OGYA ARGUS | CyberSphinx

General Information

Please enter your contact details. These will be treated confidentially.

Organisation name *

First name *

Last name *

Email address *

Phone number *0 / 15

Job title / Role *

Organisation Context

These questions provide context about your organisation and IT environment.

Number of employees (incl. contractors) *

Number of external users *

How many applications are available within your organisation? *Less than 1010-2526-50More than 50

Is Microsoft 365 / Entra ID used? *YesNoPartially

Domain 1: Identity Governance

How well does your organisation have visibility over all identities, ownership and lifecycle?

Does your organisation have a central overview of all identities (employees, external users, systems)? *There is no central overview; identities are managed per systemThere is a partial overview, but it is not complete or up to dateIdentities are centrally registered with periodic updatesThere is an up-to-date, centrally managed identity register with ownershipIdentities are managed dynamically and automatically drive access and governance

Are machine identities (service accounts, API keys) and AI agents registered and managed? *Machine identities are not trackedSome service accounts are known, but there is no complete overviewMachine identities are registered and have an ownerMachine identities and AI agents are actively managed with lifecycle processesMachine identities and AI agents are fully integrated into the identity governance framework

Does each identity (person, system, AI agent) have a defined owner? *Ownership is not recordedFor some identities an owner is knownOwnership is recorded for most identitiesAll identities have a formal owner with responsibilitiesOwnership is dynamically linked to governance processes and updated automatically

Is the identity lifecycle (create, modify, deactivate) managed in a structured way? *Lifecycle processes are manual and ad hocThere are basic processes for creation and removal, but they are not completeLifecycle processes are defined and followed periodicallyThe identity lifecycle is largely automated with connections to HR systemsThe full identity lifecycle is automated, including role changes, and drives governance

Domain 2: Access Governance

How are access rights managed, reviewed and enforced?

Are access rights periodically reviewed and validated? *No periodic reviews take placeReviews happen incidentally, for example after an audit or incidentA periodic review process is in place for critical systemsAll access rights are periodically reviewed with formal approvalAccess reviews are automated and continuously performed based on risk

Are role-based access models (RBAC) implemented? *Access is granted individually without a role modelSome roles are defined, but not organisation-wideRole-based access is implemented for the most important systemsRBAC is implemented organisation-wide with periodic maintenanceDynamic, risk-based access models are applied on top of RBAC

Are inactive and dormant accounts detected and handled? *Dormant accounts are not actively identifiedInactive accounts are checked incidentallyThere is a process to periodically identify dormant accountsDormant accounts are automatically detected and deactivatedAccount activity is continuously monitored and inactive accounts are handled automatically

Is the least-privilege principle implemented? *There is no deliberate least-privilege policyLeast privilege is pursued but not structurally appliedLeast privilege is implemented for privileged accounts and critical systemsLeast privilege is applied organisation-wide with periodic validationLeast privilege is dynamically enforced based on context and risk

Domain 3: AI Governance

How is AI usage managed, registered and linked to governance?

Does your organisation have a formal AI governance policy? *There is no AI policyThere are informal agreements about AI usageA formal AI policy has been establishedAI policy is actively enforced and periodically evaluatedAI governance is integrated into organisation-wide governance and continuously adjusted

Are AI tools and AI agents centrally registered? *There is no overview of AI usage in the organisationSome AI tools are known, but there is no central registerAI tools are centrally registered with basic informationAI tools and AI agents are registered with ownership, purpose and risk classificationAI registration is dynamically linked to identity governance and updated automatically

Is the use of AI tools monitored? *AI usage is not monitoredThere is limited visibility on AI usageAI usage is monitored periodicallyAI usage is continuously monitored with reportingAI monitoring is integrated with identity and security monitoring

Are AI agents linked to identity governance processes? *AI agents operate separately from identity governanceThere is awareness that AI agents need identities, but no integrationAI agents have identities but are managed separatelyAI agents are included in the identity governance frameworkAI agents are fully driven by identity governance with automatic lifecycle and audit

Domain 4: Security & Monitoring

How are security, authentication and monitoring organised?

Is Multi-Factor Authentication (MFA) implemented organisation-wide? *MFA is barely or not implementedMFA is set up for a limited number of users or systemsMFA is set up for all employees on the most important systemsMFA is implemented organisation-wide including external usersAdaptive MFA is applied based on risk and context

Is centralised logging and monitoring in place (SIEM/SOC)? *There is no central loggingLogging is limited to a few systemsCentral logging is in place for the most important systemsA SIEM or SOC is operational with structural monitoringSecurity monitoring is integrated with identity and AI governance for proactive detection

Are identity-related security events monitored? *Identity security events are not separately monitoredThere is limited monitoring of login attempts and account changesIdentity events are logged and analysed periodicallyIdentity security events are monitored in real time with alertsIdentity events are correlated with AI governance and escalated automatically

Is privileged access (admin rights) managed via governance processes? *Privileged access is not separately managedAdmin accounts are known but not formally managedPrivileged access is limited and periodically reviewedPAM tooling is in place with session monitoring and approval processesPrivileged access is fully integrated into identity governance with just-in-time access

Domain 5: Compliance & Risk Management

How are compliance, risk management and audit organised?

Does your organisation have an up-to-date risk register? *There is no risk registerThere is a risk register but it is not actively maintainedThe risk register is updated periodicallyThe risk register is linked to governance processes and actively managedRisks are managed dynamically and automatically linked to identity and AI governance

Are relevant regulatory frameworks (NIS2, DORA, ISO27001, EU AI Act) actively monitored? *There is no structural focus on compliance frameworksCompliance is addressed reactively (during audits)Relevant frameworks are identified and tested periodicallyCompliance is continuously monitored with technological supportCompliance is integrated into automated governance processes

Are audit trails automatically generated? *There are no or limited audit trailsAudit trails exist for some systems but are not centralisedAudit trails are centrally collected for the most important systemsComplete audit trails are automatically generated and retainedAudit trails are integrated with identity governance and analysed automatically

Is governance in place for external identities (partners, suppliers, contractors)? *External identities are not separately managedThere is a basic registration of external usersExternal identities have formal processes for assignment and revocationExternal identities are included in the identity governance frameworkExternal identities are dynamically managed with automatic lifecycle and risk assessment

Complete ARGUS Assessment

Review your answers and submit the form. You will receive the report within a few business days by email.