The Essential Eight Explained
Healthdirect Australia met all requirements to achieve at least a Maturity Level Two in all areas across all aspects of the healthdirect Video Call service. If you would like further detail on the Video Call Essential Eight Maturity Model Assessment, please contact firstname.lastname@example.org.
While no single mitigation strategy is guaranteed to prevent cyber security incidents, the ACSC recommends that organisations implement E8 mitigation strategies as a baseline. This baseline makes it much harder for adversaries to compromise systems. Furthermore, implementing the E8 proactively can be more cost-effective in terms of time, money and effort when compared to responding to a large-scale cyber security incident. Based on the threats faced from adversaries, there is a suggested implementation order to assist organisations in building a strong cyber security posture for their systems. Once organisations have implemented their desired mitigation strategies to an initial level, they should focus on increasing the maturity of their implementation such that they eventually reach full alignment with the intent of each mitigation strategy. The E8 strategies the ACSC recommends as a baseline are as follows:
- Application control: This only allows selected software applications to run on computers. It aims to prevent unapproved software applications from executing, including malware.
- Patch applications: Patching fixes security vulnerabilities in software applications. It is important because adversaries will use known security vulnerabilities in applications to target computers.
- Disable untrusted Microsoft Office macros: Microsoft Office applications can use software known as 'macros' to automate routine tasks. Macros are increasingly being used to enable the download of malware. Macros can allow adversaries to access sensitive information, so macros should be secured or disabled.
- User application hardening: This includes activities like blocking web browser access to Adobe Flash Player, web advertisements and untrusted Java code on the Internet. Flash, Java and web ads have long been popular ways to deliver malware to infect computers.
- Restrict administrative (admin) privileges: This means that administrator privileges are only used for managing systems, installing legitimate software, and applying software patches. These should be restricted to only those that need them. Admin accounts are the 'keys to the kingdom'; adversaries use these accounts for full access to information and systems.
- Patch operating systems: Patching fixes security vulnerabilities in operating systems. It is important because adversaries will use known security vulnerabilities in the operating system to target computers.
- Multi-factor authentication: This is when a user is only granted access after successfully presenting multiple, separate pieces of evidence. Having multiple factors of authentication makes it a lot harder for adversaries to access your information.
- Daily backup of important data: This means regularly backing up all data and storing it offline, or online but in a non-rewritable and non-erasable manner. This enables an organisation to access data again if it suffers a cyber security incident.
Essential Eight Maturity Model
To assist organisations in determining the effectiveness of their implementation of the E8, a maturity model has been developed. The model defines four maturity levels for each mitigation strategy.
- Maturity Level Zero - Limited or no alignment with intent of mitigation strategy
- Maturity Level One - Partly aligned with intent of mitigation strategy
- Maturity Level Two - Mostly aligned with intent of mitigation strategy
- Maturity Level Three - Fully aligned with intent of mitigation strategy