The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies are the Essential Eight.
The Australian Cyber Security Centre (ACSC) Essential Eight Maturity Model is designed to assist organisations to implement the Essential Eight in a graduated manner based upon different levels of adversary tradecraft and targeting.
The different maturity levels can also be used to provide a high-level indication of an organisation’s cyber security maturity.
The Essential Eight has been designed to protect Microsoft Windows-based internet-connected networks. While the principles behind the Essential Eight may be applied to cloud services and enterprise mobility, or other operating systems, it was not primarily designed for such purposes and alternative mitigation strategies may be more appropriate to mitigate unique cyber threats to these environments.
In Short: The Essential Eight is not appropriate for Cloud Service Providers including: IaaS, Paas, CaaS and SaaS.
Cloud Service providers should follow the cloud-specific mitigatons as defined in the Cloud Computing Security for Cloud Service Providers.
Achieving a maturity level as a package will provide a more secure baseline than achieving higher maturity levels in a few mitigation strategies to the detriment of others.
This is due to the Essential Eight being designed to complement each other and to provide broad coverage of various cyber threats.
Therefore organisations are advised to achieve a consistent maturity level across all eight mitigation strategies before moving onto a higher maturity level.
Note: the appropriate use of exceptions should not preclude an organisation from being assessed as meeting the requirements for a given maturity level.
Organisations should implement the Essential Eight using a risk-based approach. In doing so, organisations should seek to minimise any exceptions and their scope, for example, by implementing compensating controls and ensuring the number of systems or users impacted are minimised. In addition, any exceptions should be documented and approved through an appropriate process. Subsequently, the need for any exceptions, and associated compensating controls, should be monitored and reviewed on a regular basis.
Note, the appropriate use of exceptions should not preclude an organisation from being assessed as meeting the requirements for a given maturity level.
As the Essential Eight outlines a minimum set of preventative measures, organisations need to implement additional measures to those within this maturity model where it is warranted by their environment. Furthermore, while the Essential Eight can help to mitigate the majority of cyber threats, it will not mitigate all cyber threats. As such, additional mitigation strategies and controls need to be considered, including those from the Strategies to Mitigate Cyber Security Incidents and the Information Security Manual.
Finally, there is no requirement for organisations to have their Essential Eight implementation certified by an independent party. However, Essential Eight implementations may need to be assessed by an independent party if required by a government directive or policy, by a regulatory authority, or as part of contractual arrangements.