Cybersecurity Maturity Assessment

Essential 8 Assessment Template

This tool assists an initial review of an organisation's cyber security posture against the controls defined by the ACSC in the Essential 8 control objectives. It considers the risk level defined for the organisation (the Essential 8 Maturity Level being targeted) and the maturity status of each implemented control. From this, an improvement strategy can be defined for the organisation to ensure an effective level of cyber security control is in place.

This should be augmented by a programme of 'Continuous Assurance' to ensure the controls remain operational and effective.

Source Publications
The following publication has been used as a source of information to prepare this assessment:
Assessment against the ACSC Essential 8 criteria using the Maturity Levels (ML1 to ML3) - 2018

Essential 8 Maturity Levels (not used in this review)

Level              Description
Maturity Level 0   There are weaknesses in the organisation’s overall cyber security posture. The organisation should assess all cyber security controls currently in place and identify where additional controls would improve the overall security posture.
Maturity Level 1   Mitigates against adversaries who are content to simply leverage commodity tradecraft that is widely available. The organisation is assessed as low risk, with little reason it would be targeted for information or financial gain.
Maturity Level 2   Adversaries operating with a modest step-up in capability from the previous maturity level. The organisation is operating in a more classified area where compromise could have a significant impact on services.
Maturity Level 3   Adversaries who are more adaptive and much less reliant on public tools and techniques. The organisation is operating in a highly sensitive area where compromise could have a significant impact on both the organisation and national undertakings.

Remediation Prioritisation Considerations

The following criteria for improvement are not used directly in this assessment tool; they appear in the ASD37 Tool. However, consideration should be given to the objectives for priority outlined below. Each remediation item is rated on three factors; the three ratings are summed to give a score, and the score maps to a remediation timeframe.

Business Benefit
  3  Highest Priority: implementation will realise immediate benefit and reduce operational overhead.
  2  Secondary Priority: operational processes somewhat improved.
  1  Lowest Priority: there is no immediate business benefit, however it will improve security posture.

Risk Mitigation
  3  Directly mitigates a high security risk.
  2  Supports mitigation of an identified risk and improves security posture.
  1  Improves security posture but cannot be attributed to a particular risk.
  0  Capability is already in place. Monitor and maintain.

Ease of Implementation
  3  Is part of an existing capability suite and can be easily implemented.
  2  Incurs some cost but has low implementation and maintenance overhead.
  1  Is a new capability requiring new operational skills.

Score     Remediation timeframe
9         Immediate
7 to 8    Within 3 to 6 months
5 to 6    Within 12 months
3 to 4    Within 24 months

Changes
5/24/2024  Initial release
5/29/2024  Updated to allow filtering on columns
Customer Information
Customer Name

Office Addresses

Primary Contact

Contact Email

Contact Phone

Scope of Work

Environment Assessed

In conducting an assessment, assessors need to gather and review credible evidence to support the conclusions they draw on the effectiveness of controls. In general terms, the evidence used to determine the effectiveness of controls will vary in quality depending on the approach taken. As such, when conducting an assessment, assessors should seek to gather and use the highest quality evidence where reasonably practicable. This guide defines four levels of evidence quality:

Excellent evidence: Testing a control with a simulated activity designed to confirm it is in place and effective (e.g. attempting to run a test application to check application control rulesets).

Good evidence: Reviewing the configuration of a system through the system’s interface to determine whether it should enforce an expected policy.

Fair evidence: Reviewing a copy of a system’s configuration (e.g. using reports or screenshots) to determine whether it should enforce an expected policy.

Poor evidence: A policy or verbal statement of intent (e.g. sighting mention of controls within documentation, or controls being discussed during interviews with personnel administering or managing system security).

Instructions on Completing the Assessment

Define the Environment Scope
Brief description of the environment being assessed. Try to ensure there are distinct boundaries that can be defined between environments. This will ensure the review doesn't become too extensive and unmanageable.

Assessment Rating
For each of the Essential 8 elements and target objectives, assign a rating based on those in the drop-down lists. These provide a compliance rating that goes towards the overall Ess8 compliance rating for the Element; they are rated against the criteria outlined on the previous page.
NB: If the organisation is only intending to achieve ML-1 compliance, only the criteria listed under ML-1 in each of the Elements need to be completed. It would, however, be beneficial to consider the other (ML-2 and ML-3) criteria for completeness.

Recommendations
A brief recommendation on how to address any failings should be given. These do not need to be detailed but may reference an ongoing project or business case.

Remediation Priority
Define the priority for the remediation activity. Consideration should be given to:
- Business benefit;
- Addressing identified risks;
- Ease of implementation.

Rationale
If applicable, a rationale for the priority recommendation can be included. This will give more context to decision makers.

Results
The results show a summary of each of the Essential 8 Elements and their overall status. Note: all criteria in the element need to be achieved, or an alternative control in place, for the Element to be compliant.

All Elements in each of the Maturity Levels must be compliant to enable the next level up to be deemed compliant. That is, all Elements of ML-1 must be compliant before any Elements in ML-2 can be considered compliant.
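The roll-up and prioritisation rules of this template (every criterion achieved or covered by an alternative control for an Element to be compliant; the previous Maturity Level met before a higher one counts; Business Benefit, Risk Mitigation and Ease of Implementation summed and mapped to a timeframe) expressed as a small Python model. This is an added example, not the template's own spreadsheet logic. The rating labels, the "Blocked by lower level" status, and treating a Risk Mitigation rating of 0 as "Monitor and maintain" rather than scoring it are assumptions made here; the sample ratings are constructed, not a real assessment.

```python
"""Essential 8 assessment roll-up and remediation prioritisation (added example)."""

# Assessor ratings for a single criterion. The template's drop-down wording is not
# shown on the page, so these labels are an assumption.
ACHIEVED = "Achieved"
ALTERNATIVE = "Alternative control"   # counts as achieved, per the instructions
NOT_ACHIEVED = "Not achieved"

# Element status at one maturity level.
COMPLIANT = "Compliant"
NOT_COMPLIANT = "Not compliant"
BLOCKED = "Blocked by lower level"    # criteria met, but the previous ML is not
NOT_APPLICABLE = "Not applicable"     # no criteria at this level (Patch OS ML-2)


def element_status(criteria):
    """criteria: {criterion text: rating}. All must be achieved or covered."""
    if not criteria:
        return NOT_APPLICABLE
    if all(r in (ACHIEVED, ALTERNATIVE) for r in criteria.values()):
        return COMPLIANT
    return NOT_COMPLIANT


def maturity_status(assessment):
    """{element: {ml: {criterion: rating}}} -> {element: {ml: status}}.

    The previous ML must be met before a higher ML can be achieved in that
    element. A level with no criteria neither blocks nor satisfies the chain.
    """
    result = {}
    for element, levels in assessment.items():
        result[element] = {}
        lower_met = True
        for ml in (1, 2, 3):
            status = element_status(levels.get(ml, {}))
            if status == COMPLIANT and not lower_met:
                status = BLOCKED
            if status in (NOT_COMPLIANT, BLOCKED):
                lower_met = False
            result[element][ml] = status
    return result


def organisation_level(statuses):
    """Highest ML at which every element is Compliant or Not applicable; 0 if none."""
    level = 0
    for ml in (1, 2, 3):
        if all(s[ml] in (COMPLIANT, NOT_APPLICABLE) for s in statuses.values()):
            level = ml
        else:
            break
    return level


# Score -> timeframe table from the Remediation Prioritisation Considerations.
TIMEFRAMES = (
    (9, 9, "Immediate"),
    (7, 8, "Within 3 to 6 months"),
    (5, 6, "Within 12 months"),
    (3, 4, "Within 24 months"),
)


def remediation_priority(business_benefit, risk_mitigation, ease_of_implementation):
    """Return (score, timeframe). Risk Mitigation 0 means the capability is
    already in place ("Monitor and maintain"), so it is returned as such
    instead of being looked up; that handling is an assumption here."""
    if business_benefit not in (1, 2, 3) or ease_of_implementation not in (1, 2, 3):
        raise ValueError("Business Benefit and Ease of Implementation must be 1..3")
    if risk_mitigation not in (0, 1, 2, 3):
        raise ValueError("Risk Mitigation must be 0..3")
    score = business_benefit + risk_mitigation + ease_of_implementation
    if risk_mitigation == 0:
        return score, "Monitor and maintain"
    for low, high, timeframe in TIMEFRAMES:
        if low <= score <= high:
            return score, timeframe
    raise AssertionError("unreachable: score is 3..9 when risk_mitigation >= 1")


# Constructed sample ratings (not a real assessment), using criteria from this page.
SAMPLE = {
    "Application control": {
        1: {"Implemented on workstations": ACHIEVED,
            "Applied to user profiles and temporary folders": ALTERNATIVE},
        2: {"Implemented on internet-facing servers": NOT_ACHIEVED},
        3: {"Implemented on non-internet-facing servers": ACHIEVED},
    },
    "Patch operating systems": {
        1: {"Unsupported operating systems are replaced": ACHIEVED},
        2: {},  # the page lists no ML-2 criteria for this element
        3: {"Latest or previous release of operating systems used": ACHIEVED},
    },
    "Multi-factor authentication": {
        1: {"MFA for users of the organisation's online services": NOT_ACHIEVED},
        2: {"MFA for privileged users of systems": ACHIEVED},
        3: {"MFA for users of data repositories": ACHIEVED},
    },
}

if __name__ == "__main__":
    statuses = maturity_status(SAMPLE)
    for element, by_ml in statuses.items():
        print(element, by_ml)
    print("Organisation maturity level:", organisation_level(statuses))
    print(remediation_priority(3, 3, 3), remediation_priority(1, 2, 2))
```

In the sample, Application control ML-3 is rated as met but reports "Blocked by lower level" because ML-2 is not, and the organisation level is 0 because one ML-1 element fails; both behaviours follow the Results rule stated above.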
Stewart Hayes

peopleconcepts@outlook.com.au

0423 654 080


Results of Findings

Ess 8 Maturity Status (ML). The previous Maturity Level (ML) must have been met (green) before the higher Level can be achieved in each of the objective areas.

Objective Elements                              ML-1  ML-2  ML-3
1) Application Control                          0     0     0
2) Patch Applications                           0     0     0
3) Configure Microsoft Office macro settings    0     0     0
4) User application hardening                   0     0     0
5) Restrict administrative privileges           0     0     0
6) Patch operating systems                      0     -     0
7) Multi-factor authentication                  0     0     0
8) Regular backups                              0     0     0

In the blank template every cell above carries the status "There are weaknesses in the cyber security posture." The ML-2 cell for Patch operating systems instead shows "Not Applicable", as no ML-2 criteria are listed for that element.
Essential 8 Assessment Criteria

1) Application control

Definition: Application control is a security approach designed to protect against malicious code (also known as malware) executing on systems. When implemented robustly, it ensures only approved applications (e.g. executables, software libraries, scripts, installers, compiled HTML, HTML applications, control panel applets and drivers) can be executed. While application control is primarily designed to prevent the execution and spread of malicious code, it can also prevent the installation or use of unapproved applications.

ML-1
- Application control is implemented on workstations.
- Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients.
- Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.

ML-2
- Application control is implemented on internet-facing servers.
- Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email clients.
- Microsoft’s recommended application blocklist is implemented.
- Application control rulesets are validated on an annual or more frequent basis.
- Allowed and blocked application control events are centrally logged.
- Event logs are protected from unauthorised modification and deletion.
- Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.
- Cyber security events are analysed in a timely manner to identify cyber security incidents.
- Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.
- Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.
- Following the identification of a cyber security incident, the cyber security incident response plan is enacted.

ML-3
- Application control is implemented on non-internet-facing servers.
- Application control restricts the execution of drivers to an organisation-approved set.
- Microsoft’s vulnerable driver blocklist is implemented.
- Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.

2) Patch applications

Definition: Once a patch is released by a vendor, the patch should be applied in a timeframe commensurate with an organisation’s exposure to the security vulnerability and the level of cyber threat the organisation is aiming to protect itself against. For example, once a security vulnerability in an internet-facing service is made public, it can be expected that malicious code will be developed by adversaries within 48 hours. In fact, there are cases in which adversaries have developed malicious code within hours of newly discovered security vulnerabilities.

ML-1
- An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
- A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
- A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services.
- A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
- Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
- Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
- Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.
- Online services that are no longer supported by vendors are removed.
- Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.

ML-2
- A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
- Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release.

ML-3
- Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
- Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
- Applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.

3) Configure Microsoft Office macro settings

Definition: Microsoft Office applications can execute macros to automate routine tasks. However, macros can contain malicious code resulting in unauthorised access to sensitive information as part of a targeted cyber intrusion. An increasing number of attempts to compromise organisations using malicious macros have been observed. In particular, adversaries have been observed using social engineering techniques to entice users into executing malicious macros in Microsoft Office files.

ML-1
- Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
- Microsoft Office macros in files originating from the internet are blocked.
- Microsoft Office macro antivirus scanning is enabled.
- Microsoft Office macro security settings cannot be changed by users.

ML-2
- Microsoft Office macros are blocked from making Win32 API calls.

ML-3
- Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute.
- Microsoft Office macros are checked to ensure they are free of malicious code before being digitally signed or placed within Trusted Locations.
- Only privileged users responsible for checking that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations.
- Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View.
- Microsoft Office macros digitally signed by signatures other than V3 signatures cannot be enabled via the Message Bar or Backstage View.
- Microsoft Office’s list of trusted publishers is validated on an annual or more frequent basis.

4) User application hardening

Definition: Application hardening is an activity we should undertake when we first onboard an application to ensure it works, and does so securely, limiting the system’s power to only those who should have it. Many vendors publish hardening guides for their products, and cybersecurity consultants are skilled at helping you configure systems safely and securely. Hardening is not a “set and forget” task but must be reviewed as the threat landscape changes.

ML-1
- Internet Explorer 11 is disabled or removed.
- Web browsers do not process Java from the internet.
- Web browsers do not process web advertisements from the internet.
- Web browser security settings cannot be changed by users.

ML-2
- Web browsers are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.
- Microsoft Office is blocked from creating child processes.
- Microsoft Office is blocked from creating executable content.
- Microsoft Office is blocked from injecting code into other processes.
- Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.
- Office productivity suites are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur (reference: Hardening Microsoft 365, Office 2021, Office 2019 and Office 2016 publication).
- Office productivity suite security settings cannot be changed by users.
- PDF software is blocked from creating child processes.
- PDF software is hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur (reference: Security Configuration Guide for Acrobat publication).
- PDF software security settings cannot be changed by users.
- PowerShell module logging, script block logging and transcription events are centrally logged.
- Command line process creation events are centrally logged.
- Event logs are protected from unauthorised modification and deletion.
- Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.
- Cyber security events are analysed in a timely manner to identify cyber security incidents.
- Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.
- Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.
- Following the identification of a cyber security incident, the cyber security incident response plan is enacted.

ML-3
- .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.
- Windows PowerShell 2.0 is disabled or removed.
- PowerShell is configured to use Constrained Language Mode.
- Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.
- Event logs from workstations are analysed in a timely manner to detect cyber security events.

5) Restrict administrative privileges

Definition: Users with administrative privileges for operating systems and applications are able to make significant changes to their configuration and operation, bypass critical security settings and access sensitive information. Domain administrators have similar abilities for an entire network domain, which usually includes all of the workstations and servers on the network.

ML-1
- Privileged users are assigned a dedicated privileged account to be used solely for duties requiring privileged access.
- Requests for privileged access to systems, applications and data repositories are validated when first requested.
- Privileged accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services.
- Privileged accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties.
- Privileged users use separate privileged and unprivileged operating environments.
- Unprivileged accounts cannot logon to privileged operating environments.
- Privileged accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.

ML-2
- Privileged access to systems, applications and data repositories is disabled after 12 months unless revalidated.
- Privileged access to systems and applications is disabled after 45 days of inactivity.
- Privileged operating environments are not virtualised within unprivileged operating environments.
- Administrative activities are conducted through jump servers.
- Credentials for break glass accounts, local administrator accounts and service accounts are long, unique, unpredictable and managed.
- Privileged access events are centrally logged.
- Privileged account and group management events are centrally logged.
- Event logs are protected from unauthorised modification and deletion.
- Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.
- Cyber security events are analysed in a timely manner to identify cyber security incidents.
- Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.
- Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.
- Following the identification of a cyber security incident, the cyber security incident response plan is enacted.

ML-3
- Privileged access to systems, applications and data repositories is limited to only what is required for users and services to undertake their duties.
- Secure Admin Workstations are used in the performance of administrative activities.
- Just-in-time administration is used for administering systems and applications.
- Memory integrity functionality is enabled.
- Local Security Authority protection functionality is enabled.
- Credential Guard functionality is enabled.
- Remote Credential Guard functionality is enabled.
- Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.
- Event logs from workstations are analysed in a timely manner to detect cyber security events.

6) Patch operating systems

Definition: Applying patches to applications and operating systems is critical to ensuring the security of systems. Once a patch is released by a vendor, the patch should be applied in a timeframe commensurate with an organisation’s exposure to the security vulnerability and the level of cyber threat the organisation is aiming to protect itself against. For example, once a security vulnerability in an internet-facing service is made public, it can be expected that malicious code will be developed by adversaries within 48 hours.

ML-1
- An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
- A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
- A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices.
- A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices.
- Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
- Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
- Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release.
- Operating systems that are no longer supported by vendors are replaced.

ML-2 (No criteria)

ML-3
- A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in drivers.
- A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in firmware.
- Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
- Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
- Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
- Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
- Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
- Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
- The latest release, or the previous release, of operating systems are used.
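The patching timeframes from 2) Patch applications and 6) Patch operating systems, turned into a check an assessor could run over a patch register to produce "excellent" rather than "poor" evidence for the timeframe criteria. This is an added example and not part of the template. The asset-class names, the record format, the reading of "one month" as 30 days, and the sample records are all assumptions constructed for the example; the sample entries are not real vulnerabilities or vendor advisories.

```python
"""Essential 8 patch timeframe compliance check (added example)."""
from datetime import datetime, timedelta

FORTY_EIGHT_HOURS = timedelta(hours=48)
TWO_WEEKS = timedelta(weeks=2)
ONE_MONTH = timedelta(days=30)  # assumption: "one month" taken as 30 days

# Assumed asset classes grouping the page's wording:
#   online_service     - online services (Patch applications)
#   productivity_app   - office suites, browsers and extensions, email clients,
#                        PDF software, security products
#   other_app          - applications other than the above (ML-2 onwards)
#   internet_facing_os - OS of internet-facing servers and network devices
#   internal_os        - OS of workstations, non-internet-facing servers/devices
#   driver, firmware   - timeframes apply at ML-3 only


def required_timeframe(target_ml, asset_class, critical_or_exploit):
    """Maximum time from release to application at target_ml, or None when the
    page lists no timeframe for that asset class at that level."""
    fast = FORTY_EIGHT_HOURS if critical_or_exploit else None
    if asset_class in ("online_service", "internet_facing_os"):
        return fast or TWO_WEEKS                       # ML-1 onwards
    if asset_class == "productivity_app":
        return (fast or TWO_WEEKS) if target_ml >= 3 else TWO_WEEKS
    if asset_class == "other_app":
        return ONE_MONTH if target_ml >= 2 else None
    if asset_class == "internal_os":
        return (fast or ONE_MONTH) if target_ml >= 3 else ONE_MONTH
    if asset_class in ("driver", "firmware"):
        return (fast or ONE_MONTH) if target_ml >= 3 else None
    raise ValueError(f"unknown asset class: {asset_class}")


def assess_patch(record, target_ml, now):
    """Classify one patch record against the timeframe for target_ml.

    Returns "compliant" / "late" for applied patches, "pending" / "overdue"
    for outstanding ones, and "no criterion" where no timeframe applies.
    """
    window = required_timeframe(target_ml, record["asset_class"],
                                record["critical"] or record["exploit"])
    if window is None:
        return "no criterion"
    deadline = record["released"] + window
    applied = record.get("applied")
    if applied is not None:
        return "compliant" if applied <= deadline else "late"
    return "pending" if now <= deadline else "overdue"


def assess_all(records, target_ml, now):
    return {r["id"]: assess_patch(r, target_ml, now) for r in records}


# Constructed sample patch register (dates and assets invented for the example).
SAMPLE_RECORDS = [
    {"id": "web-gateway", "asset_class": "online_service", "critical": True,
     "exploit": False, "released": datetime(2024, 5, 1), "applied": datetime(2024, 5, 2, 12)},
    {"id": "browser", "asset_class": "productivity_app", "critical": True,
     "exploit": False, "released": datetime(2024, 5, 1), "applied": datetime(2024, 5, 5)},
    {"id": "line-of-business", "asset_class": "other_app", "critical": False,
     "exploit": False, "released": datetime(2024, 4, 1), "applied": None},
    {"id": "workstation-os", "asset_class": "internal_os", "critical": False,
     "exploit": False, "released": datetime(2024, 5, 10), "applied": None},
    {"id": "nic-firmware", "asset_class": "firmware", "critical": False,
     "exploit": True, "released": datetime(2024, 5, 20), "applied": None},
]
NOW = datetime(2024, 5, 24)

if __name__ == "__main__":
    for ml in (1, 2, 3):
        print(f"ML-{ml}:", assess_all(SAMPLE_RECORDS, ml, NOW))
```

The same register reads differently depending on the level being targeted: the browser patch applied four days after release is compliant at ML-1 (two weeks) but late at ML-3 (48 hours, because the vendor rated it critical), and the firmware patch with a working exploit only becomes a finding at ML-3.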


7) Multifactor Authentication ML-1

Multi-factor authentication is one of the most Multi-factor authentication is used to authenticate users to their organisation’s
effective controls an organisation can online services that process, store or communicate their organisation’s sensitive
implement to prevent malicious actors from data.
gaining access to a system, online service or
application. When implemented correctly,
multi-factor authentication can make it Multi-factor authentication is used to authenticate users to third-party online
significantly more difficult for malicious actors services that process, store or communicate their organisation’s sensitive data.
to steal and abuse legitimate credentials as it
is not as susceptible to brute force attacks that
target traditional single-factor authentication
methods based on memorised secrets (e.g. Multi-factor authentication (where available) is used to authenticate users to
personal identification numbers [PINs], third-party online services that process, store or communicate their
organisation’s non-sensitive data.
passwords and passphrases).

At this maturity level, the implementation of


multi-factor authentication should focus on
online services. In addition, the authentication
factors that can be used, and in what
combination, are restricted to avoid weaker
multi-factor authentication implementations.
target traditional single-factor authentication
methods based on memorised secrets (e.g.
personal identification numbers [PINs],
passwords and passphrases).
At this maturity level, the implementation of
multi-factor authentication should focus on Multi-factor authentication is used to authenticate users to their organisation’s
online customer services that process, store or communicate their
online services. In addition, the authentication organisation’s sensitive customer data.
factors that can be used, and in what
combination, are restricted to avoid weaker
multi-factor authentication implementations.
Multi-factor authentication is used to authenticate users to third-party online
customer services that process, store or communicate their organisation’s
sensitive customer data.

Multi-factor authentication is used to authenticate customers to online


customer services that process, store or communicate sensitive customer data.

Multi-factor authentication uses either: something users have and something


users know, or something users have that is unlocked by something users know
or are.

Ess 8 Maturity Level


ML-2
Multi-factor authentication is used to authenticate privileged users of systems.

Multi-factor authentication is used to authenticate unprivileged users of systems.

Multi-factor authentication used for authenticating users of online services is phishing-resistant.

Multi-factor authentication used for authenticating customers of online customer services provides a phishing-resistant option.

Multi-factor authentication used for authenticating users of systems is phishing-resistant.

Successful and unsuccessful multi-factor authentication events are centrally logged.

Event logs are protected from unauthorised modification and deletion.

Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.

Cyber security events are analysed in a timely manner to identify cyber security incidents.

Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.

Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.

Following the identification of a cyber security incident, the cyber security incident response plan is enacted.

Ess 8 Maturity Level: ML-3
Multi-factor authentication is used to authenticate users of data repositories.

Multi-factor authentication used for authenticating customers of online customer services is phishing-resistant.

Multi-factor authentication used for authenticating users of data repositories is phishing-resistant.

Event logs from non-internet-facing servers are analysed in a timely manner to detect cyber security events.

Event logs from workstations are analysed in a timely manner to detect cyber security events.

8) Regular backups

Ess 8 Maturity Level: ML-1

A backup is a digital copy of your important data, such as photos, documents, and financial records. If your data is lost, you can use your backup to restore it. Backups can be stored using cloud storage or on physical media (such as external hard drives). The data backed up should be determined by how important it is to the organisation and the impact it would have if it was lost. Note: this is likely to increase over time.

Backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements.

Backups of data, applications and settings are synchronised to enable restoration to a common point in time.

Backups of data, applications and settings are retained in a secure and resilient manner.

Restoration of data, applications and settings from backups to a common point in time is tested as part of disaster recovery exercises.

Unprivileged accounts cannot access backups belonging to other accounts.

Unprivileged accounts are prevented from modifying and deleting backups.

Ess 8 Maturity Level: ML-2
Privileged accounts (excluding backup administrator accounts) cannot access backups belonging to other accounts.

Privileged accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups.

Ess 8 Maturity Level: ML-3
Unprivileged accounts cannot access their own backups.

Privileged accounts (excluding backup administrator accounts) cannot access their own backups.

Backup administrator accounts are prevented from modifying and deleting backups during their retention period.

Assessment Rating   Findings   Maturity (ML-1)   Maturity (ML-2)   Maturity (ML-3)

Not assessed: The control has not yet been assessed.

Not implemented: The organisation has decided not to implement the control.

Not applicable: The control does not apply to the system or environment.
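How the Assessment Rating column rolls up into an Essential 8 maturity level per strategy, as an added Python example that is not part of this spreadsheet. It assumes (not stated on the page) that a strategy reaches a level only when every control at that level and at all lower levels is rated Implemented or Not applicable, so a single Not assessed or Not implemented control at ML-1 pins the strategy at 0, which is what an untouched template shows. The "Implemented" label, the abridged control texts and the ratings below are constructed for illustration.

```python
from dataclasses import dataclass

# Rating labels as used in the template's Assessment Rating column ("Implemented" is assumed).
IMPLEMENTED, NOT_IMPLEMENTED = "Implemented", "Not implemented"
NOT_APPLICABLE, NOT_ASSESSED = "Not applicable", "Not assessed"
SATISFIED = {IMPLEMENTED, NOT_APPLICABLE}  # assumption: Not applicable does not block a level

@dataclass(frozen=True)
class Control:
    level: int    # 1, 2 or 3 (ML-1 .. ML-3)
    text: str     # control wording (abridged from the Regular backups strategy)
    rating: str   # one of the labels above

def level_met(controls, level):
    """True only if every control at `level` is Implemented or Not applicable."""
    at_level = [c for c in controls if c.level == level]
    return bool(at_level) and all(c.rating in SATISFIED for c in at_level)

def achieved_level(controls):
    """Highest ML such that it and every lower ML are fully met; 0 if ML-1 is not.
    Levels cannot be skipped: a gap at ML-1 gives 0 even if ML-2 and ML-3 are met."""
    achieved = 0
    for level in (1, 2, 3):
        if not level_met(controls, level):
            break
        achieved = level
    return achieved

def blocking_controls(controls, target_level):
    """Controls at or below `target_level` whose rating still blocks that level."""
    return [c for c in controls if c.level <= target_level and c.rating not in SATISFIED]

def sample_backup_controls():
    """Constructed ratings for the Regular backups strategy (not the page's own assessment)."""
    return [
        Control(1, "Backups performed and retained per business continuity requirements", IMPLEMENTED),
        Control(1, "Backups synchronised to a common point in time", IMPLEMENTED),
        Control(1, "Backups retained in a secure and resilient manner", IMPLEMENTED),
        Control(1, "Restoration to a common point in time tested in DR exercises", IMPLEMENTED),
        Control(1, "Unprivileged accounts cannot access other accounts' backups", IMPLEMENTED),
        Control(1, "Unprivileged accounts prevented from modifying and deleting backups", IMPLEMENTED),
        Control(2, "Privileged accounts cannot access other accounts' backups", IMPLEMENTED),
        Control(2, "Privileged accounts prevented from modifying and deleting backups", NOT_IMPLEMENTED),
        Control(3, "Unprivileged accounts cannot access their own backups", NOT_ASSESSED),
        Control(3, "Privileged accounts cannot access their own backups", NOT_ASSESSED),
        Control(3, "Backup administrators cannot modify or delete backups during retention", NOT_ASSESSED),
    ]
```

For the sample ratings `achieved_level()` returns 1, and `blocking_controls(ctrls, 2)` lists the single ML-2 control that stops the strategy reaching ML-2.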
Findings/Recommendations Priority

text… 5 - Med Within 18 Months

6 - Med Risk Within 12 Months

4 - Low Within 24 Months

Rationale: Service accounts are now included as Privileged Accounts
