August 1, 2024

Nuances of Maturity: Specifics and Details

The Essential Eight Maturity Model FAQ provides comprehensive guidance on implementing and understanding the Essential Eight strategies. It emphasizes a proactive, risk-based approach to cybersecurity, reflecting the evolving nature of cyber threats and the importance of maintaining a balanced and comprehensive cybersecurity posture.

General Questions

📌 Essential Eight Overview: The Essential Eight consists of eight mitigation strategies recommended for organizations to implement as a baseline to protect against cyber threats. These strategies are application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups.

📌 Purpose of Implementing the Essential Eight: Implementing the Essential Eight is seen as a proactive measure that is more cost-effective in time, money, and effort than responding to a large-scale cyber security incident.

📌 Essential Eight Maturity Model (E8MM): The E8MM assists organizations in implementing the Essential Eight in a graduated manner based on different levels of tradecraft and targeting.

Updates to the Essential Eight Maturity Model

📌 Reason for Updates: The Australian Signals Directorate (ASD) updates the E8MM to ensure the advice remains contemporary, fit for purpose, and practical. Updates are based on evolving malicious tradecraft, cyber threat intelligence, and feedback from Essential Eight assessment and uplift activities.

📌 Recent Updates: Recent updates include recommendations for using an automated method of asset discovery at least fortnightly and ensuring vulnerability scanners use an up-to-date vulnerability database.

Maturity Model Updates and Implementation

📌 Redefinition of Maturity Levels: The July 2021 update redefined the number of maturity levels and moved to a stronger risk-based approach to implementation. It also reintroduced Maturity Level Zero to provide a broader range of maturity level ratings.

📌 Risk-Based Approach: The model now emphasizes a risk-based approach, where circumstances like legacy systems and technical debt are considered. Choosing not to implement entire mitigation strategies where technically feasible is generally considered Maturity Level Zero.

📌 Implementation as a Package: Organizations are advised to achieve a consistent maturity level across all eight mitigation strategies before moving to a higher maturity level. This approach aims to provide a more secure baseline than achieving higher maturity levels in a few strategies to the detriment of others.

Specific Strategy Updates

📌 Application Control Changes: Additional executable content types were introduced for all maturity levels, and Maturity Level One was updated to focus on using file system access permissions to prevent malware execution.