The Essential Eight Maturity Model Has Changed – Here’s How!
Quietly, the advice around the Essential Eight has changed…Here’s how!
In July this year, as Australia’s news headlines were dominated by rolling COVID-19 outbreaks and lockdowns, the Australian Cyber Security Centre (ACSC) quietly released new advice on the implementation of the Essential Eight.
Whether you’re just starting your IT Security Governance or Essential Eight Implementation journey, or you’re already working your way up the Maturity Levels, here is what you need to know and what the new advice means for your journey to cyber maturity.
Firstly, let’s get back to basics…then we’ll highlight what’s changed!
What the Essential Eight Is and Is Not – Revisited!
What the Essential Eight IS…
The ACSC recommends a set of priority cyberthreat mitigation strategies for organisations in the form of the Strategies to Mitigate Cyber Security Incidents. This is a much longer and more detailed set of strategies than the Essential Eight. The Essential Eight is a subset of the full set of recommended strategies and is “packaged up” as the most effective of the set of general strategies designed to address both risk and most organisations’ ability to implement.
It is also important to note, too, that the Essential Eight is a framework designed to enhance security provisions specifically for Microsoft Windows-based Internet-connected networks.
What the Essential Eight IS NOT…
The Essential Eight is not…
- A guarantee that your organisation will not be targeted by adversaries or succumb to cyber incidents in the future.
- Primarily designed for cloud services, enterprise mobility or non-Windows operating systems (Other mitigation strategies will need to be overlayed and run alongside the Essential Eight, including those outlined in the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual.)
- An exhaustive list of IT security best practices that is complete or finite.
What are the Essential Eight Mitigation Strategies?
The Eight prioritised strategies are:
- Application Control
- Patch Applications
- Configure Microsoft Office Macro Settings
- Under Application Hardening
- Restrict Administrative Privileges
- Patch Operating Systems
- Multi-factor Authentication
- Regular Back-ups
How to implement the Essential Eight
To assist organisations to effectively implement the Essential Eight, the ACSC provides the Essential Eight Maturity Model, in which now four (previously three) maturity levels are defined and unpacked.
Organisations are advised to self-assess themselves against the guidelines and take a risk-based approach to bolstering protections to address the risks they face.
So, what has changed?
So, the Essential Eight themselves, alongside the broader Strategies to Mitigate Cyber Security Incidents and Australian Government Information Security Manual, remain unchanged (although are under continual review and consultation by the ACSC).
Firstly, what has changed is the guidance around how organisations should implement the Essential Eight using the Essential Eight Maturity Model.
Whereas previously organisations could effectively record a higher tier maturity level for one or two of the strategies and lower tier maturity levels for others, the renewed guidance now “prioritises the implementation of all eight mitigation strategies as a package” due to their complementary nature and focus on various cyber threats.
What this means is that “Organisations should fully achieve a maturity level across all eight mitigation strategies before moving to achieve a higher maturity level.”
Secondly, another change is the addition of a fourth Maturity Level Zero. The aim of adding the fourth level was to broaden the range and scope of maturity levels to better reflect the growing sophistication and types of TTPs in play. (Read on for more about TTPs!)
Thirdly, a number of key updates and additions were made to the specified actions set out under each of the Essential Eight strategies across all of the Maturity Levels. There’s handy summary of these changes listed up in the ACSC’s Essential Eight Maturity Model FAQ.
What do the Maturity Levels now represent? What should you be aiming for?
It is important to understand the Maturity Levels are not representative of the time, talent, and resources it might take your organisation to implement the recommended provisions and controls.
Instead, the Maturity Levels are based on increasing levels of adversary sophistication and skills – what the experts call TTPs (tools, tactics, and procedures) – and how they are used to target organisations like yours.
In this way, organisations should not choose to achieve a certain maturity level based on what they as an organisation think they can realistically achieve. Rather, organisations need to take a risk-based view to assess the level of TTPs and targeting they are most likely to be exposed to, given the nature of the data they hold, the confidentiality or regulatory requirements for that data, the complexity and connectedness of their systems, and specific requirements around the availability and integrity of key systems and data.
The New Implementation Guidance
Reading the Essential Eight Maturity Model can be a bit overwhelming the first time you read it! That’s why we’ve put together a couple of recommended steps upfront to help you get started (or back on track)!
Step 1. Review the key elements of the Essential Eight and the Essential Eight Maturity Model.
Step 2. Identify a target Maturity Level
The ACSC now recommends that organisations should first identify a target maturity level.
Remember this should not be based on what you think you can realistically achieve, but rather the risk associated with exposure to more sophisticated TTPs given the nature of your systems and data requirements.
Rather than playing pin the tail on the donkey here, ideally you need to work with an impartial third party with an expert understanding of the cyberthreat landscape and TTPs in action against your industry sector. This might be your Managed IT Services Provider (MSP) or your IT Security Advisor (…and like Woody from Toy Story says… “If you don’t have one, get one!”)
Step 3. Recognise that, at any maturity level, the Essential Eight represents a minimum set of preventive measures, and that you may also need to review and incorporate elements from the broader Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual.
Step 4. Plan to implement
Then organisations should plan their implementation to achieve the same maturity level across all eight mitigation strategies before moving onto higher maturity levels.
An effective implementation plan should also:
- Clearly set out your target Maturity Level and the associated risks your organisation is seeking to address by achieving that Maturity Level.
- Minimise any exceptions or deviations from the Essential Eight strategies
- Minimise the scope (number of people or devices affected by) of any exceptions or deviations
- Ensure any exceptions or deviations are covered by an alternative security strategy
- Outline how any exceptions or deviations must be documented and approved
- Outline how and when any exceptions and deviations, as well as compensating security provisions associated with them, must be monitored, and reviewed
- Document and timeline out the implementation of Essential Eight and additional strategies complementary to the Essential Eight that may have been drawn from other sources.
Step 5. Build a Team
Finally, IT security is never a set and forget thing, and it should never be one person’s responsibility.
Here is who you need on your team:
- Someone within your organisation that is tracking your progress as well as key changes in the threat landscape
- Someone they can report progress, threats, or findings to who has executive decision-making power
- A Managed IT Services Partner (MSP) who can take care of operational actions like monitoring and actioning both routine and emergency IT security patches, alerts, and changes
- An IT Security Advisor, who knows and works closely with your MSP and who keeps your IT security discussions progressing at a strategic level.
- A vendor and product suite that is fit-for-purpose, provides service level metrics and continuous education and alerts around threats, provides required logging and reporting capabilities, and uses both AI and human resources to provide timely prevention, mitigation, and response activities.
If you’d like to recalibrate your Essential Eight journey to align with the new advice….or just need some more info on what the heck we are talking about here, give Maxsum a call on 1300 629 786 or shoot us a message here.
Other great Maxsum content you might like to read: