Top 11 Cybersecurity Frameworks for Australian Businesses in 2022

Are you confused about what cyber security program you should comply with? Australia currently has no clear mandatory minimum cyber security standard for business, although it is recommended all businesses consider the Essential Eight maturity model and meet the minimum standard relevant to their business model.

Top Cyber Frameworks of 2022

If you run an Australian business, you can be excused for being confused about which cyber security programs you are responsible for implementing to protect your business and customers. Unlike in the USA, Australia’s minimum cyber security mandates are not clearly defined.

In March 2022 the ACSC issued an alert urging businesses to urgently adopt an enhanced cyber security posture. We covered what this means for your business in a recent blog post.

Related:  ACSC issues alert to Australian Businesses to adopt a cyber security strategy

The Australian government is moving towards a national security reform, which means industry-specific regulatory standards will likely be introduced to address the vulnerabilities unique to each sector.

To help strengthen cyber resilience, we’ve compiled a list of available cybersecurity frameworks that Australian businesses can reference to improve their security posture and protect themselves from cyberattacks and other cyber threats.

What is a cyber security framework?

A cyber security framework is a set of guidelines or a template that outlines policies and procedures you can use in your business. These frameworks help you establish and maintain your cyber security posture: when a framework is applied, your cyber security resilience should improve and the risk of a cyber event should be minimised.

Most of the listed IT security frameworks focus on a risk-management approach. Consequently, they’re easily adaptable to match your needs and can be applied to target the specific risks that threaten your IT security.

Top 11 Cyber Security Frameworks for Australian Businesses in 2022

1. ASD Essential Eight

The Essential Eight was developed by the Australian Cyber Security Centre (ACSC) in 2017 to help businesses mitigate cyber security threats and data breaches. In March 2022, the ACSC issued an alert for all Australian businesses to implement the Essential Eight, treating the maturity model as a minimum.

The Essential Eight comprises eight mitigation strategies or security controls divided across three primary objectives. When implementing the Essential Eight, organisations should first identify a target maturity level that is suitable for their environment. Organisations should then progressively implement each maturity level until that target is achieved.

Objective 1:  Prevent Cyberattacks

The first objective aims to protect internal systems from malicious software such as ransomware and from other cyber threats.

  • Patch Applications
  • Application Control
  • User Application Hardening
  • Configure Microsoft Office Macro Settings

Objective 2:  Limit the Extent of Cyberattacks

This objective aims to limit how far an attack can spread once an attacker has gained access. This is achieved by remediating all security vulnerabilities so attackers cannot exploit them.

  • Restrict Administration Privileges
  • Patch Operating Systems
  • MFA or Multifactor Authentication

Objective 3:  Data Recovery and System Availability

The final objective covers the last stage of a cyber incident: recovery. Sensitive data must be continuously backed up so that the system’s availability can be restored through immediate data recovery.

  • Daily Backups

ACSC Essential Eight Maturity Model

To guide implementation, the ACSC has published a maturity scale that measures your business’s alignment with each strategy.

  • Level 0 (Immature) – Not aligned with the mitigation strategy (no compliance)
  • Level 1 (Intermittent) – Partly aligned with the mitigation strategy (low compliance)
  • Level 2 (Committed) – Mostly aligned with the mitigation strategy (medium compliance)
  • Level 3 (Advanced) – Fully aligned with the mitigation strategy (highly protected)

The minimum recommended baseline is Maturity Level 3.

Take our self-assessment to see how your business stacks up with the Essential Eight:  Essential Eight Self Assessment Tool

What industries does the Essential Eight apply to?

The Australian Signals Directorate recommends all Australian Government entities and businesses implement the Essential Eight framework for best cybersecurity practice.

Is the Essential Eight Mandatory for Australian Businesses?

This is rapidly evolving, so here are the links to the most recent information:

  • The Australian Department of Home Affairs has recently made amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act).  On 2 December 2021, the SOCI Act was amended to apply obligations to certain assets, including new assets defined in the SOCI Act and the Asset Definition Rules.  Learn More.
  • The Security of Critical Infrastructure Act 2018 mandates cyber incident reporting for critical infrastructure assets. Critical Infrastructure owners and operators are required to report a cyber security incident if you are captured by the critical infrastructure asset definitions.  Fact Sheet.
  • The Protective Security Policy Framework (PSPF), administered by AGD, mandates that all non-corporate Commonwealth entities implement four specific Essential Eight mitigation strategies (known as the Top Four) and strongly recommends the adoption of the entire Essential Eight. Learn more:  ACSC Essential Eight Cyber Security Guidelines & the Maturity Model and ACSC Strategies to mitigate cyber security incidents
  • Since 2018, it has been mandatory for all businesses with an annual turnover of at least $3 million to report data breaches to the OAIC – whether or not they’ve embraced the Essential Eight framework.

Becoming compliant with the Essential Eight

KMT empowers Australian businesses with our comprehensive managed cyber security service. Our attack surface monitoring service provides a complete cyber security solution to protect your business from most cyber threats.

