Your guide to the ACSC’s Essential Eight Maturity Model Updates

By Information Assurance Specialist at Data#3 Limited

It’s hard to argue against my passion for cybersecurity and by extension, how much respect and appreciation I have for the Australian Cyber Security Centre (ACSC). I have long sought their advice and counsel on matters ranging from the mundane to the critical and all points in between. When the ACSC updated their long-standing “ASD Top 4” to the “Essential Eight” back in 2017, I was delighted to have a foundation upon which to build a wholly Australian cybersecurity framework. We shared a similar blog series and eBook back then to introduce you to the ASD Essential Eight strategy.

Indeed, while not a behemoth like the NIST Cybersecurity Framework, or as universally known as ISO 27001, the ACSC Strategies to Mitigate Cybersecurity Incidents covered a lot of ground in a digestible format that nearly every business could draw expertise from. I predicted years ago that, while the ACSC Essential Eight wasn’t regulatory compliance, it was likely headed that way. Over the past few years, and indeed the last year, with a significant rise in cybersecurity incidents in-country and globally, it seems the march towards making the Essential Eight mandatory is well underway.

As of July 12, 2021, the new Essential Eight maturity model became available and, along with the Australian Government Information Security Manual (ISM), inspired me to write a new series of articles regarding these valuable controls. Anyone familiar with the older maturity models will quickly realise that the new maturity model is a beast but fills a lot of gaps.

Previously, we could cherry-pick strategies from the Essential Eight, but the current model prioritises implementing all eight as a package because of their complementary attributes and broader focus on the evolving threat landscape. What I especially like is an emphasis on risk management, which is a whole-of-business activity and not to be left to the often under-resourced IT departments of companies. Another emphasis is that businesses achieve a specific maturity level across all eight strategies first before moving to the next level. In other words, achieve maturity level 1 across all eight strategies before attempting to move to maturity level 2.

I see this as two-fold. First, it cements your cybersecurity defensive posture across a broad area instead of having strengths and gaps that can be exploited while you focus too much on one thing and not enough on another. Second, as the maturity model controls are more complementary, achieving a lower maturity level first solves a dependency when moving towards a higher level. The same controls appear across multiple levels, but often require a bit more focus to strengthen the control by adding elements.

In the following blog series, I discuss the latest updates to the controls, where you should start and how to progress through the three maturity levels for each strategy. No set of strategies is foolproof, but these are a great starting point. Over the series we’ll cover:

1. Application Control

Application control regulates the programs that can execute within your environment and who can execute them.

Learn more and level up your Application Control with the second blog in this series.

2. Application Patching

Patching applications keeps productivity systems secure and functional by ensuring you have deployed all available updates to software services.

Mature your approach to Application Patching with the third blog in this series.

3. Configure Microsoft Office Macro Settings

Macros exist for a reason but are increasingly a source of exploits. Blindly turning them off altogether isn’t effective as it creates more overhead. The better strategy is configuring your Microsoft Office macro settings based on the origin, trust, and users of macros.

Understand the pathway to the most mature Microsoft Office Macro settings with the fourth blog in this series.

4. User Application Hardening

User application hardening removes unnecessary and insecure features and settings to strengthen the security of specific applications.

Enhance your application hardening with the fifth blog in the series.

5. Restrict Administrative Privileges

Restricting administrative privileges safeguards the keys to the kingdom. This control addresses the principles of zero-trust and least-privilege, using the common sense that you should only ever allow access to those that need it.

Learn the latest advice on administrative privileges in our sixth blog in the series.

6. Patch Operating Systems

Patching operating systems secures the platforms upon which we work. Whether you run Windows, Mac or Linux, you also need to consider the operating systems that run on the myriad of devices other than servers or desktops and laptops. Consider tablets, mobile phones, printers, routers, switches and firewalls.

Learn more about patching operating systems in the seventh blog in the series.

7. Multi-Factor Authentication

Multi-Factor Authentication adds extra assurance to access and identity management by using a combination of easy-to-use secondary identification systems such as apps, SMS codes or even biometrics.

Discover how your Multi-Factor Authentication levels up to the ACSC Maturity Model in our eighth blog in the series.

8. Regular Backups

Backing up your data regularly preserves critical business information and IP. A robust disaster and recovery strategy is crucial to ensuring business continuity in a world rife with security threats.

Ensure your backup strategy is up to par with the final blog in this series.

No doubt you have many questions, but just take one blog and one control at a time. We’re not trying to “boil the ocean” to use a tired cliché, but rather secure your environment. Check out this page for Essential Eight Solutions from Data#3 or reach out to my colleagues and me anytime to chat through your security strategy.

Stay safe out there.
