The ACSC released a significant update to the Essential Eight Maturity Model earlier this week. Details of the revised Maturity Model can be found here: Essential Eight Maturity Model | Cyber.gov.au.
The Essential Eight Maturity Model is designed to provide prioritised guidance on mitigations organisations can employ to protect themselves against various cyber security threats. Some of the common threats that the Essential Eight Maturity Model aims to increase an organisation's protection against include:
- Identity Theft / Compromised Identity
- Execution of Malware (including ransomware)
- Exfiltration of data (theft of organisation and/or customer data)
There have been substantial changes to the guidance provided around each of the maturity levels, with a number of new controls being introduced to align with maturity levels 1 and 2 that were previously guided for level 3 or beyond. There is also a substantial uplift across all levels in areas previously not included in the Essential Eight Maturity Model. Examples of these include:
- Centralised logging
- Vulnerability scanning
- Action on blocked events
These changes represent a substantial increase in the recommended baseline cyber security posture across all levels of the Essential Eight Maturity Model as published by the Australian Cyber Security Centre. Previous guidance for best practice within this framework has now been revised, and many organisations at Level 3 maturity in some pillars under the previous maturity model may now find themselves at maturity zero in those same pillars.
The Essential Eight Maturity Model is an evolving framework which we expect to continue to develop over time as cyber threats and the technological landscape continue to shift.
The ACSC Essential Eight Maturity Model's 8 Pillars
Application Control
Prevent unapproved applications (such as malware) from executing
Patch Applications
Prevent the exploitation of known security vulnerabilities in applications
Configure Microsoft Office Macro Settings
Prevent the execution of malicious code within the Microsoft Office Suite
User Application Hardening
Prevent the delivery and execution of malicious code through applications such as web browsers
Restrict Administrative Privileges
Minimise the risk of theft of administrative credentials and the vectors through which this theft could occur
Patch Operating Systems
Prevent the exploitation of known security vulnerabilities in operating systems
Multi-factor Authentication
Stronger user authentication makes it harder for adversaries to access sensitive information and systems
Regular Backups
Ensure information can be accessed following a cyber security incident (e.g. a ransomware incident).
If you would like to find out how your business aligns with the updated guidance and what your Essential Eight Maturity Level is under this new guidance, please contact our team.