Security Checklist for Originators

What types of ACH-related information does your company store? (Check all that apply.)*
- Checks used as part of authorizations (including voided checks)
- Emails or other electronic correspondence with entry information
- Electronic NACHA formatted file sent to your FI for processing
- Paper files or entries
- Reports containing entry information from accounting software or other programs
- Authorization forms

If you store authorization forms, how long do you retain these forms?

Stored ACH-related information location (Check all that apply.)*
- Home office of employees
- Removable media sources (flash drive, CD, backup tapes/drives, etc.)
- Company website
- Outsourced technology service provider location/server
- File cabinet
- Desk drawer
- Binder
- Work PC/laptop
- Mobile device
- Other (list below)

Other storage location (if applicable).

Who at your company has access to ACH-related information? (Check all that apply.)*
- All employees, including temporary workers
- Only those with ACH-related job duties
- Outside parties (cleaning companies, contractors, etc.)
- Managers/principals of the company
- Other (please list below)

Does anyone else have access to ACH-related information?

Which of the following controls do you have in place for the physical security of data? (Check all that apply.)*
- Locked storage space (file cabinet, drawer, etc.)
- Locked storage for backup drives or other removable media
- Key inventory to ensure limited staff access to sensitive information
- Clean desk policy
- Office security systems or alarms
- Other (please list below)

Other security controls in place (if applicable).

Which of the following controls do you have in place for the digital security of data? (Check all that apply.)*
- Unique user ID for each employee
- Restricted access to files on network by job duties
- Designated PC for any internet banking or funds transfer services, such as ACH
- Updated anti-virus and anti-malware programs
- Automatic software patches or upgrades, including operating system updates
- Restrictions on types of websites that can be accessed
- Firewall for office network
- Secure email for communications with customers/employees when sensitive information is being transmitted
- Encrypted or secured customer websites if used for accepting payment requests
- Encryption for laptops or other mobile devices
- “Self-destruct” or “remote clean” ability for lost or stolen mobile devices
- Controls for remote connections to and from the company (e.g. VPN connection)
- Password controls (length and character requirements, required change of passwords after a certain number of days, etc.)

Does your company provide training on information security to employees?*
- Yes
- No

If you answered "yes" to the question above, please check the topics below that are covered in security training.
- Password security
- Social engineering (phishing, smishing, etc.)
- Acceptable use policies for internet and email
- Security of mobile devices/laptops when traveling

Do you work with outside service providers to help with your technology and data security efforts?*
- Yes
- No

If you answered "yes" to the question above, are the following topics considered before you start a new relationship with a service provider? (Check all that apply.)
- Research of potential new companies (financial history, references, internet search, etc.)
- Contract review regarding data security practices and confidentiality
- How a service provider would notify you of a possible breach and action plan
- Other steps taken to review potential service providers

Other steps taken to review potential service providers (if applicable).

How do you keep track of when documents can or should be destroyed?*

How do you destroy physical information?*

How do you destroy digital media sources that contain ACH information (hard drives from computers and/or copiers, flash drives, CDs, backup tapes, etc.)?*

Do you have a plan in place to respond if there is a data breach at your company, physical or digital?*
- Yes
- No

If you answered "yes" to the question above, have you included steps to contact the following parties as needed? (Check all that apply.)
- Financial institution
- Legal counsel
- Law enforcement
- Customers/employees impacted
- Service providers to help clean or repair impacted devices

Are pre-notes being used to verify routing number, account number, and account type?*
- Yes
- No

If you answered "yes" to the question above, is a live dollar entry submitted no earlier than the third banking day following the settlement date of the pre-note entry?
- Yes
- No

Does your ACH Return Item/Correction contact need to be changed? If you are unsure of the current contact you have listed, please give our team a call at (605) 335-5101.*
- Yes
- No

Updated Contact Name (First, Last)
Updated Contact Phone
Updated Contact Email

Thank you for completing the annual ACH audit review form!

Company Name*
Contact Name* (First, Last)
Job Title*
Email*
Phone*