SFC - Treasury Operations

The SEAL Framework Checklist (SFC) for Treasury Operations provides structured guidelines for securely managing and operating an organization's treasury, covering governance, access control, transaction security, monitoring, and vendor management.

For more details on certifications or self-assessments, refer to the Certification Guidelines.

Section 1: Governance & Treasury Architecture

Documented Treasury Security Policies
Do you maintain documented security policies that define how treasury operations are conducted (e.g., access control principles, transaction verification requirements, incident response procedures)?
Accountability for Treasury Operations
Is there an individual or team accountable for treasury operations (e.g., policy upkeep, reviews, operational hygiene)?
Treasury Infrastructure Change Management
Do you maintain formal change management procedures for treasury infrastructure modifications (e.g., wallet setups, custody configurations, signer permissions, protocol integrations)?
Treasury Wallet Risk Classification
Do you have a documented process to classify treasury wallets (e.g., multisigs) and accounts based on risk level and assign appropriate security controls?
Custodial vs Non-Custodial Rationale
Do you have a documented rationale for choosing between custodial and non-custodial treasury solutions, and for technology choices such as MPC or HSM?
Fund Allocation Limits and Triggers
Do you have documented policies for maximum fund allocations per wallet type and rebalancing triggers?

Section 2: Access Control & Authentication

Custody Platform Security Configurations
Do you maintain documented security configurations for custody platforms, including transaction policy rules, multi-approval workflows and thresholds, address whitelisting configurations, and velocity limits?
Treasury Platform Authentication Requirements
Do you maintain documented authentication requirements for treasury platforms (e.g., multi-factor authentication standards, session management)?
Credential and Secret Management Procedures
Do you have procedures for managing credentials and secrets used in treasury operations (e.g., API keys, service accounts)?
Access Review for Treasury Systems
Do you conduct periodic reviews of who has access to treasury systems to ensure only authorized personnel retain access?
Treasury Network Security Controls
Do you implement network security controls for treasury access (IP whitelisting, VPN requirements, geographic access restrictions)?
Isolate Owner Account Credentials
Do you implement controls to isolate owner account credentials?

Section 3: Transaction Security & Verification

Transaction Security and Verification Procedures
Do you maintain documented procedures for transaction security and verification?
Training for All Signers
Do you conduct training programs with all signers?
Pre-Execution Transaction Verification Procedures
Do you have procedures for verifying transaction details before execution (e.g., recipient address validation, amount verification, network confirmation, test transactions, simulation requirements)?
Secure Communication Procedures for Treasury
Do you maintain secure communication procedures for coordinating treasury operations and verifying requests?
Documented Funds Receiving Procedures
Do you have documented procedures for receiving funds?
Procedures for OTC Transactions
Do you maintain procedures for conducting OTC (over-the-counter) transactions?

Section 4: DeFi Risk Assessment

DeFi Protocol Evaluation and Monitoring
Do you maintain documented procedures for evaluating and monitoring DeFi protocols where treasury funds are deployed?
Documented Procedures for DeFi Positions
Do you have documented procedures for managing DeFi positions (e.g., emergency withdrawal procedures, alternative access methods if UIs are unavailable)?
Exposure Limits for Protocol Deployments
Do you define and enforce exposure limits for protocol deployments (e.g., per protocol, chain, category)?
Verifying Contract Addresses and Approvals
Do you have procedures for verifying smart contract addresses and managing token approvals?

Section 5: Staking Risk Assessment

Evaluating and Monitoring Staking Solutions
Do you maintain documented procedures for evaluating and monitoring staking solutions where treasury funds are deployed?
Staking Position Management Procedures
Do you have documented procedures for managing staking positions (e.g., unstaking procedures, emergency exit methods, alternative access if primary UIs are unavailable)?
Exposure Limits for Staking Deployments
Do you define and enforce exposure limits for staking deployments (e.g., per staking provider, per liquid staking protocol)?
Verifying Smart Contract Addresses
Do you have procedures for verifying smart contract addresses?

Section 6: Operational Security

Operational Security Requirements for Treasury Personnel
Do you maintain documented operational security requirements for treasury personnel (signing device setup, device security requirements, etc.)?
Treasury Sensitive Information Security Policy
Do you have policies for secure storage and handling of sensitive treasury information (e.g., credentials, hardware wallets, backup materials)?
Travel Security Procedures for Treasury Personnel
Do you have travel security procedures for treasury personnel with signing/access capabilities?

Section 7: Monitoring & Incident Response

Monitoring Treasury Transactions for Anomalies
Do you monitor treasury transactions and account states for anomalous activity?
Treasury Security Incident Response Procedures
Do you maintain security incident response procedures specific to treasury operations (e.g., severity levels, escalation, containment, fund protection)?
External Threat Intelligence for Treasury
Do you track external threat intelligence relevant to your treasury holdings and infrastructure (e.g., protocol vulnerabilities, DeFi risks)?
Regular Security Drills and Exercises
Do you conduct regular security drills and exercises to test incident response capabilities?
Vendor Availability and Service Notifications Monitoring
Do you monitor for vendor availability and service notifications (e.g., custody platform status, infrastructure provider alerts)?
Transactions and Wallet Addresses Monitoring
Do you monitor transactions and wallet addresses for compliance risk?

Section 8: Vendor & Infrastructure Security

Third-Party Services Security Evaluation
Do you maintain security evaluation criteria for third-party services critical to treasury operations, including initial due diligence and ongoing monitoring?
Vendor Security Control
Do you have procedures to verify vendors are implementing the security controls they contractually committed to?
Backup and Alternate Access
Do you have backup infrastructure and alternate access methods for treasury continuity?

Section 9: Accounting & Financial Reporting

Transaction Recording Procedures
Do you maintain procedures for recording all treasury transactions in your accounting system with appropriate categorization and documentation?
Periodic Reconciliation
Do you conduct periodic reconciliation between custody platform records, blockchain balances, accounting records, etc.?
Documented Procedures
Do you have documented procedures for treasury-related financial reporting?
Insurance Coverage
Do you maintain insurance coverage appropriate for your treasury operations?