Morning Briefing
Management
4 Policies
2 Draft
16 Vendors
Operations
23 Software
$865/user/yr
24 VIP Users
Cybersecurity
3 Critical
4 High
10 Pen Tests
Projects
9 Active
5 Offices
0 Blocked
Needs Your Attention
PDPA — Investigation Cases Require Access Review
6 active cases in SharePoint contain PST exports, HR personnel files, and financial data (Case-003, 004, 006 include PII). No documented retention or disposal decisions for closed cases.
Cyber Incident Procedure — Still DRAFT
The incident response procedure has not been finalised or signed off. In an actual incident, staff have no authoritative procedure to follow.
DR Plan — Still DRAFT
Disaster Recovery Plan exists as a draft document. No sign-off, no tested recovery procedures. BCP project (AlertMedia) is active but DR documentation lags behind.
Hardware Asset Register — Completely Absent
No asset register exists anywhere in the IT folder structure. Cannot demonstrate device inventory to auditors or trace endpoints in a security incident.
Vulnerability Management — No Process Defined
The Vulnerability Management folder in SharePoint is empty. Qualys is licensed ($80/user/yr) but no scan schedule, no remediation workflow, no tracking in place.
Software & Licenses Inventory — Folder Empty
The Software & Licenses folder exists but contains no inventory. License data exists in the Service Catalogue but is not formalised as an audit-ready register.
Management
Governance, policies, vendors, strategy & reporting
Policies — Total
4
2 finalised · 2 draft
⚠ 2 Pending Signoff
Approved Vendors
16
Global — SG, AU, US, JP
Register Active
Compliance Docs
11
DPAs, onboarding, vendor forms
Filed in SharePoint
ISMS Version
Jan 2026
ISMS March 2026 PDF also on record
Current
Policy Status
| Document | Status | Version | ISO 27001 | Action |
|---|---|---|---|---|
| Information Security Management System (ISMS) | Final | Jan 2026 | A.5.1 | Reviewed ✓ |
| AI Policy | Final | 2025 | A.5.1 | Reviewed ✓ |
| Cyber Incident Response Procedure | DRAFT | — | A.16.1 | ⚠ Finalise & sign off |
| Disaster Recovery Plan | DRAFT | — | A.17.1 | ⚠ Finalise & sign off |
Vendor Register — Summary
| Vendor | Region | Category | Status |
|---|---|---|---|
| Microsoft | Global | M365 / Azure / Entra | Active |
| Atlassian | Global | Jira / Confluence / Freshservice | Active |
| Insight | US / SG | Hardware Procurement | Active |
| Dell Technologies | SG / AU / US | Hardware | Active |
| Lenovo | Global | Hardware | Active |
| KnowBe4 | Global | Security Awareness Training | Active |
| IIJ Global Solutions | SG / JP | Network / Connectivity | Active |
| Proarch | US | Cloud / Azure MSP | Active |
| Increscent | — | IT Services | Active |
| Starhub | SG | Telco / Connectivity | Active |
| Executive Centre | AU | Office / Facilities | Active |
| JK Tech | — | IT Services | Active |
Compliance Documentation on File
Deel
DPA + onboarding documentation filed
On File
Diligent
Vendor compliance documents filed
On File
Docusign
DPA + onboarding documentation filed
On File
Drooms
Vendor compliance docs filed
On File
EFTSure
Vendor compliance docs filed
On File
FreshService
DPA + onboarding docs filed
On File
Grammarly
DPA on file in Vendor Security folder
On File
LumApps
Compliance docs filed
On File
Smartsheet
Vendor onboarding documentation
On File
Operations
EUC, software & licenses, assets, service delivery
Software Stack Items
23
Licensed tools across all users
Catalogue Active
Stack Cost / User / Year
$865
Standard seat, all-in
Calculated
VIP Users
24
T1: 3 · T2: 8 · T3: 13
List Current
Hardware Asset Register
—
No register built
⚠ GAP
Software Stack Costs
| Tool | Cost/User/Yr | Category |
|---|---|---|
| Microsoft 365 | $250 | Productivity |
| Adobe Acrobat | $185 | Document |
| Qualys | $80 | Security |
| Keeper | $90 | Security |
| DropSuite | $40 | Backup |
| KnowBe4 | $20 | Training |
| NinjaOne | $20 | RMM |
| Defender for Business | $25 | Security |
| DNSFilter | $26 | Security |
| Printix | $24 | Print Mgmt |
| CodeTwo | $15 | Email Sig |
| Standard Total | $865 | — |
Operational Gaps
Hardware Asset Register
Not built. No visibility into endpoint inventory — cannot support ISO A.8.1 or incident response.
