{
  "number":"2",
  "title":"Maturity Level Two",
  "implementation":"[p]Maturity Level Two may be suitable for large enterprises.[\/p][p]Maturity Level Two is considered the baseline for non-corporate Commonwealth entities.[\/p]",
  "description":"[p]The focus of this maturity level is malicious actors operating with a modest step-up in capability from the previous maturity level. These malicious actors are willing to invest more time in a target and, perhaps more importantly, in the effectiveness of their tools. For example, these malicious actors will likely employ well-known tradecraft in order to better attempt to bypass controls implemented by a target and evade detection. This includes actively targeting credentials using phishing and employing technical and social engineering techniques to circumvent weak multi-factor authentication.[\/p][p]Generally, malicious actors are likely to be more selective in their targeting but still somewhat conservative in the time, money and effort they may invest in a target. Malicious actors will likely invest time to ensure their phishing is effective and employ common social engineering techniques to trick users to weaken the security of a system and launch malicious applications, for example via Microsoft Office macros. If accounts that malicious actors compromise have special privileges they will exploit it, otherwise they will seek accounts with special privileges. Depending on their intent, malicious actors may also destroy all data (including backups) accessible to an account with special privileges.[\/p]",
  "strategy":[
    {"title":"Application Control","requirement":[
      {"description":"Application control is implemented on workstations.","controls":["0843"]},
      {"description":"Application control is implemented on internet-facing servers.","controls":["1490"]},
      {"description":"Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients.","controls":["1870"]},
      {"description":"Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email clients.","controls":["1871"]},
      {"description":"Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.","controls":["1657"]},
      {"description":"Microsoft\u2019s recommended application blocklist is implemented.","controls":["1544"]},
      {"description":"Application control rulesets are validated on an annual or more frequent basis.","controls":["1582"]},
      {"description":"Allowed and blocked application control events are centrally logged.","controls":["1660"]},
      {"description":"Event logs are protected from unauthorised modification and deletion.","controls":["1815"]},
      {"description":"Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.","controls":["1906"]},
      {"description":"Cyber security events are analysed in a timely manner to identify cyber security incidents.","controls":["1228"]},
      {"description":"Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.","controls":["0123"]},
      {"description":"Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.","controls":["0140"]},
      {"description":"Following the identification of a cyber security incident, the cyber security incident response plan is enacted.","controls":["1819"]}
    ]},
    {"title":"Patch Applications","requirement":[
      {"description":"An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.","controls":["1807"]},
      {"description":"A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.","controls":["1808"]},
      {"description":"A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services.","controls":["1698"]},
      {"description":"A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.","controls":["1699"]},
      {"description":"A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.","controls":["1700"]},
      {"description":"Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.","controls":["1876"]},
      {"description":"Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.","controls":["1690"]},
      {"description":"Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.","controls":["1691"]},
      {"description":"Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release.","controls":["1693"]},
      {"description":"Online services that are no longer supported by vendors are removed.","controls":["1905"]},
      {"description":"Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.","controls":["1704"]}
    ]},
    {"title":"Restrict Microsoft Office macros","requirement":[
      {"description":"Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.","controls":["1671"]},
      {"description":"Microsoft Office macros in files originating from the internet are blocked.","controls":["1488"]},
      {"description":"Microsoft Office macro antivirus scanning is enabled.","controls":["1672"]},
      {"description":"Microsoft Office macros are blocked from making Win32 API calls.","controls":["1673"]},
      {"description":"Microsoft Office macro security settings cannot be changed by users.","controls":["1489"]}
    ]},
    {"title":"User application hardening","requirement":[
      {"description":"Internet Explorer 11 is disabled or removed.","controls":["1654"]},
      {"description":"Web browsers do not process Java from the internet.","controls":["1486"]},
      {"description":"Web browsers do not process web advertisements from the internet.","controls":["1485"]},
      {"description":"Web browsers are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.","controls":["1412"]},
      {"description":"Web browser, Microsoft Office and PDF software security settings cannot be changed by users.","controls":["1585"]},
      {"description":"Microsoft Office is blocked from creating child processes.","controls":["1667"]},
      {"description":"Microsoft Office is blocked from creating executable content.","controls":["1668"]},
      {"description":"Microsoft Office is blocked from injecting code into other processes.","controls":["1669"]},
      {"description":"Microsoft Office is configured to prevent activation of OLE packages.","controls":["1542"]},
      {"description":"Office productivity suites are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.","controls":["1859"]},
      {"description":"Office productivity suite security settings cannot be changed by users.","controls":["1823"]},
      {"description":"PDF software is blocked from creating child processes.","controls":["1670"]},
      {"description":"PDF software is hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.","controls":["1860"]},
      {"description":"PDF software security settings cannot be changed by users.","controls":["1824"]},
      {"description":"PowerShell module logging, script block logging and transcription events are centrally logged.","controls":["1623"]},
      {"description":"Command line process creation events are centrally logged.","controls":["1889"]},
      {"description":"Event logs are protected from unauthorised modification and deletion.","controls":["1815"]},
      {"description":"Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.","controls":["1906"]},
      {"description":"Cyber security events are analysed in a timely manner to identify cyber security incidents.","controls":["1228"]},
      {"description":"Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.","controls":["0123"]},
      {"description":"Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.","controls":["0140"]},
