AI-Powered Security Assessment

Answer scenario-based questions to discover which compliance frameworks your organisation needs, identify critical gaps, and get a prioritised roadmap — completely free.

18 Questions
5 Phases
20+ Frameworks
5 min to complete
Phase 1: Regulatory Context
1 of 18
Where is your organisation primarily based?
Your jurisdiction determines which regulatory frameworks are mandatory vs. voluntary.
Australia
Subject to Privacy Act, APRA (if financial), SOCI Act (if critical infra), ASD Essential Eight
New Zealand
Subject to NZ Privacy Act 2020, NZISM, CERT NZ guidance
United States
Subject to NIST frameworks, state privacy laws, sector-specific (HIPAA, SOX, GLBA)
EU / UK
Subject to GDPR, NIS2 Directive, Cyber Resilience Act, UK Cyber Essentials
Asia-Pacific (Other)
Singapore (PDPA/MAS TRM), India (DPDP Act), Japan (APPI), regional frameworks
Multi-jurisdictional
Operating across multiple countries — need to comply with overlapping regulations
Phase 1: Regulatory Context
2 of 18
Which industry best describes your organisation?
Why this matters: Different industries have sector-specific regulations that mandate certain security frameworks. A hospital must comply with health data laws, while a bank faces prudential standards — choosing the wrong framework wastes time and budget.
Government / Defence / Public Sector
Handles classified or sensitive government data, contracts with defence
Financial Services / Banking / Insurance
APRA-regulated, processes financial transactions, fiduciary obligations
Healthcare / Pharmaceutical / Life Sciences
Handles patient records, clinical data, health identifiers
Technology / SaaS / Cloud Services
Provides services to other businesses, handles customer data
Energy / Utilities / Critical Infrastructure
Operates essential services, SCADA/OT environments, public safety
Retail / E-Commerce / Hospitality
Processes consumer transactions, loyalty programs, POS systems
Education / Research
Student records, research data, institutional governance
Professional Services / Other
Legal, consulting, manufacturing, logistics, media
Phase 1: Regulatory Context
3 of 18
Does your organisation handle government data or hold government contracts?
Scenario: Your company wins a contract to build software for a federal agency. The contract requires you to handle PROTECTED-level data. You now need an IRAP assessment at PROTECTED level before you can access any government systems. Without it, the contract cannot proceed.
Yes — PROTECTED or above
We handle classified or PROTECTED government data (requires IRAP assessment)
Yes — OFFICIAL:Sensitive or below
We handle OFFICIAL or OFFICIAL:Sensitive data (ISM controls apply)
Government contractor (no classified data)
We supply services to government but don’t directly handle classified data
No government involvement
We don’t hold government contracts or handle government data
Phase 1: Regulatory Context
4 of 18
What types of sensitive data does your organisation process?
Select ALL that apply. Each data type triggers specific regulatory requirements.
Personally Identifiable Information (PII)
Names, addresses, emails, phone numbers, dates of birth
Financial / Payment Card Data
Credit card numbers, bank accounts, transaction records
Health / Medical Records
Patient records, clinical data, health identifiers, Medicare numbers
Authentication Credentials / Secrets
Passwords, API keys, certificates, MFA seeds, tokens
Intellectual Property / Trade Secrets
Source code, algorithms, product designs, research data
EU Resident Data
Any personal data of individuals in the EU/EEA (triggers GDPR)
Phase 1: Data Privacy & Consent
5 of 18
How does your organisation manage data privacy obligations?
Scenario: A customer exercises their “right to be forgotten” under GDPR. Your team needs to locate every system that holds this person’s data, verify deletion, and provide evidence within 30 days. Without a privacy governance framework, this becomes a panicked, manual scramble across 20 systems — with no audit trail proving you complied.
No formal privacy programme
No privacy officer, no data mapping, reactive approach to requests
Basic privacy policy exists but limited operationalisation
Privacy policy on website, but no ROPA, no DSAR process, no consent tracking
Some privacy controls in place
Have a privacy officer, basic data mapping, but manual DSAR handling
Mature privacy programme
Automated DSARs, ROPA maintained, consent management, breach response plan, DPIAs conducted
Phase 1: Data Privacy & Consent
6 of 18
How do you manage user consent for data collection and processing?
