Security Proposal · April 2026
Cyber Security Framework,
Incident Response Plan &
Tabletop Workshop
Prepared for the Catholic Diocese of Wollongong
CREST Certified
ASD Assessed
17+ Years Experience
Australian Owned
01 — Introduction
Understanding Your Environment
The Catholic Diocese of Wollongong operates a complex, mission-critical digital environment spanning schools, parishes, aged care, social services, and administrative functions across the Illawarra and South Coast. The people you serve trust you with sensitive data: student records, health information, financial details, and the confidential matters of individuals at vulnerable points in their lives.
That trust is earned through strong, consistent security practice. In today's threat environment — where ransomware groups actively target educational institutions and not-for-profits, and regulatory obligations continue to tighten — good intentions are no longer enough.
HackLabs is proposing a three-component engagement designed to build lasting cyber resilience at the Diocese:
Component 01
Cyber Security Framework Assessment
Independent evaluation against ACSC Essential Eight — producing a prioritised gap analysis and remediation roadmap.
Component 02
Incident Response Plan
A practical, Diocese-specific IR plan covering detection, containment, communication, recovery, and regulatory notification.
Component 03
Tabletop Workshop
Facilitated scenario-based exercise testing your team's decision-making under real-world attack conditions.
02 — Cyber Security Framework Assessment
ACSC Essential Eight Evaluation
HackLabs consultants will conduct a structured assessment of the Diocese's current security controls against the Australian Cyber Security Centre's Essential Eight Maturity Model — the recognised Australian government baseline for organisational cyber resilience.
Assessment Coverage:
- Identify — asset inventory, data classification, third-party risk, governance structure
- Protect — access controls, patch management, application control (whitelisting), MFA, backup integrity
- Detect — logging, monitoring, SIEM/alerting capabilities, anomaly detection
- Respond & Recover — IR capability maturity, recovery time objectives, post-incident process
Deliverables
- Written assessment report with current maturity rating per Essential Eight control
- Prioritised gap analysis (Critical / High / Medium / Low)
- Remediation roadmap with effort estimates
- Executive summary for board reporting
Duration: 5 business days (combination of remote and on-site)
03 — Incident Response Plan
Diocese-Specific IR Plan Development
A bespoke Incident Response Plan designed for the Diocese's operational structure, regulatory obligations, and stakeholder landscape. Not a generic template — a practical document your team will actually use under pressure.
- Incident classification framework — severity levels, response triggers, escalation thresholds
- Response team structure — roles, responsibilities, and decision authority at each severity level
- Playbooks for key scenarios — ransomware, BEC, data breach (student/parishioner records), supplier compromise, physical security with cyber component
- Regulatory notification obligations — Privacy Act (APP 11), Notifiable Data Breaches scheme, ACSC reporting, Diocese insurance notification
- Recovery procedures — backup restoration, system rebuild priority, continuity during recovery
- Post-incident review process
Deliverables
- Fully written, Diocese-branded IR Plan (Word + PDF)
- All playbooks, contact trees, and decision frameworks
- Ready for board approval
Duration: 5 business days
04 — Tabletop Workshop
Scenario-Based Cyber Crisis Simulation
A facilitated, scenario-based half-day workshop (4 hours) that tests your team's incident response capability in a safe environment. Designed for a mixed audience: IT leads, operations, communications, and senior leadership.
Module 1 — Threat Landscape Briefing (30 minutes)
Current threat landscape targeting educational institutions and NFPs in Australia. Recent real-world incidents from analogous organisations. Key regulatory obligations and notification timelines.
Module 2 — Scenario Play (2.5 hours)
Scenario A — Ransomware in the Schools Network
A phishing email targeting a school admin results in ransomware spreading across the diocesan network at 11pm Friday. Student records, financial systems, and email are offline by morning. The attacker claims to have exfiltrated student data.
Teams work through: Containment, parent/community communication, school continuity, ransom decision framework, regulatory notification, media response.
Scenario B — Business Email Compromise
A sophisticated BEC attack impersonates the Bishop's office. A finance officer approves a fraudulent transfer of $180,000. The fraud is discovered two weeks later when the real supplier chases payment.
Teams work through: Forensic investigation, bank notification, internal accountability, insurance claim, regulatory obligations, communication to Diocese leadership.
Module 3 — Debrief & Action Planning (1 hour)
Facilitated debrief covering what worked, what didn't, and specific gaps surfaced. Each participant receives a personal action list. Written post-workshop report delivered within 5 business days.
05 — Investment
Proposal Pricing
| Service | Duration | Investment (AUD, excl. GST) |
|---|---|---|
| Cyber Security Framework Assessment (ACSC Essential Eight) | 5 days | $18,000 |
| Incident Response Plan Development | 5 days | $14,000 |
| Tabletop Incident Response Workshop (Half Day) | 1 day | $6,500 |
| Total Investment | | $38,500 |
Optional add-on: Phishing Simulation (staff awareness baseline, up to 500 users) — $4,500
Travel and accommodation charged at cost for engagements outside the greater Illawarra region.
Accept & Sign
Accept This Proposal
By signing below, you confirm acceptance of this proposal and authorise HackLabs to proceed with the engagement as described.
Chris Gatford will be in touch within 1 business day to schedule the kick-off call.