Ultimate Governance, Risk &
Compliance (GRC) Guides
ASD Essential 8 Guide
The expert's guide to ASD Essential 8
This authoritative guide provides an in-depth look at the ASD Essential 8 (E8), a set of eight measures developed by the Australian Signals Directorate (ASD) to protect organizations from cyber threats. It explores whether the ASD Essential 8 are mandatory or not for your organisations and covers the fundamentals of each of the eight measures, including the maturity levels, how to perform an assessment and implementation guidenace.
What is the ASD Essential Eight?
The ASD Essential Eight, also known as the Australian Signals Directorate Essential Eight, is a set of mitigation strategies developed by the Australian Signals Directorate (ASD). These strategies are designed to help organizations mitigate cybersecurity incidents and protect against a range of cyber threats. The ASD Essential Eight was created to address the most common methods used by adversaries to compromise computer systems.
The ASD Essential Eight consists of the following strategies:
- Application Control - This strategy involves implementing measures to control and allow only approved software to run on systems, helping prevent the execution of malicious programs.
- Patching Applications - Keeping software applications up to date with the latest security patches helps protect against vulnerabilities that attackers can exploit.
- Configuring Microsoft Office Macro Settings - Restricting the use of Microsoft Office macros, or enabling only digitally signed macros, helps prevent the execution of malicious macros embedded in Office documents.
- User Application Hardening - Configuring web browsers and other user applications to reduce the risk of being exploited by malicious actors.
- Restricting Administrative Privileges - Limiting administrative privileges to only authorized personnel minimizes the potential impact of unauthorized access and malicious actions.
- Patching Operating Systems - Ensuring that operating systems are up to date with the latest security patches helps protect against known vulnerabilities.
- Multi-Factor Authentication (MFA) - Implementing MFA, also known as two-factor authentication, adds an extra layer of security by requiring users to provide additional credentials, such as a code sent to their mobile device, in addition to a password.
Regular Backups - Ensuring that critical data is backed up on a regular basis helps to safeguard against data loss or a ransomware attack and allows for data restoration when needed.
These strategies are considered essential because they address common attack vectors and can significantly improve an organization's resilience against cyber threats. Implementing the ASD Essential Eight is recommended by the Australian Signals Directorate as part of a comprehensive cybersecurity defense strategy.
What are the objectives of ASD Essential 8?
The Australian Signals Directorate (ASD) Essential 8 is a set of eight strategies that organisations can use to protect their systems from cyber attacks. This set of strategies is designed to help organisations prevent, limit the impact of, and recover from cyber attacks.
The objective of the ASD Essential 8 is to help organisations protect their systems from cyber threats. The strategies are divided into three primary objectives: prevent attacks, limit attack impact, and data availability.
The first objective of the ASD Essential 8 is to prevent cyber attacks. This is done by patching application vulnerabilities, using application control, user application hardening, and configuring MS Office Macro settings. These strategies are designed to address the most common attack vectors, such as malicious software, phishing, and unpatched software.
The second objective of the ASD Essential 8 is to limit the impact of cyber attacks. This is done by patching operating system vulnerabilities, restricting admin access, and implementing multi-factor authentication (MFA). These strategies are designed to reduce the risk of attackers gaining access to sensitive data and systems.
The third objective of the ASD Essential 8 is to ensure data recovery and system availability. This is done by taking daily backups of data and systems, as well as implementing a disaster recovery plan. This ensures that organisations can recover from any attack and minimise the impact of the attack.
By implementing the ASD Essential 8, organisations can reduce the risk of data breaches and ensure the security of their systems.
Is the ASD Essential Eight mandatory?
Yes, the Australian Government Protective Security Policy Framework (PSPF) Policy 10: Safeguarding data from cyber threats (Policy 10) was amended in 2022 to mandate the implementation of the ASD Essential Eight by non-corporate Commonwealth entities.
The updated policy requires all non-corporate Commonwealth entities to implement the ASD Essential Eight Maturity Level Two mitigations to achieve a PSPF maturity rating of 'Managing'. The ASD Essential 8 mitigation strategies are:
- application control
- patch applications
- configure Microsoft Office macro settings
- user application hardening
- restrict administrative privileges
- patch operating systems
- multi-factor authentication
- regular backups.
