October 06, 2021

Your guide to the ACSC’s Essential Eight Maturity Model Updates

By Information Assurance Specialist at Data#3 Limited

It’s hard to argue against my passion for cybersecurity and by extension, how much respect and appreciation I have for the Australian Cyber Security Centre (ACSC). I have long sought their advice and counsel on matters ranging from the mundane to the critical and all points in between. When the ACSC updated their long-standing “ASD Top 4” to the “Essential Eight” back in 2017, I was delighted to have a foundation upon which to build a wholly Australian cybersecurity framework. We shared a similar blog series and eBook back then to introduce you to the ASD Essential Eight strategy.

Indeed, while not a behemoth like the NIST Cybersecurity Framework, or as universally known as ISO 27001, the ACSC Strategies to Mitigate Cybersecurity Incidents covered a lot of ground in a digestible format that nearly every business could draw expertise from. I predicted years ago that, while the ACSC Essential Eight wasn’t regulatory compliance, it was likely headed that way. Over the past few years, and indeed the last year, with a significant rise in cybersecurity incidents in-country and globally, it seems the march towards making the Essential Eight mandatory is well underway.

As of July 12, 2021, the new Essential Eight maturity model became available and, along with the Australian Government Information Security Manual (ISM), inspired me to write a new series of articles regarding these valuable controls. Anyone familiar with the older maturity models will quickly realise that the new maturity model is a beast but fills a lot of gaps.

Previously, we could cherry-pick strategies from the Essential Eight, but the current model prioritises implementing all eight as a package because of their complementary attributes and broader focus on the evolving threat landscape. What I especially like is an emphasis on risk management, which is a whole-of-business activity and not to be left to the often under-resourced IT departments of companies. Another emphasis is that businesses achieve a specific maturity level across all eight strategies first before moving to the next level. In other words, achieve maturity level 1 across all eight strategies before attempting to move to maturity level 2.

I see this as two-fold. First, it cements your cybersecurity defensive posture across a broad area instead of having strengths and gaps that can be exploited while you focus too much on one thing and not enough on another. Second, as the maturity model controls are more complementary, achieving a lower maturity level first solves a dependency when moving towards a higher level. The same controls appear across multiple levels, but often require a bit more focus to strengthen the control by adding elements.

In the following blog series, I discuss the latest updates to the controls, where you should start and how to progress through the three maturity levels for each strategy. No set of strategies is foolproof, but these are a great starting point. Over the series we’ll cover:

1. Application Control

Application control regulates the programs that can execute within your environment and who can execute them.

Learn more and level up your Application Control with the second blog in this series.

2. Application Patching

Patching applications keeps productivity systems secure and functional by ensuring you have deployed all available updates to software services.

Mature your approach to Application Patching with the third blog in this series.

3. Configure Microsoft Office Macro Settings

Macros exist for a reason but are increasingly a source of exploits. Blindly turning them off altogether isn’t effective as it creates more overhead. The better strategy is configuring your Microsoft Office macro settings based on the origin, trust, and users of macros.

Understand the pathway to the most mature Microsoft Office Macro settings with the fourth blog in this series.

4. User Application Hardening

User application hardening removes unnecessary and insecure features and settings to strengthen the security of specific applications.

Enhance your application hardening with the fifth blog in the series.

5. Restrict Administrative Privileges

Restricting administrative privileges safeguards the keys to the kingdom. This control addresses the principles of zero-trust and least-privilege, using the common sense that you should only ever allow access to those that need it.

Learn the latest advice on administrative privileges in our sixth blog in the series.

6. Patch Operating Systems

Patching operating systems secures the platforms upon which we work. Whether you run Windows, Mac or Linux, you also need to consider the operating systems that run on the myriad of devices other than servers or desktops and laptops. Consider tablets, mobile phones, printers, routers, switches and firewalls.

Learn more about patching operating systems in the seventh blog in the series.

7. Multi-Factor Authentication

Multi-Factor Authentication adds extra assurance to access and identity management by using a combination of easy-to-use secondary identification systems such as apps, SMS codes or even biometrics.

Discover how your Multi-Factor Authentication levels up to the ACSC Maturity Model in our eighth blog in the series.

8. Regular Backups

Backing up your data regularly preserves critical business information and IP. A robust disaster and recovery strategy is crucial to ensuring business continuity in a world rife with security threats.

Ensure your backup strategy is up to par with the final blog in this series.

No doubt you have many questions, but just take one blog and one control at a time. We’re not trying to “boil the ocean”, to use a tired cliché, but rather secure your environment. Check out this page for Essential Eight Solutions from Data#3 or reach out to my colleagues and me anytime to chat through your security strategy.

Stay safe out there.