LIVE WEBINAR Copilot AI for Microsoft 365 From Friction to Flow in Legal Sector

ACSC Essential Eight Maturity Model Changes

Exploring the 2023 Updates to the ACSC Essential Eight Maturity Levels

ACSC Essential Eight Maturity Model Changes

ACSC Essential Eight further information & resources

Enhance Your Cybersecurity Expertise: Sign up with our Learning Centre now to gain special access to a wealth of knowledge. Discover a library of expertly created eBooks, access webinars whenever you want, and tap into a treasure trove of invaluable cybersecurity resources. Take your knowledge and skills in cybersecurity to new heights!

ACSC Essential Eight Maturity Model update

Introduction

The Australian Cyber Security Centre’s (ACSC) November 2023 update to the Essential Eight Maturity Model (E8MM) introduces significant changes to enhance cybersecurity measures. These updates reflect the evolving nature of cyber threats and are designed to provide contemporary, practical advice for organisations to defend against these threats. The ACSC, part of the Australian Signals Directorate, updates the E8MM annually to assist organisations in protecting their internet-connected IT networks against common cyber threats​​​​.

Key Updates in the November 2023 Essential Eight Maturity Model

  1. Patch Applications and Operating Systems: The update places higher priority on patching scenarios, especially for critical vulnerabilities. Organisations are urged to patch, update, or mitigate such vulnerabilities within 48 hours. Applications interacting with untrusted content require patching within a two-week timeframe, emphasizing proactive vulnerability scanning​​.
  2. Multi-Factor Authentication (MFA): MFA requirements have been reinforced. The new standard includes ‘something users have’ in addition to ‘something users know’ at Maturity Level One. MFA is now mandatory for web portals storing sensitive data, with an emphasis on phishing-resistant MFA. Organisations must enforce MFA for staff logging onto business systems to achieve Maturity Level 2​​.
  3. Restrict Administrative Privileges: Enhanced governance processes for privileged access, including data repositories. Privileged accounts accessing the internet must be explicitly identified and limited. Requirements for secure admin workstations, break glass accounts, and infrastructure hardening are introduced​.
  4. Application Control: Annual reviews of application control rule sets and the implementation of Microsoft’s recommended application blocklist are important at Maturity Level Two​.
  5. User Application Hardening: Following the discontinuation of Internet Explorer 11 support, organisations must disable or remove it. The focus is on implementing both ASD and vendor hardening guidance, prioritising the most stringent requirements. This includes PowerShell logging and command-line process creation events at Maturity Level Two and Three​.
  6. Regular Backups: No significant changes, but organisations are encouraged to consider the business criticality of data when prioritising backups. This impacts Maturity Level One through Three​.
  7. Logging: The centralised logging requirement has shifted from Maturity Level 3 to Maturity Level 2, impacting the size of log repositories substantially​.
  8. Cloud Service Management and Incident Detection and Response: These are new areas of focus in the update​.

Maturity Levels in the Essential Eight:

  • ML 0: Recently reintroduced.
  • ML 1: Recommended for small to medium businesses (SMBs).
  • ML 2: For larger enterprises.
  • ML 3: The highest level, for enterprises or government agencies with critical infrastructures or higher threat environments. The requirements for ML 3 have increased significantly to address the need for more stringent protections​.

Each maturity level is divided into eight components, including patching and vulnerability management, configuration management, and application security testing. By working through these components, organizations can measure their progress toward compliance​.

Conclusion

The November 2023 update to the ACSC Essential Eight Maturity Model brings substantial changes across all maturity levels, aiming to strengthen the cybersecurity posture of organisations against the evolving landscape of cyber threats. These updates emphasise proactive and rigorous approaches in areas such as patching, MFA, administrative privileges, application control, and user application hardening, along with new focuses on cloud service management and incident detection and response. It’s crucial for organisations to assess their current cybersecurity maturity against these updated standards and implement the necessary measures to enhance their defences.

Uplevel your cyber security today!

Experience Premier Protection with Kaine Mathrick Tech’s Managed Security Services. Tailored specifically for your individual requirements, our services offer you the chance to enhance your operations with unparalleled cybersecurity proficiency. Don’t wait – secure your business with our expert-led security solutions today.

Summary
ACSC Essential Eight Maturity Model Changes
Article Name
ACSC Essential Eight Maturity Model Changes
Description
Safeguard your Brisbane business with the ultimate 2024 cybersecurity solutions. Get ahead of cyber threats with tailored, expert insights.
Author
Publisher Name
Kaine Mathrick Tech
Publisher Logo

Related Stories

Top 11 Cybersecurity Frameworks for Australian Businesses

Top 11 Cybersecurity Frameworks for Australian Businesses (Updated 2024)

Are you confused about what cyber security program you should comply with? Australia currently has no clear mandatory minimum cyber security standard for business, although it is recommended all businesses consider the Essential Eight maturity model and meet the minimum standard relevant to their business model.

All-Inclusive IT Support & Fully Managed IT Services

All-Inclusive IT Support & Fully Managed IT Services

Managed service providers offer all-inclusive managed IT support packages to serve their clients better. Read this blog to learn some of the services included.

What Does MSP Stand For

What Does MSP Stand For?

Explore the Complete Potential of Your Company with Managed Services

Want to be part of the crowd?

Summary
ACSC Essential Eight Maturity Model Changes
Article Name
ACSC Essential Eight Maturity Model Changes
Description
Safeguard your Brisbane business with the ultimate 2024 cybersecurity solutions. Get ahead of cyber threats with tailored, expert insights.
Author
Publisher Name
Kaine Mathrick Tech
Publisher Logo