Out Sauce Security Due Diligence Pack — For Licensees & Advice Practices
Document Purpose
This pack is prepared for licensees, dealer groups, compliance teams, and large advice practices conducting due diligence on Out Sauce as an outsourced paraplanning provider.
It has been structured to address the questions most commonly asked during vendor security assessments, drawing on standard industry frameworks (ACSC Essential Eight, APRA CPS 234, ISO 27001) and regulatory expectations established by ASIC through recent enforcement actions.
Out Sauce welcomes due diligence. We have invested in building security infrastructure that is designed to withstand scrutiny — not just pass it.
Deployment Status
Out Sauce is currently deploying its security framework through a managed services engagement with Destiny IT, commenced March 2026. Technical controls described in this document are being implemented progressively as part of this rollout. Managed devices are being provisioned to all personnel, and training programs will commence once the deployment is complete. This document reflects Out Sauce's security architecture and commitments — both established controls and those in active deployment.
How This Pack Is Structured
This pack contains Out Sauce's complete security documentation:
- This document — company overview, framework alignment, architecture summary, policy index, data handling, incident response, AI governance, contractor security, insurance, BCP, compliance evidence
- Compliance matrix — point-by-point mapping of Out Sauce controls against leading licensee cyber policy requirements
- Full policy suite — 9-document comprehensive information security policy suite
- Certificates — insurance certificates of currency, ISO 27001 certification
Contact: Out Sauce Operations — clinton@outsauce.au
1. COMPANY OVERVIEW
| Item | Detail |
|---|---|
| Legal entity | Weekes Financial Pty Ltd |
| Trading as | Out Sauce Paraplanning |
| ACN | 678 702 013 |
| Operations | Out Sauce Operations |
| Services | Outsourced paraplanning |
| Operating model | 100% onshore (Australia), remote workforce on managed devices |
| Team | 2 employees + ~10 independent contract paraplanners |
| IT managed services | Destiny IT Pty Ltd — specialist Australian financial advice industry IT provider, ISO 27001:2022 certified |
| Cyber insurance | Minimum $1,000,000 cover (COC available on request) |
| Professional indemnity | $1,000,000 per claim / $3,000,000 aggregate (AIG, COC available on request) |
Why Destiny IT
Out Sauce deliberately chose a specialist IT managed services provider rather than a generalist. Destiny IT specialises in working with financial advice businesses in Australia. They understand the regulatory environment (ASIC, Privacy Act, licensee cyber policies), the data sensitivity (TFNs, health information, financial details), and the specific threat landscape facing financial services. Destiny IT is ISO 27001:2022 certified (Certificate #6686-3757-01, valid to November 2027, certified by Compass Assurance Services under JAS-ANZ accreditation), providing independent assurance of their information security management systems.
2. REGULATORY CONTEXT
Why This Matters Now
ASIC has established through enforcement actions that cybersecurity is a core compliance obligation under s912A of the Corporations Act 2001. Licensees are required to:
- Have effective risk management measures to protect client data from cyber attacks
- Ensure authorised representatives and outsourced providers meet the licensee's cybersecurity standards
- Maintain adequate cybersecurity policies, training, monitoring, and specialist expertise
- Exercise adequate supervision over outsourced service providers' cybersecurity
What this means for you: Working with an outsourced paraplanning provider that cannot demonstrate robust cybersecurity creates regulatory risk for your business and your licensee. Out Sauce's security framework is designed to significantly reduce that risk.
3. SECURITY FRAMEWORK ALIGNMENT
| Framework / Standard | Out Sauce Position | Evidence |
|---|---|---|
| ACSC Essential Eight | Targeting Maturity Level 2 across all eight strategies, delivered through Destiny IT managed services | OS-ISP-001 s6; Destiny IT MSA |
| APRA CPS 234 | Principles applied by analogy — information security capability commensurate with threats. Not directly APRA-regulated but framework applied as best practice. | OS-ISP-001 s2 |
| APRA CPS 230 | Operational resilience principles adopted. Out Sauce as a service provider demonstrates capability consistent with CPS 230 expectations of material service providers. | OS-BCP-001 |
| ISO 27001 | Policy structure follows ISO 27001 domains. Out Sauce's IT security provider (Destiny IT) holds ISO 27001:2022 certification. Formal Out Sauce certification under consideration as the business scales. | OS-ISP-001; Destiny IT ISO 27001:2022 Certificate |
| Licensee cyber policy standards | Full compliance matrix available. Out Sauce meets or exceeds the mandatory requirements assessed in the Out Sauce compliance matrix. | OS-CCM-001 |
| Privacy Act 1988 / APPs | Compliant with all 13 Australian Privacy Principles. Proactively addresses evolving privacy obligations. | OS-PDP-001 |
| Notifiable Data Breaches scheme | Compliant — assessment process aligned with statutory timeframes (30 days Privacy Act; 7 days per licensee Cyber Policy) | OS-CIRP-001 |
| ASIC REP 798 (AI governance) | AI governance framework aligned with ASIC expectations for financial services | Out Sauce Contractors Agreement Schedule B |
| DTA Model AI Clauses v2.0 | AI policy aligned with Australian Government model approach | Out Sauce Contractors Agreement Schedule B |
| TFNR 2015 | TFN handling compliant with Tax File Number Regulations — restricted collection, use, disclosure, and storage | OS-DHP-001 s4.2 |
ACSC Essential Eight — Out Sauce Implementation
| Strategy | Out Sauce Implementation | Maturity Target |
|---|---|---|
| Application control | Destiny IT application management — only approved software on managed devices. Contractors have no install rights. | ML2 |
| Patch applications | Automatic updates with regular patching. Zero-day patches within 24 hours. Destiny IT monitors and confirms deployment. | ML2 |
| Configure macro settings | Managed by Destiny IT — macros restricted to signed/trusted only. | ML2 |
| User application hardening | Browser extensions controlled, attack surface minimised. Flash/Java removed. | ML2 |
| Restrict admin privileges | Admin access limited to Out Sauce Operations + Destiny IT (security only). Contractors have zero admin rights. | ML2 |
| Patch operating systems | Managed by Destiny IT — automatic OS patching on all endpoints. | ML2 |
| Multi-factor authentication | Required on all systems accessing client data. Authenticator app enforced (not SMS). | ML2 |
| Regular backups | Daily automated cloud backups with tested restore capability. | ML2 |
4. SECURITY ARCHITECTURE
4.1 Technical Controls
| Layer | Control | Details |
|---|---|---|
| Endpoint | Managed devices | All Out Sauce work to be performed on company-provisioned, Destiny IT-managed laptops being deployed to all personnel. No BYOD for client data work. |
| Endpoint | EDR | Continuous endpoint detection and response on all managed devices |
| Endpoint | Application management | Only approved software; admin rights restricted to Out Sauce Operations + Destiny IT |
| Endpoint | Device management (MDM) | Central configuration, remote lock/wipe capability, screen lock at 10 minutes with dynamic locking enabled |
| Identity | MFA | Required for all client data systems. Authenticator app enforced. Email-based auth prohibited. |
| Identity | Password management | Being deployed as part of Destiny IT rollout. Enterprise password manager, 16-char minimum, no reuse within 10 changes, 90-day rotation |
| Identity | Account lockout | 5 failed attempt threshold |
| Network | Anti-spam / anti-phishing | Advanced email filtering via Destiny IT managed services |
| Data | DLP | USB transfer blocked by default; additional DLP controls (personal cloud, personal email, Airdrop/Bluetooth) configured as part of Out Sauce onboarding |
| Data | Encryption at rest | Full-disk encryption on all endpoints; encrypted cloud storage |
| Data | Encryption in transit | TLS for all transmissions; encrypted email for sensitive data |
| Data | Cloud backups | Daily automated cloud backup, geographically redundant |
| Monitoring | SIEM | Security event logging, correlation, alerting — all security-relevant activity captured |
| Monitoring | MDR | 24/7 managed detection and response via Destiny IT |
| Patching | Automatic updates | Regular patching as part of managed services; zero-day patches within 24 hours |
| Training | Security awareness | Annual program + monthly or bi-monthly phishing simulations for all personnel. To commence once Destiny IT services are fully active. |
4.2 Administrative Controls
| Control | Details | Evidence |
|---|---|---|
| Policy suite | 9-document comprehensive information security policy suite | OS-ISP-001 through OS-SAT-001 |
| Contractor agreements | Security, data handling, AI, and incident reporting obligations contractually embedded (v2.0, being finalised, March 2026) | Contractors Agreement + Schedules A/B/C |
| Access management | Least privilege, quarterly reviews, formal onboarding/offboarding with 24-hour deprovisioning SLA | OS-AMP-001 |
| Vendor management | Tiered vendor risk assessment with annual reviews | OS-VMP-001 |
| Incident response plan | Documented 6-phase response, severity classification, notification chain, communication templates | OS-CIRP-001 |
| Data classification | Three-tier classification system with specific handling rules per tier | OS-DHP-001 |
| AI governance | Formal framework governing AI use, approved tools, data restrictions, human review requirements | Contractors Agreement Schedule B |
| Security monitoring consent | All contractors provide informed consent to EDR, SIEM, DLP monitoring (security only — not productivity tracking) | Contractors Agreement cl 11 |
5. POLICY SUITE
| # | Policy | Document ID | Key Provisions |
|---|---|---|---|
| 01 | Information Security Policy | OS-ISP-001 | Security principles, governance, architecture, Essential Eight alignment, risk management |
| 02 | Cyber Incident Response Plan | OS-CIRP-001 | 6-phase response, 4 severity levels, notification chain with SLAs, communication templates, annual tabletop testing |
| 03 | Data Handling & Classification | OS-DHP-001 | 3-tier classification (General/Personal/Sensitive), approved handling/transfer methods, AI data rules, TFN handling per TFNR 2015 |
| 04 | Acceptable Use Policy | OS-AUP-001 | Technology, device, and system usage rules — applies to all Out Sauce personnel |
| 05 | Access Management Policy | OS-AMP-001 | Access lifecycle, RBAC, MFA, password standards, 24-hour deprovisioning, quarterly reviews |
| 06 | Business Continuity & DR | OS-BCP-001 | Scenario-specific procedures, RTOs (24hr/72hr), RPO (24hr), MTD (5 days), backup/restore |
| 07 | Privacy & Data Protection | OS-PDP-001 | All 13 APP compliance, NDB procedures, statutory tort compliance, TFN handling |
| 08 | Third-Party & Vendor Management | OS-VMP-001 | 3-tier vendor risk assessment, assessment criteria, annual review, fourth-party visibility |
| 09 | Security Awareness & Training | OS-SAT-001 | Training program, phishing simulations, effectiveness metrics, completion tracking |
Full policy documents are included in this submission pack.
6. DATA HANDLING
6.1 Data Classification
| Classification | Examples | Handling Requirements |
|---|---|---|
| General | Public info, business correspondence | Standard care, approved systems |
| Personal | Client names, contact details, employment, super fund names, insurer names, policy numbers | Encrypted storage, approved transfer methods, access controlled |
| Sensitive | Financial details, TFNs, health info, account numbers, government identifiers | Highest protection — encrypted, access-restricted, no unapproved AI, secure-only transfer |
6.2 Approved Data Transfer Methods
| Data Type | Approved Methods |
|---|---|
| General | Email, approved collaboration tools, approved cloud sharing |
| Personal (limited: name, contact, super fund, insurer, policy number) | Targeted email to specific client address permitted |
| Personal (including sensitive) | Approved client portals (approved financial planning software), approved cloud storage with MFA, encrypted email |
| Product providers / government agencies (where primary methods unavailable) | Post, or password-protected document (16-character minimum password, sent to the recipient via a separate channel) |
6.3 Prohibited Practices
- No client data on personal devices, USB, removable media, or personal cloud
- No client data in personal email accounts
- No client data in unapproved AI tools
- No unencrypted transfer of sensitive information
- No duplication of sensitive data (e.g., TFNs) across multiple documents — single-source storage
- No Airdrop/Bluetooth transfer of client data
6.4 Retention & Disposal
- Client files retained 7 years per Corporations Act and licensee requirements
- All data stored in approved systems (approved financial planning software, managed cloud platform)
- Secure destruction after retention period (managed by Destiny IT)
- Contractor data return and certified destruction on termination
7. INCIDENT RESPONSE
| Item | Out Sauce Standard | Evidence |
|---|---|---|
| Plan | Documented 6-phase Cyber Incident Response Plan with 4 severity levels | OS-CIRP-001 |
| Detection | 24/7 monitoring via EDR, SIEM, MDR (Destiny IT) | Destiny IT MSA |
| Notification to affected client | Within 24 hours of Out Sauce becoming aware | OS-CIRP-001 s3 |
| Notification to licensee | Within 24 hours per licensee Cyber Policy | OS-CIRP-001 s3 |
| NDB assessment | Assessment commenced within 24 hours of awareness; completed within statutory timeframes | OS-CIRP-001 s4 |
| Notification chain | Personnel → Out Sauce Operations → Destiny IT → Client → Licensee → OAIC/Regulators | OS-CIRP-001 s3 |
| Containment | Immediate isolation of affected systems via Destiny IT | OS-CIRP-001 s3.3 |
| Investigation | Initial investigation support by Destiny IT; specialist forensic investigation engaged as required | OS-CIRP-001 s3.4 |
| Recovery | Restoration from cloud backups; system integrity verified before resuming | OS-CIRP-001 s3.5; OS-BCP-001 |
| Post-incident | Root cause analysis, control improvement, documented review | OS-CIRP-001 s3.6 |
| Testing | Annual tabletop exercise; monthly or bi-monthly phishing simulation | OS-SAT-001 s4 |
| Cyber insurance | Minimum $1,000,000 cover including incident response, business interruption, notification costs, third-party claims | COC available on request |
8. AI GOVERNANCE
| Item | Out Sauce Standard | Evidence |
|---|---|---|
| Framework | Formal AI governance policy embedded in Contractors Agreement (Schedule B — Technology & AI Use Policy) | Contractors Agreement Schedule B |
| Approved tools | Maintained list of approved AI tools; each assessed for data handling, security, and regulatory compliance before approval | Schedule B s2.1 |
| Data protection | Sensitive Information (financial details, TFNs, health info) never input into unapproved AI tools. General and Personal information subject to AI-specific handling rules. | OS-DHP-001 s4.3; Schedule B s3 |
| Human review | All AI-assisted deliverables reviewed by qualified paraplanner before delivery. AI does not replace professional judgement. | Schedule B s4 |
| Disclosure | AI contribution to deliverables disclosed on request. Transparency is a core principle. | Schedule B s4.2 |
| Accountability | Paraplanner retains full professional responsibility for all outputs regardless of AI use | Schedule B s4.1 |
| Regulatory alignment | ASIC REP 798 (AI governance in financial services), DTA Model AI Clauses v2.0, Australia's AI Ethics Principles (fairness, transparency, accountability, privacy, reliability, contestability, human oversight) | Schedule B s1 |
9. CONTRACTOR SECURITY
| Requirement | Details | Evidence |
|---|---|---|
| Agreement | Comprehensive Contractors Agreement v2.0 (March 2026) with technology, AI, security, data handling, and incident reporting obligations contractually embedded | Contractors Agreement + Schedules |
| Operating model | 100% onshore (Australia). All paraplanning work performed by Australian-based contractors. | Contractors Agreement cl 1 |
| Devices | Every contractor will receive an Out Sauce-provisioned, Destiny IT-managed laptop. No personal devices permitted for Out Sauce client work. Out Sauce absorbs all equipment costs. Devices are currently being deployed. | Schedule A (Equipment Loan) |
| Training | Minimum 2 hours/year security awareness training + monthly or bi-monthly phishing simulations. Completion to be tracked and auditable once program commences. | Contractors Agreement cl 10.2; OS-SAT-001 |
| Monitoring | EDR, SIEM, DLP on all managed devices. Informed consent obtained. Security monitoring only — not productivity tracking. | Contractors Agreement cl 11 |
| Incident reporting | 24-hour mandatory reporting obligation for any suspected security incident | Contractors Agreement cl 10.3 |
| Data handling | Bound by Out Sauce's three-tier data classification and approved handling methods. No personal cloud, no USB, no unapproved AI. | OS-DHP-001; Schedule B |
| Non-solicitation | Non-solicitation clause protecting Out Sauce's client relationships (6 months, cascading) | Contractors Agreement cl 15 |
| Offboarding | Access revoked within 24 hours of termination. Managed device returned within 7 days. Written certification of data destruction required. | OS-AMP-001 s4; Contractors Agreement cl 7 |
10. INSURANCE
| Type | Details | Evidence |
|---|---|---|
| Cyber insurance | Minimum $1,000,000 cover. Includes: incident response, business interruption, notification costs, third-party claims, cyber extortion, data recovery. | COC available on request |
| Professional indemnity | $1,000,000 per claim / $3,000,000 aggregate. AIG Professional Indemnity, valid to Sep 2026. | COC available on request |
| Certificates of Currency | Out Sauce Cyber COC (CFC, valid to Sep 2026) and PI COC (AIG, valid to Sep 2026) on file. Destiny IT COC (SURA Technology Package, valid to Jun 2026) on file. | COCs on file |
11. BUSINESS CONTINUITY
| Metric | Target | Evidence |
|---|---|---|
| Recovery Time Objective | 24 hours (critical systems) / 72 hours (full operations) | OS-BCP-001 s3 |
| Recovery Point Objective | 24 hours maximum data loss (daily backups) | OS-BCP-001 s4 |
| Maximum Tolerable Downtime | 5 business days | OS-BCP-001 s3 |
| Backup frequency | Daily automated (cloud backups) | OS-BCP-001 s4 |
| Backup testing | Automated restore integrity verification via backup platform; full restore testing available on request | OS-BCP-001 s4.3 |
| Operating model | Cloud-first, remote workforce — no single physical location dependency | OS-BCP-001 s2 |
| Geographic redundancy | Approved cloud platform infrastructure with geographic redundancy | OS-BCP-001 s4 |
| Communication plan | Offline communication plan for reaching all personnel during disruption | OS-BCP-001 s5 |
12. SUBCONTRACTING & FOURTH-PARTY RISK
| Question | Out Sauce Response |
|---|---|
| Does Out Sauce subcontract any services? | Out Sauce's paraplanning work is performed by Out Sauce's own independent contract paraplanners. Out Sauce does not further subcontract client work to third parties. |
| Does Out Sauce use offshore providers? | No. All Out Sauce paraplanning work is performed onshore in Australia by Australian-based contractors. |
| How does Out Sauce manage vendor/fourth-party risk? | Out Sauce maintains a Third-Party & Vendor Management Policy (OS-VMP-001) with tiered risk assessment. Destiny IT is Out Sauce's primary IT vendor, assessed as Tier 1 (Critical). |
| Does Out Sauce provide visibility into its vendor ecosystem? | Yes. Out Sauce can provide a list of all material vendors/subprocessors and their risk tier classification on request. |
13. COMPLIANCE EVIDENCE
| Document | Included |
|---|---|
| This due diligence pack | Yes |
| Compliance matrix (point-by-point) | Yes |
| Full policy suite (9 policies + 3 registers/programs) | Yes |
| Certificates of Currency (cyber + PI) | Yes |
| Destiny IT ISO 27001:2022 certificate | Yes |
| Destiny IT insurance COC | Yes |
| Security overview for advisers | Available on request |
| Security training completion records (aggregate) | Available on request |
| Phishing simulation results (aggregate) | Available on request |
| Contractors Agreement template (including Schedules A/B/C) | Available on request |
| Vendor risk assessments | Available on request |
14. CYBER POLICY COMPLIANCE
Out Sauce has prepared a point-by-point compliance matrix mapping every mandatory requirement and best practice recommendation from leading licensee cyber policy standards to Out Sauce's specific controls and evidence.
Summary (83 requirements assessed):
- 83 requirements met or exceeded (100%)
- 16 requirements exceeded (Out Sauce goes beyond the minimum)
- 0 items outstanding
The full compliance matrix (OS-CCM-001) is included in this submission pack.
15. CONTACT
Out Sauce Operations
Out Sauce Paraplanning (Weekes Financial Pty Ltd)
clinton@outsauce.au
Prepared: June 2026 | Version 3.0
This document may be shared with licensees, compliance teams, and prospective clients for due diligence purposes.
Out Sauce — Cyber Policy Compliance Matrix
Purpose: This document maps every mandatory requirement and best practice recommendation from leading licensee cyber policy standards to Out Sauce's specific controls, policies, and evidence. It is designed so that a compliance officer can verify Out Sauce's compliance point by point.
How To Read This Matrix
Each row contains:
- Policy Requirement — the exact requirement or recommendation from the Cyber Policy
- Requirement Type — Mandatory or Recommended/Best Practice
- Out Sauce Control — what Out Sauce does to meet or exceed this requirement
- Evidence Reference — the specific Out Sauce document, system, or certificate that substantiates the control
- Status — Met, Exceeds, Partial, or N/A
1. UPDATES
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 1.1 | Register all current software for automatic updates, configured for at least weekly | Mandatory | All Out Sauce endpoints are managed by Destiny IT with automatic updates configured and regular patching applied as part of managed services. | Destiny IT MSA; OS-ISP-001 s6.2 | Met |
| 1.2 | Zero-day patching must be conducted within 24 hours of patch release | Mandatory | Destiny IT monitors for zero-day vulnerabilities and applies critical patches within 24 hours. | Destiny IT MSA; OS-ISP-001 s6.2 | Met |
| 1.3 | IT provider must monitor patch updates and confirm successful deployment | Mandatory | Destiny IT tracks all vulnerabilities, actions outstanding patches, and confirms deployment. Quarterly reporting available. | Destiny IT quarterly reports | Met |
| 1.4 | Outdated operating systems must not be used | Mandatory | All Out Sauce endpoints run current, supported operating systems. Destiny IT manages OS lifecycle. No legacy OS permitted. | Destiny IT device inventory | Met |
| 1.5 | IT provider should have vulnerability tracking software installed (recommended) | Recommended | Destiny IT SIEM and vulnerability scanning tools are deployed across all Out Sauce endpoints. | Destiny IT MSA; OS-ISP-001 s6.2 | Exceeds |
| 1.6 | Quarterly reporting from IT provider on patching completed (recommended) | Recommended | Available from Destiny IT on request. | Destiny IT reporting capability | Met |
2. BACKUPS
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 2.1 | Automated backups of all client and business data, completed at least daily | Mandatory | Daily automated cloud backups managed by Destiny IT. | OS-BCP-001 s4; Destiny IT MSA | Met |
| 2.2 | Backups must be encrypted and scanned for viruses and malware | Mandatory | Cloud backups are encrypted. Destiny IT scans for malware as part of managed services. | OS-BCP-001 s4; Destiny IT MSA | Met |
| 2.3 | IT provider must complete regular testing to confirm restore capability | Mandatory | Backup platform performs automated restore integrity verification. Full restore testing available on request. | OS-BCP-001 s4.3 | Met |
| 2.4 | Maintain physical backup in a secure offsite location for 7-10 years | Mandatory | Out Sauce operates cloud-first with geographically redundant cloud backups. Cloud backup data retained per regulatory requirements. | OS-BCP-001 s4 | Met (cloud equivalent) |
| 2.5 | Full complete backup annually with full restore integrity testing | Mandatory | Backup platform performs automated restore integrity verification on an ongoing basis. Full manual restore testing available as an additional service. | OS-BCP-001 s4.3 | Met |
| 2.6 | Cloud backup systems must isolate data from the client network | Mandatory | Cloud backups are isolated from the production environment. Managed by Destiny IT. | Destiny IT MSA | Met |
| 2.7 | Implement a 3-2-1 backup strategy (recommended) | Recommended | Cloud-native model provides geographic redundancy via cloud platform provider infrastructure. Multiple copies across data centres. | OS-BCP-001 s4 | Met (cloud equivalent) |
3. MULTI-FACTOR AUTHENTICATION
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 3.1 | MFA mandatory for all client personal (including sensitive) information systems | Mandatory | MFA required on all systems accessing client data. Enforced via Destiny IT managed identity. | OS-AMP-001 s8; OS-ISP-001 s6.2 | Met |
| 3.2 | MFA mandatory where functionality exists (not just personal/sensitive data) | Mandatory | MFA enforced on all Out Sauce systems where MFA capability exists, including email, cloud storage, and business applications. | OS-AMP-001 s8 | Met |
| 3.3 | Authenticator Application rather than SMS where possible | Mandatory | Authenticator app enforced as primary MFA method. SMS not approved for Out Sauce systems. | OS-AMP-001 s8 | Exceeds |
| 3.4 | Mobile phones protected with biometric or PIN | Mandatory | Managed device policy requires biometric or PIN lock on any mobile device accessing Out Sauce systems. | OS-AUP-001 s3 | Met |
| 3.5 | Authentication via email is not permitted | Mandatory | Email-based authentication is not used for any Out Sauce system. | OS-AMP-001 s8 | Met |
4. ACCESS CONTROL
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 4.1 | Restrict administrator privileges to key staff | Mandatory | Admin access limited to Out Sauce Operations and Destiny IT (security administration only). Contractors have zero admin rights. | OS-AMP-001 s7; OS-ISP-001 s6.2 | Exceeds |
| 4.2 | Password sharing is not permitted | Mandatory | Prohibited under Out Sauce Acceptable Use Policy and enforced via enterprise password manager. | OS-AUP-001 s6; OS-AMP-001 s8 | Met |
| 4.3 | Users must not be able to execute programs on computers or servers | Mandatory | Application control enforced by Destiny IT — only approved software can be installed or executed. Contractors have no install rights. | Destiny IT application management; OS-ISP-001 s6.2 | Exceeds |
| 4.4 | Devices must be locked when unattended (max 10 minutes screen lock) | Mandatory | Screen lock configured at maximum 10 minutes on all managed devices, with dynamic locking enabled as the preferred method. Enforced via Destiny IT device management. | Destiny IT MDM policy | Met |
| 4.5 | Turn off Bluetooth when not in use | Mandatory | Out Sauce Acceptable Use Policy requires all personnel to disable Bluetooth when not actively in use. Reinforced through security awareness training. | OS-AUP-001 s3; OS-SAT-001 | Met |
| 4.6 | VPN must be used for all staff working remotely | Mandatory | VPN access is available through Out Sauce's managed services platform. For day-to-day remote access, Out Sauce employs MFA with conditional access policies via approved cloud platform, providing identity-verified, policy-enforced access to all cloud-based systems. Conditional access enforces device compliance checks, geographical restrictions (Australia only), and MFA on every login. | OS-ISP-001 s6.2; Destiny IT MSA | Met |
| 4.7 | Antivirus must be installed on devices for malware protection | Mandatory | Endpoint Detection & Response (EDR) deployed on all managed devices — significantly more advanced than traditional antivirus. | Destiny IT MSA; OS-ISP-001 s6.2 | Exceeds |
| 4.8 | Keep devices secure and enable remote tracking | Mandatory | All managed devices have remote lock/wipe capability via Destiny IT MDM. Device tracking enabled. | Destiny IT MDM | Met |
| 4.9 | Client data cannot be saved on removable/portable devices (USB, phones, tablets) | Mandatory | USB data transfer blocked by default on all managed devices. Additional DLP controls (personal cloud storage, personal email, Airdrop/Bluetooth) configured as part of Out Sauce onboarding requirements with Destiny IT. | OS-DHP-001 s4; Destiny IT DLP configuration | Met |
| 4.10 | Public computers and public wi-fi must not be used for work email | Mandatory | Prohibited under Out Sauce Acceptable Use Policy. Out Sauce work is restricted to managed devices only. | OS-AUP-001 s3 | Exceeds — Out Sauce bans all non-managed device access, not just public computers |
| 4.11 | Firewalls must be set up (including home networks for remote workers) | Mandatory | Endpoint firewalls configured on all managed devices by Destiny IT. | Destiny IT MDM policy | Met |
| 4.12 | Maintain a register of devices with acceptable use policy | Mandatory | Destiny IT maintains a complete device register for all Out Sauce endpoints. Out Sauce Acceptable Use Policy (OS-AUP-001) is in force. | OS-AUP-001; Destiny IT device inventory | Met |
| 4.13 | Revoke staff accounts when they leave | Mandatory | Access revoked within 24 hours of termination. Managed via formal offboarding procedure. | OS-AMP-001 s5.4 (offboarding) | Exceeds — formal procedure with 24-hour SLA |
| 4.14 | Implement geographical access controls (recommended) | Recommended | Conditional access policies configured by Destiny IT restrict logins to Australian geography. Confirmed by Destiny IT (23 Mar 2026). | Destiny IT conditional access configuration | Met |
| 4.15 | Controls on browser extensions and software integrations (recommended) | Recommended | Application management by Destiny IT restricts browser extensions. Only approved extensions permitted. | Destiny IT application management | Met |
5. PASSWORD CONTROLS
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 5.1 | Approved password manager mandatory | Mandatory | Enterprise password manager being deployed across all Out Sauce personnel as part of Destiny IT rollout. | OS-AMP-001 s8; Destiny IT MSA | Met |
| 5.2 | Passwords minimum 16 characters, unique, with variation of numbers/characters/cases | Mandatory | 16-character minimum enforced. Complexity requirements set via enterprise password manager and identity policy. | OS-AMP-001 s8 | Met |
| 5.3 | Passwords must not be reused in last 10 changes | Mandatory | Password history enforcement — no reuse within last 10 passwords. | OS-AMP-001 s8 | Met |
| 5.4 | Limit login fail attempts to 5 | Mandatory | Account lockout after 5 failed attempts. | OS-AMP-001 s8 | Met |
| 5.5 | Change passwords every 90 days or if part of a cyber breach | Mandatory | 90-day password rotation enforced. Immediate forced reset on any suspected breach. | OS-AMP-001 s8 | Met |
| 5.6 | Passwords cannot be shared among users | Mandatory | Prohibited under Out Sauce policy. Enterprise password manager enables secure sharing of service accounts where required without revealing passwords. | OS-AUP-001 s6; OS-AMP-001 s8 | Met |
| 5.7 | Passwords must not be saved in browser autocomplete | Mandatory | Browser password saving disabled on managed devices via Destiny IT configuration. | Destiny IT MDM policy | Met |
| 5.8 | Use password managers to revoke access when employee leaves | Mandatory | Part of formal offboarding procedure — password manager access revoked, shared passwords rotated within 24 hours. | OS-AMP-001 s5.4 | Met |
6. EMPLOYEE TRAINING
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 6.1 | Cyber training mandatory for all employees, minimum 2 hours per year | Mandatory | All Out Sauce personnel (employees and contractors) are required to complete a minimum of 2 hours/year of security awareness training. | OS-SAT-001; Contractors Agreement cl 10.2 | Exceeds — extends to all contractors, not just employees |
| 6.2 | Maintain a register evidencing training completion | Mandatory | Training completion register maintained. Records available for licensee audit on request. | OS-SAT-001 s5 | Met |
7. SECURITY VULNERABILITIES
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 7.1 | Register for ACSC Alert Service | Mandatory | Out Sauce registered as ACSC Partner (23 Mar 2026). Receiving ACSC Alert Service, monthly newsletters, and JCSC event invitations. Destiny IT also monitors ACSC alerts as part of their managed service. | ACSC Partnership confirmation email (23 Mar 2026) | Met |
8. ASSET DISPOSAL
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 8.1 | Use IT asset disposal company for end-of-lifecycle hardware (recommended) | Recommended | Destiny IT manages device lifecycle — retired devices are decommissioned via Intune, with full-disk encryption ensuring data security. Recycling services offered for end-of-life hardware. | Destiny IT MSA | Met |
9. PRACTICE WEBSITES
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 9.1 | Website patching, updating, and maintaining backups (recommended) | Recommended | Out Sauce website is hosted on a managed platform with SSL enabled. Patching and updates managed through hosting provider. | Managed hosting provider | Met |
| 9.2 | Regular security reviews of website (recommended) | Recommended | Website security managed through managed hosting provider. Out Sauce website does not process or store client data — it is an informational/marketing site only. | Managed hosting provider | Met |
| 9.3 | Single site structure preferred (recommended) | Recommended | Out Sauce operates a single website. | — | Met |
10. EMAIL AND DOMAIN SECURITY
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 10.1 | SPF (Sender Policy Framework) enabled | Recommended | SPF configured for Out Sauce domain as part of approved cloud platform onboarding by Destiny IT. | Destiny IT cloud platform configuration | Met |
| 10.2 | DKIM (DomainKeys Identified Mail) enabled | Recommended | DKIM configured for Out Sauce domain as part of approved cloud platform onboarding by Destiny IT. | Destiny IT cloud platform configuration | Met |
| 10.3 | DMARC enabled | Recommended | DMARC configured for Out Sauce domain as part of approved cloud platform onboarding by Destiny IT. | Destiny IT cloud platform configuration | Met |
11. CLIENT DATA — TYPES & TRANSFER
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 11.1 | Understand three data classifications: General/Public, Personal, Sensitive | Mandatory | Out Sauce Data Handling & Classification Policy defines three equivalent tiers with clear handling rules for each. | OS-DHP-001 s2 | Met |
| 11.2 | General/public information — no transfer restrictions | Mandatory | Acknowledged in Out Sauce policy. General information handled via approved systems. | OS-DHP-001 s3.1 | Met |
| 11.3 | Personal information — use approved methods (client portals, approved cloud storage, encrypted email) | Mandatory | Personal information transferred only via approved cloud platform (encrypted), approved client portals, or approved cloud storage links. | OS-DHP-001 s3.2 | Met |
| 11.4 | Limited personal info (client name, contact, super fund, insurer name, policy number) may be emailed to targeted client email without encryption | Mandatory | Understood and applied. Limited personal information only sent to specific client email addresses per policy. | OS-DHP-001 s3.2 | Met |
| 11.5 | Personal + sensitive information — must use approved client portals, approved cloud storage with MFA, or encrypted email | Mandatory | All sensitive data transferred only via approved portals (approved financial planning software), approved cloud storage with MFA, or encrypted email. No exceptions. | OS-DHP-001 s3.3 | Met |
| 11.6 | Alternative method for product providers/government agencies: post or password-protected documents (16-char password, sent via separate channel) | Mandatory | Understood and applied when product providers/government agencies cannot accept primary methods. Password requirements align with Out Sauce password policy. | OS-DHP-001 s3.4 | Met |
| 11.7 | Notify licensee Technology Team if product provider doesn't accept approved methods | Mandatory | Process documented. Out Sauce Operations responsible for escalation. | OS-DHP-001 s3.4 | Met |
12. RETENTION OF CLIENT DATA
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 12.1 | All client files maintained for minimum 7 years | Mandatory | 7-year retention per Corporations Act and licensee requirements. | OS-DHP-001 s5; OS-PDP-001 s7 | Met |
| 12.2 | Sensitive information stored in approved technology (approved financial planning software, managed cloud platform) | Mandatory | All client data stored in approved systems (approved financial planning software, managed cloud platform). Out Sauce does not store client data on local devices. | OS-DHP-001 s4 | Met |
| 12.3 | Personal (including sensitive) information held in one spot only, not duplicated | Mandatory | Single-source storage principle. TFNs stored only in approved financial planning software, not across multiple documents. | OS-DHP-001 s4.2 | Met |
13. CYBER LIABILITY INSURANCE
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 13.1 | Cyber insurance mandatory, minimum $1,000,000 sum insured | Mandatory | Out Sauce holds CFC cyber insurance with $2,000,000 per Insuring Clause (Network Security Liability, Privacy Liability, Management Liability). Exceeds $1M minimum. | CFC Certificate of Currency (9 Dec 2025), Policy ESO0140468699 | Exceeds |
| 13.2 | Sub-limits on key coverages should be avoided | Mandatory | CFC policy provides $2M limits per Insuring Clause with no Section-level sub-limits identified in the policy wording or COC. | CFC COC; CFC Policy Wording v3.0 | Met |
| 13.3 | Maximum retention (excess) of $5,000 recommended | Mandatory | Out Sauce cyber policy excess is $2,500 per claim — below the $5,000 maximum recommended. | CFC Policy Schedule | Exceeds |
| 13.4 | Policy must cover 1st party losses (incident response, business interruption, privacy notification, cyber extortion, data recovery) and 3rd party claims | Mandatory | CFC policy covers: 1st party — incident response (IC1-A), business interruption (IC3-B), privacy notification (IC1-E), cyber extortion (IC2-D), data recovery (IC3-A). 3rd party — network security liability (IC4-A), privacy liability (IC4-B), management liability (IC4-C), regulatory fines (IC4-D). | CFC Policy Wording v3.0, Insuring Clauses 1-7 | Exceeds |
| 13.5 | Retroactive date should be unlimited | Mandatory | Retroactive date is unlimited. | CFC COC (9 Dec 2025) | Exceeds |
| 13.6 | Territorial cover should be worldwide where possible | Mandatory | Legal Action jurisdiction is worldwide. | CFC COC (9 Dec 2025) | Met |
| 13.7 | Policy to include 24/7 breach response coach/incident response manager | Mandatory | CFC policy includes 24/7 cyber incident response line and cyber incident manager who coordinates initial response, provides threat intelligence, and remote support. | CFC Policy Wording v3.0, IC1 Section A | Met |
| 13.8 | No 'Widespread Event' exclusion | Mandatory | No 'Widespread Event' exclusion in CFC policy. Standard 'Core internet infrastructure failure' exclusion only (industry standard, not a widespread event exclusion). | CFC Policy Wording v3.0, Exclusions | Met |
| 13.9 | Ransomware co-insurance avoided, or maximum 25% if unavoidable | Mandatory | CFC policy covers extortion including ransomware (IC2-D) with no co-insurance clause. Full coverage without co-insurance requirement. | CFC Policy Wording v3.0, IC2 Section D | Met |
14. IT CONSULTANT OR SPECIALIST
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 14.1 | Mandatory to engage a professional IT consultant | Mandatory | Out Sauce engages Destiny IT Pty Ltd as dedicated managed IT services provider. Destiny IT specialises in the Australian financial advice industry. Destiny IT is ISO 27001:2022 certified (Compass Assurance Services, JAS-ANZ accredited, Certificate #6686-3757-01, valid to November 2027). | Destiny IT MSA | Exceeds — specialist industry IT provider |
| 14.2 | IT consultant must hold PI and cyber insurance; COC maintained | Mandatory | Destiny IT holds PI ($1M per claim / $2M aggregate) and cyber insurance ($1M first party, $1M third party). SURA Technology Package COC on file, valid to 26/06/2026. | SURA Technology Package COC (10 Feb 2026) | Met |
| 14.3 | IT consultant should provide quarterly reporting on patching and backups | Mandatory | Destiny IT provides reporting capability. Quarterly reporting available on request. | Destiny IT MSA | Met |
15. EXTERNAL OUTSOURCE PROVIDERS
Note: This section applies to Out Sauce's own outsource providers (if any), but also describes what Out Sauce's clients' licensees require of Out Sauce as an external outsource provider. Out Sauce meets all these requirements.
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 15.1 | External outsource providers subject to same standards as the Cyber Policy | Mandatory | Out Sauce meets or exceeds every mandatory requirement in this Cyber Policy, as evidenced by this matrix. | This document | Met |
| 15.2 | Outsource provider must hold PI and cyber insurance; COC maintained | Mandatory | Out Sauce holds PI and cyber insurance (CFC COC on file). Destiny IT holds PI and cyber insurance (SURA COC on file). All COCs current. | CFC COC (9 Dec 2025); SURA COC (10 Feb 2026) | Met |
| 15.3 | Data transfer of personal/sensitive information via approved client portals or approved cloud storage only | Mandatory | Out Sauce transfers all client data via approved methods — approved financial planning software, approved cloud storage with MFA, or encrypted email. | OS-DHP-001 s3 | Met |
| 15.4 | External outsource providers must hold own software licensing | Mandatory | Out Sauce holds all required software licences. Managed cloud platform licensing via Destiny IT. | Destiny IT MSA; Out Sauce software register | Met |
16. ONGOING MONITORING
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 16.1 | Cyber Security Management Plan reviewed at least annually | Mandatory | Out Sauce Information Security Policy suite has a 12-month review cycle. Reviews triggered by regulatory change, security incident, or significant operational change. | OS-ISP-001 s8 | Met |
| 16.2 | Annual cyber assessment by independent cyber risk management business | Mandatory | Annual cyber health check conducted by Destiny IT. Independent third-party assessment to be considered as the business scales. Assessment report placed on file and available to licensee on request. | Destiny IT engagement | Met |
17. CYBER INCIDENT RESPONSE PLAN
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 17.1 | Must have a documented CIRP in place | Mandatory | Out Sauce Cyber Incident Response Plan (OS-CIRP-001) is a comprehensive 6-phase response plan covering detection through post-incident review. | OS-CIRP-001 | Exceeds |
18. INCIDENT MANAGEMENT
| # | Policy Requirement | Type | Out Sauce Control | Evidence | Status |
|---|---|---|---|---|---|
| 18.1 | Contact licensee Risk immediately if a cyber incident occurs or is suspected | Mandatory | Out Sauce notification chain: Personnel → Out Sauce Operations → Destiny IT → Client → Licensee → Regulators. Licensee Risk notified within 24 hours. | OS-CIRP-001 s3 | Met |
| 18.2 | Notify cyber insurance provider immediately | Mandatory | Cyber insurer notification is step 3 in Out Sauce incident response procedure (within first 4 hours for Severity 1-2 incidents). | OS-CIRP-001 s3.2 | Exceeds |
| 18.3 | Provide information in writing as early as possible | Mandatory | Out Sauce incident response includes written situation reports at defined intervals. Communication templates pre-prepared. | OS-CIRP-001 s5 | Exceeds |
Summary
| Category | Total Requirements | Met | Exceeds | Review/Action | Partial |
|---|---|---|---|---|---|
| Updates | 6 | 5 | 1 | 0 | 0 |
| Backups | 7 | 7 | 0 | 0 | 0 |
| MFA | 5 | 4 | 1 | 0 | 0 |
| Access Control | 15 | 10 | 5 | 0 | 0 |
| Password Controls | 8 | 8 | 0 | 0 | 0 |
| Employee Training | 2 | 1 | 1 | 0 | 0 |
| Security Vulnerabilities | 1 | 1 | 0 | 0 | 0 |
| Asset Disposal | 1 | 1 | 0 | 0 | 0 |
| Practice Websites | 3 | 3 | 0 | 0 | 0 |
| Email/Domain Security | 3 | 3 | 0 | 0 | 0 |
| Client Data | 7 | 7 | 0 | 0 | 0 |
| Retention | 3 | 3 | 0 | 0 | 0 |
| Cyber Insurance | 9 | 5 | 4 | 0 | 0 |
| IT Consultant | 3 | 2 | 1 | 0 | 0 |
| External Outsource | 4 | 4 | 0 | 0 | 0 |
| Ongoing Monitoring | 2 | 2 | 0 | 0 | 0 |
| CIRP | 1 | 0 | 1 | 0 | 0 |
| Incident Management | 3 | 1 | 2 | 0 | 0 |
| TOTAL | 83 | 67 | 16 | 0 | 0 |
83 of 83 requirements met or exceeded (100%). 16 requirements exceeded.
Out Sauce Approved AI Tools List
Purpose
This document lists all AI tools approved for use by Out Sauce personnel in the course of Out Sauce business. It is maintained by Out Sauce and may be updated from time to time.
Default position: If a tool is not on this list, it is not approved for use with any Out Sauce data.
Current Status
No AI tools are currently approved for use with Out Sauce client data. Out Sauce continues to review AI tools against security, privacy, and regulatory requirements on an ongoing basis.
Out Sauce personnel must not use any AI tool (including but not limited to ChatGPT, Claude, Gemini, Copilot, or any other generative AI service) for any work involving Out Sauce client data until a tool is formally added to this list and personnel have been notified.
AI tools may be used for general research, professional development, and non-client work that does not involve any Out Sauce data of any classification.
Data Classification Key
| Classification | Description |
|---|---|
| General | Non-sensitive business information with no privacy implications |
| Personal | Information about an identified or identifiable individual (names, contact details, employment, super fund, insurer, policy numbers) |
| Sensitive | Financial details, TFNs, health info, account numbers, government identifiers |
How This List Is Updated
- Out Sauce Operations assesses the tool against security, privacy, and regulatory requirements
- Assessment considers: where data is processed/stored, data retention, encryption, compliance with Privacy Act and licensee requirements
- If approved, the tool is added to this list with conditions and data classification restrictions
- All Out Sauce personnel are notified via email of the change
- Changes take effect on the date of notification
- Out Sauce Operations may remove any tool from this list at any time by email notification, effective immediately
Prohibited Uses (All AI Tools, Including Future Approved Tools)
Regardless of approval status, the following are always prohibited:
- Inputting Sensitive Information (TFNs, health info, financial details, account numbers) into any AI tool unless specifically approved for Sensitive data
- Using AI to make financial advice recommendations without qualified paraplanner review
- Relying on AI outputs without professional verification
- Using AI tools via personal accounts for Out Sauce work
- Disabling or circumventing any data loss prevention controls to use AI tools
Version History
| Version | Date | Change | Approved By |
|---|---|---|---|
| 1.0 | March 2026 | Initial version — no tools approved | Out Sauce Operations |
This document is referenced by Out Sauce Contractors Agreement v2.0, Schedule B (Technology & AI Use Policy) and the Out Sauce Data Handling & Classification Policy (OS-DHP-001).
Out Sauce Information Security Policy
1. PURPOSE
This policy establishes Out Sauce's commitment to protecting the confidentiality, integrity, and availability of information assets — including client data, business systems, and intellectual property.
Out Sauce operates in a regulated environment where the security of client financial data is not just good practice — it is a legal obligation and a core part of the value we deliver. This policy sets the standard we hold ourselves to: not the minimum required, but the standard that positions Out Sauce as a market leader in secure paraplanning services.
2. SCOPE
This policy applies to:
- People: Out Sauce Operations, all contract paraplanners, any future employees or contractors, and approved delegates
- Systems: All Out Sauce-owned and managed devices, software, cloud services, communication platforms, and data repositories
- Data: All information created, received, stored, processed, or transmitted in the course of Out Sauce business, regardless of format
- Third parties: IT service providers (Destiny IT), software vendors, and any entity with access to Out Sauce systems or data
3. SECURITY PRINCIPLES
Out Sauce's information security framework is built on six principles:
3.1 Defence in Depth
No single control point. Multiple, overlapping layers of security — managed devices, EDR, SIEM, DLP, MFA, encryption, training, and monitoring — ensure that a failure in one layer does not compromise the whole.
3.2 Least Privilege
Every person and system gets the minimum access required to perform their function. Access is granted deliberately, reviewed regularly, and revoked promptly when no longer needed.
3.3 Security Enables Innovation
Security is not a barrier — it is the foundation that makes innovation possible. Out Sauce embraces AI, automation, and modern tools because a strong security framework allows us to do so safely. We don't restrict tools out of fear; we approve them through a governed process.
3.4 Assume Breach
We plan and design as though a breach has already occurred or is imminent. This means: monitoring, logging, rapid detection, tested response procedures, and minimising blast radius.
3.5 Human-Centred Security
The strongest security framework fails if people don't understand or follow it. Policies are written in plain language. Training is practical and relevant. Security should be the easy path, not the hard one.
3.6 Continuous Improvement
Security is not a project with a finish date. Out Sauce reviews, tests, and improves its security posture continuously — through formal annual reviews, post-incident analysis, and ongoing threat awareness.
4. GOVERNANCE
4.1 Roles and Responsibilities
| Role | Person / Entity | Responsibilities |
|---|---|---|
| Information Security Owner | Out Sauce Operations | Overall accountability for information security. Approves policies, risk assessments, and security investments. Final authority on security decisions. |
| Operations | Out Sauce Operations | Day-to-day security administration, contractor onboarding/offboarding, training coordination, access reviews |
| IT Security Provider | Destiny IT Pty Ltd | Managed endpoint security, EDR, SIEM, DLP, patching, monitoring, incident response (first technical response), security awareness training and phishing simulations |
| Contract Paraplanners | ~10 independent contractors | Comply with policies, use managed devices, complete training, report incidents, handle data per classification |
| Licensees | Applicable licensee(s) | Set minimum cybersecurity standards via their cyber policies. Out Sauce reports incidents and maintains compliance evidence. |
4.2 Policy Review
- Annual review: Full policy suite reviewed every 12 months (anniversary of effective date)
- Triggered review: Policies reviewed out of cycle following:
  - A security incident
  - A material change in operations (e.g., new systems, significant growth)
  - A regulatory change (e.g., new ASIC guidance, Privacy Act reform, licensee policy update)
  - A change in threat landscape (e.g., new attack vector relevant to Out Sauce)
- Review record: Each review documented with date, reviewer, changes made, and next review date
4.3 Compliance and Enforcement
- All Out Sauce personnel (employees and contractors) must comply with this policy suite
- Non-compliance by contractors is addressed under the Contractors Agreement (material breach provisions)
- Non-compliance by employees is addressed through internal performance management
- Serious or repeated non-compliance may result in termination and reporting to regulators where required
5. REGULATORY FRAMEWORK
Out Sauce operates within the following regulatory framework. This policy suite is designed to meet or exceed all applicable requirements.
5.1 Primary Legislation
| Legislation / Standard | Relevance to Out Sauce |
|---|---|
| Corporations Act 2001 (s912A) | General obligations of financial services licensees. Adequate risk management, including cybersecurity, is a core obligation. Out Sauce supports licensees in meeting these obligations. |
| Privacy Act 1988 | Governs collection, use, storage, and disclosure of personal information. Australian Privacy Principles (APPs) apply. Notifiable Data Breaches (NDB) scheme requires assessment within 30 days and notification to OAIC/individuals if eligible breach. |
| AML/CTF Act 2006 | Client identification and verification requirements. Impacts data retention and handling of identity documents. |
5.2 Regulatory Guidance
| Guidance | Relevance |
|---|---|
| ASIC Report 429 — Cyber resilience | Establishes ASIC's expectation that financial services entities have cyber resilience capability |
| ASIC Report 798 — AI governance | Flags gaps in AI risk frameworks in financial services. Out Sauce's AI policy (Schedule B) addresses this proactively. |
| ASIC enforcement actions | ASIC has established through enforcement actions that cybersecurity failures are actionable breaches of s912A. Out Sauce's framework is designed to defend against these regulatory risks. |
5.3 Industry Standards (Applied by Analogy)
| Standard | How Out Sauce Applies It |
|---|---|
| ACSC Essential Eight | Out Sauce targets Maturity Level 2 across all eight strategies, delivered through Destiny IT's managed services |
| APRA CPS 234 | Although Out Sauce is not directly APRA-regulated, the principles of CPS 234 (information security capability commensurate with threats) inform our framework |
| ISO 27001 | Out Sauce's policy structure follows ISO 27001 domains without pursuing formal certification (disproportionate for current scale). Certification may be pursued as Out Sauce grows. Out Sauce's IT security provider (Destiny IT) holds ISO 27001:2022 certification. |
5.4 Licensee Requirements
| Requirement | Out Sauce Response |
|---|---|
| Licensee cyber policy standards | Out Sauce meets or exceeds all mandatory requirements across leading licensee cyber policy frameworks. See compliance matrix (OS-CCM-001). |
6. SECURITY ARCHITECTURE
Note: Out Sauce is currently deploying these controls as part of its engagement with Destiny IT managed services (commenced March 2026). Items are being implemented progressively during this rollout.
6.1 Overview
Out Sauce's security architecture is delivered through a partnership with Destiny IT, a specialist managed services provider for the Australian financial advice industry. Destiny IT is ISO 27001:2022 certified, providing independent assurance of their information security management systems. This provides enterprise-grade security at a scale appropriate for Out Sauce's operations.
6.2 Technical Controls
| Layer | Control | Provider | Details |
|---|---|---|---|
| Endpoint | Managed devices | Destiny IT | All Out Sauce work to be performed on company-provisioned, centrally managed laptops being deployed to all personnel |
| Endpoint | EDR (Endpoint Detection & Response) | Destiny IT | Continuous monitoring for malware, ransomware, and advanced threats |
| Endpoint | Application management | Destiny IT | Only approved software installed; admin rights restricted |
| Endpoint | Device management (MDM) | Destiny IT | Remote configuration, lock, and wipe capability |
| Identity | MFA (Multi-Factor Authentication) | Destiny IT / approved cloud platform | Required for all systems accessing client data. Authenticator app preferred over SMS. |
| Identity | Enterprise password management | Destiny IT | Being deployed across all Out Sauce personnel as part of Destiny IT rollout. 16-character minimum, no reuse, no browser storage. |
| Network | Advanced anti-spam | Destiny IT | Email filtering and phishing protection |
| Network | Remote access security | Destiny IT / approved cloud platform | VPN available via managed services platform; MFA with conditional access policies (device compliance, geographical restrictions, MFA on every login) as primary remote access control for cloud-native operations |
| Data | DLP (Data Loss Prevention) | Destiny IT | USB transfer blocked by default; additional DLP controls configured as part of Out Sauce onboarding |
| Data | Cloud backups | Destiny IT | Automated backup of all approved cloud platform data |
| Data | Encryption in transit | Approved cloud platform / Destiny IT | TLS for all data transmission; encrypted email for sensitive data |
| Data | Encryption at rest | Approved cloud platform / Destiny IT | Full-disk encryption on endpoints; encrypted cloud storage |
| Monitoring | SIEM | Destiny IT | Security event logging, correlation, and alerting |
| Monitoring | MDR (Managed Detection & Response) | Destiny IT | 24/7 threat monitoring across approved cloud platform and endpoints |
| Training | Security awareness + phishing simulation | Destiny IT | Video-based training via Destiny IT's security provider, delivered monthly or bi-monthly. Includes phishing resistance testing. |
| Patching | Automatic updates | Destiny IT | Regular patching as part of managed services; zero-day patches within 24 hours |
6.3 Administrative Controls
| Control | Details |
|---|---|
| Policy suite | This document set — establishes rules, procedures, and expectations |
| Contractor agreements | Security, data handling, AI, and incident reporting obligations built into agreements |
| Access reviews | Quarterly review of who has access to what systems |
| Onboarding/offboarding | Formal procedures for granting and revoking access |
| Vendor management | Security assessment of all third-party providers |
| Incident response plan | Documented, tested procedures for security incidents |
| Training program | Annual security awareness training (minimum 2 hours) and monthly or bi-monthly phishing simulations (exceeds licensee minimums). Deployment underway as part of Destiny IT onboarding. |
6.4 Physical Controls
| Control | Details |
|---|---|
| Device security | Screen lock (10-minute auto-timeout with dynamic locking enabled), secure storage when not in use |
| No removable media | Client data must not be stored on USB, external drives, or removable media |
| Asset disposal | Managed by Destiny IT — secure data erasure before disposal or redeployment |
| Home office | Contractors must use managed device in a reasonably secure environment (not shared public spaces for extended work with client data visible) |
7. RISK MANAGEMENT
7.1 Risk Appetite
Out Sauce has zero tolerance for:
- Deliberate misuse of client data
- Failure to report known security incidents
- Circumvention of security controls
Out Sauce has managed tolerance for:
- Residual risk after proportionate controls are applied
- Emerging threats that require ongoing monitoring and response
- Operational friction from security controls (mitigated through training and tool selection)
7.2 Risk Assessment
Out Sauce conducts formal risk assessments:
- Annually — comprehensive review of threat landscape, control effectiveness, and residual risk
- On change — when new systems, services, or significant operational changes are introduced
- Post-incident — following any security incident, to identify root cause and control gaps
7.3 Key Risk Areas
| Risk Area | Threat | Controls |
|---|---|---|
| Phishing / social engineering | Credential theft, malware delivery | Anti-spam, MFA, training, phishing simulation |
| Ransomware | Data encryption, business disruption | EDR, backups, MDR, incident response plan |
| Data exfiltration | Unauthorised transfer of client data | DLP, managed devices, approved tools only |
| Insider threat | Contractor misuse of data access | Least privilege, monitoring, data classification |
| Third-party compromise | Vendor breach impacting Out Sauce | Vendor management policy, cloud platform security |
| AI data leakage | Client data input into unapproved AI | Approved AI tools only, training, policy |
| Regulatory non-compliance | ASIC enforcement, licensee breach | Policy suite, training, audit trail |
| Business disruption | System outage, natural disaster | Cloud-based operations, backups, BCP |
8. SECURITY INCIDENT MANAGEMENT
Security incidents are managed under the Cyber Incident Response Plan (OS-CIRP-001). Key commitments:
- Detection: 24/7 monitoring via Destiny IT MDR and SIEM
- Reporting: All personnel must report suspected incidents within 24 hours
- Assessment: Out Sauce assesses whether incident is an Eligible Data Breach per regulatory requirements — statutory assessment period is 30 days (Privacy Act), with licensee policies typically requiring formal assessment within 7 days
- Notification chain: Personnel → Out Sauce → Destiny IT → Affected clients → Licensee → OAIC/regulators (as required)
- Post-incident: Root cause analysis, control improvement, lessons learned
9. DATA PROTECTION
Data protection is governed by the Data Handling & Classification Policy (OS-DHP-001) and the Privacy & Data Protection Policy (OS-PDP-001). Key commitments:
- Three-tier data classification: General / Personal / Sensitive
- Handling requirements specific to each classification
- Approved transfer methods by classification
- 7-year retention (Corporations Act and licensee requirements)
- Secure destruction after retention period
- No client data on personal devices, USB, personal cloud, or unapproved systems
10. BUSINESS CONTINUITY
Business continuity is governed by the Business Continuity & Disaster Recovery Plan (OS-BCP-001). Key commitments:
- Cloud-first architecture minimises single-point-of-failure risk
- Automated backups with tested restore capability
- Documented procedures for operating during system disruption
- Communication plan for clients and contractors during extended outage
11. CONTINUOUS IMPROVEMENT
| Activity | Frequency | Owner |
|---|---|---|
| Policy suite review | Annual + triggered | Out Sauce Operations |
| Risk assessment | Annual + triggered | Out Sauce Operations + Destiny IT |
| Access review | Quarterly | Out Sauce Operations |
| Phishing simulation | Monthly or bi-monthly (via Destiny IT) | Destiny IT |
| Security training | Annual (minimum 2 hours) | Destiny IT (delivery), Out Sauce (coordination) |
| Incident response test | Annual (tabletop exercise) | Out Sauce Operations + Destiny IT |
| Backup restore verification | Ongoing (automated); full manual test on request | Destiny IT |
| Vendor security review | Annual | Out Sauce Operations |
12. RELATED DOCUMENTS
| Document | Reference |
|---|---|
| Cyber Incident Response Plan | OS-CIRP-001 |
| Data Handling & Classification Policy | OS-DHP-001 |
| Acceptable Use Policy | OS-AUP-001 |
| Access Management Policy | OS-AMP-001 |
| Business Continuity & Disaster Recovery Plan | OS-BCP-001 |
| Privacy & Data Protection Policy | OS-PDP-001 |
| Third-Party & Vendor Management Policy | OS-VMP-001 |
| Security Awareness & Training Framework | OS-SAT-001 |
| Out Sauce Contractors Agreement v2.0 | Including Schedules A, B, C |
| Licensee cyber policy standards | External — licensee requirements |
APPROVAL
| Approved by: | Clinton Weekes |
| Position: | Director — Weekes Financial Pty Ltd |
| Date: | March 2026 |
| Next review: | March 2027 |
Out Sauce Cyber Incident Response Plan
1. PURPOSE
This plan provides step-by-step procedures for identifying, containing, investigating, and recovering from cyber security incidents. It ensures Out Sauce can respond rapidly and meet its regulatory obligations under the Privacy Act (Notifiable Data Breaches scheme), licensee cyber policy requirements, and ASIC expectations.
2. SCOPE
This plan covers any actual or suspected Security Incident affecting:
- Out Sauce systems, devices, or data
- Client data handled by Out Sauce or its contractors
- Third-party systems that process Out Sauce data (e.g., approved cloud platform, financial planning software)
3. DEFINITIONS
| Term | Definition |
|---|---|
| Security Incident | Any actual or suspected unauthorised access to, disclosure of, loss of, or interference with Out Sauce systems or data. Includes phishing, malware, ransomware, credential compromise, data breach, device loss/theft, and social engineering. |
| Eligible Data Breach | A data breach likely to result in serious harm to affected individuals, as defined under Part IIIC of the Privacy Act 1988. |
| Near Miss | An event that could have resulted in a Security Incident but was detected and prevented. Near misses are logged for learning purposes. |
4. INCIDENT RESPONSE TEAM
Note: This plan reflects Out Sauce's incident response framework being established as part of the Destiny IT managed services deployment (March 2026).
| Role | Person / Entity | Responsibility |
|---|---|---|
| Incident Commander | Out Sauce Operations | Overall authority. Makes escalation, notification, and communication decisions. |
| Operations Support | Out Sauce Operations | Contractor communication, documentation, administrative support |
| Technical Response | Destiny IT | Technical investigation, containment, eradication, and recovery. 24/7 monitoring and alerting. |
| Licensee Contact | Applicable licensee risk team | Incident assessment, regulatory escalation, breach reporting coordination |
| Cyber Insurance | CFC Underwriting (24/7 incident response line) | Breach response coach, legal, forensics, notification services |
| Legal (if needed) | To be engaged as needed | Legal advice on obligations, notifications, regulatory response |
5. INCIDENT SEVERITY LEVELS
| Level | Description | Examples | Response Time |
|---|---|---|---|
| CRITICAL | Active data exfiltration, ransomware, or compromise of systems containing client data | Ransomware encrypting devices; confirmed unauthorised access to client records; active attacker in systems | Immediate — Destiny IT alerted within minutes; Out Sauce Operations notified within 1 hour |
| HIGH | Confirmed security breach with potential for data exposure, but no confirmed data loss | Compromised credentials; malware detected on managed device; phishing email clicked with credential entry | Within 4 hours — Destiny IT investigates; Out Sauce Operations notified same day |
| MEDIUM | Suspected incident requiring investigation | Unusual login activity; DLP alert triggered; contractor reports lost device | Within 24 hours — Destiny IT investigates; Out Sauce Operations notified within 24 hours |
| LOW | Near miss or minor policy violation | Phishing email received but not clicked; contractor attempts to install unapproved software (blocked) | Within 48 hours — logged for review; addressed in next training/review cycle |
6. INCIDENT RESPONSE PHASES
Phase 1: DETECTION & REPORTING
How incidents are detected:
- Destiny IT monitoring (EDR, SIEM, MDR) — automated alerts
- Contractor or employee reports (within 24 hours of becoming aware)
- Client or third-party notification
- Licensee or regulator notification
- Self-identification during reviews or audits
Reporting requirements:
| Who | Reports To | Timeframe |
|---|---|---|
| Contractor | Out Sauce Operations | Within 24 hours of awareness |
| Out Sauce internal (Operations) | Destiny IT | Immediately / as soon as practicable |
| Destiny IT | Out Sauce Operations | Per monitoring SLA (automated alerts are real-time) |
What to report:
- What happened (or what you suspect happened)
- When it was discovered
- What systems/data may be affected
- What actions have been taken so far
- Contact details for follow-up
Reporting channel: Phone call to Out Sauce Operations + follow-up email to clinton@outsauce.au. For CRITICAL severity, phone call is mandatory — do not rely on email alone.
Phase 2: ASSESSMENT & TRIAGE
Within the first 4 hours (CRITICAL/HIGH) or 24 hours (MEDIUM):
- Confirm the incident — Is this a real incident, a false positive, or a near miss?
- Classify severity — Use the severity table above
- Identify scope — What systems, data, and people are affected?
- Determine data type — Is client data involved? What classification (General / Personal / Sensitive)?
- Assess NDB threshold — Could this be an Eligible Data Breach under the Privacy Act?
Decision tree:
Incident confirmed?
├── NO → Log as near miss. Review in next training cycle. STOP.
├── UNSURE → Investigate further (Destiny IT). Set 24-hour review point.
└── YES → Continue to Phase 3 (Containment), then ask:
    Client data involved?
    ├── NO → Contain and resolve. Log incident. Review controls. STOP.
    └── YES → Contain, then continue to NDB assessment (Phase 5)
Phase 3: CONTAINMENT
Objective: Stop the incident from getting worse. Preserve evidence.
Immediate containment actions (Destiny IT + Out Sauce Operations):
| Action | Responsibility | Notes |
|---|---|---|
| Isolate affected device(s) | Destiny IT | Network isolation, disable remote access |
| Disable compromised accounts | Destiny IT | Reset passwords, revoke tokens |
| Block malicious IPs/domains | Destiny IT | Firewall and email filtering updates |
| Preserve logs and evidence | Destiny IT | Do NOT attempt to "clean up" before preserving |
| Notify affected contractors | Out Sauce Operations | "Stop using the device / system until further notice" |
| Activate cyber insurance | Out Sauce Operations | If CRITICAL or HIGH with likely data breach |
CRITICAL RULE: Do NOT attempt to investigate or remediate independently. Preserve everything and let Destiny IT handle the technical response.
Phase 4: ERADICATION & RECOVERY
Objective: Remove the threat and restore normal operations.
| Action | Responsibility | Details |
|---|---|---|
| Identify root cause | Destiny IT | How did the attacker get in? What vulnerability was exploited? |
| Remove malware/threat | Destiny IT | Clean or reimage affected devices |
| Patch vulnerability | Destiny IT | Apply patches, update configurations |
| Restore from backup | Destiny IT | If data was encrypted/destroyed |
| Reset all credentials | Destiny IT + Out Sauce | All affected accounts, plus any accounts that shared credentials |
| Verify system integrity | Destiny IT | Confirm systems are clean before reconnecting |
| Resume operations | Out Sauce Operations | Notify contractors they can resume; monitor closely |
Phase 5: NOTIFICATION & REGULATORY OBLIGATIONS
Privacy Act — Notifiable Data Breaches (NDB) scheme:
| Step | Timeframe | Action |
|---|---|---|
| 1. Assessment | Start within 24 hours of awareness; complete within statutory timeframes (30 days Privacy Act; 7 days per licensee requirements) | Assess whether breach is likely to result in serious harm. Consider: type of data, sensitivity, who accessed it, what they could do with it, was it encrypted. |
| 2. Reasonable steps | Concurrent with assessment | Take steps to reduce harm (e.g., password resets, account monitoring). If remediation eliminates serious harm risk, NDB notification may not be required. |
| 3. Notify OAIC | If Eligible Data Breach: "as soon as practicable" after assessment | Statement to OAIC including: entity details, description of breach, type of information, recommended steps for individuals. |
| 4. Notify individuals | If Eligible Data Breach: "as soon as practicable" | Same statement as OAIC, delivered to affected individuals (or public notice if individual notification not practicable). |
Licensee notification:
| Step | Timeframe | Action |
|---|---|---|
| 1. Initial report | Within 24 hours of Out Sauce becoming aware | Notify applicable licensee risk team. Provide initial facts. |
| 2. Assessment update | Within 7 days (per licensee requirements) | Provide formal assessment of whether incident is an Eligible Data Breach |
| 3. Ongoing updates | As required | Keep licensee informed of investigation, remediation, and notifications |
Other notifications:
| Party | When | How |
|---|---|---|
| Affected clients | If their data was compromised | Personal contact (phone/email) from Out Sauce Operations — do not delegate to contractors |
| ACSC | If criminal activity suspected | Report via cyber.gov.au |
| Police | If theft, fraud, or criminal activity | QLD Police + AFP (if cross-jurisdictional) |
| Cyber insurer | CRITICAL or HIGH with potential liability | Per policy terms — typically within 24-48 hours |
Phase 6: POST-INCIDENT REVIEW
Within 14 days of incident closure:
- Root cause analysis — What happened and why?
- Control effectiveness — Did existing controls work? What failed?
- Response effectiveness — Was the response plan followed? What worked well? What needs improvement?
- Lessons learned — What changes are needed to policies, controls, or training?
- Action items — Specific, assigned, time-bound actions to prevent recurrence
Document: Post-incident report filed and retained for 7 years. Policy suite updated if required.
7. TESTING
This plan is tested through:
| Test Type | Frequency | Participants |
|---|---|---|
| Tabletop exercise | Annual | Out Sauce Operations, Destiny IT |
| Phishing simulation | Monthly or bi-monthly (via Destiny IT) | All contractors + internal |
| Backup restore verification | Ongoing (automated); full manual test on request | Destiny IT |
| Communication test | Annual | Verify all contact details are current |
A tabletop exercise walks through a realistic scenario (e.g., "a contractor clicks a phishing link and enters their approved cloud platform credentials") and tests the team's response against this plan.
8. RECORD KEEPING
All incident records are retained for 7 years, including:
- Initial incident reports
- Investigation logs
- Communication records (notifications sent)
- Post-incident review reports
- Evidence and forensic reports (from Destiny IT)
- NDB assessment documentation
- Remediation action records
APPROVAL
| Approved by: | Clinton Weekes |
| Position: | Director — Weekes Financial Pty Ltd |
| Date: | March 2026 |
| Next review: | March 2027 |
Out Sauce Data Handling & Classification Policy
1. PURPOSE
This policy establishes how Out Sauce classifies, handles, stores, transfers, and retains information — particularly client data. It ensures all personnel understand their obligations and that Out Sauce meets its regulatory requirements under the Privacy Act, licensee cyber policy standards, and Corporations Act.
2. SCOPE
Applies to all information created, received, stored, processed, or transmitted by Out Sauce personnel (employees and contractors) in the course of Out Sauce business, regardless of format (digital, paper, verbal).
3. DATA CLASSIFICATION
All information handled in Out Sauce operations falls into one of three classifications:
3.1 General Information
Definition: Non-sensitive business information with no privacy implications.
Examples:
- Public business information (Out Sauce website content, marketing materials)
- General industry data, market research, public regulatory guidance
- Internal process documentation (non-confidential)
- General communication not referencing specific clients
Handling requirements:
- Standard care
- May be stored on managed device, approved cloud storage, or approved tools
- No special transfer requirements
- No restriction on approved AI tools for this classification
3.2 Personal Information
Definition: Information as defined in the Privacy Act 1988 — information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Examples:
- Client names, dates of birth, contact details (address, phone, email)
- Employment details and history
- Government identifiers (Medicare, driver's licence, passport — but NOT TFN, which is Sensitive)
- Superannuation fund names and membership numbers
- Insurance policy details (provider name, policy number)
- Basic financial information (salary, employer)
Handling requirements:
- Store only in approved systems (approved cloud platform, financial planning software managed on Out Sauce devices)
- Transfer only via approved methods (see Section 4)
- Must not be emailed without encryption unless limited to: client name, contact details, super fund name, insurance provider name, policy number
- Must not be input into AI tools unless the tool is on the Approved list AND approved for Personal Information
- Must not be stored on personal devices, USB, personal cloud, or unapproved systems
- Access limited to personnel who need it for their current engagement
3.3 Sensitive Information
Definition: A subset of personal information attracting heightened regulatory protection under the Privacy Act, licensee cyber policy standards, and applicable financial services regulation.
Examples:
- Financial details: Assets, liabilities, income, expenses, account numbers, account balances, transaction history, credit reports, credit card numbers
- Tax File Numbers (TFN) — additional protections under the Privacy Act and Tax Administration Act
- Health information: Medical conditions, insurance exclusions, health history (relevant to risk insurance)
- Insurance claims history
- Identity documents: Passport copies, driver's licence copies, birth certificates (when retained)
- Sensitive information under the Privacy Act: Racial/ethnic origin, political opinions, religious beliefs, union membership, sexual orientation, criminal record, biometric data
Handling requirements:
- Highest protection level
- Store only in approved systems with access controls (financial planning software, approved cloud platform with access restrictions)
- Transfer only via approved secure methods (see Section 4)
- Must never be emailed without encryption
- Must never be input into AI tools unless specifically approved for Sensitive Information by Out Sauce
- TFNs must be stored in one location only (approved financial planning software) — not duplicated across file notes, spreadsheets, or emails
- Access strictly limited to personnel with a current, specific need
- Printed copies must be securely destroyed after use (cross-cut shredding)
4. APPROVED TRANSFER METHODS
| Data Classification | Approved Transfer Methods | NOT Approved |
|---|---|---|
| General | Email, approved collaboration tools, approved cloud sharing, approved AI tools | Personal messaging apps |
| Personal | Approved cloud platform (encrypted), approved client portals, secure cloud sharing links with MFA | Unencrypted email (except limited fields — see 3.2), personal cloud, USB, personal messaging |
| Sensitive | Approved cloud platform (encrypted email), approved client portals with access controls, direct system-to-system transfer (e.g., between approved financial planning software instances), password-protected documents (password sent via separate channel) | Unencrypted email, any personal system, USB, AI tools (unless specifically approved) |
These methods meet or exceed leading licensee cyber policy requirements for data transfer by classification.
5. DATA STORAGE
5.1 Approved Storage Locations
| System | Classification Approved | Managed By |
|---|---|---|
| Approved financial planning software | General, Personal, Sensitive | Out Sauce + licensee |
| Approved cloud platform (storage, email, collaboration) — managed tenant | General, Personal, Sensitive (with access controls) | Destiny IT |
| Out Sauce managed device (local storage) | General, Personal (temporary working copies only) | Destiny IT |
Out Sauce may also operate internal workflow and communication tools for task coordination and general business communications. These tools are assessed under the Out Sauce vendor management framework and are restricted to General and limited Personal information only. Sensitive client data (the third classification tier) is stored and transferred exclusively via approved financial planning software and the managed cloud platform.
5.2 Prohibited Storage
Client data (Personal or Sensitive) must never be stored on:
- Personal devices (laptops, phones, tablets not managed by Destiny IT)
- USB drives, external hard drives, or removable media
- Personal cloud storage (personal Google Drive, Dropbox, iCloud, personal OneDrive)
- Personal email accounts
- Consumer AI tools or services not on the Approved Tools list
- Paper files retained beyond immediate use (must be destroyed after use)
5.3 Data Minimisation
- Collect and retain only the client data necessary for the engagement
- Do not duplicate Sensitive Information across multiple locations (e.g., TFN in one place only)
- Working copies of client files on managed devices should be moved to approved cloud storage on completion and not retained locally longer than necessary
6. DATA RETENTION
6.1 Retention Periods
| Data Type | Retention Period | Authority |
|---|---|---|
| Client files (SOAs, ROAs, file notes) | 7 years from creation | Corporations Act s1101C; licensee requirements |
| AML/CTF identification records | 7 years from relationship end | AML/CTF Act 2006 |
| Contractor agreements and records | 7 years from agreement end | General business practice |
| Security incident records | 7 years from incident closure | Out Sauce policy (aligns with other retention) |
| Training records | 7 years | Licensee requirements |
| General business correspondence | 3 years | General business practice |
6.2 Secure Destruction
After the retention period expires:
- Digital data: Secure deletion using approved tools, or device destruction managed by Destiny IT
- Paper records: Cross-cut shredding
- Devices: Secure data erasure and certified disposal managed by Destiny IT
7. SPECIAL CATEGORIES
7.1 Tax File Numbers (TFNs)
TFNs attract additional protections under the Privacy Act and the Tax Administration Act 1953:
- Store in approved financial planning software — single-source principle (do not duplicate across multiple documents)
- Never include in email body (even encrypted email — use secure portal or system-to-system)
- Never duplicate across file notes, spreadsheets, or working documents
- Access strictly limited
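The single-source and no-email rules above only hold if something actually checks outbound content for TFNs before it leaves the tenant. The following is an added example, not part of the Out Sauce policy suite or any Destiny IT tooling: a DLP-style scan that finds nine-digit runs in an email body or file note and keeps only those that pass the public ATO check-digit test (weights 1, 4, 3, 7, 5, 8, 6, 9, 10; the weighted total must be divisible by 11), so policy numbers and mobile numbers are not flagged. The sample text is constructed, and 123 456 782 is a synthetic value that passes the check, not a real TFN.

```python
"""Added example: DLP-style Tax File Number detection for outbound text.

Not part of the Out Sauce policy suite. The check-digit rule is the public
ATO algorithm; the sample text is constructed and the TFN in it is synthetic.
"""
import re

# Public ATO check-digit weights for the nine TFN digits.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Nine digits, optionally grouped 3-3-3 by a space or hyphen, and not part of a
# longer digit run (so a 10-digit mobile number is not sliced into a candidate).
TFN_CANDIDATE = re.compile(r"(?<![\d-])(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?![\d-])")


def is_valid_tfn(digits: str) -> bool:
    """True when a nine-digit string passes the ATO check-digit test."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def mask_tfn(digits: str) -> str:
    """Never log the full TFN; keep the last three digits for the incident record."""
    return "***-***-" + digits[-3:]


def find_tfns(text: str) -> list:
    """Return every check-digit-valid TFN in text, normalised to nine digits."""
    hits = []
    for match in TFN_CANDIDATE.finditer(text):
        digits = "".join(match.groups())
        if is_valid_tfn(digits):
            hits.append(digits)
    return hits


def classify_outbound(text: str) -> dict:
    """Apply the transfer table: a valid TFN makes the content Sensitive, and
    email is not a permitted channel for it, encrypted or not (section 7.1).
    A result of ALLOW only means no TFN was found; other Sensitive fields
    (account numbers, health information) need their own rules."""
    tfns = find_tfns(text)
    if tfns:
        return {"classification": "Sensitive", "action": "BLOCK_EMAIL",
                "tfns": [mask_tfn(t) for t in tfns]}
    return {"classification": None, "action": "ALLOW", "tfns": []}


# Constructed sample: one synthetic TFN, plus a policy number and a mobile
# number that are nine or ten digits long and must not be flagged.
SAMPLE_EMAIL = ("Hi, fact find attached. Client TFN is 123 456 782 for the rollover. "
                "Policy number 123456789, mobile 0412 345 678.")

if __name__ == "__main__":
    print(classify_outbound(SAMPLE_EMAIL))
```

Where this runs is a deployment choice the page does not specify: a mail-flow rule on the managed tenant, a pre-send hook, or a scan over file notes before they are saved. The check digit is what keeps false positives manageable; a plain nine-digit regex would block most insurance policy numbers.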
7.2 Health Information
Health information (relevant to risk insurance advice) is Sensitive Information:
- Store in approved financial planning software or approved cloud platform with access controls
- Transfer via encrypted channels only
- Consider redaction after the specific advice engagement is complete (retain minimum necessary)
7.3 Identity Documents
Copies of passports, driver's licences, birth certificates (used for AML/CTF verification):
- Retain per AML/CTF Act requirements (7 years from relationship end)
- Store in approved financial planning software or approved cloud platform with access controls
- After AML/CTF verification, redact government-issued numbers where possible (per industry best practice)
- Securely destroy after retention period
8. AI & DATA
| Classification | AI Tools Permitted? | Conditions |
|---|---|---|
| General | Yes — any Approved AI Tool | Standard use |
| Personal | Only Approved AI Tools specifically cleared for Personal Information | Must be on Approved Tools list; data must not leave Out Sauce-managed environment |
| Sensitive | Only if specifically approved by Out Sauce for that data type | Extremely limited; requires explicit Out Sauce approval; most AI tools are NOT approved for Sensitive data |
Default rule: When in doubt, do NOT input data into an AI tool. Ask Out Sauce for clarification.
9. BREACH OF THIS POLICY
Deliberate or reckless breach of this policy is treated as a serious matter:
- Contractors: Material breach under Contractors Agreement — may result in immediate termination
- Employees: Disciplinary action up to and including termination
- Regulatory consequences: Depending on the breach, Out Sauce may be required to report to the applicable licensee, OAIC, or ASIC
Inadvertent breaches (e.g., accidentally emailing the wrong file) should be reported immediately. Self-reporting is treated constructively — the goal is to contain and learn, not to punish honest mistakes.
APPROVAL
| Approved by: | Clinton Weekes |
| Position: | Director — Weekes Financial Pty Ltd |
| Date: | March 2026 |
| Next review: | March 2027 |
Out Sauce Acceptable Use Policy
1. PURPOSE
This policy defines acceptable use of Out Sauce technology, systems, and information assets by Out Sauce employees. Contractor technology obligations are governed by the Contractors Agreement (Schedule B — Technology & AI Use Policy), which mirrors and extends this policy.
2. SCOPE
Applies to all Out Sauce-owned or managed technology used by Out Sauce employees, including:
- Out Sauce managed devices (laptops, any future desktops or mobile devices)
- Approved cloud platform (email, collaboration tools, cloud storage)
- Financial planning software
- Any cloud services accessed through Out Sauce accounts
- Internet access through Out Sauce managed devices
3. GENERAL PRINCIPLES
- Out Sauce technology is provided for business purposes. Incidental personal use is acceptable provided it does not compromise security, consume excessive resources, or expose Out Sauce systems to risk.
- All activity on Out Sauce managed devices is subject to security monitoring by Destiny IT (for security purposes only — not productivity tracking).
- Users must not attempt to circumvent, disable, or interfere with security controls.
4. APPROVED USE
4.1 Software and Applications
- Only software approved by Out Sauce and managed by Destiny IT may be installed on managed devices
- Browser extensions must be approved — do not install extensions without checking with Destiny IT
- SaaS applications accessed via browser must be on the Approved Tools list when used with client data
- Requests for new software should be directed to Out Sauce Operations → Destiny IT for security assessment
4.2 Email and Communication
- Use Out Sauce managed email for all business communication
- Do not use personal email for any Out Sauce business
- Do not forward Out Sauce email to personal accounts
- Be cautious with email attachments and links — report suspicious emails via Destiny IT's reporting mechanism
- Do not send Sensitive Information via unencrypted email (see Data Handling Policy)
4.3 Internet Use
- Internet use on managed devices should be primarily business-related
- Incidental personal browsing is acceptable (news, weather, personal banking via secure sites)
- Do not access sites that could compromise device security (pirated software, suspicious downloads)
- Use mobile hotspot rather than public Wi-Fi; if public Wi-Fi is unavoidable, use approved VPN
4.4 Cloud Storage
- Use Out Sauce-managed approved cloud storage for document storage
- Do not sync Out Sauce data to personal cloud accounts
- Do not share Out Sauce files via personal file-sharing services
4.5 AI Tools
- Use only Approved AI Tools (see Contractors Agreement Schedule B, Approved Tools list)
- Do not input Personal or Sensitive client data into any AI tool not specifically approved for that purpose
- Disclose AI use in deliverables where AI materially contributed to content
- You remain responsible for all outputs — AI does not reduce your accountability
5. PROHIBITED USE
The following are prohibited on Out Sauce managed devices and systems:
- Installing unapproved software or browser extensions
- Attempting to gain administrative access or elevate privileges
- Disabling, modifying, or circumventing any security software or controls
- Connecting USB drives or removable media containing client data
- Transferring client data via Airdrop, Bluetooth, or other wireless file-sharing methods
- Leaving Bluetooth enabled when not actively in use
- Storing client data on personal devices, personal cloud, or personal email
- Sharing passwords or login credentials with any other person
- Saving passwords in browser autocomplete (use approved password manager only)
- Using Out Sauce systems for illegal activity
- Downloading or distributing pirated software, media, or content
- Accessing or distributing inappropriate or offensive material
- Using Out Sauce email or systems to impersonate another person
- Making public statements about security incidents without Out Sauce Operations approval
6. PASSWORDS AND AUTHENTICATION
- Use the approved enterprise password manager for all Out Sauce-related credentials
- Passwords must be a minimum of 16 characters
- Passwords must be unique — do not reuse across accounts
- Do not save passwords in browsers — use the password manager only
- MFA (authenticator app preferred) must be enabled on all systems accessing client data
- Report any suspected credential compromise immediately
7. PHYSICAL SECURITY
- Lock managed devices when unattended (screen lock: 10-minute auto-timeout)
- Store managed devices securely when not in use (not visible in vehicles, not left in public spaces)
- Do not leave managed devices unattended in public places
- Report lost or stolen devices within 24 hours (Destiny IT can remote-lock and wipe)
- Secure printed client documents — shred when no longer needed
8. REMOTE WORKING
Out Sauce operates as a remote-first business. When working remotely:
- Use the managed device for all Out Sauce work involving client data
- Ensure your working environment is reasonably private (client data not visible on screen to unauthorised people)
- Use mobile hotspot or secure home network — avoid public Wi-Fi without VPN
- Lock device when stepping away, even briefly
9. REPORTING
Report the following to Out Sauce Operations and/or Destiny IT:
- Suspected phishing emails or social engineering attempts
- Any unusual device behaviour (slowness, unexpected pop-ups, unfamiliar software)
- Lost or stolen devices
- Any suspected security incident (see Cyber Incident Response Plan)
- Any situation where you're unsure whether an action is permitted under this policy
APPROVAL
| Approved by: | Clinton Weekes |
| Position: | Director — Weekes Financial Pty Ltd |
| Date: | March 2026 |
| Next review: | March 2027 |
Out Sauce Access Management Policy
1. PURPOSE
This policy governs how access to Out Sauce systems, data, and resources is granted, managed, reviewed, and revoked. It implements the principle of least privilege — every person gets only the access they need, when they need it.
2. SCOPE
Applies to all access to Out Sauce systems and data, including:
- Approved cloud platform (email, collaboration tools, cloud storage)
- Approved financial planning software
- Out Sauce managed devices
- Any cloud services or SaaS platforms used for Out Sauce business
- Physical access to Out Sauce equipment
3. PRINCIPLES
- Least privilege: Grant the minimum access needed to perform the role
- Need to know: Access to client data is limited to the specific engagements a person is working on
- Separation of duties: Where practicable, no single person has unchecked access to all systems (the Director as sole principal is an exception — mitigated by monitoring and audit trails)
- Timely revocation: Access is removed promptly when no longer needed
- Accountability: All access is attributed to a named individual — no shared accounts
4. ACCESS ROLES
4.1 Out Sauce Access Roles
| Role | Systems | Access Level | Assigned To |
|---|---|---|---|
| Operations / Admin | All Out Sauce systems, approved cloud platform admin, approved financial planning software (full) | Full access + admin | Out Sauce Operations |
| Operations | Approved cloud platform (email, collaboration tools, cloud storage), invoicing/billing, contractor records | Standard user + billing access | Out Sauce Operations |
| Contract Paraplanner | Approved cloud platform (limited — email, collaboration tools, cloud storage for assigned work), approved financial planning software (assigned client files only) | Restricted — engagement-specific | Each contractor individually |
| Destiny IT | Approved cloud platform admin (security), device management, SIEM, EDR, monitoring tools | Admin — security functions only | Destiny IT service team |
4.2 Contractor Access Restrictions
Contractors receive access only to:
- The managed device assigned to them
- Approved cloud platform accounts provisioned for their work
- Approved financial planning software access limited to the specific clients they are assigned to work on
- No admin rights on any system
- No access to Out Sauce business/financial data, other contractors' work, or internal strategic documents
5. ACCESS LIFECYCLE
5.1 Onboarding — New Contractor
| Step | Action | Responsible | Timing |
|---|---|---|---|
| 1 | Signed Contractors Agreement received (including Schedules A, B, C) | Out Sauce Operations | Before any access granted |
| 2 | Security awareness training scheduled | Out Sauce Operations + Destiny IT | Within 30 days of device receipt |
| 3 | Managed device provisioned and configured | Destiny IT | Before first engagement |
| 4 | Approved cloud platform account created (managed tenant) | Destiny IT | With device |
| 5 | Approved financial planning software access provisioned (engagement-specific) | Out Sauce Operations | Per engagement |
| 6 | Password manager account created | Destiny IT | With device |
| 7 | MFA configured and verified | Destiny IT + Contractor | At device setup |
| 8 | Access details logged in register | Out Sauce Operations | On completion |
5.2 Onboarding — New Employee
| Step | Action | Responsible | Timing |
|---|---|---|---|
| 1 | Employment agreement signed | Out Sauce Operations | Before start date |
| 2 | Access role determined | Out Sauce Operations | Before start date |
| 3 | Device provisioned | Destiny IT | By start date |
| 4 | All accounts created per role | Destiny IT + Out Sauce Operations | By start date |
| 5 | Security training completed | Destiny IT | Within first week |
| 6 | Access logged in register | Out Sauce Operations | On completion |
5.3 Access Changes
When a person's role changes or they need access to additional systems:
- Request made to Out Sauce Operations
- Out Sauce Operations assesses against least privilege principle
- If approved, Destiny IT or Out Sauce Operations provisions the access
- Change logged in access register
5.4 Offboarding — Contractor Departure
| Step | Action | Responsible | Timing |
|---|---|---|---|
| 1 | Agreement termination confirmed | Out Sauce Operations | Per agreement terms |
| 2 | All approved cloud platform access disabled | Destiny IT | Within 24 hours of termination |
| 3 | Approved financial planning software access revoked | Out Sauce Operations | Within 24 hours |
| 4 | Managed device returned | Contractor → Out Sauce Operations | Within 7 days (per agreement) |
| 5 | Device data securely wiped and redeployed/disposed | Destiny IT | On receipt |
| 6 | Password manager access revoked, shared credentials rotated | Destiny IT | Within 24 hours |
| 7 | Access removal logged in register | Out Sauce Operations | On completion |
| 8 | Written certification of data return/destruction received | Contractor | Per agreement |
5.5 Offboarding — Employee Departure
Same process as contractor, plus:
- All internal documents and access reviewed for completeness
- Handover of ongoing responsibilities documented
6. ACCESS REVIEWS
| Review Type | Frequency | Reviewer | Scope |
|---|---|---|---|
| Quarterly access review | Every 3 months | Out Sauce Operations (both team members) | All active accounts — verify each person still needs their current access level |
| Annual comprehensive review | Annually | Out Sauce Operations + Destiny IT | Full review of all access roles, permissions, and controls |
| Post-incident review | After any security incident | Out Sauce Operations + Destiny IT | Review whether access controls contributed to the incident |
Action on review: Any unnecessary access identified is revoked within 7 days.
7. PRIVILEGED ACCESS
7.1 Admin Accounts
- Admin access to approved cloud platform and Out Sauce systems is limited to Out Sauce Operations and Destiny IT (security administration)
- Admin access must use MFA
- Admin actions are logged via SIEM
- The concentration of admin access in Out Sauce Operations is mitigated by Destiny IT's independent monitoring and audit trail
7.2 Destiny IT Access
Destiny IT has administrative access to Out Sauce systems for security management purposes. This access is governed by:
- Destiny IT's own professional indemnity and cyber insurance
- Out Sauce's Third-Party & Vendor Management Policy
- Destiny IT's contractual obligations (managed services agreement)
- SIEM logging of their administrative actions
8. AUTHENTICATION REQUIREMENTS
| Requirement | Standard |
|---|---|
| MFA | Mandatory for all accounts accessing client data. Authenticator app preferred (not SMS). |
| Password length | Minimum 16 characters |
| Password reuse | Must not reuse any of last 10 passwords |
| Password manager | Mandatory — enterprise password manager managed by Destiny IT |
| Browser password storage | Prohibited — use password manager only |
| Failed login attempts | Account locked after 5 failed attempts |
| Password rotation | Every 90 days (or immediately after suspected compromise) |
| Shared accounts | Prohibited — every person has their own credentials |
9. ACCESS REGISTER
Out Sauce will maintain an access register documenting:
- Who has access to what systems
- What access level (role)
- Date access was granted
- Date of last review
- Date access was revoked (where applicable)
The register will be maintained by Out Sauce Operations and reviewed quarterly.
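The register fields in this section, together with the deadlines in sections 5.4 (revocation within 24 hours of departure) and 6 (quarterly review, unnecessary access revoked within 7 days), are simple enough to check mechanically before each quarterly review. The script below is an added example, not part of the Out Sauce policy suite: it assumes the register is exported as CSV with the columns shown (the policy names the fields but no file format), and the rows are constructed sample data, not real Out Sauce records.

```python
"""Audit an access register against the Access Management Policy deadlines.

Added illustration, not Out Sauce's own tooling. The CSV layout and the
sample rows are constructed assumptions; the policy lists the fields only.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Deadlines taken from sections 5.4 and 6 of the policy.
REVIEW_INTERVAL = timedelta(days=90)        # quarterly access review
DEPARTURE_REVOCATION = timedelta(hours=24)  # revoke within 24h of departure
REVIEW_REVOCATION = timedelta(days=7)       # revoke within 7 days of review

# Constructed sample register (assumed column layout, fictitious people).
SAMPLE_REGISTER = """\
person,system,role,granted,last_review,review_outcome,departed,revoked
alice,cloud-platform,paraplanner,2025-11-03,2026-01-10,keep,,
bob,fp-software,paraplanner,2025-09-15,2025-10-01,keep,,
carol,cloud-platform,paraplanner,2025-08-01,2026-01-10,keep,2026-03-01T10:00,
dave,fp-software,admin,2025-06-20,2026-02-20,revoke,,
erin,cloud-platform,paraplanner,2025-12-01,2026-02-20,revoke,,2026-02-23
"""

# Fixed "now" so the sample run is reproducible.
AUDIT_TIME = datetime(2026, 3, 5, 9, 0)


@dataclass(frozen=True)
class Finding:
    person: str
    system: str
    issue: str


def _parse_date(value: str) -> date | None:
    return date.fromisoformat(value) if value else None


def _parse_dt(value: str) -> datetime | None:
    return datetime.fromisoformat(value) if value else None


def audit_register(register_csv: str, now: datetime) -> list[Finding]:
    """Return one Finding per policy deadline that an open entry has missed."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(register_csv)):
        if row["revoked"]:
            continue  # closed entry: access already removed and logged
        person, system = row["person"], row["system"]
        granted = _parse_date(row["granted"])
        # An entry never reviewed is measured from the grant date instead.
        last_review = _parse_date(row["last_review"]) or granted
        departed = _parse_dt(row["departed"])

        if departed and now - departed > DEPARTURE_REVOCATION:
            findings.append(Finding(person, system,
                "departure revocation overdue (>24h, section 5.4)"))
        if row["review_outcome"] == "revoke" and \
                now.date() - last_review > REVIEW_REVOCATION:
            findings.append(Finding(person, system,
                "revocation flagged at review still open (>7 days, section 6)"))
        if now.date() - last_review > REVIEW_INTERVAL:
            findings.append(Finding(person, system,
                "quarterly access review overdue (>90 days, section 6)"))
    return findings


def sample_findings() -> list[Finding]:
    """Run the audit over the constructed register at the fixed audit time."""
    return audit_register(SAMPLE_REGISTER, AUDIT_TIME)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.person:<6} {f.system:<15} {f.issue}")
```

In the sample run, `carol` is flagged because her access is still open almost four days after departure, `dave` because access marked for revocation at the February review is still open after 13 days, and `bob` because his last review is more than 90 days old; `erin` is skipped because the register already records the revocation. Entries with a blank `last_review` are measured from the grant date, so a never-reviewed account is also caught once it passes 90 days.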
APPROVAL
| Approved by: | Clinton Weekes |
| Position: | Director — Weekes Financial Pty Ltd |
| Date: | March 2026 |
| Next review: | March 2027 |
Out Sauce Business Continuity & Disaster Recovery Plan
1. PURPOSE
This plan ensures Out Sauce can maintain or rapidly restore critical business operations following a disruption — whether from a cyber incident, system failure, natural disaster, or other cause. It establishes recovery priorities, procedures, and communication protocols.
2. OUT SAUCE BUSINESS PROFILE
| Item | Detail |
|---|---|
| Business model | Cloud-first, remote workforce |
| Critical function | Paraplanning services (SOAs, ROAs, file notes) for financial advice clients |
| Employees | 2 (both in Out Sauce Operations) |
| Contractors | ~10 contract paraplanners |
| IT infrastructure | Approved cloud platform, Destiny IT managed endpoints, approved financial planning software (cloud) |
| Physical office | Home-based — no dedicated office premises |
| Key dependency | Internet access, approved cloud platform, approved financial planning software, managed devices |
Out Sauce's cloud-first, remote model is inherently resilient. There is no single physical location whose loss would halt operations. The primary risks are: system/cloud outages, cyber incidents, and key person unavailability.
3. RECOVERY OBJECTIVES
| Metric | Target | Rationale |
|---|---|---|
| Recovery Time Objective (RTO) | 24 hours for critical systems; 72 hours for full operations | Clients expect responsive service; most work can tolerate 1-day gap |
| Recovery Point Objective (RPO) | 24 hours (maximum data loss) | Approved cloud platform backups run daily (Destiny IT); work saved to cloud is near-real-time |
| Maximum Tolerable Downtime (MTD) | 5 business days | Beyond this, client relationships and regulatory obligations are at risk |
4. CRITICAL BUSINESS FUNCTIONS
| Priority | Function | Systems Required | RTO |
|---|---|---|---|
| 1 — Critical | Client communication | Approved cloud platform email, approved collaboration tools, phone | 4 hours |
| 2 — Critical | Access to existing client files | Approved financial planning software, approved cloud platform | 24 hours |
| 3 — Essential | Paraplanning production | Approved financial planning software, approved cloud platform, managed devices | 24-48 hours |
| 4 — Essential | Invoicing and payments | Approved accounting software, banking | 72 hours |
| 5 — Important | Internal administration | Approved cloud platform, internal documents | 72 hours |
| 6 — Deferrable | Marketing, business development | Various | 5+ business days |
5. DISRUPTION SCENARIOS AND RESPONSES
5.1 Scenario: Single Managed Device Failure
- Contractor reports device failure to Out Sauce and Destiny IT
- Destiny IT diagnoses remotely — if recoverable, fix within SLA
- If device is unrecoverable, Destiny IT manages device replacement or repair under manufacturer warranty arrangements
- Contractor's cloud-stored work is intact (approved cloud platform backup)
- RTO: 24-48 hours for device replacement; 0 data loss
5.2 Scenario: Cloud Platform Outage
- Monitor cloud platform service health dashboard
- Communicate with contractors via phone/SMS (contact list maintained offline)
- For short outages (<4 hours): wait for restoration
- For extended outages (>4 hours): contractors continue offline work on managed devices; Out Sauce communicates client delays via phone
- RTO: Dependent on cloud platform provider (99.9%+ availability per the vendor's published SLA); typically <4 hours for major outages
5.3 Scenario: Financial Planning Software Outage
- Monitor vendor status page
- Notify contractors of outage
- Redirect contractors to work that doesn't require the platform (admin tasks, offline research)
- Notify affected clients of potential delays
- RTO: Dependent on vendor — typically <24 hours
5.4 Scenario: Cyber Incident (Ransomware / Data Breach)
- Activate Cyber Incident Response Plan (OS-CIRP-001) — takes priority over BCP
- Destiny IT leads technical response (containment, investigation)
- Out Sauce communicates with contractors: "Stop all Out Sauce work until cleared"
- Out Sauce communicates with affected clients per incident response plan
- Recovery from approved cloud platform backups once Destiny IT confirms systems are clean
- RTO: 24-72 hours depending on severity
5.5 Scenario: Key Person Unavailability
- Short-term (<1 week): Other Out Sauce team members manage day-to-day operations. Contractors continue existing engagements autonomously. Destiny IT continues security operations independently.
- Extended (>1 week): Out Sauce Operations contacts applicable licensees for guidance on obligations. Consider activating a nominated emergency contact (e.g., trusted industry peer or professional adviser) who can make decisions if needed.
- All critical passwords and account access are documented in a secure location accessible to the Out Sauce Operations team.
5.6 Scenario: Internet Outage (Individual)
- Use mobile phone hotspot as backup internet connection
- If prolonged, work from alternative location with internet access
- Notify Out Sauce if unable to meet engagement deadlines
5.7 Scenario: Natural Disaster (Regional)
- Cloud-first model means geographic redundancy is built in — approved cloud platform data is replicated across provider data centres
- Users outside the affected area continue working normally
- Affected users resume when safe and connectivity restored
- Client communication priorities maintained via phone
6. BACKUP AND RECOVERY
6.1 Backup Architecture
| Data | Backup Method | Frequency | Retention | Managed By |
|---|---|---|---|---|
| Approved cloud platform email, cloud storage, collaboration tools | Cloud Platform Backups | Daily (minimum) | Per Destiny IT retention settings | Destiny IT |
| Approved financial planning software | Vendor-managed backups | Per vendor SLA | Per vendor | Vendor |
| Managed device local data | Synced to approved cloud storage; backed up via approved cloud platform | Near-real-time (cloud storage sync) | Per cloud platform backup retention | Destiny IT |
6.2 Backup Testing
- Automated restore verification: Destiny IT's backup platform performs automated restore integrity verification to confirm recoverability on an ongoing basis. Full manual restore testing is available on request as an additional service.
- Post-incident: If backups are used in incident recovery, the process is documented and reviewed
6.3 Backup Security
- Backups are encrypted and isolated from the production network (per industry best practice)
- Backup access is restricted to Destiny IT administrators
- Backup integrity is monitored by Destiny IT
7. COMMUNICATION PLAN
7.1 During Disruption
| Audience | Communication Method | Responsible | Timing |
|---|---|---|---|
| Contractors | Phone/SMS (primary), email if available | Out Sauce Operations | Within 2 hours of disruption |
| Clients (affected) | Phone call from Out Sauce Operations | Out Sauce Operations | Within 4 hours |
| Destiny IT | Phone + email (established support channels) | Out Sauce Operations | Immediately |
| Applicable licensee | Per licensee cyber policy (if applicable) | Out Sauce Operations | Per incident response plan |
7.2 Contact List
Out Sauce maintains an offline (printed) contact list containing:
- All contractor mobile numbers and personal email addresses
- Destiny IT support phone number
- Licensee risk team contacts
- Cyber insurance claims contact
- Key client contacts
This list is kept in a secure physical location accessible to both Out Sauce Operations team members, and updated quarterly.
8. TESTING
| Test | Frequency | Scope |
|---|---|---|
| Contact list verification | Quarterly | Confirm all numbers/emails are current |
| Backup restore verification | Ongoing (automated) | Backup platform self-tests restore integrity; full manual restore available on request |
| Tabletop exercise | Annual | Walk through a scenario (combined with incident response plan testing) |
| Communication test | Annual | Test ability to reach all contractors via phone/SMS |
9. PLAN MAINTENANCE
- Reviewed annually or after any activation
- Updated when: new systems introduced, team size changes significantly, contact details change
- Out Sauce Operations is responsible for ensuring the plan remains current
APPROVAL
| Approved by: | Clinton Weekes |
| Position: | Director — Weekes Financial Pty Ltd |
| Date: | March 2026 |
| Next review: | March 2027 |
Out Sauce Privacy & Data Protection Policy
1. PURPOSE
This policy establishes how Out Sauce collects, uses, stores, discloses, and protects personal information in compliance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Notifiable Data Breaches (NDB) scheme, and evolving privacy legislation.
2. SCOPE
Applies to all personal information handled by Out Sauce in the course of business, including:
- Information about clients of financial advice firms (Out Sauce's clients' customers)
- Information about Out Sauce's own clients (the advice firms)
- Information about Out Sauce contractors and employees
- Information about prospective clients, contractors, or employees
3. AUSTRALIAN PRIVACY PRINCIPLES — OUT SAUCE COMPLIANCE
APP 1 — Open and Transparent Management of Personal Information
Out Sauce maintains this policy and the Data Handling & Classification Policy (OS-DHP-001) to document how personal information is managed. These policies are available to individuals on request.
APP 2 — Anonymity and Pseudonymity
Where practicable, Out Sauce allows individuals to interact anonymously (e.g., general enquiries). However, the nature of paraplanning services requires identification of clients for regulatory and professional purposes.
APP 3 — Collection of Personal Information
- Out Sauce collects personal information only where reasonably necessary for providing paraplanning services
- Collection is from the advice firm (Out Sauce's client) — Out Sauce does not typically collect information directly from end consumers
- Out Sauce collects Sensitive Information only where required for the specific advice engagement (e.g., health information for risk insurance, financial details for investment advice)
- Individuals are notified of collection through the advice firm's own privacy notices
APP 4 — Dealing with Unsolicited Information
If Out Sauce receives personal information it did not request and does not need:
- Assess whether it would have been permitted to collect it
- If not, destroy or de-identify the information as soon as practicable
APP 5 — Notification of Collection
Out Sauce relies on the advice firm (as the primary entity in the client relationship) to notify individuals about collection. Out Sauce's privacy information is available on request for inclusion in advice firm disclosures.
APP 6 — Use or Disclosure of Personal Information
Out Sauce uses personal information only for:
- The purpose for which it was collected (providing paraplanning services)
- A directly related secondary purpose the individual would reasonably expect
- Where required or authorised by law (e.g., regulatory reporting, AML/CTF obligations)
Out Sauce does not:
- Sell personal information
- Use personal information for direct marketing
- Disclose personal information to overseas recipients (unless the advice firm's client has overseas connections and disclosure is necessary for the engagement)
- Share personal information between unrelated Out Sauce clients
APP 7 — Direct Marketing
Out Sauce does not use personal information collected through paraplanning services for direct marketing.
APP 8 — Cross-Border Disclosure
Out Sauce does not routinely disclose personal information overseas. If an engagement requires it (e.g., international estate planning), Out Sauce ensures compliance with APP 8 requirements and the advice firm's instructions.
APP 9 — Government-Related Identifiers
Out Sauce does not adopt, use, or disclose government identifiers (e.g., TFN, Medicare number) as its own identifier. Government identifiers are handled per the Data Handling & Classification Policy (Sensitive Information classification).
APP 10 — Quality of Personal Information
Out Sauce takes reasonable steps to ensure personal information is accurate, up-to-date, and complete. Where Out Sauce identifies inaccuracies in client data, it notifies the advice firm.
APP 11 — Security of Personal Information
Out Sauce protects personal information through:
- The full security framework documented in the Information Security Policy (OS-ISP-001)
- Destiny IT managed services (EDR, SIEM, DLP, encryption, patching)
- Data classification and handling requirements (OS-DHP-001)
- Contractor obligations (Contractors Agreement, Schedule B)
- Training and awareness (OS-SAT-001)
When personal information is no longer needed and not subject to retention requirements, it is securely destroyed (see Data Handling & Classification Policy, Section 6).
APP 12 — Access to Personal Information
Individuals have a right to request access to personal information Out Sauce holds about them. In practice, most requests will come through the advice firm. Out Sauce will:
- Respond to access requests within 30 days
- Provide information in the format requested (where reasonable)
- Not charge for making a request (may charge reasonable costs for providing access)
- Refuse access only where permitted by law (e.g., commercially sensitive information, ongoing legal proceedings)
APP 13 — Correction of Personal Information
If Out Sauce becomes aware that personal information is inaccurate, out of date, incomplete, or misleading:
- Out Sauce takes reasonable steps to correct the information
- Notifies the advice firm of the correction
- If Out Sauce refuses a correction request, it provides written reasons and information about complaint mechanisms
4. NOTIFIABLE DATA BREACHES
4.1 When Does the NDB Scheme Apply?
A data breach is "eligible" for notification if:
- There is unauthorised access to, disclosure of, or loss of personal information
- A reasonable person would conclude the breach is likely to result in serious harm to any of the affected individuals
- Out Sauce has been unable to prevent the likely risk of serious harm through remedial action
4.2 Out Sauce's NDB Process
| Step | Timeframe | Action |
|---|---|---|
| Detect | Ongoing (24/7 via Destiny IT monitoring) | Incident identified through monitoring, contractor report, or third-party notification |
| Contain | Immediately | Per Cyber Incident Response Plan — stop the breach from getting worse |
| Assess | Begin within 24 hours of awareness; complete within 30 days as required by the Privacy Act, or within 7 days where an applicable licensee cyber policy requires it | Assess whether breach is "eligible" — consider: type of data, volume, who accessed it, encryption status, likelihood of serious harm |
| Remediate | Concurrent | Take steps to reduce risk of harm (password resets, account monitoring, etc.) |
| Notify OAIC | If eligible: as soon as practicable after assessment | Statement including: entity details, description, type of information, recommended steps |
| Notify individuals | If eligible: as soon as practicable after assessment | Same statement as OAIC; direct notification where possible |
| Notify licensee | Within 24 hours of Out Sauce awareness; formal assessment within 7 days | Per applicable licensee cyber policy requirements |
4.3 Serious Harm Assessment Factors
When assessing whether serious harm is likely, Out Sauce considers:
- The kind of information involved (TFN, financial details, health info = higher risk)
- Whether the information is encrypted or otherwise protected
- The person(s) who obtained or could obtain the information
- Whether the breach could result in identity theft, financial loss, or reputational damage
- The nature of the harm that could result
4.4 Record Keeping
Out Sauce maintains records of:
- All data breaches (whether or not eligible for notification)
- All NDB assessments
- All notifications made
- All remedial actions taken
Records retained for 7 years.
5. PRIVACY RISK MANAGEMENT
Out Sauce recognises that privacy obligations continue to evolve, with increasing expectations around proportionality, data minimisation, and informed consent for monitoring. Out Sauce manages these risks through:
- Contractor monitoring: monitoring on managed devices is limited to security purposes (not productivity tracking), is proportionate to the risk, and proceeds only with explicit, informed consent. The Contractors Agreement (Schedule A, Clause 5) addresses this.
- Data minimisation: Out Sauce does not collect or retain more personal information than necessary (Data Handling & Classification Policy).
- Proportionality: security measures are proportionate to the risk.
- Regular review of monitoring scope and proportionality.
6. CONTRACTOR AND EMPLOYEE PRIVACY
6.1 Information Out Sauce Holds About Contractors
- Business entity details, ABN, contact information
- Bank details for payment
- Insurance certificates of currency
- Training completion records
- Security incident reports (if any)
- Device assignment and access records
This information is collected with consent (via the Contractors Agreement) and used only for managing the contractor relationship.
6.2 Monitoring and Privacy
- Out Sauce does NOT monitor contractor productivity, hours, or work methods
- Security monitoring on managed devices is limited to threat detection and data protection
- Monitoring data is accessible only to Destiny IT (for security) and Out Sauce (for incident response)
- Contractors are fully informed of monitoring scope before consenting
6.3 Employee Privacy
- Out Sauce holds standard employment records for its two Out Sauce Operations employees (exempt from the APPs under the employee records exemption)
- Despite the exemption, Out Sauce applies the same standards as for contractor information
7. COMPLAINTS
If any individual believes Out Sauce has breached their privacy:
- Contact Out Sauce Operations — clinton@outsauce.au
- Out Sauce will investigate within 30 days and respond in writing
- If not resolved to the individual's satisfaction, they may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au
APPROVAL
| Approved by: | Clinton Weekes |
| Position: | Director — Weekes Financial Pty Ltd |
| Date: | March 2026 |
| Next review: | March 2027 |
Out Sauce Third-Party & Vendor Management Policy
1. PURPOSE
This policy governs how Out Sauce assesses, engages, monitors, and manages third-party vendors and service providers that have access to Out Sauce systems, data, or operations. It ensures that Out Sauce's security and privacy standards are maintained across the supply chain.
2. SCOPE
Applies to all third-party relationships where the third party:
- Accesses, processes, or stores Out Sauce or client data
- Provides IT or technology services to Out Sauce
- Has connectivity to Out Sauce systems or infrastructure
- Provides professional services involving confidential business information
3. THIRD-PARTY RISK TIERS
| Tier | Criteria | Examples | Assessment Level |
|---|---|---|---|
| Tier 1 — Critical | Ongoing access to client data or Out Sauce systems; business-critical service | Destiny IT, financial planning software vendor | Full assessment + annual review |
| Tier 2 — Significant | Regular access to Out Sauce business data or periodic access to client data | Approved accounting software, cloud services, research platforms | Standard assessment + annual review |
| Tier 3 — Standard | Limited or no access to client data; general business services | Office supplies, general SaaS tools not handling client data, website hosting | Basic assessment |
4. ASSESSMENT CRITERIA
4.1 Pre-Engagement Assessment
Before engaging a Tier 1 or Tier 2 vendor, Out Sauce assesses:
| Criterion | What Out Sauce Looks For |
|---|---|
| Security posture | Certifications (ISO 27001, SOC 2), security policies, incident history |
| Data handling | Where data is stored (jurisdiction), encryption at rest and in transit, access controls, data retention and destruction practices |
| Privacy compliance | Privacy policy, APP compliance, handling of personal/sensitive information |
| Insurance | Professional indemnity insurance, cyber insurance (mandatory for Tier 1 per licensee cyber policy requirements) |
| Business continuity | Vendor's BCP/DR capabilities, SLA commitments, historical uptime |
| Regulatory alignment | Compliance with relevant Australian regulations (Privacy Act, ASIC expectations) |
| Subcontracting | Whether the vendor subcontracts services and what controls they apply |
| Financial stability | Basic assessment of vendor viability (especially for critical services) |
4.2 Licensee Requirements for External Outsource Providers
Per leading licensee cyber policy standards, external outsource providers must:
- Hold their own Professional Indemnity Insurance
- Hold their own Cyber Insurance Policy
- Provide Certificates of Currency to Out Sauce (maintained on file, available to licensees on request)
- Transfer client data only via approved methods (approved financial planning software, approved cloud storage, encrypted email)
- Hold their own software licensing
5. CURRENT VENDOR REGISTER
| Vendor | Tier | Service | Data Access | Insurance on File | Last Review |
|---|---|---|---|---|---|
| Destiny IT | 1 — Critical | Managed IT services, security, monitoring (ISO 27001:2022 certified) | Full system access (security admin) | SURA Technology Package COC (valid to Jun 2026) | March 2026 |
| Cloud platform provider | 1 — Critical | Cloud productivity, email, storage | Out Sauce data hosted in approved cloud platform | SOC 2 / ISO 27001 certified | March 2026 |
| Financial planning software | 1 — Critical | Client file management, SOA production | Full client data access | To be confirmed with vendor | March 2026 |
| Approved accounting software | 2 — Significant | Accounting, invoicing | Out Sauce financial data, contractor payment data | SOC 2 certified | March 2026 |
6. ONGOING MONITORING
6.1 Annual Review
All Tier 1 and Tier 2 vendors are reviewed annually:
- Confirm insurance remains current (request updated COCs)
- Review any security incidents reported by the vendor
- Assess any changes to the vendor's services, data handling, or terms
- Review vendor's security certifications and compliance status
6.2 Continuous Monitoring
For Tier 1 vendors:
- Subscribe to vendor security bulletins and incident notifications
- Monitor vendor uptime and service quality against SLA
- Review any changes to vendor's privacy policy or terms of service
6.3 Incident Response
If a vendor experiences a security incident that may affect Out Sauce data:
- Activate Cyber Incident Response Plan (OS-CIRP-001)
- Demand information from the vendor about scope, impact, and remediation
- Assess whether Out Sauce's own NDB obligations are triggered
- Notify applicable licensee if required
7. CONTRACT REQUIREMENTS
Out Sauce's agreements with Tier 1 and Tier 2 vendors should include (where Out Sauce has negotiating power):
| Requirement | Purpose |
|---|---|
| Confidentiality obligations | Protect Out Sauce and client data |
| Data handling and storage location | Ensure data remains in approved jurisdictions |
| Notification of security incidents | Timely notification to Out Sauce |
| Right to audit | Out Sauce can assess vendor's compliance (proportionate to relationship) |
| Data return/destruction on termination | Out Sauce can recover its data and ensure it's destroyed |
| Insurance requirements | PI and cyber insurance (per licensee cyber policy requirements) |
| Subcontracting restrictions | Vendor must notify Out Sauce of material subcontracting |
| Compliance with applicable laws | Privacy Act, relevant regulations |
Practical note: Out Sauce may not have negotiating power over terms with large vendors (cloud platform providers, financial planning software vendors). In those cases, Out Sauce relies on the vendor's published security certifications, terms, and SLAs.
8. OFFBOARDING VENDORS
When a vendor relationship ends:
- Revoke vendor's access to Out Sauce systems (within 24 hours)
- Request return or certified destruction of Out Sauce data
- Rotate any credentials the vendor had access to
- Update vendor register
- Retain records of the vendor relationship for 7 years
APPROVAL
| Approved by: | Clinton Weekes |
| Position: | Director — Weekes Financial Pty Ltd |
| Date: | March 2026 |
| Next review: | March 2027 |
Out Sauce Security Awareness & Training Framework
1. PURPOSE
This framework establishes Out Sauce's security awareness and training program. Its goal is to ensure every person handling Out Sauce data understands the risks, knows the rules, and can recognise and respond to threats.
2. SCOPE
Applies to:
- Out Sauce employees (both Out Sauce Operations team members)
- All contract paraplanners
- Any future employees, contractors, or approved delegates
3. TRAINING REQUIREMENTS
| Requirement | Standard |
|---|---|
| Annual security awareness training | Minimum 2 hours per year for all personnel |
| Phishing simulations | Simulated phishing exercises for all personnel |
| Policy acknowledgment | Annual acknowledgment of Out Sauce policy suite |
| Onboarding | Security orientation before or within 30 days of receiving managed device |
4. TRAINING PROGRAM
4.1 Security Awareness Training
Security awareness training and phishing simulations will be provided through Out Sauce's managed IT services agreement with Destiny IT. This is an included service covering all managed users.
Training is delivered via a video platform through Destiny IT's security provider, with content delivered on a monthly or bi-monthly basis. Training covers security awareness relevant to Out Sauce's operating environment, including recognition and response to cyber threats.
4.2 Out Sauce-Delivered Training
Out Sauce delivers the following directly:
- Onboarding orientation — Out Sauce security framework, key policies, data handling rules, managed device overview
- Policy updates — notification and summary when policies are updated
- Incident debriefs — lessons learned following any security incident
- AI and data handling — Out Sauce's data classification and approved handling methods
4.3 Phishing Simulations
Simulated phishing exercises are included in Out Sauce's managed services agreement with Destiny IT, delivered monthly or bi-monthly depending on requirements. Phishing resistance testing is integrated with the security awareness training platform. Results are used for training purposes — not performance management.
5. TRACKING AND EVIDENCE
5.1 Training Register
Out Sauce maintains a training register documenting:
- Who completed what training
- When it was completed
- Completion evidence
- Phishing simulation results
The register is maintained by Out Sauce Operations and available for licensee audit on request.
5.2 Licensee Reporting
- Training completion records are maintained by Out Sauce and available to licensees on request
- Training register submitted to applicable licensee upon request
APPROVAL
| Approved by: | Clinton Weekes |
| Position: | Director — Weekes Financial Pty Ltd |
| Date: | March 2026 |
| Next review: | March 2027 |
Policy Review Register
1. Purpose
This register provides a centralised record of all Out Sauce policy and procedure documents, their review status, and review history. It ensures that the Out Sauce security and operational document suite remains current, accurate, and aligned with regulatory requirements, threat landscape changes, and business operations.
All Out Sauce documents must be reviewed at least annually or when triggered by specific events outlined in this register.
2. Review Schedule
| Document ID | Document Name | Current Version | Effective Date | Next Review Date | Reviewer | Review Outcome | Changes Made | Notes |
|---|---|---|---|---|---|---|---|---|
| OS-ISP-001 | Information Security Policy | 1.0 | March 2026 | March 2027 | Out Sauce Operations | Pending | — | Initial release |
| OS-CIRP-001 | Cyber Incident Response Plan | 1.0 | March 2026 | March 2027 | Out Sauce Operations | Pending | — | Initial release |
| OS-DHP-001 | Data Handling & Classification | 1.0 | March 2026 | March 2027 | Out Sauce Operations | Pending | — | Initial release |
| OS-AUP-001 | Acceptable Use Policy | 1.0 | March 2026 | March 2027 | Out Sauce Operations | Pending | — | Initial release |
| OS-AMP-001 | Access Management Policy | 1.0 | March 2026 | March 2027 | Out Sauce Operations | Pending | — | Initial release |
| OS-BCP-001 | Business Continuity & DR | 1.0 | March 2026 | March 2027 | Out Sauce Operations | Pending | — | Initial release |
| OS-PDP-001 | Privacy & Data Protection | 1.0 | March 2026 | March 2027 | Out Sauce Operations | Pending | — | Initial release |
| OS-VMP-001 | Third-Party Vendor Management | 1.0 | March 2026 | March 2027 | Out Sauce Operations | Pending | — | Initial release |
| OS-SAT-001 | Security Awareness & Training | 1.0 | March 2026 | March 2027 | Out Sauce Operations | Pending | — | Initial release |
| OS-DDP-001 | Due Diligence Pack | 1.0 | March 2026 | March 2027 | Out Sauce Operations | Pending | — | Initial release |
| OS-CCM-001 | Compliance Matrix | 1.0 | March 2026 | March 2027 | Out Sauce Operations | Pending | — | Initial release |
| OS-AIT-001 | Approved AI Tools List | 1.0 | March 2026 | March 2027 | Out Sauce Operations | Pending | — | Initial release |
3. Triggered Review Criteria
In addition to the scheduled annual review, any Out Sauce document must be reviewed immediately when any of the following triggers occur:
3.1 Security Incident
- A cyber security incident has occurred that exposed a gap or weakness in existing policy
- A near-miss event that revealed inadequate controls or procedures
- A phishing simulation result indicating systemic training or policy failures
3.2 Regulatory Change
- New or amended ASIC regulatory guidance affecting financial services security obligations
- Changes to the Privacy Act, Australian Privacy Principles, or notifiable data breach scheme
- New or updated licensee security requirements or due diligence expectations
- Changes to industry standards referenced in Out Sauce policies (e.g., Essential Eight, ISO 27001)
3.3 Operational Change
- Onboarding of a new licensee or significant change to licensee arrangements
- Addition or removal of a third-party vendor or IT service provider
- Material change to Out Sauce business operations, staffing model, or service delivery
- Introduction of new technology, tools, or platforms into the Out Sauce environment
- Changes to the Destiny IT managed service scope or configuration
3.4 Threat Landscape Change
- Emergence of a new threat category relevant to Out Sauce operations (e.g., novel AI-based attack vectors)
- Industry-wide security advisory or alert affecting financial services practices
- Notification from Destiny IT or other security partners of elevated threat conditions
4. Review Procedure
4.1 Initiation
- Scheduled reviews: Out Sauce Operations initiates the review process no later than 30 days before the documented Next Review Date
- Triggered reviews: The person identifying the trigger notifies Out Sauce Operations, who initiates the review within 5 business days
4.2 Review Steps
- Out Sauce Operations retrieves the current version of the document from the document repository
- The document is assessed against:
  - Current regulatory requirements and licensee obligations
  - Current operational practices and technology environment
  - Any incidents, near-misses, or audit findings since last review
  - Feedback from personnel, licensees, or Destiny IT
- Required changes are drafted and documented
- If changes affect other documents in the suite, those documents are flagged for concurrent review
4.3 Approval
- All policy changes must be approved by Out Sauce Operations before publication
- Material changes (new sections, removed controls, changed classification levels) require documented approval rationale
- Minor changes (formatting, typographical corrections, reference updates) may be approved by Out Sauce Operations
4.4 Distribution
- Updated documents are published to the Out Sauce document repository
- All affected personnel are notified of changes and required to acknowledge updated policies
- Licensees are notified where changes affect due diligence pack content or compliance matrix entries
- The Review Schedule table in this register is updated with the new version, effective date, and next review date
5. Review History Log
| Review Date | Documents Reviewed | Reviewer | Trigger | Outcome | Next Scheduled |
|---|---|---|---|---|---|
| March 2026 | All (initial release) | Out Sauce Operations | Initial publication | All documents approved v1.0 | March 2027 |
6. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | Out Sauce Operations | Initial release |
This document is classified as Internal and is maintained by Out Sauce Operations. It is available to licensees upon request as part of the Out Sauce due diligence pack.
Risk Assessment Register
1. Purpose
This register documents the Out Sauce information security risk assessment methodology, maintains a current record of identified risks, and tracks risk treatment over time. It supports Out Sauce obligations under licensee due diligence requirements and demonstrates a structured, ongoing approach to identifying, assessing, and managing information security risks across the business.
This register is maintained by Out Sauce Operations and reviewed at least annually, or following any significant incident, operational change, or regulatory development.
2. Risk Rating Methodology
2.1 Likelihood Scale
| Rating | Level | Description |
|---|---|---|
| 1 | Rare | May occur only in exceptional circumstances. No history of occurrence. |
| 2 | Unlikely | Could occur at some point but not expected. Has occurred elsewhere in the industry. |
| 3 | Possible | Might occur. Has occurred in similar organisations or environments. |
| 4 | Likely | Will probably occur in most circumstances. Has occurred at Out Sauce or close peers. |
| 5 | Almost Certain | Expected to occur frequently. Is occurring or has recently occurred. |
2.2 Impact Scale
| Rating | Level | Description |
|---|---|---|
| 1 | Insignificant | No measurable impact on operations, data, or reputation. No regulatory consequence. |
| 2 | Minor | Minor operational disruption (<4 hours). No client data affected. Minor inconvenience. |
| 3 | Moderate | Operational disruption (4-24 hours). Limited data exposure. Licensee notification may be required. |
| 4 | Major | Significant disruption (1-5 days). Client data compromised. Regulatory notification required. Licensee relationship at risk. |
| 5 | Catastrophic | Extended outage (>5 days). Large-scale data breach. OAIC notification required. Potential loss of licensee authorisations. Business viability threatened. |
2.3 Risk Rating Matrix
| Likelihood / Impact | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Almost Certain (5) | Medium (5) | High (10) | High (15) | Critical (20) | Critical (25) |
| Likely (4) | Medium (4) | Medium (8) | High (12) | Critical (16) | Critical (20) |
| Possible (3) | Low (3) | Medium (6) | Medium (9) | High (12) | Critical (15) |
| Unlikely (2) | Low (2) | Low (4) | Medium (6) | Medium (8) | High (10) |
| Rare (1) | Low (1) | Low (2) | Low (3) | Medium (4) | Medium (5) |
2.4 Risk Rating Thresholds
| Rating | Score Range | Required Action |
|---|---|---|
| Low | 1-3 | Accept. Monitor during scheduled reviews. |
| Medium | 4-9 | Treat. Ensure controls are operating effectively. Review quarterly. |
| High | 10-15 | Treat urgently. Implement additional controls. Review monthly until reduced. |
| Critical | 16-25 | Immediate action required. Escalate to Out Sauce Operations. Do not proceed with affected activity until mitigated. |
2.5 Risk Appetite Statement
Out Sauce maintains zero tolerance for:
- Deliberate misuse of client data by any personnel
- Use of unapproved tools or platforms for processing client information
- Circumvention of security controls or policies
Out Sauce maintains managed tolerance for:
- Residual risks that remain after all reasonable and proportionate controls have been applied
- Risks rated Low or Medium after treatment, where the cost of further mitigation is disproportionate to the risk reduction achieved
- Operational risks inherent in the delivery of financial planning services (e.g., reliance on third-party platforms)
3. Risk Register
| Risk ID | Category | Risk Description | Likelihood | Impact | Inherent Rating | Controls in Place | Residual Likelihood | Residual Impact | Residual Rating | Risk Owner | Review Date | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| RSK-001 | Cyber Threat | Phishing / Social Engineering — Credential theft or malware delivery via deceptive emails, calls, or messages targeting Out Sauce personnel | 4 (Likely) | 4 (Major) | Critical (16) | Anti-spam/anti-phishing filtering via Destiny IT; MFA on all accounts; security awareness training (commencing Q2 2026); monthly or bi-monthly phishing simulations (commencing Q2 2026); managed endpoint detection | 2 (Unlikely) | 3 (Moderate) | Medium (6) | Out Sauce Operations | March 2027 | Active |
| RSK-002 | Cyber Threat | Ransomware — Encryption of Out Sauce data and systems causing business disruption and potential data loss | 3 (Possible) | 5 (Catastrophic) | Critical (15) | Endpoint detection and response (EDR) managed by Destiny IT; automated cloud backups; managed detection and response (MDR); documented incident response plan; network segmentation | 2 (Unlikely) | 4 (Major) | Medium (8) | Out Sauce Operations | March 2027 | Active |
| RSK-003 | Data Security | Data Exfiltration — Unauthorised transfer or extraction of client data from Out Sauce systems via email, removable media, or cloud services | 3 (Possible) | 4 (Major) | High (12) | Data loss prevention controls; managed devices only; approved collaboration tools enforced; data classification policy; USB restrictions; cloud platform conditional access | 2 (Unlikely) | 3 (Moderate) | Medium (6) | Out Sauce Operations | March 2027 | Active |
| RSK-004 | Insider Threat | Insider Threat / Contractor Misuse — Deliberate or accidental misuse of access privileges by Out Sauce personnel or contractors | 2 (Unlikely) | 4 (Major) | Medium (8) | Least privilege access model; quarterly access reviews; data classification and handling policy; activity monitoring via Destiny IT; contractor agreements with security obligations; offboarding procedures | 1 (Rare) | 3 (Moderate) | Low (3) | Out Sauce Operations | March 2027 | Active |
| RSK-005 | Third-Party | Third-Party Compromise — Security breach at a vendor or service provider resulting in Out Sauce data exposure or service disruption | 3 (Possible) | 4 (Major) | High (12) | Vendor management policy and register; cloud platform security controls managed by Destiny IT; vendor due diligence assessments; contractual security requirements; monitoring of vendor security posture | 2 (Unlikely) | 3 (Moderate) | Medium (6) | Out Sauce Operations | March 2027 | Active |
| RSK-006 | AI & Technology | AI Data Leakage — Client data entered into unapproved AI tools resulting in data exposure, privacy breach, or loss of control | 3 (Possible) | 4 (Major) | High (12) | Approved AI tools list maintained and enforced; AI governance policy; security awareness training covering AI risks (commencing Q2 2026); human review requirement for all AI outputs; data classification restrictions on AI use | 1 (Rare) | 3 (Moderate) | Low (3) | Out Sauce Operations | March 2027 | Active |
| RSK-007 | Compliance | Regulatory Non-Compliance — Failure to meet ASIC, APPs, or licensee security obligations resulting in enforcement action or loss of authorisation | 2 (Unlikely) | 5 (Catastrophic) | High (10) | Comprehensive policy suite aligned to regulatory requirements; compliance matrix maintained; security awareness training (commencing Q2 2026); audit trail and evidence collection; policy review register; licensee due diligence pack | 1 (Rare) | 4 (Major) | Medium (4) | Out Sauce Operations | March 2027 | Active |
| RSK-008 | Operational | Business Disruption — System outage, infrastructure failure, or loss of access to critical platforms disrupting service delivery | 3 (Possible) | 3 (Moderate) | Medium (9) | Cloud-based operations (no on-premises dependencies); automated backups managed by Destiny IT; business continuity and disaster recovery plan; alternative communication channels documented; mobile device access capability | 2 (Unlikely) | 2 (Minor) | Low (4) | Out Sauce Operations | March 2027 | Active |
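An added consistency check, not part of the Out Sauce pack: it transcribes the section 2.3 matrix, the section 2.4 thresholds and the section 3 register rows into a small Python script, recomputes every score as likelihood x impact, and reports any matrix cell or register row whose written label disagrees with the matrix or with the threshold table. The register rows and labels are copied from the page; the function names are this example's own.

```python
import re

# Section 2.4 thresholds: rating label for score = likelihood x impact.
THRESHOLDS = (("Low", 1, 3), ("Medium", 4, 9), ("High", 10, 15), ("Critical", 16, 25))

# Section 2.3 matrix transcribed from the page: MATRIX[likelihood][impact] -> label.
MATRIX = {
    5: {1: "Medium", 2: "High", 3: "High", 4: "Critical", 5: "Critical"},
    4: {1: "Medium", 2: "Medium", 3: "High", 4: "Critical", 5: "Critical"},
    3: {1: "Low", 2: "Medium", 3: "Medium", 4: "High", 5: "Critical"},
    2: {1: "Low", 2: "Low", 3: "Medium", 4: "Medium", 5: "High"},
    1: {1: "Low", 2: "Low", 3: "Low", 4: "Medium", 5: "Medium"},
}

# Section 3 rows: (risk id, likelihood, impact, inherent label, residual likelihood, residual impact, residual label)
REGISTER = [
    ("RSK-001", 4, 4, "Critical (16)", 2, 3, "Medium (6)"),
    ("RSK-002", 3, 5, "Critical (15)", 2, 4, "Medium (8)"),
    ("RSK-003", 3, 4, "High (12)", 2, 3, "Medium (6)"),
    ("RSK-004", 2, 4, "Medium (8)", 1, 3, "Low (3)"),
    ("RSK-005", 3, 4, "High (12)", 2, 3, "Medium (6)"),
    ("RSK-006", 3, 4, "High (12)", 1, 3, "Low (3)"),
    ("RSK-007", 2, 5, "High (10)", 1, 4, "Medium (4)"),
    ("RSK-008", 3, 3, "Medium (9)", 2, 2, "Low (4)"),
]


def score(likelihood, impact):
    """Multiply the two 1-5 scales; values outside either scale are rejected."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must each be 1-5")
    return likelihood * impact


def threshold_rating(s):
    """Label the section 2.4 score ranges assign to a score."""
    for label, low, high in THRESHOLDS:
        if low <= s <= high:
            return label
    raise ValueError(f"score {s} outside 1-25")


def matrix_threshold_mismatches():
    """Cells where the section 2.3 matrix label disagrees with the section 2.4 thresholds."""
    out = []
    for l in range(1, 6):
        for i in range(1, 6):
            s, cell, band = score(l, i), MATRIX[l][i], threshold_rating(score(l, i))
            if cell != band:
                out.append((l, i, s, cell, band))
    return out


def parse_label(text):
    """Split a register label such as 'Critical (16)' into ('Critical', 16)."""
    m = re.fullmatch(r"(Low|Medium|High|Critical) \((\d+)\)", text)
    if not m:
        raise ValueError(f"unrecognised rating label: {text!r}")
    return m.group(1), int(m.group(2))


def check_row(row):
    """Findings for one register row; an empty list means the row is consistent."""
    rid, l, i, inherent, rl, ri, residual = row
    findings = []
    for stage, lk, im, text in (("inherent", l, i, inherent), ("residual", rl, ri, residual)):
        label, written = parse_label(text)
        s, cell, band = score(lk, im), MATRIX[lk][im], threshold_rating(score(lk, im))
        if written != s:
            findings.append(f"{rid} {stage}: written score {written} != {lk}x{im}={s}")
        if label != cell:
            findings.append(f"{rid} {stage}: label {label} != matrix cell {cell}")
        if label != band:
            findings.append(f"{rid} {stage}: label {label} != threshold rating {band} for score {s}")
    return findings


def check_register(register=REGISTER):
    """Map risk id -> findings, for rows that have at least one finding."""
    return {row[0]: check_row(row) for row in register if check_row(row)}
```

Run over the transcribed rows, `check_register()` flags RSK-002 (inherent score 15: Critical in the matrix, High by the thresholds) and RSK-008 (residual score 4: Low in the matrix, Medium by the thresholds), and `matrix_threshold_mismatches()` isolates those same two cells; every other cell and row agrees with both tables. A reviewer would expect the matrix and the threshold table to be reconciled before relying on either.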
4. Assessment Schedule
4.1 Annual Comprehensive Assessment
- A full risk assessment is conducted annually, aligned with the policy review cycle
- All existing risks are reassessed for changes in likelihood, impact, or control effectiveness
- New risks are identified through environmental scanning, incident review, and stakeholder consultation
- Results are documented in the Assessment History Log below
4.2 On-Change Assessment
- A targeted risk assessment is conducted when any of the following occur:
  - New technology, platform, or tool introduced into the Out Sauce environment
  - New licensee onboarded or significant change to licensee arrangements
  - New vendor engaged or existing vendor scope materially changed
  - Significant change to Out Sauce staffing model or operational processes
  - Regulatory change affecting Out Sauce security obligations
4.3 Post-Incident Assessment
- Following any security incident (actual or near-miss), the relevant risk(s) are reassessed
- Control effectiveness is evaluated in light of the incident
- New risks identified during incident investigation are added to the register
- Assessment is completed within 10 business days of incident closure
5. Assessment History Log
| Assessment Date | Type | Assessor | Key Findings | Actions | Next Due |
|---|---|---|---|---|---|
| March 2026 | Annual (Initial) | Out Sauce Operations | Initial risk assessment completed. 8 risks identified and rated. All residual ratings Low or Medium after controls applied. | Risk register established. Controls documented. Monitoring schedule set. | March 2027 |
6. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | Out Sauce Operations | Initial release |
This document is classified as Internal and is maintained by Out Sauce Operations. It is available to licensees upon request as part of the Out Sauce due diligence pack.
Security Awareness Training Program
1. Purpose
This document defines the Out Sauce security awareness training program, including the annual training schedule, module descriptions, onboarding requirements, and effectiveness measurement criteria. It ensures all Out Sauce personnel, including all operations staff and contract paraplanners, receive consistent, relevant, and timely security training aligned with Out Sauce policy obligations and licensee expectations.
This program is maintained by Out Sauce Operations and delivered in partnership with Destiny IT.
2. Training Requirements Summary
| Requirement | Detail |
|---|---|
| Minimum annual training hours | 2 hours per person per year |
| Applicability | All Out Sauce personnel: operations staff and all contract paraplanners |
| Phishing simulations | Monthly or bi-monthly (commencing Q2 2026) |
| Policy acknowledgment | Annual, plus on any material policy update |
| New starter training | Must be completed within first 5 business days of engagement |
| Non-compliance consequence | Access restrictions until training completed (see Section 6.3) |
3. Annual Training Schedule
| Quarter | Activity | Description | Duration | Delivery Method | Provider | Audience |
|---|---|---|---|---|---|---|
| Q1 | Security Awareness Training | Comprehensive annual security awareness training covering current threats, safe practices, and Out Sauce-specific requirements | 1.5 hours | Online (self-paced) | Destiny IT | All personnel |
| Q1 | Out Sauce Policy Acknowledgment | Review and formal acknowledgment of the Out Sauce policy suite, including any changes since previous acknowledgment | 30 minutes | Self-paced document review | Out Sauce Operations | All personnel |
| Q2 | Phishing Simulation #1 | Simulated phishing email exercise to test recognition and reporting behaviour | N/A | Simulated email | Destiny IT | All personnel |
| Q3 | Phishing Simulation #2 | Second simulated phishing exercise. Personnel who clicked in Q2 receive targeted refresher training | N/A | Simulated email + refresher module | Destiny IT | All personnel |
| Q4 | Phishing Simulation #3 + Annual Review | Third simulated phishing exercise. Annual review of training effectiveness and planning for next cycle | N/A | Simulated email + review | Destiny IT | All personnel |
| Ongoing | Incident Debriefs | Training sessions triggered by actual security incidents or near-misses, covering lessons learned and updated procedures | As needed | Briefing (virtual or in-person) | Out Sauce Operations | Affected personnel |
4. Training Modules
| Module ID | Module Name | Description | Duration | Frequency | Provider | Data Classifications Covered |
|---|---|---|---|---|---|---|
| MOD-001 | Security Awareness Fundamentals | Recognising cyber threats including phishing, social engineering, and business email compromise. Password hygiene, device security, safe browsing, and physical security practices. Reporting suspicious activity. | 1.5 hours | Annual | Destiny IT | All (General, Personal, Sensitive) |
| MOD-002 | Out Sauce Data Classification & Handling | The Out Sauce three-tier data classification system (General, Personal, Sensitive). Approved methods for storing, transferring, and disposing of each classification. Prohibited practices and common mistakes. | 30 minutes | Annual | Out Sauce Operations | All (General, Personal, Sensitive) |
| MOD-003 | AI Governance & Approved Tools | The Out Sauce approved AI tools list and usage restrictions. What data can and cannot be entered into AI tools. Human review requirements for all AI-generated outputs. Prohibited AI practices. | 20 minutes | Annual (and on approved tools list update) | Out Sauce Operations | All (General, Personal, Sensitive) |
| MOD-004 | Incident Reporting | What constitutes a reportable security incident or near-miss. Timeframes for reporting (immediate for confirmed incidents, within 4 hours for suspected). Reporting channels and who to contact. What information to include. Preservation of evidence. | 15 minutes | Annual | Out Sauce Operations | All (General, Personal, Sensitive) |
| MOD-005 | Out Sauce Policy Suite Overview | Onboarding orientation covering all Out Sauce policies: Information Security, Acceptable Use, Data Handling, Access Management, Incident Response, Business Continuity, Privacy, Vendor Management, and AI Governance. Key obligations and where to find each policy. | 45 minutes | On engagement (and on major policy updates) | Out Sauce Operations | All (General, Personal, Sensitive) |
| MOD-006 | Phishing Simulation | Monthly or bi-monthly simulated phishing exercises delivered via email. Tests ability to recognise and report phishing attempts. Results tracked and personnel who fail receive additional targeted training. | N/A | Monthly or bi-monthly (commencing Q2 2026) | Destiny IT | N/A |
5. New Contractor Onboarding Checklist
All new contractors must complete the following steps within their first 5 business days. Access to client data and financial planning software is not granted until all mandatory items are completed.
| Step | Activity | Timing | Responsible | Completed |
|---|---|---|---|---|
| 1 | Receive managed device from Destiny IT | Day 1 | Destiny IT / Out Sauce Operations | [ ] |
| 2 | Complete MOD-005: Out Sauce Policy Suite Overview | Day 1-2 | Out Sauce Operations | [ ] |
| 3 | Complete MOD-001: Security Awareness Fundamentals | Day 1-3 | Destiny IT | [ ] |
| 4 | Acknowledge all Out Sauce policies (signed acknowledgment form) | Day 1-3 | Out Sauce Operations | [ ] |
| 5 | Configure MFA on all assigned accounts | Day 1-2 | Destiny IT / Contractor | [ ] |
| 6 | Complete MOD-002: Out Sauce Data Classification & Handling | Day 3-5 | Out Sauce Operations | [ ] |
| 7 | Complete MOD-003: AI Governance & Approved Tools | Day 3-5 | Out Sauce Operations | [ ] |
Sign-off:
| Role | Name | Date | Signature |
|---|---|---|---|
| Contractor | | | |
| Out Sauce Operations | | | |
6. Completion Requirements
6.1 Passing Criteria
- MOD-001 (Security Awareness Fundamentals): Must achieve minimum 80% score on assessment
- MOD-002 to MOD-005: Must complete all content and provide written acknowledgment
- MOD-006 (Phishing Simulations): No pass/fail — results tracked for trend analysis and targeted remediation
6.2 Timeframes
- Annual training (MOD-001 to MOD-004): Must be completed within Q1 each year
- Policy acknowledgment: Within 10 business days of notification
- New contractor onboarding: Within 5 business days of engagement commencement
6.3 Non-Compliance Consequences
- Personnel who fail to complete mandatory training within the required timeframe will have their access to Out Sauce systems restricted until training is completed
- Personnel who fail a phishing simulation will receive targeted refresher training within 5 business days
- Personnel who fail two consecutive phishing simulations will complete the full MOD-001 module again
- Repeated non-compliance will be escalated to Out Sauce Operations for review and may result in termination of contractor engagement
7. Effectiveness Measurement
Out Sauce Operations tracks the following metrics to assess training program effectiveness:
| Metric | Target | Measurement Frequency | Source |
|---|---|---|---|
| Training completion rate | 100% of personnel within required timeframes | Quarterly | Training register (OS-TR-001) |
| Phishing simulation click rate | <10% (declining trend year-on-year) | Quarterly | Destiny IT simulation reports |
| Phishing reporting rate | >80% of simulated emails reported to IT | Quarterly | Destiny IT simulation reports |
| Credential entry rate | 0% of personnel entering credentials on simulated phishing pages | Quarterly | Destiny IT simulation reports |
| Incident reporting compliance | 100% of incidents reported within required timeframes | Ongoing | Incident register |
| Assessment pass rate | 100% achieving minimum 80% on MOD-001 | Annual | Training register (OS-TR-001) |
| Onboarding completion | 100% of new contractors completing all onboarding within 5 days | Per engagement | Onboarding checklists |
Annual Effectiveness Review
At the end of each training year (Q4), Out Sauce Operations conducts an effectiveness review that considers:
- Year-on-year trends in all metrics above
- Correlation between training and actual incident rates
- Feedback from personnel on training content and delivery
- Changes in threat landscape requiring curriculum updates
- Recommendations for the following year's training program
Results are documented in the Training Register annual summary (OS-TR-001) and reported to Out Sauce Operations.
8. Document Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | Out Sauce Operations | Initial release |
This document is classified as Internal and is maintained by Out Sauce Operations. It is available to licensees upon request as part of the Out Sauce due diligence pack.
Out Sauce Cyber Insurance COC
CFC Cyber Liability — $2M per clause, valid to Sep 2026
Out Sauce Professional Indemnity COC
AIG Professional Indemnity, valid to Sep 2026
Destiny IT Insurance COC
SURA Technology Package — PI $1M/$2M, Cyber $1M/$1M, valid to Jun 2026
Destiny IT ISO 27001:2022 Certificate
Compass Assurance Services, Certificate #6686-3757-01, valid to Nov 2027