers, the fraud triangle every nonprofit grapples with, and a rising trend of targeted physical violence in houses of worship. The Ministry Cybersecurity & Stewardship Framework maps 35 controls across 5 phases to NIST CSF 2.0, CIS Controls v8, ECFA standards, and CISA’s Houses of Worship guidance — purpose-built for the data, financial, and life-safety obligations unique to ministry life.
2024–2026 multi-vector threat landscape
The faith-based sector is no longer under the radar. Today's threat landscape is a convergence of professional-grade cybercrime, the same fraud triangle every nonprofit faces, and a rising trend of targeted violence in houses of worship. The MCSF treats them as one defensive challenge, because for the leadership team that has to answer for all three, they are.
Credential theft and MFA bypass give attackers full control of a staff inbox or ChMS account. They monitor communications, intercept financial transactions, and exfiltrate sensitive data.
Attackers impersonate a senior pastor or executive director — via lookalike domain, spoofed display name, or text message — to coerce gift-card purchases, fraudulent wire transfers, or unauthorized expense approvals.
Without segregation of duties, a single staff member with both transaction and custody authority can quietly redirect donor funds. Discovery is usually slow, the damage is usually large, and the trust loss is permanent.
Unsecured entrances, blind spots in surveillance, or poor lighting create the conditions for theft, vandalism, and harm to congregants. Pre-attack reconnaissance — "planning behavior" — often happens in the weeks before an incident.
Targeted violence in houses of worship is a growing problem: 67% of incidents are motivated by hatred of racial or religious identities and 22% are rooted in domestic disputes. The stakes are life safety, operational shutdown, and lasting community trauma.
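The credential-theft and impersonation threats above have signals that can be checked mechanically before a staff member acts on a message. The script below is an added example (not MCSF or EvangelOS code) that triages inbound mail for the patterns described: a lookalike or borrowed-name sender domain, a display name matching a protected leader but sent from another address, a Reply-To that silently redirects off-domain (the pattern behind many "updated bank details" frauds from compromised or spoofed inboxes), and the gift-card, payment-change and urgency lures. The ministry domain, the protected senders and the sample messages are constructed for illustration.

```python
"""Triage inbound mail for VIP-impersonation and payment-fraud signals.
Added example, not MCSF or EvangelOS code. The domain, the protected
senders and the sample messages below are constructed for illustration."""
from __future__ import annotations

import re
import unicodedata
from email.utils import parseaddr

ORG_DOMAIN = "gracechurch.example"                 # assumed ministry domain
ORG_LABEL = ORG_DOMAIN.split(".")[0]
PROTECTED_SENDERS = {                              # assumed: the people attackers impersonate
    "john doe": "jdoe@gracechurch.example",        # senior pastor
    "mary smith": "msmith@gracechurch.example",    # executive director
}
TITLE_WORDS = {"pastor", "rev", "dr", "elder", "bishop", "executive", "director"}
# Digit-for-letter swaps attackers use so a domain passes a glance.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
LURES = {  # the asks that appear in gift-card and invoice-change fraud
    "gift-card lure": r"\bgift ?cards?\b",
    "payment-change lure": r"\b(wire transfer|bank details|account number|routing number)\b",
    "urgency pressure": r"\b(urgent|asap|right away|immediately|before noon)\b",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a domain one or two edits from ours is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Fold Unicode, digit swaps and the rn/vv tricks before comparing domains."""
    folded = unicodedata.normalize("NFKC", domain).lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


ORG_NORM = normalize_domain(ORG_DOMAIN)


def normalize_name(display: str) -> str:
    """Strip titles and punctuation so 'Pastor John Doe' matches 'JOHN DOE'."""
    words = re.sub(r"[^a-z ]", " ", display.lower()).split()
    return " ".join(w for w in words if w not in TITLE_WORDS)


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def analyze(msg: dict) -> list[str]:
    """Return the impersonation and fraud signals found in one message."""
    flags: list[str] = []
    display, address = parseaddr(msg["from"])
    from_domain = normalize_domain(domain_of(address))
    if from_domain != ORG_NORM:
        if levenshtein(from_domain, ORG_NORM) <= 2:
            flags.append("lookalike domain")
        elif ORG_LABEL in from_domain:
            flags.append("org name embedded in foreign domain")
    expected = PROTECTED_SENDERS.get(normalize_name(display))
    if expected and address.lower() != expected:
        flags.append("display-name spoof of protected sender")
    # A genuine (or compromised) internal address whose replies go elsewhere
    # is the pattern behind many "updated bank details" frauds.
    reply_to = msg.get("reply_to")
    if reply_to and normalize_domain(domain_of(parseaddr(reply_to)[1])) != from_domain:
        flags.append("reply-to redirects to another domain")
    text = f"{msg.get('subject', '')} {msg.get('body', '')}".lower()
    flags.extend(label for label, pattern in LURES.items() if re.search(pattern, text))
    return flags


SAMPLE_MESSAGES = [  # constructed, not real mail
    {"from": "Pastor John Doe <jdoe@gracechurch.example>",
     "subject": "Sunday volunteer schedule",
     "body": "Can you send me the greeter roster for this week?"},
    {"from": "Pastor John Doe <pastor.johndoe@webmail.example>",
     "subject": "Quick favor",
     "body": "I'm in a meeting. Buy 5 gift cards for the youth team and send me the codes ASAP."},
    {"from": "Accounts Payable <ap@gracechurc.example>",
     "subject": "Invoice 4471",
     "body": "Our bank details changed; use the new account number for the wire transfer."},
    {"from": "Mary Smith <msmith@gracechurch.example>",
     "reply_to": "msmith.office@webmail.example",
     "subject": "Approve today",
     "body": "Approve the attached expense before noon, I am traveling."},
]


def triage(messages: list[dict]) -> list[list[str]]:
    return [analyze(m) for m in messages]


if __name__ == "__main__":
    for msg, flags in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES)):
        print(f"{msg['from']:<55} {', '.join(flags) or 'clean'}")
```

The first sample is clean; the second trips the display-name, gift-card and urgency checks; the third is a one-character lookalike domain carrying a bank-details change; the fourth comes from the real executive director's address but redirects replies off-domain, which is exactly the case a sender-domain check alone would miss. In practice the flags feed a banner or a hold on the message, not an automatic block.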
Ministry Cybersecurity & Stewardship Framework · MCSF v3.2
The MCSF is grounded in globally recognized standards so its controls are auditable and meet the requirements of insurers, boards, donors, regulators, and local first responders. Every control maps to NIST CSF 2.0, CIS Controls v8 IG1, ECFA Standards, CISA’s Houses of Worship guidance, or established accounting practice.
Phase 1 · Technical barriers and logical access controls that block the most common digital attack paths before they reach ministry data or financial systems.
Phase 2 · Processes that ensure financial transparency, protect sensitive data, and eliminate the opportunity leg of the Fraud Triangle.
Phase 3 · Physical and procedural safeguards that protect congregants and families, from the parking lot through the children's ministry.
Phase 4 · Training, policy, and people-process safeguards that decide whether the framework actually protects congregants in a crisis.
Phase 5 · No defense is perfect. This phase establishes the plan for when, not if, an incident occurs, whether cyber, financial, or physical.
The framework · all controls
C01 · Mandatory MFA on all staff and volunteer accounts, with authenticator apps preferred over SMS and phishing-resistant methods (passkeys or hardware security keys) for the accounts that move money. Covers ChMS, financial portals, banking access, and all cloud collaboration tools.
C02 · An organization-wide password manager generates and stores long, unique credentials for every account. Passwords in spreadsheets, on sticky notes, or in browser text files are prohibited; they are the single most common root cause of small-org credential compromise.
C03 · A universal 15-character minimum for every workforce account. Length beats arbitrary complexity: a long passphrase resists brute force far better than P@ssw0rd!-style rules ever did. Credential stuffing, which replays passwords leaked from other sites, is defeated by uniqueness (C02) and MFA (C01) rather than by length.
C04 · Workstations and devices auto-lock after 10–15 minutes of inactivity and require re-authentication. Stops an unattended laptop in a church office from becoming an open door to donor and counseling records.
C05 · Role-scoped permissions (least privilege) ensure a children's ministry volunteer cannot view giving history or counseling records. EvangelOS enforces this at the data layer by default.
C06 · Automatic updates enabled on all devices and infrastructure so patches apply as soon as they are released. Manual patch cycles leave the window open too long; automation is required.
C07 · Guest Wi-Fi fully isolated from the staff and financial networks: a separate SSID on its own VLAN, with client isolation enabled and no route to internal systems. A compromised congregant device cannot move laterally to financial systems or the ChMS database.
C08 · No single individual holds more than one of purchase authorization, banking access, transaction record-keeping, and asset custody. Where staffing is thin, custody and record-keeping are separated first and a board member performs the reconciliation. Eliminates opportunity, the only leg of the Fraud Triangle a program can actually control.
C09 · At least two unrelated individuals present for collection and counting of cash and checks. Counters rotate periodically; funds remain in dual custody until deposited or secured in a safe.
C10 · Two signatures required on checks above a defined threshold (typically $1,000). Pre-signed blank checks and signature stamps are strictly prohibited. Approval workflow tied to a documented purchase policy with named approvers.
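Segregation of duties, dual custody and two-signature checks are easy to state and easy to lose track of once roles accumulate across the ChMS, the bank portal and the counting team. The script below is an added example (not MCSF or EvangelOS tooling) that takes (user, system, role) rows as they would be exported from each system, maps roles to the four duties the segregation control keeps apart, and reports two things: users holding more than one duty, and controls that cannot be executed as written because too few people (or too few households) hold a duty. The role model, the household list and the sample assignments are assumed for the example.

```python
"""Segregation-of-duties and dual-control check over role assignments
exported from each system. Added example with a constructed role model
and roster; not MCSF or EvangelOS tooling."""
from __future__ import annotations

from collections import defaultdict

# The four duties segregation keeps apart, and the (system, role) pairs that
# grant them. System and role names are assumed for this example.
ROLE_GRANTS = {
    ("chms", "purchase_approver"): {"authorize"},   # approves purchases
    ("bank_portal", "signer"): {"bank"},            # bank access / check signing
    ("chms", "finance_admin"): {"record"},          # posts transactions
    ("counting_team", "counter"): {"custody"},      # handles cash and checks
    ("bank_portal", "viewer"): set(),               # read-only, grants no duty
    ("chms", "children_volunteer"): set(),
}

# Who shares a household; counters from one household are not "unrelated".
HOUSEHOLDS = {"dave": "miller", "erin": "miller"}   # assumed

SAMPLE_ASSIGNMENTS = [  # constructed (user, system, role) rows
    ("alice", "chms", "finance_admin"),
    ("alice", "bank_portal", "signer"),
    ("bob", "chms", "purchase_approver"),
    ("carol", "bank_portal", "signer"),
    ("dave", "counting_team", "counter"),
    ("erin", "counting_team", "counter"),
    ("frank", "chms", "children_volunteer"),
    ("frank", "bank_portal", "viewer"),
]


def effective_duties(assignments) -> dict[str, set[str]]:
    """Collapse (user, system, role) rows into user -> set of duties held."""
    duties: dict[str, set[str]] = defaultdict(set)
    for user, system, role in assignments:
        duties[user] |= ROLE_GRANTS.get((system, role), set())
    return dict(duties)


def sod_conflicts(assignments) -> dict[str, list[str]]:
    """Users who hold more than one incompatible duty (a segregation violation)."""
    return {user: sorted(held)
            for user, held in effective_duties(assignments).items()
            if len(held) > 1}


def dual_control_gaps(assignments, households=HOUSEHOLDS) -> list[str]:
    """Controls that cannot run as written because too few people hold the duty."""
    holders: dict[str, set[str]] = defaultdict(set)
    for user, held in effective_duties(assignments).items():
        for duty in held:
            holders[duty].add(user)
    gaps = []
    if len(holders["bank"]) < 2:
        gaps.append("C10: two-signature checks need at least two signers")
    # Users with no household entry count as their own household.
    counter_households = {households.get(u, u) for u in holders["custody"]}
    if len(counter_households) < 2:
        gaps.append("C09: dual custody needs counters from at least two households")
    return gaps


def remove_role(assignments, user, system, role):
    """Return the assignments with one role removed, to evaluate a proposed fix."""
    return [row for row in assignments if row != (user, system, role)]


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(SAMPLE_ASSIGNMENTS))
    print("Dual-control gaps:", dual_control_gaps(SAMPLE_ASSIGNMENTS))
    # Dropping Alice's signer role fixes the conflict but leaves Carol as the
    # only signer, so the two-signature rule now has a gap of its own.
    fixed = remove_role(SAMPLE_ASSIGNMENTS, "alice", "bank_portal", "signer")
    print("After fix:", sod_conflicts(fixed), dual_control_gaps(fixed))
```

The second half of the run is the point: removing Alice's bank access clears the segregation conflict but leaves a single signer, so the right remediation is to add a second unrelated signer rather than simply strip a role. Running this against fresh exports each quarter is a concrete way to evidence the C08–C11 stack to a carrier.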
C11 · Periodic rotation of counters, bookkeepers, and financial administrators surfaces collusion and long-running irregularities that single-tenure roles can hide. Standard cadence: 12–24 months.
C12 · Employee dishonesty insurance protects against losses caused by theft or embezzlement. Most carriers require evidence of C08–C11 in force before binding, making the financial-integrity stack a prerequisite, not an option.
C13 · An independent CPA or board-appointed finance committee reviews annual financial statements and tests internal controls. The strongest signal of integrity a ministry can show its donors, regulators, and insurers.
C14 · Identify and classify high-value data (counseling notes, giving history, child-safety records) into tiers, and encrypt it at rest and in transit. Each tier carries specific encryption and access requirements.
C15 · Online giving platforms must meet PCI DSS. Using Stripe Connect or a compliant ChMS with hosted payment pages keeps card data off ministry systems and reduces the ministry's own validation scope, but the applicable self-assessment still has to be completed and the access environment (staff devices and network) must still be secured.
C16 · Three copies of data, on two media types, with one copy off-site and offline or immutable. Restores are tested on a schedule; an untested backup is a hope, not a control. The only way to recover from ransomware without negotiating with criminals.
C17 · Disable user accounts and revoke physical and digital access immediately upon a staff member's or volunteer's departure, and rotate any shared credentials they knew. The last day of work is the last day of access: no exceptions, no grace periods.
C18 · A robust check-in system using unique matching tags, photo ID verification, or QR codes ensures children are released only to authorized guardians. The first line of defense in children's ministry.
C19 · A strict policy: at least two unrelated, background-checked adults are present at all times with children. No adult is ever alone with a minor, protecting both the children and the volunteers from harm and from accusation.
C20 · All children's classrooms, nurseries, and gathering spaces are in plain view through interior windows or open-door policies. Eliminates the unobserved isolated spaces where inappropriate interactions can occur.
C21 · Interior-controlled deadbolts on every children's-ministry door so a teacher can lock an intruder out without stepping into the hallway. Combined with C25 panic buttons, gives the room a defensible posture in under five seconds.
C22 · Limit unlocked entrances during services while remaining fire-code compliant. Greeter/security hybrids guide visitors to monitored main entrances and watch for "planning behavior", an attacker's pre-attack reconnaissance.
C23 · Real-time camera monitoring with AI video analytics detects loitering, unauthorized entry into restricted areas, and suspicious parking-lot behavior. The safety team is alerted without requiring constant human attention to monitors.
C24 · Consistent, high-quality lighting across parking lots, walkways, and all entrances. Discourages unwanted behavior, supports surveillance effectiveness, and ensures safe arrivals and departures after dark.
C25 · Panic buttons in administrative offices, hallways, and classrooms that immediately notify law enforcement during a crisis. Tested quarterly; staff trained on activation criteria so the alarm isn't deferred during the moments that matter.
C26 · The safety team is equipped with two-way radios for instant coordination: medical emergencies, disruptive incidents, weather events. Communication does not depend on cellular service, which can be congested or unavailable during a crisis.
C27 · Mandatory criminal history and reference checks for all staff and volunteers, especially those with access to funds, sensitive data, or children. Paired with signed Acceptable Use and Child Protection policies, reviewed annually.
C28 · Active-shooter response training using ALICE (Alert, Lockdown, Inform, Counter, Evacuate). Replaces passive lockdowns with scenario-based decision-making for the safety team and the wider congregation.
C29 · Church-context training covers VIP spoofing of senior pastors, gift-card fraud, vendor invoice and bank-detail changes, and personal-device risks. Simulations build real recognition for both cyber phishing and social-engineering fraud.
C30 · A plain-language policy telling members what data is collected, how it is used, and how to request deletion. Fulfills ethical stewardship and, where the ministry falls within their scope, GDPR and CCPA requirements.
C31 · Documented Red Cross / AHA training for the safety team and key staff. AEDs deployed at primary gathering points with quarterly checks. The most likely emergency on a Sunday morning is medical, not violent; readiness matches the risk.
C32 · Documented, well-communicated plans for medical emergencies, severe weather, fires, and active assailants. Annual drills with the safety team; printed copies on-site at every entrance.
C33 · A documented, printed plan for cybersecurity breaches, financial irregularities, and physical incidents. Digital-only copies are inaccessible during a network-wide compromise. Tested annually via tabletop exercise.
C34 · Quarterly technical scans of the digital environment. Annual physical security walk-throughs, ideally with local first responders so they're familiar with the layout before they're called to it. Annual financial-controls review.
C35 · A senior practitioner on retainer provides expert leadership and auditable oversight without an executive-level salary, ensuring the ministry can answer to boards, donors, insurers, and regulators with the same authority an enterprise can.
EvangelOS · Built-in compliance
Every ministry using EvangelOS starts with Controls C01, C05, C15, and the technical-scanning portion of C34 satisfied at the platform layer — WorkOS AuthKit handles MFA and identity, role-scoped permissions enforce least privilege, Stripe Connect delivers PCI compliance by default, and Aikido covers continuous vulnerability scanning. The framework isn’t an add-on. It’s the foundation.
One working session and a 90-day plan. Senior practitioners, modern tooling, transparent pricing — no procurement cycles, no compliance theater.