ACSC Essential Eight Assessment Services
A CISO’s Thoughts, by Prashant Haldankar, Privasec’s CISO
Australian Cyber Security Centre’s (ACSC) Strategy to Mitigate Cyber Security Incidents provides a prioritised list of mitigation strategies to assist organisations in protecting their systems and their crown jewels against a range of adversaries. The mitigation strategies advised by ACSC vary and can be customised based on the risk profile, the industry sector and the adversaries the organisation is most concerned with.
The Essential Eight
While all organisations operate differently and have different risk profiles, no single mitigation strategy is guaranteed to prevent cyber-security incidents from occurring. ACSC’s recommendation of implementing the Essential Eight mitigation strategies as a baseline effectively makes it harder for adversaries to compromise systems. ACSC found that an Effective implementation of Essential Eight strategies can mitigate 85% of cyber threats. Proactive approaches to implementing these strategies are cost-effective solutions in terms of time, money and effort than simply being reactive to responding to large scale cyber-security incidents.
NSW Government Cyber Security Policy requires the implementation, amongst others, of the Australian Cyber Security Centre’s (ACSC) Essential Eight security controls. The policy requires (Requirement 3.1 and 3.2) an independent annual assessment of all mandatory requirements in the policy for the previous financial year, including a maturity assessment (referred to by Privasec as ‘gap and maturity assessment’) against the ACSC Essential Eight.
ACSC’s recommended implementation order for each adversary can assist organisations in building a strong cyber-security posture for their business and the support systems, which are critical to an organisation’s success in delivering business objectives, i.e., no business interruption due to a cyber-security incident.
ASCS Essential Eight Controls and their Importance:
The Essential Eight strategies focus on three key objectives for mitigation strategy. The table below sourced from ACSC explains each of the mitigation strategies, the controls, and the importance of these controls:
Effective implementation of these controls is a starting point, and continual improvement to bring maturity is key in keeping up with the changing cyber threat landscape. Once the baseline controls are implemented, organisations should focus on increasing the maturity of their implementation such that they eventually reach full alignment in keeping the intent of each mitigation strategy.
ACSC has defined three maturity levels to assist organisations in determining the maturity of their implementation. The maturity criteria defined in ACSC Maturity Model includes:
- Maturity Level One – Partly aligned with intent of mitigation strategy.
- Maturity Level Two – Mostly aligned with intent of mitigation strategy.
- Maturity Level Three – Fully aligned with intent of mitigation strategy.
Privasec’s ACSC Essential Eight Maturity Assessment Approach
Privasec follows a mature assessment and auditing approach to provide organisations with assurance on its effective alignment with the Essential Eight controls and roadmap to achieve the highest level of maturity.
Our assessment process leverages the people, process, and technology aspects with a combination of advanced auditing tools to provide an objective assessment of risk and compliance to the Essential Eight controls.
Our Assessment adheres to the following steps. A Privasec consultant will be a key part of this process to ensure you achieve the desired outcome:
- Scope Assessment: Validation of the assessment scope and confirmation that the scope and the identified services are appropriately covered by the system components that are defined in the scope. This includes systems and business applications.
- Gap Assessment and Risk Reporting: An initial review of the documentation and technology controls for the in-scope system and applications will be conducted. This includes a gap analysis of people, process and technology control against the Essential Eight’s stipulated controls and strategies. Your consultant will keep you updated with any early findings and areas of non-compliance to give you as much time to remediate them as possible.
- We will also conduct an audit leveraging our tools and assessment process to perform an objective measure of cyber-risk exposure and cyber maturity for the in-scope systems and applications.
- A risk-based review of the organisation’s IT security processes and supporting technologies and controls to draw a baseline of current compliance and maturity.
- An assessment of the likely effectiveness of the controls in place to protect the organisation against any cyber-security threats.
- Once a clear understanding of the risks impacting an organisation have been identified, the Privasec consultant will work with your process, key stakeholders, and asset owners to:
- Identify, at a high level, practical solutions and remediation options,
- Create a tailored mitigation approach to effectively reduce risks and align with your business objectives.
- Prepare a detailed roadmap to reach the desired maturity level in comparison to the current maturity level.
- Risk Remediation: Your consultant will provide guidance and support during the remediation process to ensure your compliance/risk objectives are met.
- Once the report is finalised, Privasec will prepare and deliver the presentation to your organisation’s key stakeholders and to its board (as required). Our presentation will be tailored to the audience and will address business and technical stakeholders.
Our reports provide a holistic and detailed view of the organisation’s current compliance to the Essential Eight, cyber-risk exposure profile and the current maturity. We also deliver a detailed compliance roadmap against each of the mitigation strategies, with recommendations of ways to achieve the highest level of maturity.
These reports form a baseline for the Annual Compliance Reporting and can be used to support the organisation’s cyber-security reporting, for example, NSW Cyber Security Policy Annual reporting and attestations submissions to relevant governance bodies including the Cyber Security Senior Officers Group (CSSOG) and the ICT and Digital Leadership Group (IDLG).