Governance Risk and Compliance
The Essential 8 Cybersecurity Strategies
This refers to the level of control and constraints you have over users’ applications. It involves stopping software libraries, scripts, installers, and other executables from running on workstations.
This guideline refers explicitly to updating third-party applications. It focuses on applying security updates and patches as quickly as feasible. The strategies require frequent usage of vulnerability scanners to detect missing patches and updates, as well as removing solutions that are no longer supported by their vendors.
This strategy focuses on keeping operating systems up to date. The main outcome is to ensure that OS patches, updates, and security mitigations for internet-facing services are applied within two weeks of release – or within 48 hours if an exploit exists. Vulnerability scanners should be used to identify any missing patches, and any OS that is no longer vendor supported should be replaced.
Macro Settings: This refers to the amount of freedom your users have to run macros in Microsoft Office applications. Most users would have macros blocked as default – unless they have a demonstrated business requirement.
This refers to the limitations in place on users’ applications. At its most basic, web browsers should not be able to process ads or Java content from the internet, Internet Explorer 11 should be disabled, and users should not be able to change these settings.
This section involves enforcing MFA for all privileged access. Maturity starts by enforcing MFA for all user before they access internet-facing services and third-party providers.
This strategy involves ensuring critical systems and information is securely backed up and readily available. This flexible strategy requires organisations to back up important data, software, and configuration settings “in accordance with business continuity requirements”. All backup and restoration systems are tested, and unprivileged accounts restricted to their own backup environments.
What is an
Essential 8
security
assessment?
As part of Essential 8 security assessment, Cyber Ethos will provide you with a clear view of your organisation’s security posture:
- A comprehensive review of existing technical information security controls against the ACSC Essential Eight Mitigation Strategies
- A ranked Maturity Level (from 0 to 3) for each of the mitigation strategies
- A report highlighting key areas of improvement, corrective actions, and estimated budgets
What is the ACSC maturity model?
The ACSC Essential Eight maturity model provides organisations guidance in relation to the ACSC Essential Eight strategies implementation. It uses a scoring system from 0-3 to help identify what is the security posture for a particular organisation. It also provides the next logical steps to enhance that security posture.
This takes away organisations ability to cherry-pick strategies from the Essential Eight and provides them with a wholistic and sustainable model. What do I need to do next?
One size does not fit all. Your organization’s Risk Management Framework and Risk Appetite will determine what solutions and strategies must be implemented. The consultants at Cyber Ethos can conduct an Essential 8 security assessment for you. Get in touch with us immediately by clicking Contact us.
Further Information
The Essential Eight Maturity Model is part of a suite of related publications:
- Answers to questions about this maturity model are available in the Essential Eight Maturity Model FAQ publication.
- Additional mitigation strategies are available in the Strategies to Mitigate Cyber Security Incidents publication.
- Further information on additional mitigation strategies is available in the Strategies to Mitigate Cyber Security Incidents – Mitigation Details publication.
- Further Information on implementing application control is available in the Implementing Application Control publication.
- Answers to questions about this maturity model are available in the Essential Eight Maturity Model FAQ publication.
- Additional mitigation strategies are available in the Strategies to Mitigate Cyber Security Incidents publication.
- Further information on additional mitigation strategies is available in the Strategies to Mitigate Cyber Security Incidents – Mitigation Details publication.
- Further Information on implementing multi-factor authentication is available in the Implementing Multi-Factor Authentication publication.
Want to know more about Essential 8?