Scenario: Your marketing team wants to email 50,000 customers about a new product. Legal asks: “Can you prove each person consented to marketing communications? Can you show when they consented, what they consented to, and whether any have withdrawn?” If your answer involves a spreadsheet, you have a consent management gap.
No formal consent tracking
No record of when/how consent was obtained, no withdrawal mechanism
Basic opt-in checkboxes on forms
Checkboxes exist but no centralised consent registry, no granular purposes
Cookie consent platform + email preferences
CMP for cookies, email unsubscribe, but no unified consent record
Centralised consent management with audit trail
Purpose-based consent, withdrawal support, consent receipts, legal basis documented
Phase 1: Data Privacy & Consent
7 of 18
Does your organisation transfer personal data across national borders?
Scenario: Your Australian company uses AWS US-East for hosting, Google Workspace (US-based), and a Philippines-based BPO for customer support. Under the Australian Privacy Act APP 8, you must ensure overseas recipients comply with the APPs. Under GDPR, transfers outside the EU require Standard Contractual Clauses. Violations carry fines up to 4% of global turnover.
All data stays in-country
Hosting, processing, and support all within our jurisdiction
Cloud services in other countries (SaaS, IaaS)
Using US/EU cloud providers but no formal transfer assessment done
Active cross-border transfers (BPO, offshore teams, global customers)
Data flows across multiple jurisdictions for business operations
Cross-border transfers with SCCs / adequacy agreements in place
Transfer Impact Assessments done, contractual safeguards documented
Phase 2: Threat & Risk Landscape
8 of 18
How many employees and managed identities does your organisation have?
Why this matters: An organisation with 50 employees managing 200 cloud accounts has fundamentally different identity governance needs than one with 20,000 employees across 15 countries. The scale determines whether manual processes will work or if you need automated lifecycle management.
Under 50 employees
Startup or small business. Identity management likely manual or ad-hoc.
50 – 500 employees
Growing team. Starting to feel pain of manual onboarding/offboarding.
500 – 5,000 employees
Mid-market. Multiple departments, locations, compliance requirements.
5,000+ employees
Enterprise. Complex org structure, multiple business units, global operations.
Phase 2: Threat & Risk Landscape
9 of 18
Has your organisation experienced a security incident in the last 24 months?
Scenario: After a phishing attack compromised an executive’s email, the attacker used their credentials to access the finance system and initiate fraudulent wire transfers. The board now demands a full security assessment and evidence that controls are in place to prevent recurrence.
Yes — significant breach (data loss, financial impact, regulatory notification)
Required to notify authorities, customers, or regulators
Yes — minor incident (contained, no external impact)
Phishing attempt caught, malware quarantined, near-miss events
Not sure — we don’t have good visibility
No formal incident tracking or SIEM in place
No known incidents
Clean record or unaware of any compromises
Phase 2: Threat & Risk Landscape
10 of 18
Do your clients or partners require you to demonstrate compliance?
Scenario: A Fortune 500 prospect sends you a vendor security questionnaire. They require a SOC 2 Type II report before they’ll sign the contract. Your competitor already has one. Without it, you lose the deal worth $2M annually.
Yes — clients ask for SOC 2 / audit reports
Prospects require third-party attestation before purchasing
Yes — clients require ISO 27001 certification
RFPs or contracts mandate ISO 27001 ISMS certification
Yes — we receive security questionnaires frequently
Ad-hoc vendor assessments but no formal certification required yet
Not currently — but anticipating it
Planning to pursue enterprise clients who will require compliance evidence
Phase 2: Threat & Risk Landscape
11 of 18
How many third-party SaaS applications and vendors have access to your data?
Why this matters: The MOVEit breach (2023) and Optus breach (2022) demonstrated how third-party supply chain risk can be catastrophic. Each vendor with access to your data is a potential attack vector that needs governance.
Under 10 vendors
Minimal SaaS footprint, mostly in-house
10 – 50 vendors
Growing SaaS adoption, some vendor management in place
50+ vendors
Extensive SaaS ecosystem, potential shadow IT, supply chain complexity
Phase 3: Current Security Posture
12 of 18
How do you currently manage user access and identity lifecycle?
