Confidential Proposal · April 2026

Cyber Security for the Diocese of Wollongong

A comprehensive security engagement covering Essential Eight maturity assessment, a bespoke Incident Response Plan, and facilitated Tabletop Workshop — purpose-built for mission-critical Catholic organisations.

Prepared For: Reuben Bardak, CTO
Organisation: Catholic Diocese of Wollongong
Reference: HL-2026-DOW-001
Investment: AUD $38,500 + GST

Protecting What Matters Most

The Catholic Diocese of Wollongong operates a mission-critical digital environment spanning schools, parishes, aged care facilities, and social services across the Illawarra and South Coast. Your systems hold student records, health information, financial data, and deeply confidential personal matters. Trust is earned — and defended — through strong security.

🎯 Elevated Threat Landscape
Ransomware groups actively target education institutions and not-for-profit organisations. The Diocese's broad digital footprint — schools, parishes, welfare — presents multiple attack surfaces.

🔐 Sensitive Data at Stake
Student records, health information, financial data, and confidential personal matters require rigorous protection under the Privacy Act, NDB scheme, and sector-specific obligations.

A Three-Part Solution
This engagement delivers a structured maturity assessment, a bespoke Incident Response Plan, and a facilitated Tabletop Workshop — sequenced to build capability in a logical, practical order.

Three Components. One Cohesive Programme.

Each component is designed to build on the last — the assessment identifies gaps, the IR Plan addresses them with documented procedures, and the workshop stress-tests both under realistic conditions.

1. Essential Eight Assessment (⏱ 5 business days)
Benchmark your current security posture against the ACSC Essential Eight Maturity Model. Identify gaps, prioritise remediation, and get a clear executive roadmap.

2. Incident Response Plan (⏱ 5 business days)
A Diocese-branded IR Plan with playbooks, contact trees, regulatory checklists, and decision frameworks — ready to activate when it matters most.

3. Tabletop Workshop (⏱ Half-day, 4 hrs)
Stress-test your plan and people against realistic ransomware and BEC scenarios. Build muscle memory before the real thing happens at 11pm on a Friday.

Cyber Security Framework Assessment

A structured assessment against the ACSC Essential Eight Maturity Model — the benchmark framework mandated for Australian Government agencies and widely adopted across the education and NFP sector.

🗺️ Identify: asset inventory, data classification, third-party risk, governance
🛡️ Protect: access controls, patching, app whitelisting, MFA, backups
🔍 Detect: logging, monitoring, SIEM/alerting capabilities
🔄 Respond & Recover: IR capability, backup integrity, recovery time objectives

How We Assess

1. Stakeholder Interviews
Structured sessions with IT leads, operations staff, and senior leadership to understand current controls, processes, and pain points from the people who live them daily.

2. Document Review
Review of existing policies, procedures, network diagrams, asset registers, and any prior security documentation to validate stated controls against documented evidence.

3. Technical Spot-Checks
Targeted technical verification of key controls — patch levels, MFA configuration, backup integrity, logging coverage — to confirm reality matches documentation.

4. Maturity Benchmarking
Each Essential Eight control rated against Maturity Levels 0–3 using the official ACSC methodology, providing a precise and defensible baseline for prioritisation.

📄 Deliverables
  • Written assessment report with maturity ratings per Essential Eight control
  • Gap analysis with severity ratings: Critical / High / Medium / Low
  • Prioritised remediation roadmap with effort/impact matrix
  • Executive summary suitable for board and leadership briefing
  • Duration: 5 business days from kick-off

Incident Response Plan Development

A bespoke, Diocese-branded Incident Response Plan — not a template, not a checklist. A living operational document your team can actually use when the pressure is on and time is running out.

⚠️ Incident Classification
Severity levels with clear triggers and escalation paths. Your team will know immediately whether they're dealing with a minor event or a full crisis requiring board notification.
Covers: Severity Levels · Escalation Paths

👥 Response Team Structure
Defined roles and responsibilities covering IT, operations, communications, legal, and Diocese leadership. Everyone knows their job before the incident happens.
Covers: Roles & Responsibilities · Contact Trees

📋 Scenario Playbooks
Step-by-step playbooks for the Diocese's highest-risk scenarios: ransomware, Business Email Compromise, data breach (student/parishioner records), and supplier compromise.
Covers: Ransomware · BEC · Data Breach · Supplier Risk

⚖️ Regulatory Obligations
Embedded regulatory checklists covering Privacy Act APP 11, Notifiable Data Breaches scheme, ACSC reporting thresholds, and insurance notification requirements.
Covers: NDB Scheme · APP 11 · ACSC

🔄 Recovery Procedures
Backup restoration priorities, system rebuild sequencing, and business continuity procedures to get critical services — schools, parishes, welfare — back online first.
Covers: Backup Restoration · RTOs · Continuity

📡 Communications Protocols
Escalation scripts, board notification templates, media statements, and parent/community communication frameworks — drafted and ready, not written under pressure.
Covers: Media Templates · Board Notification

📄 Deliverables
  • Diocese-branded Incident Response Plan in Word and PDF format
  • All scenario playbooks (ransomware, BEC, data breach, supplier compromise)
  • Contact trees and escalation decision frameworks
  • Regulatory notification checklists (NDB, APP 11, ACSC, insurance)
  • Post-incident review template
  • Duration: 5 business days from kick-off

Tabletop Incident Response Workshop

A facilitated half-day (4-hour) scenario-based workshop bringing together IT leads, operations, communications, and senior leadership. Real scenarios. Real decisions. Safe environment to discover the gaps before they discover you.