Four of the ASD Essential 8 controls were already mandatory as a part of the previous ASD Top 4. These 4 strategies are:
- application control
- patch applications
- patch operating systems
- restrict administrative privileges
Policy 10 requires the implementation of the additional mitigation strategies as a core requirement from 1 July 2022. These 4 strategies are:
- configure Microsoft Office macro settings
- user application hardening
- multi-factor authentication
- regular backups
Even if you're not a non-corporate Commonwealth entity, the ASD Essential 8 represents a strong baseline of security controls to prevent cyber threats. You may also wish to consider implementing broader technical and non-technical security controls based on other industry standards like ISO 27001 and the NIST Cyber Security Framework.
ASD Essential 8: Application control
Application control is an important tool for organizations to utilize in order to protect their systems from malicious software, such as malware, ransomware, and other cyber threats.
The Australian Signals Directorate (ASD) Essential Eight is a set of eight security strategies that organizations should use to protect their systems from cyber threats. Application control is one of the eight strategies and is used as a way to block any unauthorized applications from running on a system.
Application control works by allowing only approved applications to run on the system, while blocking all others. This is achieved through the use of a whitelist, which is a list of approved applications. Any application not on the whitelist is automatically blocked.
By implementing application control, organizations can ensure that only approved applications, as determined by an IT administrator, are allowed to run on the system. This provides an additional layer of security by preventing unauthorized or potentially malicious applications from executing.
The process of implementing application control involves reviewing each application and determining whether it should be approved or denied. IT administrators must have a deep understanding of the application's functionality and potential security risks. They also need to keep the whitelist up to date and promptly address any security vulnerabilities.
While implementing and maintaining application control can be time-consuming, it is still an important tool for organizations to protect their systems. It helps reduce the risk of malicious software and ensures that only approved applications run on the system. Organizations should regularly review and update the whitelist to account for application updates and new additions.
ASD Essential 8: Patch applications
The Australian Signals Directorate’s Essential Eight is a set of eight security strategies designed to help organisations protect their networks and environment from cyber threats.
The eighth of these strategies is ‘Patch Applications’, and it is a key element of the security framework. Patch Applications is the process of regularly updating applications and software to ensure that any known security vulnerabilities are addressed. This is an important step in mitigating the risk of malicious actors exploiting known weaknesses in an application.
It is important to note that patching applications is not a one-time event; rather, it should be an ongoing process to ensure that all applications are kept up to date and secure.
When patching applications, organisations should ensure that they are using the latest version of the software and that all security patches are applied. This includes patches for operating systems, web browsers, plugins, and other applications.
It is also important to ensure that all applications are regularly scanned for vulnerabilities and that any identified vulnerabilities are addressed.
Organisations should also ensure that their patching processes are automated, as this will help to ensure that applications are kept up to date and that any security patches are applied quickly. Automation also ensures that the patching process is consistent and that it is not overlooked. Automation can also help to reduce the amount of time and resources needed to patch applications.
Organisations should also ensure that they are aware of any new security vulnerabilities that may have been discovered in applications. This can be done by subscribing to security mailing lists and staying up to date with the latest security news.
It is also important to ensure that applications are tested regularly to ensure that they are secure and that any security vulnerabilities are addressed.
Finally, it is important to ensure that all users are aware of the need to patch applications and that they are given the necessary training to do so. This includes ensuring that users are aware of the importance of patching applications and that they know how to do it. It is also important to ensure that users are aware of the risks associated with not patching applications, such as the potential for malicious actors to exploit known security vulnerabilities.
The Patch Applications strategy is an important element of the Essential Eight and is essential for ensuring that applications are kept secure. It is important for organisations to ensure that they are regularly patching applications and that they are aware of any new security vulnerabilities that may have been discovered. Automation, user training, and regular testing are also important elements of the Patch Applications strategy. By following these steps, organisations can ensure that their applications are secure and that they are not vulnerable to malicious actors.
ASD Essential 8: Configure Microsoft Office macros
The Australian Signals Directorate (ASD) Essential 8 is a set of security controls that organizations should adopt to reduce the risk of cyber incidents. One of these controls is ‘Configure Microsoft Office macros’, which is designed to reduce the risk of malicious macros from being executed on a user’s system.
Malicious macros are a common way for attackers to gain access to a system and can be used to download and execute malicious code, steal data, or even take control of the system. To reduce the risk of malicious macros, the ASD Essential 8 recommends that organizations take the following steps:
Disable all macros by default to ensure that users cannot execute any macros unless they are explicitly enabled. This makes it more difficult for an attacker to execute a malicious macro.
