© 2020 Content Security Pty Ltd.

Frameworks and standards

ACSC Essential Eight

We not only assess your level of maturity for each mitigation strategy, but make tailored recommendations and implementation roadmaps to get your business where it needs to be

The ACSC Essential 8 Explained

What is the Essential 8 and why does it exist?

In today’s digital society, cyber threats are an all too frequent reality. On almost a daily basis, businesses across the nation are faced with a variety of common cyber security incidents threatening their infrastructure, data and livelihood. In order to mitigate the risk posed by these threats, it is crucial to have cost-effective and comprehensive protection strategies in place. These strategies should work to:

  • Prevent malware delivery and execution;
  • Limit the extent of cyber security incidents; and
  • Assist in data recovery and system availability.

The Australian Cyber Security Centre’s (ACSC) Essential 8 (previously the ASD Essential 8) does just that. Ultimately, it is a baseline of mitigation strategies compiled to assist Australian organisations and government agencies in protecting their systems against a range of adversaries.

Is it mandatory to comply?

Federal Government Requirements

As the phrase ‘Essential 8’ implies, these are fundamental building blocks in any organisation’s security approach. However, the Federal Government has rejected recommendations to make all of the Essential 8 mitigation strategies mandatory. Currently, only the top 4 of these strategies are mandatory for government departments and agencies to comply with.

NSW Government Requirements

As of February 2019, the NSW Government Cyber Security Policy mandates that government departments must submit an annual report detailing a maturity assessment against the ACSC Essential 8 by August 31st. 

Essential Eight

So, what exactly are the Essential 8?

Firstly, these controls act as a baseline of defence and assist organisations in uplifting their security posture. Secondly, implementing them in a proactive way is more cost-effective than responding to large scale cyber security incidents in a reactive manner. For that reason, these controls are listed in a suggested implementation order, starting with Application Control and ending with Daily Back Ups:

Application Control

This is the practice of specifying an index of approved software applications or executable files. This can be achieved by Application Whitelisting, for instance. It is primarily designed to prevent the execution and spread of malicious code, as well as the installation or use of unapproved applications.

Patching Applications

Patches provide updates or changes to fix or improve your devices’ applications, such as Flash, web browsers, Microsoft Office, Java, PDF viewers and more. In addition, they remove security vulnerabilities, meaning they close the gaps that adversaries typically target.

Configure Microsoft Office Macro Settings

Macros work in the background of Microsoft Office documents, and are used by cyber adversaries to execute malicious code. Therefore, it is recommended to block macros from the internet and to allow only checked macros, either from trusted locations with limited write access or, going further, macros that are digitally signed with a trusted certificate.

User Application Hardening

Flash, web advertisements and Java are popular vehicles for executing malware on victims’ systems. Therefore, it is important to configure web browsers to block and disable these. Further, disable other unnecessary features in Microsoft Office and PDF viewers.

Restrict Administrative Privileges

To prevent adversaries from exploiting admin accounts and gaining full access to your business’ information and systems, it is important to restrict administrative privileges based on individual users’ duties. It is also vital to regularly revalidate these privileges.

Patch Operating Systems

Just as with your applications, your computers and network devices should be patched and updated regularly. Your operating systems are one of the primary ways that cyber criminals can enact further compromise, so systems should be running the latest versions.

Multi-Factor Authentication

Multi-Factor Authentication is the practice of using two or more authentication factors to verify a user to a system. When implemented correctly, it significantly strengthens user authentication, thus making it more difficult for cyber adversaries to steal credentials and gain access to the network.

Daily Back Ups

In the aftermath of a security incident it is vital that key information from prior to the incident, including data and configuration settings, is available. Daily back-ups of new/changed data, software and settings facilitate an easier recovery and assist in keeping systems available.

What are the maturity levels?

The following tiers assist with determining the level of maturity for each control implementation. Once an initial level of implementation is met, organisations should focus on reaching maturity level three for all eight mitigation strategies. For more information on the ACSC’s Essential Eight Maturity Model, please visit their website.

Maturity Level One

Partly aligned with the intent of the mitigation strategy.

Maturity Level Two

Mostly aligned with the intent of the mitigation strategy.

Maturity Level Three

Fully aligned with the intent of the mitigation strategy.

The Content Security Approach

Our goal is to help you become compliant and ultimately, enhance your security

As a cyber security advisory organisation with over 20 years of experience, our mission is to empower businesses in cyber security and keep them abreast of evolving threats. As a result, a large part of our work involves reviewing and implementing the correct strategies to proactively mitigate our clients’ exposure to security incidents.

At Content Security, we take a two-pronged approach to help clients gain and maintain Essential Eight compliance:

Auditing Services

Firstly, we conduct security audits on clients' systems and processes, ranking them against the ACSC Essential Eight Maturity Model.

Implementation Services

Secondly, we make a tailor-made roadmap based on the findings from the audit report. We provide you with a suitable implementation strategy to ensure your organisation is meeting the required maturity level, and further, strengthening your security posture.

Essential Eight

Essential Eight Auditing service

Our qualified experts give you a clear overview of your environment, determining your level of maturity and providing clarity on which areas need most improvement

Content Security’s Essential Eight security audits typically consist of the following activities. Please note that the auditing process may differ across each mitigation strategy:

  • Interviews with members of the IT team;
  • Process reviews with supporting documentation;
  • Direct observation of the in-scope mitigation strategies; and
  • Automated scanning and other testing.

What are the outcomes of this audit?

Helping you understand your current level of maturity and getting your business where it needs to be

After conducting the audit, our security consultants provide you with a detailed report describing the activities that were performed and the results found. This report typically contains:

Maturity ratings of each security control in your environment

Our experts take a closer look at the security controls in scope, ranking each against the Essential 8 Maturity Model. As a result, this gives you a clear idea of where your organisation sits and thus, a benchmark from which you can improve.

The associated evidence used to define each rating

In order to give you the most in-depth overview possible, our consultants pair each control with a summary of the evidence used to determine the ranking. To clarify, this evidence includes interview notes, process review notes, and notes from direct observation.

A tailored project plan and roadmap

Once we distinguish where your organisation sits in relation to the Essential Eight Maturity Model, we are better suited to provide you with an Essential Eight roadmap. Our tailor-made plans define the activities required of your organisation to increase the maturity of each control from where it currently stands to the next level(s).

Actionable recommendations

We not only create an outline of your personalised Essential Eight roadmap but also provide actionable recommendations on the path ahead. This includes which security controls to increase, prioritised by the level of risk faced by your business: both the current risk and the residual risk after increasing the security control.

Reports on missing patches and vulnerabilities

In addition to the above elements, we are also able to include reports from our automated vulnerability assessment tool, showing missing patches and other vulnerabilities found within your organisation.