      {"description":"Following the identification of a cyber security incident, the cyber security incident response plan is enacted.","controls":["1819"]}
    ]},
    {"title":"Restrict administrative privileges","requirement":[
      {"description":"Requests for privileged access to systems, applications and data repositories are validated when first requested.","controls":["1507"]},
      {"description":"Privileged access to systems, applications and data repositories is disabled after 12 months unless revalidated.","controls":["1647"]},
      {"description":"Privileged access to systems and applications is disabled after 45 days of inactivity.","controls":["1648"]},
      {"description":"Privileged users are assigned a dedicated privileged account to be used solely for duties requiring privileged access.","controls":["0445"]},
      {"description":"Privileged accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services.","controls":["1175"]},
      {"description":"Privileged accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties.","controls":["1883"]},
      {"description":"Privileged users use separate privileged and unprivileged operating environments.","controls":["1380"]},
      {"description":"Privileged operating environments are not virtualised within unprivileged operating environments.","controls":["1687"]},
      {"description":"Unprivileged accounts cannot logon to privileged operating environments.","controls":["1688"]},
      {"description":"Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.","controls":["1689"]},
      {"description":"Administrative activities are conducted through jump servers.","controls":["1387"]},
      {"description":"Credentials for break glass accounts, local administrator accounts and service accounts are long, unique, unpredictable and managed.","controls":["1685"]},
      {"description":"Privileged access events are centrally logged.","controls":["1509"]},
      {"description":"Privileged account and group management events are centrally logged.","controls":["1650"]},
      {"description":"Event logs are protected from unauthorised modification and deletion.","controls":["1815"]},
      {"description":"Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.","controls":["1906"]},
      {"description":"Cyber security events are analysed in a timely manner to identify cyber security incidents.","controls":["1228"]},
      {"description":"Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.","controls":["0123"]},
      {"description":"Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.","controls":["0140"]},
      {"description":"Following the identification of a cyber security incident, the cyber security incident response plan is enacted.","controls":["1819"]}
    ]},
    {"title":"Patch operating systems","requirement":[
      {"description":"An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.","controls":["1807"]},
      {"description":"A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.","controls":["1808"]},
      {"description":"A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices.","controls":["1701"]},
      {"description":"A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices.","controls":["1702"]},
      {"description":"Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.","controls":["1877"]},
      {"description":"Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.","controls":["1694"]},
      {"description":"Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release.","controls":["1695"]},
      {"description":"Operating systems that are no longer supported by vendors are replaced.","controls":["1501"]}
    ]},
    {"title":"Multi-factor authentication","requirement":[
      {"description":"Multi-factor authentication is used to authenticate users to their organisation\u2019s online services that process, store or communicate their organisation\u2019s sensitive data.","controls":["1504"]},
      {"description":"Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their organisation\u2019s sensitive data.","controls":["1679"]},
      {"description":"Multi-factor authentication (where available) is used to authenticate users to third-party online services that process, store or communicate their organisation\u2019s non-sensitive data.","controls":["1680"]},
      {"description":"Multi-factor authentication is used to authenticate users to their organisation\u2019s online customer services that process, store or communicate their organisation\u2019s sensitive customer data.","controls":["1892"]},
      {"description":"Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their organisation\u2019s sensitive customer data.","controls":["1893"]},
      {"description":"Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data.","controls":["1681"]},
      {"description":"Multi-factor authentication is used to authenticate privileged users of systems.","controls":["1173"]},
      {"description":"Multi-factor authentication is used to authenticate unprivileged users of systems.","controls":["0974"]},
      {"description":"Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.","controls":["1401"]},
      {"description":"Multi-factor authentication used for authenticating users of online services is phishing-resistant.","controls":["1872"]},
      {"description":"Multi-factor authentication used for authenticating customers of online customer services provides a phishing-resistant option.","controls":["1873"]},
      {"description":"Multi-factor authentication used for authenticating users of systems is phishing-resistant.","controls":["1682"]},
      {"description":"Successful and unsuccessful multi-factor authentication events are centrally logged.","controls":["1683"]},
      {"description":"Event logs are protected from unauthorised modification and deletion.","controls":["1815"]},
      {"description":"Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.","controls":["1906"]},
      {"description":"Cyber security events are analysed in a timely manner to identify cyber security incidents.","controls":["1228"]},
      {"description":"Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.","controls":["0123"]},
      {"description":"Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.","controls":["0140"]},
      {"description":"Following the identification of a cyber security incident, the cyber security incident response plan is enacted.","controls":["1819"]}
    ]},
    {"title":"Regular backups","requirement":[
      {"description":"Backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements.","controls":["1511"]},
      {"description":"Backups of data, applications and settings are synchronised to enable restoration to a common point in time.","controls":["1810"]},
      {"description":"Backups of data, applications and settings are retained in a secure and resilient manner.","controls":["1811"]},
      {"description":"Restoration of data, applications and settings from backups to a common point in time is tested as part of disaster recovery exercises.","controls":["1515"]},
      {"description":"Unprivileged accounts cannot access backups belonging to other accounts.","controls":["1812"]},
      {"description":"Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts.","controls":["1705"]},
      {"description":"Unprivileged accounts are prevented from modifying and deleting backups.","controls":["1814"]},
      {"description":"Privileged accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups.","controls":["1707"]}
    ]}
  ]
}