Essential Eight Maturity Model

Download ASD Protect Essential Eight Maturity Model (PDF), September 2017
First published June 2017; updated July and September 2017

Introduction

The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies, in the form of ASD’s Strategies to Mitigate Cyber Security Incidents, to help organisations mitigate cyber security incidents caused by various cyber threats. The most effective of these mitigation strategies for targeted cyber intrusions and ransomware are known as the Essential Eight.

This document is intended for cyber security professionals looking to determine the maturity of their implementation of the Essential Eight mitigation strategies.

Maturity levels for mitigation strategies

To assist organisations in determining their maturity in the implementation of the Essential Eight mitigation strategies, five levels of maturity have been defined for each mitigation strategy. Broadly, the maturity levels are defined as:

  1. Maturity Level Zero: Not aligned with intent of mitigation strategy
  2. Maturity Level One: Partly aligned with intent of mitigation strategy
  3. Maturity Level Two: Mostly aligned with intent of mitigation strategy
  4. Maturity Level Three: Fully aligned with intent of mitigation strategy
  5. Maturity Level Four: For higher risk environments.

What maturity level should I aim for?

As a baseline, organisations should aim to reach a maturity level of three for all of the Essential Eight mitigation strategies. However, some organisations are constantly targeted by highly skilled adversaries, or otherwise operate in a higher risk environment. These organisations should aim to reach a maturity level of four for mitigation strategies designed to assist in mitigating the specific threat vectors that adversaries are known to be using against them.

The minimum criteria that must be met for each maturity level, for each mitigation strategy, are set out in the grid at the end of this document.

Further information

The Australian Government Information Security Manual (ISM) assists in the protection of official government information that is processed, stored or communicated by Australian government systems.

ASD’s Strategies to Mitigate Cyber Security Incidents complements the advice in the ISM.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.

Essential Eight Maturity Model

  Maturity Level Zero: Not aligned with intent of mitigation strategy
  Maturity Level One: Partly aligned with intent of mitigation strategy
  Maturity Level Two: Mostly aligned with intent of mitigation strategy
  Maturity Level Three: Fully aligned with intent of mitigation strategy
  Maturity Level Four: For higher risk environments
Application whitelisting

  Maturity Level Zero
    - Not implemented, or running in audit mode
  Maturity Level One
    - Implemented on at least workstations of high risk users
    - Running in enforcement mode
    - Any whitelisting method covering executables
  Maturity Level Two
    - Implemented on at least workstations of high risk users
    - Running in enforcement mode
    - An approved whitelisting method covering executables and software libraries
  Maturity Level Three
    - Implemented on all workstations
    - Running in enforcement mode
    - An approved whitelisting method covering executables, software libraries, scripts and installers
  Maturity Level Four
    - Implemented on all workstations
    - Running in enforcement mode
    - Exclusively hash-based whitelisting covering executables, software libraries, scripts and installers
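The following PowerShell script is an added example and is not part of the ASD document. It scores an AppLocker policy against the application whitelisting criteria above: whether executables, software libraries (the Dll collection), scripts and installers (the Msi collection) are all covered, whether each collection is enforced rather than audit-only, and whether the rules are exclusively hash-based. The sample policy embedded in the script is constructed for the example; its rule Ids, publisher name and SHA-256 value are placeholders. To assess the workstation you are on, replace the sample with the effective policy as shown in the comment.

```powershell
# Added example, not part of the ASD document. Scores an AppLocker policy against the
# application whitelisting row of the maturity grid. The sample policy below is
# constructed for this example; rule Ids, publisher and hash values are placeholders.
# To assess the local workstation instead, use:
#   [xml]$policy = Get-AppLockerPolicy -Effective -Xml

$SamplePolicyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="a1b2c3d4-0000-4000-8000-000000000001" Name="Allow signed vendor application"
                       Description="Placeholder publisher rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=EXAMPLE VENDOR, L=SYDNEY, S=NSW, C=AU" ProductName="EXAMPLE PRODUCT" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FileHashRule Id="a1b2c3d4-0000-4000-8000-000000000002" Name="Allow tool.exe by hash"
                  Description="Placeholder hash rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FileHashCondition>
          <FileHash Type="SHA256" Data="0x0000000000000000000000000000000000000000000000000000000000000000" SourceFileName="tool.exe" SourceFileLength="1" />
        </FileHashCondition>
      </Conditions>
    </FileHashRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000003" Name="Allow DLLs in Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000004" Name="Allow scripts in Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@
[xml]$policy = $SamplePolicyXml

function Get-WhitelistingMaturity {
    param([xml]$Policy)

    $required = 'Exe', 'Dll', 'Script', 'Msi'
    $collections = @{}
    foreach ($rc in @($Policy.AppLockerPolicy.RuleCollection)) {
        # A collection without the attribute behaves as NotConfigured
        $mode = if ($rc.EnforcementMode) { $rc.EnforcementMode } else { 'NotConfigured' }
        $ruleTypes = @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } |
                       Select-Object -ExpandProperty LocalName -Unique)
        $collections[$rc.Type] = [pscustomobject]@{ Mode = $mode; RuleTypes = $ruleTypes }
    }

    $enforced  = @($required | Where-Object { $collections[$_] -and $collections[$_].Mode -eq 'Enabled' })
    $auditOnly = @($required | Where-Object { $collections[$_] -and $collections[$_].Mode -eq 'AuditOnly' })
    $missing   = @($required | Where-Object { -not $collections[$_] -or $collections[$_].Mode -eq 'NotConfigured' })
    $allRules  = @($collections.Values | ForEach-Object { $_.RuleTypes })
    $hashOnly  = ($allRules.Count -gt 0) -and -not ($allRules | Where-Object { $_ -ne 'FileHashRule' })

    # This is a ceiling only: the grid also requires deployment to the right workstations
    # and, from Maturity Level Two, an approved whitelisting method.
    $ceiling = 0
    if ('Exe' -in $enforced)                                { $ceiling = 1 }
    if ('Exe' -in $enforced -and 'Dll' -in $enforced)       { $ceiling = 2 }
    if ($enforced.Count -eq $required.Count)                { $ceiling = 3 }
    if ($enforced.Count -eq $required.Count -and $hashOnly) { $ceiling = 4 }

    [pscustomobject]@{
        MaturityCeiling      = $ceiling
        EnforcedCollections  = $enforced -join ', '
        AuditOnlyCollections = $auditOnly -join ', '
        MissingCollections   = $missing -join ', '
        ExclusivelyHashBased = $hashOnly
    }
}

Get-WhitelistingMaturity -Policy $policy | Format-List
```

For the constructed sample the ceiling is Maturity Level Two: the Exe and Dll collections are enforced, but the Script collection is audit-only and the Msi collection is not configured, so neither scripts nor installers are actually controlled. Two practitioner caveats the script cannot judge for you: path rules that allow user-writable directories (the stock %WINDIR% default rules include some) let an attacker place their own binaries inside the allowed path, and an exclusively hash-based policy (Maturity Level Four) has to be regenerated after every application patch, which is the operational cost of that level.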

Patching applications

  Maturity Level Zero
    - Patches for extreme risk security vulnerabilities in Adobe Flash, web browsers, Microsoft Office, Oracle Java and PDF viewers are not applied, or are applied less frequently than monthly
    - Non-vendor-supported versions of the above applications are used
  Maturity Level One
    - Patches for extreme risk security vulnerabilities in Adobe Flash, web browsers, Microsoft Office, Oracle Java and PDF viewers are applied within one month for all workstations
    - Vendor-supported yet deprecated versions of the above applications are used
  Maturity Level Two
    - Patches for extreme risk security vulnerabilities in Adobe Flash, web browsers, Microsoft Office, Oracle Java and PDF viewers are applied within 48 hours for workstations of high risk users and within two weeks for all other workstations
    - Vendor-supported yet deprecated versions of the above applications are used
  Maturity Level Three
    - Patches for extreme risk security vulnerabilities in Adobe Flash, web browsers, Microsoft Office, Oracle Java and PDF viewers are applied and verified within 48 hours for all workstations
    - Vendor-supported yet deprecated versions of the above applications are used
  Maturity Level Four
    - Patches for extreme risk security vulnerabilities in Adobe Flash, web browsers, Microsoft Office, Oracle Java and PDF viewers are applied and verified within 48 hours for all workstations
    - The latest vendor-supported versions of the above applications are used

Microsoft Office macros

  Maturity Level Zero
    - All Microsoft Office macros can execute without prompting users for approval, or
    - Microsoft Office macro settings can be configured by users
  Maturity Level One
    - All Microsoft Office macros can execute, but only after prompting users for approval
    - Microsoft Office macro settings are enforced via Group Policy settings
  Maturity Level Two
    - Only signed Microsoft Office macros can execute
    - Microsoft Office macro settings are enforced via Group Policy settings
  Maturity Level Three
    - Only Microsoft Office macros in appropriately configured Trusted Locations can execute
    - Microsoft Office macro settings are enforced via Group Policy settings
  Maturity Level Four
    - Microsoft Office macros are blocked from executing and Trusted Locations are disabled
    - Microsoft Office macro settings are enforced via Group Policy settings
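The following PowerShell script is an added example, not part of the ASD document. It reports, for each Office application, the macro maturity level that a workstation's registry settings support. It assumes Office 2016/2019/Microsoft 365 (registry version "16.0") and checks Word, Excel and PowerPoint. Settings that Group Policy enforces live under HKCU\Software\Policies, which users cannot edit; the values under HKCU\Software\Microsoft are the user-editable ones that Maturity Level Zero allows, which is why the script distinguishes the two.

```powershell
# Added example, not part of the ASD document. Reports the Office macro maturity level
# a workstation's registry settings support. Assumes Office registry version "16.0"
# (Office 2016/2019/Microsoft 365) and checks Word, Excel and PowerPoint.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        return [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null   # key or value absent
    }
}

function Get-MacroMaturity {
    param([string]$App)
    # Group Policy writes here; users cannot change these values
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    # The application writes the user's own Trust Center choice here
    $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"

    # VBAWarnings: 1 = enable all macros, 2 = disable with notification (prompt),
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    $policyWarnings = Get-RegistryDword -Path $policyKey -Name 'VBAWarnings'
    $userWarnings   = Get-RegistryDword -Path $userKey   -Name 'VBAWarnings'
    $locationsOff   = Get-RegistryDword -Path "$policyKey\Trusted Locations" -Name 'AllLocationsDisabled'

    if ($null -eq $policyWarnings) {
        # Nothing enforced by policy: the user's own choice applies (Maturity Level Zero)
        $level = 0
        $detail = "no Group Policy value; user-editable VBAWarnings is '$userWarnings'"
    } else {
        switch ($policyWarnings) {
            1 { $level = 0; $detail = 'policy lets all macros run without prompting' }
            2 { $level = 1; $detail = 'policy prompts the user before running a macro' }
            3 { $level = 2; $detail = 'policy allows only digitally signed macros' }
            4 {
                if ($locationsOff -eq 1) {
                    $level = 4; $detail = 'policy blocks all macros and disables Trusted Locations'
                } else {
                    $level = 3; $detail = 'policy blocks all macros except those in Trusted Locations'
                }
            }
            default { $level = 0; $detail = "unrecognised VBAWarnings value $policyWarnings" }
        }
    }

    [pscustomobject]@{ Application = $App; MaturityLevel = $level; Detail = $detail }
}

$Apps | ForEach-Object { Get-MacroMaturity -App $_ } | Format-Table -AutoSize
```

The workstation's level is the lowest reported across the applications. The Maturity Level Three result is only a ceiling: the grid requires Trusted Locations to be "appropriately configured", and the script does not inspect the individual location entries under the Trusted Locations subkey, so a reviewer still has to confirm that none of them points at a user-writable or network path that an attacker could drop a document into.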

User application hardening

  Maturity Level Zero
    - Web browsers allow Adobe Flash, web advertisements and Java from the Internet
    - Unneeded features in Microsoft Office, web browsers and PDF viewers aren't disabled
  Maturity Level One
    - Web browsers block some, but not all, of Adobe Flash, web advertisements and Java from the Internet
    - Unneeded features in Microsoft Office, web browsers and PDF viewers aren't disabled
  Maturity Level Two
    - Web browsers block Adobe Flash, web advertisements and Java from the Internet
    - Unneeded features in Microsoft Office, web browsers and PDF viewers aren't disabled
  Maturity Level Three
    - Web browsers block Adobe Flash, web advertisements and Java from the Internet
    - Unneeded features in Microsoft Office, web browsers and PDF viewers are disabled
  Maturity Level Four
    - Web browsers are hardened using vendor hardening guides, in addition to having Adobe Flash uninstalled and both web advertisements and Java from the Internet blocked
    - Microsoft Office, web browsers and PDF viewers are hardened using ASD and vendor hardening guides (where available), in addition to having unneeded features disabled

Restricting administrative privileges

  Maturity Level Zero
    - Requirements for privileged accounts are not validated
    - No duties-based restrictions on privileged accounts are applied
    - All privileged accounts are capable of reading emails and web browsing
  Maturity Level One
    - Requirements for privileged accounts are validated initially
    - No duties-based restrictions on privileged accounts are applied
    - Most privileged accounts are restricted from reading emails and web browsing
  Maturity Level Two
    - Requirements for privileged accounts are validated initially and on an annual basis
    - No duties-based restrictions on privileged accounts are applied
    - All privileged accounts are restricted from reading emails and web browsing using policy controls
  Maturity Level Three
    - Requirements for privileged accounts are validated initially and on an annual basis
    - Duties-based restrictions on privileged accounts are applied
    - All privileged accounts are blocked from reading emails and web browsing using technical controls
  Maturity Level Four
    - Requirements for privileged accounts are validated initially and on a monthly basis, or before they are required for a task and revoked immediately afterwards
    - Duties-based restrictions on privileged accounts are applied
    - All privileged accounts are blocked from reading emails and web browsing using technical controls

Patching operating systems

  Maturity Level Zero
    - Patches for extreme risk security vulnerabilities in operating systems are not applied, or are applied less frequently than monthly
    - A non-vendor-supported operating system is used
  Maturity Level One
    - Patches for extreme risk security vulnerabilities in operating systems are applied within one month for all workstations
    - A vendor-supported yet deprecated operating system is used
  Maturity Level Two
    - Patches for extreme risk security vulnerabilities in operating systems are applied within 48 hours for workstations of high risk users and within two weeks for all other workstations
    - A vendor-supported yet deprecated operating system is used
  Maturity Level Three
    - Patches for extreme risk security vulnerabilities in operating systems are applied and verified within 48 hours for all workstations
    - A vendor-supported yet deprecated operating system is used
  Maturity Level Four
    - Patches for extreme risk security vulnerabilities in operating systems are applied and verified within 48 hours for all workstations
    - The latest vendor-supported operating system is used

Multi-factor authentication

  Maturity Level Zero
    - Multi-factor authentication is not implemented for users using remote access solutions, users performing privileged actions and users accessing important (sensitive or high-availability) data repositories
  Maturity Level One
    - Multi-factor authentication is implemented for users using remote access solutions
    - In addition to passphrases, only authentication methods from the following list are used: U2F security keys, physical OTP tokens, biometrics, smartcards, mobile apps, SMS messages, emails, voice calls and/or software certificates
  Maturity Level Two
    - Multi-factor authentication is implemented for users using remote access solutions and users performing privileged actions
    - In addition to passphrases, only authentication methods from the following list are used: U2F security keys, physical OTP tokens, biometrics, smartcards, mobile apps, SMS messages, emails and/or voice calls
  Maturity Level Three
    - Multi-factor authentication is implemented for users using remote access solutions, users performing privileged actions and users accessing important (sensitive or high-availability) data repositories
    - In addition to passphrases, only additional authentication methods from the following list are used: U2F security keys, physical OTP tokens, biometrics and/or smartcards
  Maturity Level Four
    - Multi-factor authentication is implemented for users using remote access solutions, users performing privileged actions and users accessing important (sensitive or high-availability) data repositories
    - In addition to passphrases, only additional authentication methods from the following list are used: U2F security keys and/or physical OTP tokens

Daily backups

  Maturity Level Zero
    - Backups of important new/changed data, software and configuration settings are either not performed or performed less often than monthly
    - Full recovery has not been tested
  Maturity Level One
    - Backups of important new/changed data, software and configuration settings are performed monthly
    - Backups are stored online
    - Backups are stored for less than three months
    - Full recovery has been tested at least once
  Maturity Level Two
    - Backups of important new/changed data, software and configuration settings are performed weekly
    - Backups are stored offline
    - Backups are stored for less than three months
    - Full recovery has been tested at least once, and partial recovery is tested on an annual or more frequent basis
  Maturity Level Three
    - Backups of important new/changed data, software and configuration settings are performed daily
    - Backups are stored offline
    - Backups are stored for three months or longer
    - Full recovery has been tested at least once, including after fundamental IT infrastructure changes, and partial recovery is tested on an annual or more frequent basis
  Maturity Level Four
    - Backups of important new/changed data, software and configuration settings are performed daily or continuously
    - Backups are stored offline at multiple geographically-dispersed locations
    - Backups are stored for three months or longer
    - Full recovery has been tested at least once, including after fundamental IT infrastructure changes, and full recovery is tested on an annual or more frequent basis