The Australian Cyber Security Centre (ACSC) recommends that organisations implement eight essential cyber security mitigation strategies as a baseline, known as the Essential Eight (E8). While the E8 is primarily designed for Windows-based networks, these fundamental mitigation strategies are something that ALL organisations should consider implementing, as relevant to them, based on their security maturity level.
WHY YOUR BUSINESS SHOULD BE IMPLEMENTING THE E8
The E8 is a risk-based approach to cyber security. It not only adds essential mitigations to provide resilience to your organisation, but also provides partner organisations with credible assurances and contributes to any future accreditation you may wish to pursue. The different maturity levels mean that it can be implemented to the level most appropriate to your organisation, based on your risk and organisational need.
THE E8 MATURITY MODEL
The E8 are cyber security fundamentals and comprise the most effective mitigation strategies:
- Application control
- Patch applications
- Configure MS Office macro settings
- Use application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
Full detail can be found here: https://www.cyber.gov.
FUNDAMENTALLY, THE E8 COVERS THREE MAIN AIMS
- Prevention of Malware Attacks
- Limiting the extent to which Cyber Security incidents affect your organisation
- Data and Systems recovery
The combination of these three factors should ensure a business is sufficiently robust in today’s operating environment.
The model uses four levels of maturity, starting from 0 to 4, based upon organisational goals and risks, giving precise risk controls to implement in order to reach the desired level of security.
Although the E8 model provides a risk-based approach to organisational security, the process can also leverage a compliance-based approach. This means you can have trust in partner organisations who also use these metrics, enabling easier integration of your organisation's third-party risks.
WHO’S USING IT?
The E8 can be implemented by organisations of all sizes and from all industry sectors. The standard is integrated within the Australian Cyber Security Centre’s Information Security Manual (ISM) and can be further mapped to internationally recognised standards such as ISO/IEC 27001, the NIST CSF and NIST SP 800-53.
It is also worth noting that the E8 is one of the few recognised standards for Defence Industry Security Program (DISP) membership.
APPLICATION OF THE E8
The E8 identifies numerous controls across its three fundamental aims.
The implementation starts with a detailed scoping-of-work phase, which includes:
- An enterprise risk assessment
- Understanding the organisation's desired maturity level
- An audit of the current maturity level
This enables the delivery of a gap analysis and a strategic and actionable roadmap to your organisation’s cyber security goals.
If you’d like to know more about the E8, and what implementation looks like for your business, get in touch with Ravinn’s highly experienced Governance, Risk and Compliance team.