Essential Eight Maturity Model - Detailed

Essential Security for your Business

Overview

The Essential Eight is a set of mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to help organisations protect themselves against cyber attacks. Implementing these strategies is essential for any organisation that wants to prevent a large percentage of common cyber attacks. This page provides information about the different strategies included in the Essential Eight, as well as detailing our services to help organisations implement these strategies and stay secure. By implementing the Essential Eight, organisations can improve their security posture, reduce the risk of cyber attacks, comply with regulatory requirements, and improve customer trust and reputation.

Maturity Levels

To assist organisations in determining the maturity of their implementation of the Essential Eight, three maturity levels have been defined for each mitigation strategy. The maturity levels are defined as:

  • Maturity Level One: Partly aligned with the intent of the mitigation strategy
  • Maturity Level Two: Mostly aligned with the intent of the mitigation strategy
  • Maturity Level Three: Fully aligned with the intent of the mitigation strategy

alltasksIT's Essential 8 Webinar

Watch our Essential 8 Webinar recording to learn more about the Essential 8 and the different maturity levels to suit your business.

Essential Eight Mitigation Strategies

1. Patch applications

Maturity Level One

  • An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
  • A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
  • A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services.
  • A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
  • Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
  • Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
  • Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release.
  • Online services that are no longer supported by vendors are removed.
  • Office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.

Test Methodology

ML1-PA-01: An automated method of asset discovery is run and reviewed at least fortnightly.

Confirm that a method of asset discovery is in place (such as an asset discovery tool or a vulnerability scanner with equivalent functionality) and that it is configured to be run in an automated manner at least every fortnight. Confirm that any anomalies that are identified are reviewed and actioned.

Test Methodology

ML1-PA-02: Vulnerability scanning is performed daily for online services.

Review vulnerability scanning logs or reports to confirm that scans are conducted daily for online services. Verify that the scans identify missing patches or updates.

Test Methodology

ML1-PA-03: Critical patches for online services are applied within 48 hours.

Review patch management logs and compare them with vendor release dates for critical vulnerabilities or known exploits. Verify that patches were applied within the 48-hour timeframe for online services.

Maturity Level Two

  • A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
  • Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release.

Test Methodology

ML2-PA-01: Vulnerability scanning is performed fortnightly for other applications.

Review vulnerability scanning logs or reports to confirm that scans are conducted at least fortnightly for applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products. Verify that the scans identify missing patches or updates.

Test Methodology

ML2-PA-02: Patches for other applications are applied within one month.

Review patch management logs and compare them with vendor release dates. Verify that patches for applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products were applied within one month of release.

Maturity Level Three

  • Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
  • Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
  • Applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.

Test Methodology

ML3-PA-01: Critical patches for office productivity suites and related software are applied within 48 hours.

Review patch management logs and compare them with vendor release dates for critical vulnerabilities or known exploits. Verify that patches were applied within the 48-hour timeframe for office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.

Test Methodology

ML3-PA-02: Unsupported applications are removed.

Conduct an inventory of installed applications and compare against a list of vendor-supported software. Verify that any applications no longer supported by vendors have been removed from the systems.

2. Patch operating systems

Maturity Level One

  • An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
  • A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
  • A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices.
  • A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices.
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release.
  • Operating systems that are no longer supported by vendors are replaced.

Test Methodology

ML1-PO-01: An automated method of asset discovery is run and reviewed at least fortnightly.

Confirm that a method of asset discovery is in place (such as an asset discovery tool or a vulnerability scanner with equivalent functionality) and that it is configured to be run in an automated manner at least every fortnight. Confirm that any anomalies that are identified are reviewed and actioned.

Test Methodology

ML1-PO-02: Vulnerability scanning is performed daily for internet-facing systems.

Review vulnerability scanning logs or reports to confirm that scans are conducted daily for internet-facing servers and network devices. Verify that the scans identify missing patches or updates for operating systems.

Test Methodology

ML1-PO-03: Critical patches for internet-facing systems are applied within 48 hours.

Review patch management logs and compare them with vendor release dates for critical vulnerabilities or known exploits. Verify that patches were applied within the 48-hour timeframe for operating systems of internet-facing servers and network devices.

Maturity Level Two

  • All requirements for Maturity Level One.

Test Methodology

ML2-PO-01: All Maturity Level One requirements are met.

Perform all test methodologies from Maturity Level One and confirm that all requirements are still being met.

Maturity Level Three

  • A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in drivers.
  • A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in firmware.
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
  • Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
  • Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
  • Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
  • Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
  • Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
  • The latest release, or the previous release, of operating systems are used.

Test Methodology

ML3-PO-01: Vulnerability scanning is performed fortnightly for drivers and firmware.

Review vulnerability scanning logs or reports to confirm that scans are conducted at least fortnightly for drivers and firmware. Verify that the scans identify missing patches or updates.

Test Methodology

ML3-PO-02: Critical patches for non-internet-facing systems, drivers, and firmware are applied within 48 hours.

Review patch management logs and compare them with vendor release dates for critical vulnerabilities or known exploits. Verify that patches were applied within the 48-hour timeframe for operating systems of workstations, non-internet-facing servers, non-internet-facing network devices, drivers, and firmware.

Test Methodology

ML3-PO-03: Operating systems are up-to-date.

Conduct an inventory of operating systems in use and compare against the latest releases from vendors. Verify that all systems are running either the latest release or the previous release of their respective operating systems.
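The patch-timeframe tests above (ML1-PA-03, ML2-PA-02, ML3-PA-01, ML1-PO-03 and ML3-PO-02) all reduce to the same comparison of vendor release date against application date. The following is an added example, not code from this page or from ASD, that encodes the timeframes listed in strategies 1 and 2 and runs a constructed patch-management export through them for each maturity level. The CSV layout, asset category names and the treatment of "one month" as 30 days are assumptions made here.

```python
"""Added example: evaluate a patch-management export against the Essential Eight
patching timeframes for Maturity Levels 1-3. Export format and data are constructed."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

H48 = timedelta(hours=48)
TWO_WEEKS = timedelta(days=14)
ONE_MONTH = timedelta(days=30)  # assumption: the model does not fix a month length

# Asset categories as the patching strategies above group them (names are ours).
ONLINE_SERVICE = "online_service"
PRODUCTIVITY_APP = "productivity_app"  # office suites, browsers + extensions, email, PDF, security products
OTHER_APP = "other_app"
INTERNET_FACING_OS = "internet_facing_os"
INTERNAL_OS = "internal_os"  # workstations, non-internet-facing servers and network devices
DRIVER = "driver"
FIRMWARE = "firmware"


def deadline(category: str, critical: bool, level: int) -> Optional[timedelta]:
    """Longest allowed gap between vendor release and patch application.
    `critical` means the vendor rated it critical OR a working exploit exists.
    None means the given maturity level sets no timeframe for that category."""
    if category in (ONLINE_SERVICE, INTERNET_FACING_OS):      # required from ML1
        return H48 if critical else TWO_WEEKS
    if category == PRODUCTIVITY_APP:                           # ML1: two weeks; ML3: 48h if critical
        return (H48 if critical else TWO_WEEKS) if level >= 3 else TWO_WEEKS
    if category == INTERNAL_OS:                                # ML1: one month; ML3: 48h if critical
        return (H48 if critical else ONE_MONTH) if level >= 3 else ONE_MONTH
    if category == OTHER_APP:                                  # only in scope from ML2
        return ONE_MONTH if level >= 2 else None
    if category in (DRIVER, FIRMWARE):                         # only in scope from ML3
        return (H48 if critical else ONE_MONTH) if level >= 3 else None
    raise ValueError(f"unknown asset category: {category}")


@dataclass
class PatchRecord:
    asset: str
    category: str
    critical: bool
    released: datetime
    applied: Optional[datetime]  # None = still outstanding


def parse_log(text: str) -> list:
    """Parse the constructed CSV export: asset,category,severity,released,applied."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append(PatchRecord(
            asset=row["asset"],
            category=row["category"],
            critical=row["severity"] in ("critical", "exploit"),
            released=datetime.fromisoformat(row["released"]),
            applied=datetime.fromisoformat(row["applied"]) if row["applied"] else None,
        ))
    return out


def check(records: list, level: int, now: datetime) -> list:
    """Return one finding per record that breaches the timeframe at `level`.
    Unapplied patches are measured against `now`, so an open item keeps ageing."""
    findings = []
    for r in records:
        limit = deadline(r.category, r.critical, level)
        if limit is None:
            continue
        due = r.released + limit
        done = r.applied if r.applied is not None else now
        if done > due:
            findings.append({"asset": r.asset, "category": r.category,
                             "overdue": done - due, "applied": r.applied is not None})
    return findings


# Constructed sample export; assets and dates are invented for the demonstration.
SAMPLE_LOG = """asset,category,severity,released,applied
web-portal,online_service,critical,2024-05-01T09:00,2024-05-02T15:30
web-portal,online_service,non-critical,2024-05-01T09:00,2024-05-20T10:00
fleet-browser,productivity_app,critical,2024-05-10T08:00,2024-05-15T08:00
crm-client,other_app,non-critical,2024-04-01T00:00,
edge-firewall,internet_facing_os,exploit,2024-05-20T12:00,2024-05-21T12:00
hr-workstations,internal_os,critical,2024-05-25T00:00,2024-05-30T00:00
nic-driver,driver,non-critical,2024-05-01T00:00,
"""
NOW = datetime(2024, 6, 1)  # assessment date for the constructed sample


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for level in (1, 2, 3):
        print(f"Maturity Level {level}:")
        for f in check(recs, level, NOW):
            state = "late" if f["applied"] else "missing"
            print(f"  {f['asset']} ({f['category']}) {state}, {f['overdue']} past deadline")
```

The same export produces more findings as the target level rises, which is the expected shape of an assessment: an estate that is clean at Maturity Level One can still fail the 48-hour critical window that Level Three imposes on workstations, drivers and productivity software.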

3. Multi-factor authentication

Maturity Level One

  • Multi-factor authentication is used to authenticate users to their organisation's online services that process, store or communicate their organisation's sensitive data.
  • Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their organisation's sensitive data.
  • Multi-factor authentication (where available) is used to authenticate users to third-party online services that process, store or communicate their organisation's non-sensitive data.
  • Multi-factor authentication is used to authenticate users to their organisation's online customer services that process, store or communicate their organisation's sensitive customer data.
  • Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their organisation's sensitive customer data.
  • Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data.
  • Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.

Test Methodology

ML1-MF-01: Multi-factor authentication is implemented for sensitive data access.

Review the authentication mechanisms for online services that process, store, or communicate sensitive organisational or customer data. Verify that multi-factor authentication is enforced for both internal and third-party services.

Test Methodology

ML1-MF-02: Multi-factor authentication methods meet the required criteria.

Examine the multi-factor authentication methods in use and confirm they use either something users have and something users know, or something users have that is unlocked by something users know or are.

Maturity Level Two

  • Multi-factor authentication is used to authenticate privileged users of systems.
  • Multi-factor authentication is used to authenticate unprivileged users of systems.
  • Multi-factor authentication used for authenticating users of online services is phishing-resistant.
  • Multi-factor authentication used for authenticating customers of online customer services provides a phishing-resistant option.
  • Multi-factor authentication used for authenticating users of systems is phishing-resistant.

Test Methodology

ML2-MF-01: Multi-factor authentication is implemented for all system users.

Review the authentication mechanisms for both privileged and unprivileged users accessing systems. Verify that multi-factor authentication is enforced for all user types.

Test Methodology

ML2-MF-02: Phishing-resistant multi-factor authentication is implemented.

Examine the multi-factor authentication methods used for online services, customer services, and system access. Confirm that these methods are phishing-resistant or provide a phishing-resistant option for customer services.

Maturity Level Three

  • Multi-factor authentication is used to authenticate users of data repositories.
  • Multi-factor authentication used for authenticating customers of online customer services is phishing-resistant.
  • Multi-factor authentication used for authenticating users of data repositories is phishing-resistant.

Test Methodology

ML3-MF-01: Multi-factor authentication is implemented for data repository access.

Review the authentication mechanisms for accessing data repositories. Verify that multi-factor authentication is enforced for all users accessing these repositories.

Test Methodology

ML3-MF-02: Phishing-resistant multi-factor authentication is comprehensive.

Examine the multi-factor authentication methods used for customer services and data repository access. Confirm that these methods are phishing-resistant for all use cases.

4. Restrict administrative privileges

Maturity Level One

  • Requests for privileged access to systems, applications and data repositories are validated when first requested.
  • Privileged users are assigned a dedicated privileged user account to be used solely for duties requiring privileged access.
  • Privileged user accounts (excluding those explicitly authorised to access online services) are prevented from accessing the internet, email and web services.
  • Privileged user accounts explicitly authorised to access online services are strictly limited to only what is required for users and services to undertake their duties.
  • Privileged users use separate privileged and unprivileged operating environments.
  • Unprivileged user accounts cannot logon to privileged operating environments.
  • Privileged user accounts (excluding local administrator accounts) cannot logon to unprivileged operating environments.

Test Methodology

ML1-RA-01: Privileged access requests are validated.

Review the process for requesting privileged access. Verify that there is a formal validation process in place for initial requests for privileged access to systems, applications, and data repositories.

Test Methodology

ML1-RA-02: Dedicated privileged accounts are used.

Examine user account listings and policies. Confirm that privileged users are assigned separate accounts for privileged and unprivileged activities.

Test Methodology

ML1-RA-03: Privileged account internet access is restricted.

Review network configurations and policies. Verify that privileged accounts (except those explicitly authorised) are prevented from accessing the internet, email, and web services.

Maturity Level Two

  • Privileged access to systems, applications and data repositories is disabled after 12 months unless revalidated.
  • Privileged access to systems and applications is disabled after 45 days of inactivity.
  • Privileged operating environments are not virtualised within unprivileged operating environments.
  • Administrative activities are conducted through jump servers.
  • Credentials for break glass accounts, local administrator accounts and service accounts are long, unique, unpredictable and managed.

Test Methodology

ML2-RA-01: Privileged access is regularly reviewed and disabled if inactive.

Review access control systems and logs. Verify that privileged access is disabled after 12 months unless revalidated, and after 45 days of inactivity for systems and applications.

Test Methodology

ML2-RA-02: Jump servers are used for administrative activities.

Examine the infrastructure and processes for administrative activities. Confirm that jump servers are in place and used for conducting administrative tasks.

Test Methodology

ML2-RA-03: Special account credentials are properly managed.

Review the policies and practices for managing credentials of break glass accounts, local administrator accounts, and service accounts. Verify that these credentials are long, unique, unpredictable, and managed securely.

Maturity Level Three

  • Privileged access to systems, applications and data repositories is limited to only what is required for users and services to undertake their duties.
  • Secure Admin Workstations are used in the performance of administrative activities.
  • Just-in-time administration is used for administering systems and applications.
  • Memory integrity functionality is enabled.
  • Local Security Authority protection functionality is enabled.
  • Credential Guard functionality is enabled.
  • Remote Credential Guard functionality is enabled.

Test Methodology

ML3-RA-01: Privileged access follows the principle of least privilege.

Review access control configurations for systems, applications, and data repositories. Verify that privileged access is limited to only what is required for users and services to perform their duties.

Test Methodology

ML3-RA-02: Secure Admin Workstations are used for administrative tasks.

Examine the infrastructure and processes for administrative activities. Confirm that Secure Admin Workstations are in place and used for performing administrative tasks.

Test Methodology

ML3-RA-03: Just-in-time administration is implemented.

Review the systems and processes for granting administrative access. Verify that just-in-time administration is used for administering systems and applications.

Test Methodology

ML3-RA-04: Advanced security features are enabled.

Check system configurations to confirm that memory integrity functionality, Local Security Authority protection, Credential Guard, and Remote Credential Guard are enabled on relevant systems.

5. Application control

Maturity Level One

  • Application control is implemented on workstations.
  • Application control is applied to user profiles and temporary folders used by operating systems, web browsers and email clients.
  • Application control restricts the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set.

Test Methodology

ML1-AC-01: Application control is implemented on workstations.

Review workstation configurations and policies. Verify that application control is implemented on workstations, restricting the execution of applications to an organisation-approved set.

Test Methodology

ML1-AC-02: Application control is applied to user profiles and temporary folders.

Examine the application control settings for user profiles and temporary folders used by operating systems, web browsers, and email clients. Confirm that appropriate restrictions are in place.

Maturity Level Two

  • Application control is implemented on internet-facing servers.
  • Application control is applied to all locations other than user profiles and temporary folders used by operating systems, web browsers and email clients.
  • Microsoft's recommended application blocklist is implemented.
  • Application control rulesets are validated on an annual or more frequent basis.

Test Methodology

ML2-AC-01: Application control is implemented on internet-facing servers.

Review configurations of internet-facing servers. Verify that application control is implemented, restricting the execution of applications to an organisation-approved set.

Test Methodology

ML2-AC-02: Microsoft's recommended application blocklist is implemented.

Examine the application control policies. Confirm that Microsoft's recommended application blocklist is incorporated into the organisation's application control strategy.

Test Methodology

ML2-AC-03: Application control rulesets are regularly validated.

Review documentation and logs related to application control ruleset validation. Verify that rulesets are validated at least annually.

Maturity Level Three

  • Application control is implemented on non-internet-facing servers.
  • Application control restricts the execution of drivers to an organisation-approved set.
  • Microsoft's vulnerable driver blocklist is implemented.

Test Methodology

ML3-AC-01: Application control is implemented on non-internet-facing servers.

Review configurations of non-internet-facing servers. Verify that application control is implemented, restricting the execution of applications to an organisation-approved set.

Test Methodology

ML3-AC-02: Driver execution is restricted.

Examine application control policies related to driver execution. Confirm that only organisation-approved drivers are allowed to execute.

Test Methodology

ML3-AC-03: Microsoft's vulnerable driver blocklist is implemented.

Review the application control policies. Verify that Microsoft's vulnerable driver blocklist is incorporated into the organisation's application control strategy.

6. Restrict Microsoft Office macros

Maturity Level One

  • Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
  • Microsoft Office macros in files originating from the internet are blocked.
  • Microsoft Office macro antivirus scanning is enabled.
  • Microsoft Office macro security settings cannot be changed by users.

Test Methodology

ML1-OM-01: Microsoft Office macros are disabled by default.

Review Microsoft Office settings across the organisation. Verify that macros are disabled by default for users without a demonstrated business requirement.

Test Methodology

ML1-OM-02: Macros from internet sources are blocked.

Examine Microsoft Office configurations. Confirm that macros in files originating from the internet are blocked from executing.

Test Methodology

ML1-OM-03: Macro antivirus scanning is enabled.

Check antivirus settings related to Microsoft Office. Verify that macro antivirus scanning is enabled and functioning correctly.

Maturity Level Two

  • Microsoft Office macros are blocked from making Win32 API calls.

Test Methodology

ML2-OM-01: Macros are blocked from making Win32 API calls.

Review Microsoft Office macro security settings. Confirm that macros are prevented from making Win32 API calls.

Maturity Level Three

  • Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute.
  • Microsoft Office macros are checked to ensure they are free of malicious code before being digitally signed or placed within Trusted Locations.
  • Only privileged users responsible for checking that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations.
  • Microsoft Office macros digitally signed by an untrusted publisher cannot be enabled via the Message Bar or Backstage View.
  • Microsoft Office macros digitally signed by signatures other than V3 signatures cannot be enabled via the Message Bar or Backstage View.
  • Microsoft Office's list of trusted publishers is validated on an annual or more frequent basis.

Test Methodology

ML3-OM-01: Macro execution is restricted to secure environments.

Examine Microsoft Office configurations. Verify that macros are only allowed to execute from sandboxed environments, Trusted Locations, or when digitally signed by a trusted publisher.

Test Methodology

ML3-OM-02: Macro code is checked before approval.

Review processes for approving macros. Confirm that macros are checked for malicious code before being digitally signed or placed in Trusted Locations.

Test Methodology

ML3-OM-03: Trusted Location access is restricted.

Examine access controls for Trusted Locations. Verify that only privileged users responsible for checking macros can write to and modify content within these locations.

Test Methodology

ML3-OM-04: Untrusted macros cannot be enabled through user interfaces.

Test Microsoft Office configurations. Confirm that macros signed by untrusted publishers or with non-V3 signatures cannot be enabled via the Message Bar or Backstage View.

Test Methodology

ML3-OM-05: Trusted publishers list is regularly validated.

Review documentation and logs related to the Microsoft Office trusted publishers list. Verify that the list is validated at least annually.

7. User application hardening

Maturity Level One

  • Internet Explorer 11 is disabled or removed.
  • Web browsers do not process Java from the internet.
  • Web browsers do not process web advertisements from the internet.
  • Web browser security settings cannot be changed by users.

Test Methodology

ML1-AH-01: Internet Explorer 11 is disabled or removed.

Check system configurations and installed applications. Verify that Internet Explorer 11 is either disabled or completely removed from all systems.

Test Methodology

ML1-AH-02: Java processing from the internet is disabled.

Review web browser settings. Confirm that Java processing from internet sources is disabled across all web browsers.

Test Methodology

ML1-AH-03: Web advertisement processing is blocked.

Examine web browser configurations. Verify that processing of web advertisements from internet sources is blocked.

Test Methodology

ML1-AH-04: Users cannot change browser security settings.

Test user permissions and browser configurations. Confirm that users are unable to modify web browser security settings.

Maturity Level Two

  • Web browsers are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.
  • Microsoft Office is blocked from creating child processes.
  • Microsoft Office is blocked from creating executable content.
  • Microsoft Office is blocked from injecting code into other processes.
  • Microsoft Office is configured to prevent activation of Object Linking and Embedding packages.
  • Office productivity suites are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.
  • Office productivity suite security settings cannot be changed by users.
  • PDF software is blocked from creating child processes.
  • PDF software is hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.
  • PDF software security settings cannot be changed by users.

Test Methodology

ML2-AH-01: Web browsers are hardened according to guidelines.

Review web browser configurations against ASD and vendor hardening guidance. Verify that the most restrictive settings are applied when conflicts occur.

Test Methodology

ML2-AH-02: Microsoft Office has restricted functionality.

Examine Microsoft Office settings. Confirm that it is blocked from creating child processes, creating executable content, injecting code into other processes, and activating OLE packages.

Test Methodology

ML2-AH-03: Office suites are hardened according to guidelines.

Review office productivity suite configurations against ASD and vendor hardening guidance. Verify that the most restrictive settings are applied when conflicts occur.

Test Methodology

ML2-AH-04: PDF software has restricted functionality and is hardened.

Examine PDF software settings. Confirm that it is blocked from creating child processes and is hardened according to ASD and vendor guidance.

Test Methodology

ML2-AH-05: Users cannot change security settings.

Test user permissions for office productivity suites and PDF software. Verify that users are unable to modify security settings for these applications.

Maturity Level Three

  • .NET Framework 3.5 (includes .NET 2.0 and 3.0) is disabled or removed.
  • Windows PowerShell 2.0 is disabled or removed.
  • PowerShell is configured to use Constrained Language Mode.

Test Methodology

ML3-AH-01: Older .NET Framework versions are disabled or removed.

Check system configurations and installed components. Verify that .NET Framework 3.5 (including .NET 2.0 and 3.0) is either disabled or completely removed from all systems.

Test Methodology

ML3-AH-02: Windows PowerShell 2.0 is disabled or removed.

Examine system configurations and installed components. Confirm that Windows PowerShell 2.0 is either disabled or completely removed from all systems.

Test Methodology

ML3-AH-03: PowerShell is configured to use Constrained Language Mode.

Review PowerShell configurations across the organisation. Verify that PowerShell is set to use Constrained Language Mode to limit its capabilities.

8. Regular backups

Maturity Level One

  • Backups of data, applications and settings are performed and retained in accordance with business criticality and business continuity requirements.
  • Backups of data, applications and settings are synchronised to enable restoration to a common point in time.
  • Backups of data, applications and settings are retained in a secure and resilient manner.
  • Restoration of data, applications and settings from backups to a common point in time is tested as part of disaster recovery exercises.
  • Unprivileged user accounts cannot access backups belonging to other user accounts.
  • Unprivileged user accounts are prevented from modifying and deleting backups.

Test Methodology

ML1-RB-01: Regular backups are performed and retained.

Review backup policies, schedules, and retention periods. Verify that backups are performed and retained in accordance with business criticality and continuity requirements.

Test Methodology

ML1-RB-02: Backups are synchronized for common point-in-time restoration.

Examine backup configurations and processes. Confirm that backups of data, applications, and settings are synchronized to allow restoration to a common point in time.

Test Methodology

ML1-RB-03: Backup security and resilience.

Assess the storage and protection measures for backups. Verify that backups are retained in a secure and resilient manner.

Test Methodology

ML1-RB-04: Backup restoration is tested.

Review disaster recovery exercise logs and reports. Confirm that restoration of data, applications, and settings from backups to a common point in time is tested regularly.

Test Methodology

ML1-RB-05: Backup access is restricted.

Examine access controls for backup systems. Verify that unprivileged user accounts cannot access backups belonging to other user accounts and are prevented from modifying and deleting backups.

Maturity Level Two

  • Privileged user accounts (excluding backup administrator accounts) cannot access backups belonging to other user accounts.
  • Privileged user accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups.

Test Methodology

ML2-RB-01: Privileged user backup access is restricted.

Review access controls for backup systems. Verify that privileged user accounts (excluding backup administrator accounts) cannot access backups belonging to other user accounts.

Test Methodology

ML2-RB-02: Privileged users cannot modify or delete backups.

Examine backup system permissions. Confirm that privileged user accounts (excluding backup administrator accounts) are prevented from modifying and deleting backups.
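An added audit helper for ML1-RB-05 and ML2-RB-01/02 (written for this page, not part of the Essential Eight material). It assumes the backup repository is an NTFS path and that the assessor supplies the principals permitted to touch it; the path and principal names in the sample invocation are constructed placeholders.

```powershell
# Rights that let a principal change or remove backups. FullControl and Modify include these bits,
# so they are caught by the same bitwise test.
$script:ChangeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw generic bits instead of named rights; GENERIC_ALL | GENERIC_WRITE.
$script:GenericChangeBits = 0x50000000

function Test-BackupAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$AllowedPrincipals   # backup admins, SYSTEM, backup service account
    )
    $acl = Get-Acl -Path $Path
    $findings = foreach ($ace in $acl.Access) {
        # Deny ACEs never widen access; only Allow ACEs for principals outside the allow list matter.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($AllowedPrincipals -contains $who) { continue }   # -contains is case-insensitive
        $raw = [int]$ace.FileSystemRights
        $canChange = (($raw -band [int]$script:ChangeRights) -ne 0) -or (($raw -band $script:GenericChangeBits) -ne 0)
        # Read-only access by another account already fails ML1-RB-05; write-like rights also fail ML2-RB-02.
        $severity = if ($canChange) { 'CanModifyOrDelete (ML2-RB-02)' } else { 'CanRead (ML1-RB-05)' }
        [pscustomobject]@{
            Path      = $Path
            Principal = $who
            Rights    = $ace.FileSystemRights.ToString()
            Severity  = $severity
            Inherited = $ace.IsInherited
        }
    }
    [pscustomobject]@{ Path = $Path; Pass = (@($findings).Count -eq 0); Findings = @($findings) }
}

# Constructed sample invocation: replace with the real repository path and principal names.
$result = Test-BackupAcl -Path 'D:\Backups' -AllowedPrincipals @(
    'NT AUTHORITY\SYSTEM', 'EXAMPLE\Backup Admins', 'EXAMPLE\svc-backup'
)
$result.Findings | Format-Table -AutoSize
if (-not $result.Pass) { exit 1 }
```

Run it against each backup repository root and, where retention immutability is enforced by the backup product rather than NTFS, pair it with that product's own retention-lock report for ML3-RB-02.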

Maturity Level Three

  • Unprivileged user accounts cannot access their own backups.
  • Privileged user accounts (excluding backup administrator accounts) cannot access their own backups.
  • Backup administrator accounts are prevented from modifying and deleting backups during their retention period.

Test Methodology

ML3-RB-01: Users cannot access their own backups.

Review access controls for backup systems. Verify that both unprivileged and privileged user accounts (excluding backup administrator accounts) cannot access their own backups.

Test Methodology

ML3-RB-02: Backup administrators cannot modify or delete backups during retention.

Examine backup system permissions and processes. Confirm that backup administrator accounts are prevented from modifying and deleting backups during their specified retention period.

What maturity level should your business aim for?

To ensure robust protection against cyber threats, it is recommended that organisations strive to achieve Maturity Level Three for each mitigation strategy outlined in the Essential 8 framework. However, certain organisations may face greater risks due to factors such as the level of targeted attacks or the nature of their operations. In such cases, the Australian Cyber Security Centre (ACSC) may determine that a higher level of maturity is necessary and will provide customised guidance to meet the unique needs of the organisation.

Download our Essential8 Audit Template

As a starting point, we’re giving you a valuable tool: a downloadable template for self-auditing your Essential8 compliance. This template, used in our professional audits, offers insights for everyone—from techs seeking granular control details to executives looking for high-level alignment with cybersecurity maturity.

Take action now to enhance your organisation's cybersecurity posture with the Essential Eight mitigation strategies.

Fill in the form to download the Essential8 Template.