A CISO’s Thoughts, by Prashant Haldankar, Privasec’s CISO
The Australian Cyber Security Centre’s (ACSC) Strategy to Mitigate Cyber Security Incidents provides a prioritised list of mitigation strategies to assist organisations in protecting their systems and their crown jewels against a range of adversaries. The mitigation strategies advised by the ACSC vary and can be customised based on the organisation’s risk profile, its industry sector and the adversaries it is most concerned about.
The Essential Eight
While all organisations operate differently and have different risk profiles, no single mitigation strategy is guaranteed to prevent cyber-security incidents from occurring. The ACSC’s recommendation to implement the Essential Eight mitigation strategies as a baseline makes it significantly harder for adversaries to compromise systems. The ACSC found that an effective implementation of the Essential Eight strategies can mitigate 85% of cyber threats. Proactively implementing these strategies is more cost-effective, in terms of time, money and effort, than simply reacting to large-scale cyber-security incidents after they occur.
The NSW Government Cyber Security Policy requires, amongst other controls, the implementation of the Australian Cyber Security Centre’s (ACSC) Essential Eight security controls. The policy requires (Requirements 3.1 and 3.2) an independent annual assessment of all mandatory requirements in the policy for the previous financial year, including a maturity assessment (referred to by Privasec as a ‘gap and maturity assessment’) against the ACSC Essential Eight.
The ACSC’s recommended implementation order for each adversary can assist organisations in building a strong cyber-security posture for their business and its supporting systems. Those systems are critical to an organisation’s success in delivering its business objectives, i.e., operating without business interruption due to a cyber-security incident.