Australia’s Essential Eight Maturity Model for IT Security Has Changed!

Marketing, Communications & Engagement - Maxsum Consulting

Ever so quietly last month, some changes were made to the Australian Cyber Security Centre’s advice around the Essential Eight.

As cyberthreats grow in number, scale and sophistication, so must our IT security strategies – and the Essential Eight is a great first step on that journey – so get across what’s new right now.

In July this year, as Australia’s news headlines were dominated by rolling COVID-19 outbreaks and lockdowns, the Australian Cyber Security Centre (ACSC) quietly released new advice on the implementation of the Essential Eight.

Whether you’re just starting your IT Security Governance or Essential Eight Implementation journey, or you’re already working your way up the Maturity Levels, here is what you need to know and what the new advice means for your journey to cyber maturity.

Firstly, let’s get back to basics…then we’ll highlight what’s changed!

What the Essential Eight Is and Is Not – Revisited!

What the Essential Eight IS

The ACSC recommends a set of priority cyberthreat mitigation strategies for organisations in the form of the Strategies to Mitigate Cyber Security Incidents. This is a much longer and more detailed set of strategies than the Essential Eight. The Essential Eight is a subset of that full set, “packaged up” as the most effective of the general strategies, chosen to balance risk reduction against most organisations’ ability to implement them.

It is also important to note that the Essential Eight is a framework designed to enhance security specifically for Microsoft Windows-based, Internet-connected networks.

What the Essential Eight IS NOT

The Essential Eight is not…

  • A guarantee that your organisation will not be targeted by adversaries or succumb to cyber incidents in the future.
  • Primarily designed for cloud services, enterprise mobility or non-Windows operating systems. (Other mitigation strategies will need to be overlaid and run alongside the Essential Eight, including those outlined in the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual.)
  • An exhaustive list of IT security best practices that is complete or finite.

What are the Essential Eight Mitigation Strategies?

The Eight prioritised strategies are:

  • Application Control
  • Patch Applications
  • Configure Microsoft Office Macro Settings
  • User Application Hardening
  • Restrict Administrative Privileges
  • Patch Operating Systems
  • Multi-factor Authentication
  • Regular Back-ups

How to implement the Essential Eight

To assist organisations to implement the Essential Eight effectively, the ACSC provides the Essential Eight Maturity Model, which now defines and unpacks four maturity levels (previously three).

Organisations are advised to self-assess against the guidelines and take a risk-based approach to bolstering protections against the risks they face.

So, what has changed?

The Essential Eight themselves, alongside the broader Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual, remain unchanged (although they are under continual review and consultation by the ACSC).

Firstly, what has changed is the guidance around how organisations should implement the Essential Eight using the Essential Eight Maturity Model.

Whereas previously organisations could effectively record a higher-tier maturity level for one or two of the strategies and lower-tier maturity levels for others, the renewed guidance now “prioritises the implementation of all eight mitigation strategies as a package” due to their complementary nature and their focus on different cyber threats.

What this means is that “Organisations should fully achieve a maturity level across all eight mitigation strategies before moving to achieve a higher maturity level.”

Secondly, a fourth level has been added: Maturity Level Zero. The aim of adding it was to broaden the range and scope of the maturity levels to better reflect the growing sophistication and variety of TTPs in play. (Read on for more about TTPs!)

Thirdly, a number of key updates and additions were made to the specified actions set out under each of the Essential Eight strategies across all of the Maturity Levels. There’s a handy summary of these changes in the ACSC’s Essential Eight Maturity Model FAQ.

For more on what the various Maturity Levels represent and what you should be aiming for, continue on to the full article here.

Or if you’d like to recalibrate your Essential Eight journey to align with the new advice… or just need some more info on what the heck we are talking about here, give Maxsum a call on 1300 629 786 or shoot us a message here.