Scenario: An employee resigned last Friday. On Monday, their Active Directory account is still active, their Jira access is unchanged, and their GitHub repos still have their SSH keys. HR sent an email to IT, but nobody has actioned it yet. Sound familiar?
Spreadsheets / email requests / manual processes
No centralised IAM. Access requests via email, tickets, or verbal
Basic directory (AD / Entra ID / Google Workspace only)
Central directory for auth but no governance, no lifecycle automation
Multiple point solutions (some SSO, some PAM, no unified view)
Fragmented tools, no single pane of glass for identity governance
Enterprise IGA platform with automated lifecycle
Centralised governance, automated JML, access reviews, SoD
Phase 3: Current Security Posture
13 of 18
What is your infrastructure and cloud environment?
This determines your attack surface and which cloud security frameworks apply.
Predominantly on-premise
Physical data centres, on-prem AD, limited cloud adoption
Hybrid (on-premise + cloud)
Mix of on-prem and cloud workloads, hybrid identity (AD + Entra ID)
Cloud-first / Cloud-native
Primarily cloud workloads (AWS, Azure, GCP), cloud-native identity
Multi-cloud
Workloads across 2+ cloud providers, complex identity federation
Phase 3: Current Security Posture
14 of 18
Which security controls do you currently have in place?
Select ALL that apply. This helps us identify gaps against recommended frameworks.
Multi-Factor Authentication (MFA) enforced
Single Sign-On (SSO) for applications
Privileged Access Management (PAM)
SIEM / Security monitoring
Regular backups with tested recovery
Automated patch management
Documented Incident Response Plan
None of the above
Phase 3: Current Security Posture
15 of 18
What keeps you up at night? Select your top identity security concern.
Scenario: Your CISO presents to the board. The first question is: “Can you tell me exactly who has access to our crown jewels right now?” If you can’t answer confidently in under 60 seconds, you have an identity governance problem.
No visibility into who has access to what
Can’t produce an access report for auditors on demand
Orphan accounts and access creep
Former employees still have active accounts, permissions accumulate
Joiner/Mover/Leaver is a nightmare
Onboarding takes days, offboarding is inconsistent, role changes are missed
Failing audits or can’t prove compliance
Auditors raise findings, evidence is scattered, manual collection takes weeks
Privileged access is ungoverned
Shared admin accounts, no session recording, no just-in-time access
Segregation of Duties violations
Same person can approve and execute payments, no conflict detection
Phase 4: Readiness & Priorities
16 of 18
Are any of these sector-specific regulations applicable to you?
Select ALL that apply. These trigger mandatory framework requirements.
CPS 234 (APRA-regulated entity)
Banks, insurers, super funds regulated by APRA
SOCI Act (Critical Infrastructure)
Energy, water, transport, health, communications, financial markets, data
PCI DSS (Payment Card Processing)
Process, store, or transmit credit card data
HIPAA (US Healthcare)
Handle Protected Health Information (PHI) in the US
None of these apply
Phase 4: Readiness & Priorities
17 of 18
What is your approximate annual budget for security and compliance tooling?
Context: The average mid-market Australian company spends 5–8% of IT budget on cybersecurity. Legacy IGA platforms (e.g., on-premise solutions) typically cost A$80K–250K/year. Activitee delivers equivalent capability from A$8K/year.
No dedicated budget yet
Need to build a business case for investment
Under A$10,000 / year
Looking for affordable, high-value solutions
A$10,000 – A$50,000 / year
Ready to invest in proper governance tooling
A$50,000+ / year
Enterprise-grade budget for comprehensive security program
Phase 4: Readiness & Priorities
18 of 18
What is driving the urgency for this assessment?
Understanding your timeline helps us prioritise recommendations.
Post-incident response — need to demonstrate remediation
Board/regulator requiring evidence of security improvements
Upcoming audit or certification deadline
Assessment due within 1–3 months
Client or prospect requirement
Need compliance evidence to close a deal or retain a customer
Proactive — building a security program
No immediate deadline, planning for long-term security maturity
Just exploring options
Early-stage research, gathering information