Configure Microsoft Office to only allow trusted macros from trusted locations. This can be done by setting up a list of trusted locations, such as the organization’s network, which will only allow macros from these locations to be executed.
Limit macro write access to users with macro approval jurisdiction. This can be done by setting up a list of users who are authorized to approve and execute macros.
Block all MS Office macros within documents that were accessed from the internet. This can be done by configuring the organization’s firewall to block any incoming connections from the internet that contain MS Office macros.
By following the ASD Essential 8 control ‘Configure Microsoft Office macros’, organizations can significantly reduce the risk of malicious macros being executed on their systems. By disabling macros by default, only allowing trusted macros from trusted locations, limiting macro write access to users with macro approval jurisdiction, and blocking all MS Office macros within documents that were accessed from the internet, organizations can ensure that their systems are protected from malicious macros.
ASD Essential 8: Application hardening
Application hardening is an essential part of the Australian Signals Directorate’s (ASD) Essential 8 Cyber Security Mitigation Strategies. The goal of application hardening is to reduce the attack surface of online applications and increase their cyber resilience. It is essential for organizations to understand the importance of application hardening and how it can help protect their applications from cyber threats.
Application hardening involves the implementation of specialized security solutions and the regular updating of applications with the latest patches. This helps to ensure that applications are secure and up to date with the latest security features. It also helps to reduce the risk of malicious actors exploiting known vulnerabilities in outdated applications.
The ASD recommends a number of strategies for achieving application hardening control compliance. These include:
- Disabling Flash content support in web browsers and Microsoft Office
- Blocking web advertisements
- Blocking Java on accessed websites
Additionally, organizations should ensure that their applications are regularly patched, and that they are configured to prevent Object Linking and Embedding packages from activating. Organizations should also consider implementing additional security measures such as two-factor authentication, intrusion detection systems, and whitelisting. These measures can help to further reduce the attack surface of applications and increase their cyber resilience.
Organizations should also ensure that their applications are regularly tested for vulnerabilities. This can be done using a range of automated and manual testing methods, such as penetration testing, fuzz testing, and static code analysis. These tests can help to identify potential vulnerabilities in applications and allow organizations to address them before they can be exploited by malicious actors.
Finally, organizations should ensure that their applications are regularly monitored for suspicious activity. This can be done using a range of log analysis tools and intrusion detection systems. This can help to identify any malicious activity and allow organizations to take appropriate action to mitigate the risk.
ASD Essential 8: Restrict administrative privileges
The Australian Signals Directorate (ASD) Essential 8 is a set of best-practice strategies for cybersecurity that organizations should implement to protect their systems and data from malicious actors. One of the most important of these strategies is the restriction of administrative privileges. By limiting the access of privileged users, organizations can reduce the risk of unauthorized access and malicious activity.
The primary goal of restricting administrative privileges is to ensure that only authorized personnel have access to sensitive systems and data. This is done by limiting the number of users who have access to privileged accounts, as well as by implementing technical controls that prevent privileged users from accessing certain types of content. For example, privileged users should not be able to read emails, browse the internet, or obtain files via online services.
Organizations should also ensure that privileged access is validated upon first request and then cyclically at a given frequency. This helps to ensure that users are who they say they are and that their accounts are not being used by unauthorized personnel. Additionally, organizations should limit privileged access to only those personnel who absolutely need it, such as system administrators, database administrators, and security personnel.
By limiting privileged access to only authorized personnel and implementing technical controls, organizations can reduce the risk of unauthorized access and malicious activity. Additionally, by validating privileged access upon first request and then cyclically at a given frequency, organizations can ensure that their accounts are not being used by unauthorized personnel.
ASD Essential 8: Patch opearting systems
The ASD Essential 8 Patch Operating Systems is one of the most important security measures organizations must take when it comes to protecting their data and systems from potential threats. By patching operating systems, organizations can ensure that their systems are up-to-date with the latest security patches and fixes, thus reducing the risk of potential threats.
The ASD Essential 8 Patch Operating Systems requires organizations to regularly update their operating systems with the latest security patches and fixes. This includes both the operating system itself, as well as any applications that are installed on the system. This is done to ensure that the system is secure and up-to-date with the latest security measures.
Organizations should also ensure that they are running the latest version of their operating system. This is important because older versions of operating systems may have known vulnerabilities that can be exploited by malicious actors. By keeping the system up-to-date, organizations can reduce the risk of potential threats.