Module 1 · Threat Briefing (30 min)
Current threat landscape targeting education institutions and NFPs across Australia. Regulatory context and notification obligations. Sets the scene with real-world cases — organisations similar to the Diocese that got hit and what happened next.

Module 2 · Scenario Play (2.5 hrs)
Two realistic, Diocese-specific scenarios played out in real time. Participants make actual decisions — containment, communications, ransom, regulatory notification — and learn from the choices they make and the ones they miss.

Module 3 · Debrief & Action Planning (1 hr)
Structured debrief covering what worked, what didn't, and the specific gaps exposed. Each participant leaves with a personalised action list. Written report delivered within 5 business days.

Two Diocese-Specific Crisis Simulations

Developed specifically for the Diocese — not generic scenarios. The details, the stakeholders, the complications are all tailored to your organisation.

🔒 Scenario A — Ransomware in Schools Network
Friday night. 11pm. Everything offline.
  • Phishing email opens ransomware payload at 11pm Friday
  • Student records, financial systems, and email go offline
  • Attacker claims data exfiltration and posts proof online
  • Monday morning: parents calling, media at the door
Teams work through: Containment · Parent Comms · School Continuity · Ransom Decision · NDB Notification · Media Response

💸 Scenario B — Business Email Compromise
$180,000. Gone. Two weeks ago.
  • BEC attacker impersonates Bishop's office via spoofed email
  • $180k fraudulent transfer authorised by finance team
  • Fraud discovered two weeks later during reconciliation
  • Recovery window may already be closed
Teams work through: Forensics · Bank Notification · Accountability · Insurance Claim · Regulatory · Board Comms

📄 Deliverables
  • Facilitated half-day (4hr) workshop on-site at Diocese facilities
  • Customised scenario injects and facilitator materials
  • Participant workbooks and decision frameworks
  • Post-workshop action report with individual action items (within 5 days)

Transparent, All-Inclusive Pricing

Fixed-fee pricing with no hidden costs. All work performed by CREST Certified and ASD Assessed consultants. Travel within the Illawarra is included.

Service · Investment

Cyber Security Framework Assessment: AUD $18,000
ACSC Essential Eight Maturity Model assessment · Stakeholder interviews, document review, technical spot-checks · Written report with gap analysis and remediation roadmap · 5 business days

Incident Response Plan Development: AUD $14,000
Bespoke Diocese-branded IR Plan · Playbooks for ransomware, BEC, data breach · Regulatory checklists (NDB, APP 11, ACSC) · Contact trees and decision frameworks · 5 business days

Tabletop Incident Response Workshop: AUD $6,500
Facilitated half-day workshop on-site · Two custom Diocese scenarios · All participant materials · Post-workshop action report within 5 days

Total Investment: AUD $38,500
All fees are exclusive of GST. GST of 10% is applicable to Australian entities.
Optional Add-Ons

Phishing Simulation (500 users): Optional, AUD $4,500
Full campaign with reporting and staff training recommendations

Travel — Outside Illawarra Region: At cost, if required
Travel within Illawarra is included. Travel outside the region charged at cost.

Australia's Most Credentialled Cyber Security Team

Not a national consulting firm with a cyber team bolted on. Not a reseller with borrowed credentials. HackLabs was purpose-built for this — 17 years doing nothing else.

🏆 CREST Certified
Australia's gold standard in penetration testing

🛡️ ASD Assessed
Australian Signals Directorate — highest national accreditation

🇦🇺 100% Australian Owned
No foreign ownership. Your data never leaves Australia.

🎓 Deep Sector Experience
Extensive experience with education institutions, not-for-profits, government agencies, and healthcare organisations — the sectors that face the greatest compliance pressure and the most determined attackers.

🔧 Practical, Not Theoretical
Every deliverable is designed to be used — not filed. Playbooks written by people who've responded to real incidents. Recommendations sized to real organisational budgets and capabilities.

🚨 Emergency IR Response
If something happens during the engagement — or after it — you have a direct line to our incident response team. 250+ IR engagements per year means we've seen everything and can move fast.

Getting Started Is Simple

From acceptance to kick-off in under two weeks. HackLabs handles the engagement letter, scoping, and scheduling — you focus on making the call.

1. Review & Confirm Scope
Review this proposal, confirm the three-component scope is aligned to your current priorities, and raise any questions with our team.

2. Engagement Letter + SOW
HackLabs issues the Engagement Letter and Statement of Work within one business day of acceptance. Simple, clear, no surprises.

3. Kick-Off Call
A 60-minute scoping call within 5 business days to align on timelines, stakeholders, access requirements, and deliverable formats.

4. Assessment Commences
Work begins within two weeks of the signed engagement letter. Your consultant will be in contact throughout to keep you informed and minimise disruption.

Electronic Acceptance

Accept & Sign This Proposal

By signing below you confirm your acceptance of this proposal and authorise HackLabs to proceed with preparation of the Engagement Letter and Statement of Work.

Client: Catholic Diocese of Wollongong
Reference: HL-2026-DOW-001
Total Investment: AUD $38,500 + GST
Valid Until: 30 June 2026

I confirm I am authorised to accept this proposal on behalf of Catholic Diocese of Wollongong, and I accept the scope, pricing, and terms as described in proposal reference HL-2026-DOW-001. I understand HackLabs will issue a formal Engagement Letter and Statement of Work prior to work commencing.

Reference: HL-2026-DOW-001
Contact: chris@hacklabs.com.au · 1300 01 1337