Speak to us today:  Contact Us

2. AESCSF Program - Australian Energy Sector Cyber Security Framework

The Australian Energy Sector Cyber Security Framework (AESCSF) program provides a tool for assessing cyber security maturity across Australia’s energy sector.  Protecting Australia’s energy sector from cyber threats is of national importance. These protections maintain secure and reliable energy supplies thereby supporting our economic stability and national security.

The program applies to the following sectors:

  • gas markets and non-Australian Energy Market Operator (AEMO)
  • Australian Energy Sector
  • electricity grids and markets
  • liquid fuels

The AESCSF assesses cyber security maturity and uplift capability, which strengthens the energy sector’s cyber resilience. The AESCSF was developed in 2018 by AEMO, the industry and the Australian Government.  Learn More.

3. Australian Government Protective Security Policy Framework (PSPF)

The Protective Security Policy Framework (PSPF) empowers Australian Government entities to protect their people, information, and assets.

Its goal is to cultivate a positive security culture across all entities. It applies both in Australia and overseas.

The PSPF aims to implement the following policies. Each policy links to core requirements guidelines.

There are 5 PSPF principles that represent desired security outcomes:

  1. Security is everyone’s responsibility – A positive security culture supports the achievement of security outcomes.
  2. Security enables the business of government – It supports the efficient and effective delivery of services.
  3. Security measures applied proportionately protect entities’ people, information and assets in line with their assessed risks.
  4. Accountable authorities own the security risks of their entity and the entity’s impact on shared risks.
  5. A cycle of action, evaluation and learning is evident in response to security incidents.

Learn more.

Is the PSPF mandatory for Australian Businesses?

The PSPF must be applied to all Government entities and non-corporate government entities in accordance with their risk profiles.

The PSPF is considered the best cybersecurity practice for all Australian state and territory agencies.

4. Australian Signals Directorate (ASD) Information Security Manual (ISM)

The ASD applies a risk-based approach to cyber security that draws on the risk-management framework of the National Institute of Standards and Technology (NIST). Its Information Security Manual (ISM) is published across several documents, each with an outline of the standard it covers, so you can quickly determine which one is most relevant to your industry. The manual is updated regularly and maintained in accordance with the Intelligence Services Act 2001.

The ASD published the ISM for government agencies. The ISM is intended for CIOs, CISOs and cyber security professionals.

What industries is ISM applicable to?

A variety of industries where cyber-security measures need to be implemented can use the ISM. This IT security framework focuses on minimising risks and exposure as a general rule.

Is the ISM mandatory for Australian Businesses?

The ISM is not mandatory for all Australian businesses.

Learn More

5. The Australian Security of Critical Infrastructure Act 2018

The Security of Critical Infrastructure Act 2018 (the Act) seeks to manage the complex and evolving national security risks of sabotage, espionage and coercion posed by foreign involvement in Australia’s critical infrastructure.

There are three primary directives of the Australian Security of Critical Infrastructure Act:

  1. Owners and operators of critical infrastructures must register all relevant assets.
  2. Owners and operators of critical infrastructure must supply the Department of Home Affairs with all required information that could support the Department’s security efforts.
  3. Owners and operators of critical infrastructure must comply with all instructions from the Minister for Home Affairs that support the mitigation of national security risks where all other risk mitigation efforts have been exhausted.

The Act applies to 22 asset classes across 11 sectors including:

  • communications
  • data storage or processing
  • defence
  • energy
  • financial services and markets
  • food and grocery
  • health care and medical
  • higher education and research
  • space technology
  • transport
  • water and sewerage

Learn More

Is the Security of Critical Infrastructure Act 2018 mandatory for Australian Businesses?

Currently, there are no announcements enforcing compliance.

6. Control Objectives for Information Technology (COBIT)

COBIT stands for Control Objectives for Information and Related Technology. It is a framework created by ISACA (the Information Systems Audit and Control Association) for IT governance and management. It was designed as a supportive tool for managers, bridging the crucial gap between technical issues, business risks, and control requirements.

COBIT’s business orientation links business goals with the IT infrastructure that supports them. It provides maturity models and metrics that measure how well those goals are achieved, while identifying the business responsibilities associated with each IT process.

COBIT 4.1 was built around a process-based model subdivided into four domains:

  • Plan and Organise
  • Deliver and Support
  • Acquire and Implement
  • Monitor and Evaluate

What industries does COBIT apply to?

COBIT supports all businesses that depend on the reliable distribution of relevant information.

How to be compliant with COBIT

Some of the practices that support this effort include:

  • Ensuring the correct information security policies are in place
  • Implementing safeguards to detect and remediate data leaks
  • Remediating vulnerabilities placing sensitive data at risk.

Learn More

Is COBIT mandatory for Australian Businesses?

Currently, there are no announcements enforcing compliance.