Organizations should also regularly review their patching processes to ensure that they are up-to-date. This includes ensuring that the organization has a patch management system in place that is regularly monitored and updated. This system should also include a process for testing and verifying that the patch has been properly installed and that it is working correctly.
Organizations should also ensure that they are regularly monitoring their systems for any potential security threats. This includes regularly scanning for vulnerabilities and ensuring that any patches that have been applied are effective. Any potential threats should be addressed immediately to ensure that the system remains secure.
Finally, organizations should ensure that they are regularly training their staff on the importance of patching operating systems. This includes educating staff on how to properly patch their systems and how to identify any potential threats. This will help ensure that the organization is taking the necessary steps to protect their data and systems.
ASD Essential 8: Multi-factor authentication
Multi-factor authentication (MFA) is an essential security control for organizations of all sizes, as it provides an additional layer of security beyond passwords alone. MFA requires users to provide two or more pieces of evidence (factors) to prove their identity. The most common factors are something you know (such as a password), something you have (such as a security key or token), and something you are (such as a biometric).
The Australian Signals Directorate (ASD) recommends that organizations implement MFA for all privileged accounts, as well as for all sensitive resource access requests. This is part of the ASD’s Essential 8: Strategies to Mitigate Cyber Security Incidents. The Essential 8 is a set of eight security controls which are designed to protect against malicious cyber activity and data breaches.
MFA is an effective way to protect against unauthorized access to sensitive information and systems. It adds an additional layer of protection beyond the use of passwords alone, which can be easily guessed or stolen. By requiring multiple factors, it makes it much harder for an attacker to gain access to an account.
When implementing MFA, it is important to choose the right authentication factors. The most commonly used factors are something you know (such as a password), something you have (such as a security key or token), and something you are (such as a biometric). Organizations should also consider using other factors, such as location and time-based authentication.
Organizations should also ensure that their MFA implementation is secure and up to date. This includes ensuring that all authentication factors are kept secure and that any changes to the authentication process are properly tested and implemented.
Finally, organizations should consider using additional security controls to protect their systems and data. These can include using firewalls, encryption, access control lists, and intrusion detection systems.
ASD Essential 8: Regular backups of important data
The Australian Signals Directorate (ASD) Essential Eight is an important set of cybersecurity controls that organizations should implement to protect their systems, networks, and data from malicious cyber threats.
One of the eight controls is regular backups of important data and configurations. This control is essential to ensure that organizations can maintain a consistent and untainted backup of all essential data in the event of a cyber attack.
Regular backups are necessary to ensure that organizations have the most up-to-date information available in the event of a cyber incident. This includes data such as customer information, financial records, critical system configurations, and other sensitive information.
It is important to ensure that all critical data and configurations are backed up on a regular basis and that the backups are stored in multiple geographical locations to minimize the chances of all versions being compromised.
Organizations should also have multiple data backup and restoration processes in place. This includes a primary process and a secondary process. The primary process should be tested at least once during initial implementation and then every time fundamental information technology infrastructure changes occur. The secondary process should be tested at least every three months.
Additionally, organizations should have digital preservation policies in place to ensure that all data is stored properly and securely. Organizations should also ensure that they have the necessary resources and personnel in place to facilitate the regular backup process. This includes having the right hardware, software, and personnel to ensure that the backups are completed on a regular basis.
Organizations should also ensure that they have a reliable and secure storage solution in place to store the backups. Finally, organizations should ensure that the backups are monitored on a regular basis. This includes ensuring that the backups are being created properly and that the data is being stored securely. Additionally, organizations should ensure that the backups are being tested regularly to ensure that they are working properly and that the data can be restored in the event of a cyber incident.
What are the Essential 8 maturity levels?
The Essential Eight is a set of eight mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to protect organizations from the most prevalent cybersecurity threats. The Essential Eight focuses on the most effective and efficient controls that organizations should implement to protect their systems and data.
The Essential Eight maturity levels are a way of assessing the effectiveness of an organization’s implementation of the Essential Eight. The ACSC has defined three maturity levels for each mitigation strategy (in addition to matruity level zero) to help organizations determine how well they have implemented the Essential Eight.
- Matrity Level Zero is the lowest level of maturity and indicates that there are vulnerabilities in the overall cybersecurity position of an organization. If these vulnerabilities are exploited, they could lead to the compromise of data confidentiality or the integrity and availability of systems and data, as outlined in the practices and targeting described in Maturity Level One below.
