Evolving Standards: Recent Changes in Maturity Models
The most recent update to the Essential Eight Maturity Model introduced several significant changes that raise the bar across the maturity levels.
Patch Applications and Operating Systems
📌 Increased Priority on Patching: Organizations are now expected to patch, or otherwise mitigate, critical vulnerabilities within 48 hours. Applications that interact with untrusted content from the internet (web browsers and their extensions, email clients, office productivity suites, PDF software) must be patched within two weeks.
📌 More Frequent Vulnerability Scanning: The minimum frequency for scanning systems for critical vulnerabilities has been raised from at least fortnightly to at least weekly.
Multi-Factor Authentication (MFA)
📌 Enhanced MFA Requirements: From Maturity Level One onward, MFA must combine 'something users have' with 'something users know'; two knowledge factors no longer qualify. MFA is now mandatory for users of web portals that hold sensitive data and, at higher maturity levels, for staff logging on to business systems.
📌 Phishing-Resistant MFA: The update places new emphasis on phishing-resistant MFA, such as security keys or smart cards, whose credentials cannot be captured and replayed by a phishing page sitting between the user and the real service.
Restrict Administrative Privileges
📌 Governance of Privileged Access: Processes for managing privileged access have been strengthened, including requirements for secure admin workstations and break-glass accounts. Privileged accounts that are permitted to access the internet must be explicitly identified and their internet access strictly limited.
Application Control
📌 Annual Reviews and Blocklists: Organizations are required to review application control rule sets at least annually and, at Maturity Level Two, to implement Microsoft's recommended application blocklist.
User Application Hardening
📌 Discontinuation of Internet Explorer 11: Internet Explorer 11 must be disabled or removed now that its support has ended. The update also leans more heavily on vendor and ASD hardening guidance; at higher maturity levels this includes logging PowerShell activity (module logging, script block logging and transcription) and command-line process creation events, so that what was executed on a host, and with which arguments, is recorded.
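As an added example, not taken from the page or from ASD guidance, the following PowerShell enables the logging the hardening item refers to and then checks that it is in place. It sets the registry values behind the equivalent Group Policy settings and turns on the Process Creation audit subcategory, which is what makes Security Event ID 4688 (with the command line) and PowerShell Operational Event IDs 4103/4104 appear. It assumes an elevated session on a standalone Windows 10/Server 2016 or later host; the transcript directory C:\PSTranscripts is an arbitrary choice. In a domain the same values belong in a GPO, which will overwrite local registry changes.

```powershell
# Added example (not from the original page or ASD): enable PowerShell
# module/script block/transcription logging and command-line process
# creation auditing, then verify. Run elevated on a standalone host.
#Requires -RunAsAdministrator

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # assumed path, pick one your SIEM collects

$settings = @(
    # Script block logging -> Event ID 4104, Microsoft-Windows-PowerShell/Operational
    @{ Path = "$psPolicy\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Value = 1; Type = 'DWord' },
    # Module logging -> Event ID 4103 (pipeline execution details)
    @{ Path = "$psPolicy\ModuleLogging";      Name = 'EnableModuleLogging';      Value = 1; Type = 'DWord' },
    # Module logging only fires for listed modules; '*' means all of them
    @{ Path = "$psPolicy\ModuleLogging\ModuleNames"; Name = '*'; Value = '*';   Type = 'String' },
    # Transcription writes a text record of every session to OutputDirectory
    @{ Path = "$psPolicy\Transcription";     Name = 'EnableTranscripting';      Value = 1; Type = 'DWord' },
    @{ Path = "$psPolicy\Transcription";     Name = 'EnableInvocationHeader';   Value = 1; Type = 'DWord' },
    @{ Path = "$psPolicy\Transcription";     Name = 'OutputDirectory';          Value = $transcriptDir; Type = 'String' },
    # Put the full command line into Security Event ID 4688
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Name = 'ProcessCreationIncludeCmdLine_Enabled'; Value = 1; Type = 'DWord' }
)

foreach ($s in $settings) {
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType $s.Type -Force | Out-Null
}
if (-not (Test-Path $transcriptDir)) { New-Item -ItemType Directory -Path $transcriptDir | Out-Null }

# 4688 is only generated when the Process Creation subcategory is audited.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# --- Verification: read every value back and report the audit state ---
function Test-E8LoggingConfig {
    $ok = $true
    foreach ($s in $settings) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        if ("$actual" -eq "$($s.Value)") { $state = 'OK     ' } else { $state = 'MISSING'; $ok = $false }
        Write-Host ("{0} {1}\{2} = {3}" -f $state, $s.Path, $s.Name, $actual)
    }
    # auditpol /r emits CSV (with a leading blank line) whose columns include 'Inclusion Setting'
    $audit = auditpol /get /subcategory:"Process Creation" /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    Write-Host "Process Creation audit: $($audit.'Inclusion Setting')"
    if ($audit.'Inclusion Setting' -notmatch 'Success') { $ok = $false }
    return $ok
}
Test-E8LoggingConfig

# --- Prove that events are flowing ---
# A new script block and a new process are needed after the policy change.
Invoke-Expression 'Get-Date | Out-Null'
Start-Process -FilePath whoami.exe -Wait -NoNewWindow

# 4104: Properties[2] is the script block text.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 3 |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
# 4688: Properties[8] is CommandLine on Windows 10/Server 2016 and later schemas.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 3 |
    Select-Object TimeCreated, @{ n = 'CommandLine'; e = { $_.Properties[8].Value } }
```

The verification step matters as much as the configuration: an attacker with local administrator rights can flip these same registry values back, so the check should be re-run by an agent or scheduled task and the 4103/4104/4688 streams forwarded off-host to the central log repository the model now expects at Maturity Level Two. Script block logging also records the deobfuscated form of a script block, so searching 4104 events for "MISSING" or similar patterns is a cheap first detection on top of this configuration.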
Regular Backups
📌 Data Criticality Consideration: While there are no significant changes to the backup requirements, organizations are encouraged to consider the business criticality of data when prioritizing backups.
Logging
📌 Centralized Logging Requirements: The requirement for centralized logging has been moved from Maturity Level Three to Maturity Level Two, which will substantially increase the volume of logs organizations at that level must collect, store and retain.
Cloud Service Management and Incident Detection and Response
📌 New Focus Areas: Cloud service management and incident detection and response have been added as new focus areas across the strategies, reflecting the need to manage cloud services more effectively and to detect and respond to incidents more robustly.
General Enhancements
📌 Consistency with the Information Security Manual (ISM): The update adopts the wording of the mapped ISM controls so that the two frameworks stay consistent and so that governance, risk and compliance tools can ingest Essential Eight tracking and reporting automatically.