7. Center for Internet Security (CIS) Controls

The CIS Controls are a prioritised set of cyber defence safeguards published by the Center for Internet Security. The most recent revision reflects changes in the way organisations now operate, including:

  1. New work-from-home arrangements
  2. Increased reliance on cloud-based solutions
  3. Increased mobile endpoints
  4. Increased adoption of virtualisation
  5. The transition to hybrid workforces

What industries does CIS apply to?

The CIS Controls are not industry-specific, but they can assist industries that store a lot of sensitive data, such as finance and healthcare.

Are the CIS Controls mandatory for Australian Businesses?

Currently, there are no announcements enforcing compliance.

However, they are recommended for the superior protection of sensitive data they offer.

Learn More

8. NIST Cyber Security Framework

The framework’s core is a list of cybersecurity functions that follow the basic pattern of cyber defense: identify, protect, detect, respond, and recover. The framework provides an organized mechanism for identifying risks and assets that require protection. It lists the ways the organization must protect these assets by detecting risks, responding to threats, and then recovering assets in the event of a security incident.

What industries does the NIST CSF apply to?

The NIST Cyber Security Framework was originally intended to protect critical infrastructure, such as power plants and dams, from cyber attacks. However, it can be applied by any business that seeks better security.

Is the NIST CSF mandatory for Australian Businesses?

Currently, there are no announcements enforcing compliance.

Learn More

9. ISO/IEC 27001

ISO 27001/27002, also known as ISO 27K, is the internationally recognised standard for cybersecurity. ISO/IEC 27001 requires that management systematically manage the organisation’s information security risks, taking into account threats and vulnerabilities. The framework then requires the organisation to design and implement information security (InfoSec) controls that are both coherent and comprehensive. The goal of these controls is to mitigate the identified risks.

The ISO 27002 lists 114 security controls divided into 14 control sets:

  1. Information security policies
  2. Organisation of information security
  3. Human resource security
  4. Asset management
  5. Access control
  6. Cryptography
  7. Physical and environmental security
  8. Operations security
  9. Communications security
  10. System acquisition, development and maintenance
  11. Supplier relationships
  12. Incident management
  13. Information security aspects of business continuity management
  14. Compliance

Who can implement ISO 27002?

There is no limit to the organisations that can successfully implement and benefit from ISO 27002.

Is ISO 27002 mandatory for Australian Businesses?

Australian governments should adopt ISO and/or IEC standards as a baseline. For information classified as “PROTECTED”, Australian governments should mandate ISO/IEC 27001, SOC 2 and potentially FedRAMP (which is a US Government program).

Learn More

10. General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the European Union’s data protection law. It sets out 7 key principles:

  1. Lawfulness, fairness and transparency.
  2. Purpose limitation.
  3. Data minimisation.
  4. Accuracy.
  5. Storage limitation.
  6. Integrity and confidentiality (security).
  7. Accountability.

Is the GDPR mandatory for Australian Businesses?

All Australian businesses, regardless of their size, must be GDPR compliant if they either:

  • Have an establishment in the European Union.
  • Offer goods and services in the European Union.

Learn More

11. Cloud Controls Matrix (CCM)

The Cloud Controls Matrix (CCM), published by the Cloud Security Alliance (CSA), is a control framework for cloud computing. The CCM is particularly effective because it maps its controls to prominent security standards and regulations such as:

  • AICPA
  • BITS Shared Assessments
  • German BSI C5
  • PIPEDA Canada
  • CIS AWS Foundation
  • COBIT
  • COPPA
  • ENISA IAF
  • 95/46/EC EU Data Protection Directive
  • FedRAMP
  • FERPA
  • GAPP
  • HIPAA/HITECH Act
  • HITRUST CSF
  • ISO/IEC 27001
  • ISO/IEC 27002
  • ISO/IEC 27017
  • ISO/IEC 27018
  • Mexico Federal Law
  • NERC CIP
  • NIST SP800-53
  • NZISM
  • ODCA UM: PA
  • PCI DSS
  • IEC 62443-3-3
  • C5.

CCM caters to all parties in a cloud computing relationship – cloud customers and cloud solution providers.

Is the Cloud Control Matrix Mandatory for Australian Businesses?

The CCM is not a mandatory requirement in Australia. However, the framework is designed to map to mandatory regulations and frameworks.

The Cloud Security Alliance has created a series of mappings to the Cloud Control Matrix (CCM) that can be accessed here.

CSA is regularly updating this list, so if your required cybersecurity framework mapping is not included in this list, contact CSA to confirm whether it will be in the future.

Final Thoughts

Your IT security framework is what safeguards your data, networks, and business from cyber attack.  These frameworks provide you with everything you need to be compliant with cyber security standards. Whether you choose to implement one or choose to mix and match protocols and policies to make your own personalised IT security framework is up to you, but either way you are making the choice to protect your business in the best way possible.

Summary
Article Name: Top 11 Cybersecurity Frameworks for Australian Businesses in 2022
Publisher Name: Kaine Mathrick Tech