- Maturity Level One is where the focus is on adversaries who are content to simply leverage commodity tradecraft that is widely available in order to gain access to, and likely control of, systems. At this level adversaries are looking for any victim rather than a specific victim and will opportunistically seek common weaknesses in many targets rather than investing heavily in gaining access to a specific target.
- Maturity Level Two is where the focus is on adversaries operating with a modest step-up in capability from the previous maturity level. These adversaries are willing to invest more time in a target and, perhaps more importantly, in the effectiveness of their tools. At this level adversaries are likely to be more selective in their targeting but still somewhat conservative in the time, money and effort they may invest in a target.
- Maturity Level Three is where the focus is on adversaries who are more adaptive and much less reliant on public tools and techniques. These adversaries are able to exploit the opportunities provided by weaknesses in their target’s cyber security posture, such as the existence of older software or inadequate logging and monitoring. At this level adversaries may be more focused on particular targets and, more importantly, are willing and able to invest some effort into circumventing the idiosyncrasies and particular policy and technical security controls implemented by their targets.
Organizations should strive to achieve the same maturity level across all components of the Essential Eight before progressing to higher maturity levels. This will ensure comprehensive coverage against various threats.
Organizations should begin by identifying a target maturity level that is suitable for their environment. This should be done before any implementation of the Essential Eight begins. Once the target maturity level has been identified, organizations should progressively implement the Essential Eight to achieve that target.
By assessing their implementation of the Essential Eight against the maturity levels, organizations can determine how effective their security measures are. This will help them identify any areas that need to be improved or strengthened and ensure that their systems and data are properly protected.
What is the Essential 8 assessment process?
An ASD Essential 8 maturity assessment is carried out in four stages including assessment planning and preparation, determining scope and approach, assessment of controls and development of a security assessment report.
Stage 1: Assessment planning and preparation
- Assessment planning - The assessor conducts planning activities and discusses system classification, assessment scope, access requirements, assessment approach, evidence collection and protection, report development location, stakeholder engagement, involvement of managed service providers, access to prior security assessment reports, and use of the security assessment report.
Stage 2: Determination of assessment scope and approach
Determine assessment scope - Assessors clarify the target maturity level and familiarize themselves with the requirements for that level. They document the scope within the security assessment report and justify any components deemed out-of-scope.
Determine assessment approach - Assessors consider qualitative and quantitative testing techniques, such as documentation reviews, interviews, system configuration reviews, and the use of scripts and tools. They determine sample sizes and seek approval from the system owner if using their own scripts and tools. Assessment limitations should be documented.
Stage 3: Assessment of controls
- Assessment of controls - Assessors review and test the effectiveness of controls associated with each mitigation strategy. The assessment guidance is cumulative, with each maturity level building upon the requirements of the previous level. The section provides guidance on assessing each mitigation strategy and determining control effectiveness.
Stage 4: Development of the security assessment report
- Development of the report - Assessors use the ACSC's Essential Eight Assessment Report Template (or their own templates with all sections from the ACSC's template) to develop the security assessment report.
Do Australian businesses need to report data breaches?
Data breaches are a significant threat to Australian businesses, with the potential to cause substantial damage to the business, its customers, and the wider economy. As such, it is essential that businesses are aware of their obligations in relation to reporting data breaches and take all necessary steps to ensure they are compliant.
The Office of the Australian Information Commissioner (OAIC) is the primary regulator responsible for overseeing data breach reporting in Australia. According to the OAIC, all Australian businesses with an annual turnover of $3 million are required to report data breaches to both impacted customers and the OAIC within 72 hours. This is regardless of whether or not they have implemented the Essential Eight framework.
The reporting requirements are an essential part of Australia’s data protection regime and are designed to ensure that businesses are held accountable for the protection of customer data. Not only does it allow the OAIC to investigate potential breaches and take appropriate action, but it also allows customers to be notified of any potential risks to their data and take steps to protect themselves.
The reporting requirements also help to ensure that businesses are taking the necessary steps to protect customer data. By having a clear and consistent reporting process, businesses are encouraged to take proactive measures to prevent data breaches from occurring in the first place. This includes implementing robust security measures such as encryption, multi-factor authentication, and regular security patching.
It is also important to note that the reporting requirements are just one part of a comprehensive data protection regime. Businesses must also ensure they are compliant with other relevant laws and regulations, such as the Privacy Act 1988, the Notifiable Data Breaches scheme, and the Australian Privacy Principles.