Treasury Operations — Security Checklist

Governance, access control, transaction verification, DeFi/staking risk, operational security, monitoring, vendor risk, and accounting.
Org:
Owner:
Date:

1. Governance & Treasury Architecture

  • Documented Treasury Security Policies
    Do you maintain documented security policies that define how treasury operations are conducted (e.g., access control principles, transaction verification requirements, incident response procedures)?
  • Accountability for Treasury Operations
    Is there an individual or team accountable for treasury operations (e.g., policy upkeep, reviews, operational hygiene)?
  • Treasury Infrastructure Change Management
    Do you maintain formal change management procedures for treasury infrastructure modifications (e.g., wallet setups, custody configurations, signer permissions, protocol integrations)?
  • Treasury Wallet Risk Classification
    Do you have a documented process to classify treasury wallets (e.g., multisigs) and accounts based on risk level and assign appropriate security controls?
  • Custodial vs Non-Custodial Rationale
    Do you have documented rationale for choosing between custodial and non-custodial treasury solutions, and for the underlying key-management technology (e.g., MPC, HSM)?
  • Fund Allocation Limits and Triggers
    Do you have documented policies for maximum fund allocations per wallet type and rebalancing triggers?
Notes:

2. Access Control & Authentication

  • Custody Platform Security Configurations
    Do you maintain documented security configurations for custody platforms, including transaction policy rules, multi-approval workflows and thresholds, address whitelisting configurations, and velocity limits?
  • Treasury Platform Authentication Requirements
    Do you maintain documented authentication requirements for treasury platforms (e.g., multi-factor authentication standards, session management)?
  • Credential and Secret Management Procedures
    Do you have procedures for managing credentials and secrets used in treasury operations (e.g., API keys, service accounts)?
  • Access Review for Treasury Systems
    Do you conduct periodic reviews of who has access to treasury systems to ensure only authorized personnel retain access?
  • Treasury Network Security Controls
    Do you implement network security controls for treasury access (IP whitelisting, VPN requirements, Geographic access restrictions)?
  • Isolate Owner Account Credentials
    Do you implement controls to isolate owner/root account credentials for treasury platforms from the accounts used for day-to-day operations?
Notes:

3. Transaction Security & Verification

  • Transaction Security and Verification Procedures
    Do you maintain documented procedures for transaction security and verification?
  • Training for All Signers
    Do you conduct training programs for all signers?
  • Pre-Execution Transaction Verification Procedures
    Do you have procedures for verifying transaction details before execution (e.g., recipient address validation, amount verification, network confirmation, test transactions, simulation requirements)?
  • Secure Communication Procedures for Treasury
    Do you maintain secure communication procedures for coordinating treasury operations and verifying requests?
  • Documented Funds Receiving Procedures
    Do you have documented procedures for receiving funds?
  • Procedures for OTC Transactions
    Do you maintain procedures for conducting OTC (over-the-counter) transactions?
Notes:
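
The pre-execution checks above (recipient validation, network confirmation, amount limits) as code that a signer, or a bot placed in front of the signer, can run before anything is signed. This is an added example and not part of the original checklist; the allowlist, wallet tiers, limits and addresses are constructed for the example. Beyond the bullet points, it also catches address poisoning, where an attacker seeds a look-alike address that matches an allowlisted one at the start and end.

```python
"""Pre-signing verification for an outbound treasury transfer.

Added example, not part of the original checklist. Recipient allowlist
check, address-poisoning detection, network (chain ID) confirmation and
per-transaction limits. All addresses, labels and limits are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed allowlist: (lowercase address, chain id) -> label.
# Keying on chain id catches "right address, wrong network" mistakes.
ALLOWLIST: Dict[Tuple[str, int], str] = {
    ("0x1111111111111111111111111111111111111111", 1): "exchange-deposit",
    ("0x2222222222222222222222222222222222222222", 1): "payroll-provider",
    ("0x2222222222222222222222222222222222222222", 137): "payroll-provider-polygon",
}

# Assumed per-transaction ceilings (USD) by wallet risk tier.
TIER_LIMITS: Dict[str, float] = {"operating": 50_000, "cold": 5_000_000}

# A full 20-byte EVM address; partial or prefix matches are never accepted.
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


@dataclass
class TransferRequest:
    wallet_tier: str
    chain_id: int
    to: str
    amount_usd: float


def normalize_address(addr: str) -> Optional[str]:
    """Return the address lowercased, or None if it is not a full hex address."""
    a = addr.strip()
    return a.lower() if ADDRESS_RE.fullmatch(a) else None


def lookalike_of(candidate: str) -> Optional[str]:
    """Return the label of an allowlisted address that shares the first four and
    last four hex digits with `candidate` but is not identical. Address poisoning
    relies on signers eyeballing only those characters."""
    for (good, _chain), label in ALLOWLIST.items():
        if candidate != good and candidate[:6] == good[:6] and candidate[-4:] == good[-4:]:
            return label
    return None


def preflight(req: TransferRequest) -> List[str]:
    """Return findings that must block signing; an empty list means proceed."""
    findings: List[str] = []

    to = normalize_address(req.to)
    if to is None:
        return ["recipient address is malformed"]

    if (to, req.chain_id) not in ALLOWLIST:
        other_chains = sorted(c for (a, c) in ALLOWLIST if a == to)
        lookalike = lookalike_of(to)
        if other_chains:
            findings.append(
                f"recipient is allowlisted on chain(s) {other_chains}, "
                f"not on chain {req.chain_id}: confirm the network before signing"
            )
        elif lookalike is not None:
            findings.append(
                f"recipient resembles allowlisted '{lookalike}' but differs "
                f"in the middle: possible address poisoning"
            )
        else:
            findings.append("recipient not on allowlist: requires out-of-band verification")

    limit = TIER_LIMITS.get(req.wallet_tier)
    if limit is None:
        findings.append(f"unknown wallet tier '{req.wallet_tier}'")
    elif req.amount_usd > limit:
        findings.append(
            f"amount {req.amount_usd:,.0f} USD exceeds the "
            f"{req.wallet_tier} tier limit of {limit:,.0f} USD"
        )
    return findings


if __name__ == "__main__":
    poisoned = "0x1111" + "deadbeef" * 4 + "1111"  # constructed look-alike
    for r in (
        TransferRequest("operating", 1, "0x1111111111111111111111111111111111111111", 10_000),
        TransferRequest("operating", 1, poisoned, 10_000),
    ):
        print(r.to, "->", preflight(r) or "OK")
```

The allowlist is matched on the full address, never on a prefix or suffix, and a look-alike is reported as a distinct finding so the signer learns why the address was rejected rather than retrying with a "corrected" copy from the same poisoned source.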

4. DeFi Risk Assessment

  • DeFi Protocol Evaluation and Monitoring
    Do you maintain documented procedures for evaluating and monitoring DeFi protocols where treasury funds are deployed?
  • Documented Procedures for DeFi Positions
    Do you have documented procedures for managing DeFi positions (e.g., emergency withdrawal procedures, alternative access methods if UIs are unavailable)?
  • Exposure Limits for Protocol Deployments
    Do you define and enforce exposure limits for protocol deployments (e.g., per protocol, chain, category)?
  • Verifying Contract Addresses and Approvals
    Do you have procedures for verifying smart contract addresses and managing token approvals?
Notes:

5. Staking Risk Assessment

  • Evaluating and Monitoring Staking Solutions
    Do you maintain documented procedures for evaluating and monitoring staking solutions where treasury funds are deployed?
  • Staking Position Management Procedures
    Do you have documented procedures for managing staking positions (e.g., unstaking procedures, emergency exit methods, alternative access if primary UIs are unavailable)?
  • Exposure Limits for Staking Deployments
    Do you define and enforce exposure limits for staking deployments (e.g., per staking provider, per liquid staking protocol)?
  • Verifying Smart Contract Addresses
    Do you have procedures for verifying smart contract addresses?
Notes:
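
The contract-address and token-approval checks asked for in sections 4 and 5 share one mechanism: decode what the wallet is actually about to sign instead of trusting the UI's description. The following is an added example, not part of the original checklist, showing that decoding for the standard ERC-20 calls and a review step that refuses calls to unverified contracts, approvals to unknown spenders, and unlimited approvals. The token and spender addresses and registries are constructed; the four-byte selectors are the standard ERC-20 ones.

```python
"""Decode the calldata a wallet is about to sign and review ERC-20 approvals.

Added example, not part of the original checklist. Registries, token and
spender addresses are constructed for the example.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple, Union

UINT256_MAX = 2**256 - 1

# First four bytes of keccak256(signature), per the Solidity ABI spec.
SELECTORS: Dict[str, str] = {
    "095ea7b3": "approve(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}

# Constructed registries: addresses verified out of band (e.g., from the
# protocol's published deployment list), never copied from a front-end.
VERIFIED_TOKENS: Dict[str, str] = {
    "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "stablecoin (constructed)",
}
KNOWN_SPENDERS: Dict[str, str] = {
    "0x4444444444444444444444444444444444444444": "lending pool (constructed)",
}


class DecodedCall(NamedTuple):
    function: str
    args: Tuple[Union[str, int], ...]


def decode_erc20_call(data: str) -> Optional[DecodedCall]:
    """Parse ABI-encoded calldata for the ERC-20 functions in SELECTORS.
    Returns None for anything else, so a caller never assumes it understood
    a call it did not."""
    h = data[2:] if data.startswith("0x") else data
    if len(h) < 8 or not re.fullmatch(r"[0-9a-fA-F]+", h):
        return None
    sig = SELECTORS.get(h[:8].lower())
    if sig is None:
        return None
    types = sig[sig.index("(") + 1 : -1].split(",")
    words = h[8:]
    if len(words) != 64 * len(types):  # every static argument is one 32-byte word
        return None
    args: List[Union[str, int]] = []
    for i, t in enumerate(types):
        word = words[64 * i : 64 * (i + 1)]
        if t == "address":
            # A well-formed address word has 12 zero bytes of left padding.
            if int(word[:24], 16) != 0:
                return None
            args.append("0x" + word[24:].lower())
        else:
            args.append(int(word, 16))
    return DecodedCall(sig, tuple(args))


def encode_two_arg_call(selector: str, address: str, amount: int) -> str:
    """ABI-encode f(address,uint256); used here only to build sample calldata."""
    return "0x" + selector + address[2:].lower().rjust(64, "0") + format(amount, "x").rjust(64, "0")


def review(token: str, data: str) -> List[str]:
    """Findings that should stop a signer; empty means the call is within policy."""
    findings: List[str] = []
    token = token.lower()
    if token not in VERIFIED_TOKENS:
        findings.append(f"target contract {token} is not in the verified-address registry")
    call = decode_erc20_call(data)
    if call is None:
        findings.append("calldata is not a recognised ERC-20 call: do not sign blind")
        return findings
    if call.function.startswith("approve"):
        spender, amount = call.args
        if spender not in KNOWN_SPENDERS:
            findings.append(f"approve() to unknown spender {spender}")
        if amount == UINT256_MAX:
            findings.append("unlimited approval requested; approve the exact amount and revoke after use")
    return findings


if __name__ == "__main__":
    token = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    risky = encode_two_arg_call("095ea7b3", "0x9999999999999999999999999999999999999999", UINT256_MAX)
    print(decode_erc20_call(risky))
    print(review(token, risky) or "OK")
```

The same decoder serves the staking case: a liquid-staking deposit usually starts with an approve() to the staking contract, and the spender registry is where the verified contract address belongs. A call whose calldata does not decode is reported as a finding rather than silently passed, because a signer who cannot name the function being invoked has no basis for approving it.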

6. Operational Security

  • Operational Security Requirements for Treasury Personnel
    Do you maintain documented operational security requirements for treasury personnel (e.g., signing device setup, device security requirements)?
  • Treasury Sensitive Information Security Policy
    Do you have policies for secure storage and handling of sensitive treasury information (e.g., credentials, hardware wallets, backup materials)?
  • Travel Security Procedures for Treasury Personnel
    Do you have travel security procedures for treasury personnel with signing/access capabilities?
Notes:

7. Monitoring & Incident Response

  • Monitoring Treasury Transactions for Anomalies
    Do you monitor treasury transactions and account states for anomalous activity?
  • Treasury Security Incident Response Procedures
    Do you maintain security incident response procedures specific to treasury operations (e.g., severity levels, escalation, containment, fund protection)?
  • External Threat Intelligence for Treasury
    Do you track external threat intelligence relevant to your treasury holdings and infrastructure (e.g., protocol vulnerabilities, DeFi risks)?
  • Regular Security Drills and Exercises
    Do you conduct regular security drills and exercises to test incident response capabilities?
  • Vendor Availability and Service Notifications Monitoring
    Do you monitor for vendor availability and service notifications (e.g., custody platform status, infrastructure provider alerts)?
  • Transactions and Wallet Addresses Monitoring
    Do you monitor transactions and counterparty wallet addresses for compliance risk (e.g., sanctions screening)?
Notes:
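
The "anomalous activity" monitoring above needs concrete rules to be testable. The following is an added example, not part of the original checklist, that runs three such rules over a feed of observed transfers: an outflow with no matching approved request, a first-ever counterparty, and a rolling 24-hour velocity breach per wallet. The wallet labels, limits, approved-request list and the transfer feed are all constructed; in practice the feed would come from an indexer or the custody platform's webhook.

```python
"""Anomaly rules over observed treasury transfers.

Added example, not part of the original checklist. Wallet names, limits
and the sample feed are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Set


class Transfer(NamedTuple):
    ts: datetime
    wallet: str          # internal wallet label
    direction: str       # "in" or "out"
    counterparty: str
    amount_usd: float
    tx_hash: str


class Alert(NamedTuple):
    tx_hash: str
    rule: str
    detail: str


# Assumed rolling 24h outflow ceilings per wallet; a wallet with no entry
# gets a limit of zero, so any outflow from an unclassified wallet alerts.
VELOCITY_LIMITS_24H: Dict[str, float] = {"ops-hot": 100_000.0, "treasury-cold": 1_000_000.0}
WINDOW = timedelta(hours=24)


def detect(transfers: Iterable[Transfer], approved_tx: Set[str],
           known_counterparties: Set[str]) -> List[Alert]:
    """Evaluate every outflow in time order and return the alerts raised."""
    alerts: List[Alert] = []
    seen = set(known_counterparties)
    recent: Dict[str, List[Transfer]] = defaultdict(list)

    for t in sorted(transfers, key=lambda x: x.ts):
        if t.direction != "out":
            continue  # inbound transfers do not move funds out; out of scope here

        # Rule 1: every outflow must map to an approved request (e.g., a ticket id
        # the custody platform attaches to the signed transaction).
        if t.tx_hash not in approved_tx:
            alerts.append(Alert(t.tx_hash, "unapproved",
                                f"outflow of {t.amount_usd:,.0f} USD from {t.wallet} has no approved request"))

        # Rule 2: first outflow to a counterparty never used before.
        if t.counterparty not in seen:
            alerts.append(Alert(t.tx_hash, "new-counterparty", f"first outflow to {t.counterparty}"))
            seen.add(t.counterparty)  # alert once, not on every later transfer

        # Rule 3: rolling 24h outflow total per wallet.
        bucket = recent[t.wallet]
        bucket.append(t)
        bucket[:] = [x for x in bucket if t.ts - x.ts < WINDOW]
        total = sum(x.amount_usd for x in bucket)
        limit = VELOCITY_LIMITS_24H.get(t.wallet, 0.0)
        if total > limit:
            alerts.append(Alert(t.tx_hash, "velocity",
                                f"{t.wallet} moved {total:,.0f} USD out in 24h, limit {limit:,.0f}"))
    return alerts


# Constructed sample feed: two routine payments, then an unapproved payment to
# an unknown address that also tips the hot wallet over its 24h limit.
SAMPLE_FEED = [
    Transfer(datetime(2024, 1, 1, 10, 0), "ops-hot", "out", "exchange-deposit", 30_000, "0xt1"),
    Transfer(datetime(2024, 1, 1, 11, 0), "treasury-cold", "in", "exchange-deposit", 500_000, "0xt2"),
    Transfer(datetime(2024, 1, 1, 12, 0), "ops-hot", "out", "payroll-provider", 40_000, "0xt3"),
    Transfer(datetime(2024, 1, 1, 13, 0), "ops-hot", "out", "0x9999999999999999999999999999999999999999", 40_000, "0xt4"),
    Transfer(datetime(2024, 1, 2, 14, 0), "ops-hot", "out", "exchange-deposit", 20_000, "0xt5"),
]
APPROVED = {"0xt1", "0xt3", "0xt5"}
KNOWN = {"exchange-deposit", "payroll-provider"}


def run_sample() -> List[Alert]:
    return detect(SAMPLE_FEED, APPROVED, KNOWN)


if __name__ == "__main__":
    for a in run_sample():
        print(a.tx_hash, a.rule, a.detail)
```

Rule 1 is the one that catches a compromised signer or platform: it does not depend on amounts or recipients, only on whether the treasury's own approval record knows about the transaction. Rules 2 and 3 are the noisy ones and are where tuning effort goes.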

8. Vendor & Infrastructure Security

  • Third-Party Services Security Evaluation
    Do you maintain security evaluation criteria for third-party services critical to treasury operations, including initial due diligence and ongoing monitoring?
  • Vendor Security Control Verification
    Do you have procedures to verify vendors are implementing the security controls they contractually committed to?
  • Backup and Alternate Access
    Do you have backup infrastructure and alternate access methods for treasury continuity?
Notes:

9. Accounting & Financial Reporting

  • Transaction Recording Procedures
    Do you maintain procedures for recording all treasury transactions in your accounting system with appropriate categorization and documentation?
  • Periodic Reconciliation
    Do you conduct periodic reconciliation between custody platform records, on-chain balances, and accounting records?
  • Financial Reporting Procedures
    Do you have documented procedures for treasury-related financial reporting?
  • Insurance Coverage
    Do you maintain insurance coverage appropriate for your treasury operations?
Notes:
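
The periodic reconciliation above, as an added example that is not part of the original checklist: per-wallet balances from the chain, the custody platform and the accounting ledger are compared within a tolerance, and outbound transactions the custody platform has already debited but the chain has not yet confirmed are netted out so that timing differences are not reported as breaks. All balances, wallet labels and pending amounts are constructed.

```python
"""Three-way reconciliation: chain vs custody platform vs accounting ledger.

Added example, not part of the original checklist. Balances and wallet
labels are constructed.
"""
from decimal import Decimal
from typing import Dict, List, NamedTuple

Balances = Dict[str, Decimal]


class Break(NamedTuple):
    wallet: str
    kind: str      # "missing", "custody-vs-chain" or "ledger-vs-custody"
    detail: str


def reconcile(chain: Balances, custody: Balances, ledger: Balances,
              pending_out: Balances,
              tolerance: Decimal = Decimal("0.000001")) -> List[Break]:
    """Return every discrepancy across the three sources, in wallet order."""
    breaks: List[Break] = []
    for w in sorted(set(chain) | set(custody) | set(ledger)):
        # A wallet known to one source but not the others is itself a finding:
        # funds on chain that nobody accounts for, or a ledger entry with no wallet.
        missing = [name for name, src in (("chain", chain), ("custody", custody), ("ledger", ledger))
                   if w not in src]
        if missing:
            breaks.append(Break(w, "missing", "absent from: " + ", ".join(missing)))
            continue

        # The custody platform reports the available balance: on-chain funds minus
        # outflows it has already debited but which are not yet confirmed.
        expected_custody = chain[w] - pending_out.get(w, Decimal(0))
        if abs(custody[w] - expected_custody) > tolerance:
            breaks.append(Break(w, "custody-vs-chain",
                                f"custody {custody[w]} vs chain net of pending {expected_custody}"))

        # Accounting should agree with the custody platform's view.
        if abs(ledger[w] - custody[w]) > tolerance:
            breaks.append(Break(w, "ledger-vs-custody", f"ledger {ledger[w]} vs custody {custody[w]}"))
    return breaks


# Constructed snapshot (token units). ops-b has an in-flight withdrawal and
# should NOT break; ops-c is an accounting error; ops-d is the serious case,
# the custody platform claims more than the chain holds; unknown-e holds funds
# that neither custody nor accounting knows about.
CHAIN = {"ops-a": Decimal("100"), "ops-b": Decimal("50.5"), "ops-c": Decimal("20"),
         "ops-d": Decimal("7"), "unknown-e": Decimal("3")}
CUSTODY = {"ops-a": Decimal("100"), "ops-b": Decimal("40"), "ops-c": Decimal("20"),
           "ops-d": Decimal("9")}
LEDGER = {"ops-a": Decimal("100"), "ops-b": Decimal("40"), "ops-c": Decimal("25"),
          "ops-d": Decimal("9")}
PENDING_OUT = {"ops-b": Decimal("10.5")}


def run_sample() -> List[Break]:
    return reconcile(CHAIN, CUSTODY, LEDGER, PENDING_OUT)


if __name__ == "__main__":
    for b in run_sample():
        print(b.wallet, b.kind, b.detail)
```

Decimal rather than float keeps token amounts exact, and the tolerance is there only for dust-level rounding between sources, not to hide real differences; a custody-vs-chain break in the direction of custody reporting more than the chain holds is the one to escalate first.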