Vulnerability Management Process
Qualys licensed but no defined scan cadence, remediation SLA, or tracking workflow.
Software & Licenses Folder — Empty
Folder structure exists in SharePoint but no formal inventory filed. Service Catalogue has data — needs to be promoted to a proper register.
EUC Coverage
Singapore
Printer drivers available
Ready
Australia
Printer drivers available
Ready
India
Printer drivers available
Ready
Tokyo
Office setup completed
Live
Melbourne
Office setup completed
Live
DSE Checklist
Home setup guide available
Ready
Cybersecurity
Risk posture, pen testing, incident readiness, PDPA
Critical Risks
3
Priority score ≥ 20
Immediate Attention
High Risks
4
Priority score 15–19
Monitor Closely
Pen Tests Completed
10
2024 (5) + 2025 (5)
Comprehensive
Security Training
KnowBe4
Platform active · Training programme live
Active
Risk Register — Top Risks
| Risk | Priority | Severity | Category | Status |
|---|---|---|---|---|
| IT Staffing — Single point of failure (Head of IT) | 20 | Critical | Staffing | Open |
| Fragmented LOBs — inconsistent IT standards across entities | 20 | Critical | Governance | Open |
| Unclear entity-level IT obligations across jurisdictions | 20 | Critical | Compliance | Open |
| Complex procurement — no formal approval workflow | 16 | High | Procurement | Open |
| Shadow software — unapproved tools in use | 16 | High | Software | Open |
| No SOC — limited 24/7 detection capability | 15 | High | Security Ops | Open |
| Patching gaps — no formal patch management cadence | 15 | High | Vulnerability | Open |
Penetration Testing
| Scope | Year | Status |
|---|---|---|
| AGP Group External | 2025 | Done |
| AGPCM External | 2025 | Done |
| Wellingtonbees | 2025 | Done |
| Internal Network | 2025 | Done |
| AMPYR | 2025 | Done |
| Singapore | 2024 | Done |
| India | 2024 | Done |
| Sydney | 2024 | Done |
| AMPYR | 2024 | Done |
| AGP External | 2024 | Done |
PDPA Watchlist
Investigation Cases — PII in SharePoint
Case-003: Varsha email export (PST). Case-004: PST packages. Case-006: Drew Lexmond / AirTrunk — HR files + financial data, 34+ document versions.
No Data Flow Diagrams
No documentation of where personal data flows across systems, vendors, or jurisdictions. Cannot demonstrate data mapping to regulators.
No Data Classification Policy
No formal classification scheme — staff cannot determine how to handle sensitive documents.
Projects
Active IT initiatives across AGP Group
Active Projects
9
Across all offices
Tracked in Jira
Offices Live
5
SG · SYD · MEL · BLR · TKO
All Operational
Blocked / On Hold
0
No known blockers
Clear
Domain Migrations
1
AssetzANZ in progress
In Progress
Active Projects
GCC Migration
Microsoft 365 GCC (Government Community Cloud) migration. Elevated compliance and data residency requirements.
HRIS — Deel
HR Information System implementation via Deel. Centralising HR data management globally.
Intranet — LumApps
Company-wide intranet platform deployment. Replacing or complementing existing SharePoint-based hub.
SharePoint Migration
Ongoing migration and restructuring of SharePoint content. Departmental site consolidation.
Domain Migration — AssetzANZ
Email and identity domain migration for the AssetzANZ entity. Entra ID and Exchange reconfiguration.
CRM — JuniperSquare
Investor relations and CRM platform deployment. JuniperSquare implementation and data migration.
BCP — AlertMedia
Business Continuity Planning with AlertMedia mass notification system. Ties to DR Plan finalisation.
AIC
Active project — details in Jira. Status to be confirmed with project lead.
TV Signage
Digital signage deployment across office locations. Content management and display infrastructure.