Discover how to successfully implement the Australian Government’s Essential Eight Framework with simple articles and guides that you can work through to achieve level 3 maturity in your organisation

Download the Framework Now

In response to all the cybersecurity incidents that seem to be popping up more and more lately (or even perceived threats – ahem Tik Tok) The Australian Cyber Security Centre (ACSC) has gone ahead and developed a Framework for helping organisations big and small mitigate the risks of cyber threats

Cyber threats come in a range of forms, from ransomware, stolen data, or even the trusty ole’ computer virus. And so, there are several strategies to combat each of the various forms of threats.

Unfortunately, we’ve found the information on the ACSC website a little light in the ‘how’ to implement the framework, and that’s where this guide comes in. Over the next several weeks we’ll be releasing a more comprehensive step-by-step on implementing the Essential Eight Framework so that you can protect yourself from all those scary Russian hackers.

Let’s begin by looking at the overall framework:

The framework overview

Summary of steps

As you can see, there are 8 steps with 3 maturity levels for each. We’ll dig deeper into each step on separate posts, but for now, an overview of each step is provided by the ACSC as follows:

Application control
Application control to prevent the execution of unapproved/malicious programs including .exe, DLL, scripts (eg Windows Script Host, PowerShell, and HTA) and installers.

Patch Applications
Patch Applications eg Flash, web browsers, Microsoft Office, Java, and PDF viewers. Patch/mitigate computers with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest version of applications.

Configure Microsoft Office macro settings
Configure Microsoft Office macro settings to block macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.

User application hardening
User application hardening Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (eg OLE), web browsers and PDF viewers.

Restrict administrative access
Restrict administrative access to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Do not use privileged accounts for reading email and web browsing.

Patch operating systems
Patch operating systems Patch/mitigate computers (including network devices) with ‘extreme risk’ vulnerabilities within 48 hours. Use the latest operating system version. Do not use unsupported versions.

Multi-factor authentication
Multi-factor authentication including for VPNs, RDP, SSH, and other remote access, and for all users when they perform a privileged action or access and critical (sensitive/high-availability) data repository.

Daily backups
Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.

ElasticIT step by step

Over the next several weeks we’ll be adding links to the below maturity levels for each of the guides we create in implementing the ACSC framework.

Maturity level 1

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict admin privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Daily backups

Maturity level 2

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict admin privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Daily backups

Maturity level 3

  1. Application control
  2. Patch applications
  3. Configure Microsoft Office macro settings
  4. User application hardening
  5. Restrict admin privileges
  6. Patch operating systems
  7. Multi-factor authentication
  8. Daily backups

Of course, in the meantime, if you need help from an Aussie tried and tested IT company in implementing the framework for your business feel free to reach out to us.