This resource provides a detailed checklist for organisations to assess and improve their cybersecurity maturity according to the ACSC Essential 8 guidelines.

The Australian Cyber Security Centre (ACSC) has developed the Essential 8, a set of mitigation strategies designed to help organisations bolster their cyber defences. Implementing these strategies can significantly reduce the risk of cyber threats. The Essential 8 Maturity Model outlines the levels of maturity that organisations should aim to achieve in their cybersecurity practices. This resource provides a comprehensive checklist to help your organisation assess and improve its maturity level according to the ACSC Essential 8 guidelines.

Maturity Levels Overview

The Essential 8 Maturity Model consists of four maturity levels:

  • Maturity Level 0: Inadequate implementation of the Essential 8 strategies.
  • Maturity Level 1: Partially aligned implementation, providing a basic level of protection.
  • Maturity Level 2: Mostly aligned implementation, offering a robust level of protection.
  • Maturity Level 3: Fully aligned implementation, ensuring a comprehensive and proactive defence against cyber threats.

Essential 8 Strategies Checklist

1. Application Whitelisting

Objective: Ensure only approved applications can execute on systems.

  • Maturity Level 0: No application whitelisting implemented.
  • Maturity Level 1:
    • Implement application whitelisting on workstations.
    • Regularly review and update the whitelist.
  • Maturity Level 2:
    • Extend application whitelisting to servers.
    • Automatically update the whitelist based on threat intelligence.
  • Maturity Level 3:
    • Whitelist applications on all systems (workstations, servers, etc.).
    • Continuously monitor and refine the whitelist using advanced threat detection.

2. Patch Applications

Objective: Regularly update applications to protect against known vulnerabilities.

  • Maturity Level 0: No patching process in place.
  • Maturity Level 1:
    • Apply security patches to applications within 30 days of release.
    • Maintain an inventory of applications and their patch status.
  • Maturity Level 2:
    • Apply critical patches within 14 days of release.
    • Use automated tools to manage and deploy patches.
  • Maturity Level 3:
    • Apply patches within 48 hours for critical vulnerabilities.
    • Continuously monitor applications for vulnerabilities and patch status.

3. Configure Microsoft Office Macro Settings

Objective: Minimise the risk of macro-based malware.

  • Maturity Level 0: No restrictions on macros.
  • Maturity Level 1:
    • Disable macros in Microsoft Office by default.
    • Allow macros only from trusted locations.
  • Maturity Level 2:
    • Use Group Policy to enforce macro settings.
    • Require digital signatures for all macros.
  • Maturity Level 3:
    • Block all macros from the internet.
    • Continuously review and update macro policies based on emerging threats.

4. User Application Hardening

Objective: Reduce the attack surface of applications.

  • Maturity Level 0: No hardening measures implemented.
  • Maturity Level 1:
    • Disable unnecessary features in applications (e.g., Flash, Java).
    • Configure applications to block suspicious content.
  • Maturity Level 2:
    • Apply security configurations to all user applications.
    • Regularly review and update hardening policies.
  • Maturity Level 3:
    • Continuously monitor applications for configuration drift.
    • Enforce application hardening policies using automated tools.

5. Restrict Administrative Privileges

Objective: Limit administrative privileges to reduce the risk of credential misuse.

  • Maturity Level 0: No restriction on administrative privileges.
  • Maturity Level 1:
    • Grant administrative privileges only to those who need them.
    • Regularly review and revoke unnecessary privileges.
  • Maturity Level 2:
    • Implement multi-factor authentication for all administrative accounts.
    • Use privileged access management (PAM) tools.
  • Maturity Level 3:
    • Continuously monitor and audit administrative activities.
    • Enforce just-in-time (JIT) access for administrative privileges.

6. Patch Operating Systems

Objective: Regularly update operating systems to protect against known vulnerabilities.

  • Maturity Level 0: No patching process for operating systems.
  • Maturity Level 1:
    • Apply security patches to operating systems within 30 days of release.
    • Maintain an inventory of operating systems and their patch status.
  • Maturity Level 2:
    • Apply critical patches within 14 days of release.
    • Use automated tools to manage and deploy patches.
  • Maturity Level 3:
    • Apply patches within 48 hours for critical vulnerabilities.
    • Continuously monitor operating systems for vulnerabilities and patch status.
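
The patch deadlines in sections 2 and 6 (30 days, 14 days for critical, 48 hours for critical) can be checked against a patch inventory. The following is an added example, not part of the original checklist; `PatchRecord`, the function names and the sample records are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Deadlines as stated in this checklist (sections 2 and 6).
ML1_ALL = timedelta(days=30)        # every security patch
ML2_CRITICAL = timedelta(days=14)   # critical patches
ML3_CRITICAL = timedelta(hours=48)  # critical patches

@dataclass
class PatchRecord:                  # hypothetical inventory row
    asset: str
    patch_id: str
    critical: bool
    released: datetime
    applied: Optional[datetime]     # None = patch still missing

def lag(rec, now):
    """Exposure window: release until applied, or until now if still missing."""
    return (rec.applied or now) - rec.released

def patch_timing_level(records, now):
    """Highest level (0-3) whose patch deadlines every record meets.
    Covers the timing bullets only, not the inventory or tooling bullets."""
    if not records:
        raise ValueError("no patch records: nothing to assess")
    lags = [(r, lag(r, now)) for r in records]
    if any(d > ML1_ALL for _, d in lags):
        return 0
    if any(r.critical and d > ML2_CRITICAL for r, d in lags):
        return 1
    if any(r.critical and d > ML3_CRITICAL for r, d in lags):
        return 2
    return 3

def overdue(records, now):
    """IDs of unapplied patches already past the 30-day deadline."""
    return [r.patch_id for r in records
            if r.applied is None and lag(r, now) > ML1_ALL]

# Constructed sample inventory (not real data).
NOW = datetime(2024, 6, 30, 12, 0)
SAMPLE = [
    PatchRecord("ws-01", "APP-1", True, datetime(2024, 6, 1, 9), datetime(2024, 6, 2, 9)),
    PatchRecord("ws-02", "APP-2", True, datetime(2024, 6, 1, 9), datetime(2024, 6, 10, 9)),
    PatchRecord("srv-01", "OS-1", False, datetime(2024, 6, 1, 9), datetime(2024, 6, 25, 9)),
    PatchRecord("srv-02", "OS-2", False, datetime(2024, 5, 1, 9), None),
]

if __name__ == "__main__":
    print(patch_timing_level(SAMPLE, NOW), overdue(SAMPLE, NOW))
```

A patch that is still missing counts against the deadline from its release date, so an unpatched asset lowers the result even though it has no "applied" timestamp.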

7. Multi-Factor Authentication

Objective: Strengthen authentication processes to protect against credential theft.

  • Maturity Level 0: No multi-factor authentication (MFA) implemented.
  • Maturity Level 1:
    • Implement MFA for remote access and administrative accounts.
    • Use SMS-based MFA.
  • Maturity Level 2:
    • Extend MFA to all users.
    • Use stronger MFA methods (e.g., app-based, hardware tokens).
  • Maturity Level 3:
    • Enforce MFA for all access, including internal systems.
    • Continuously review and update MFA policies based on emerging threats.

8. Regular Backups

Objective: Ensure data can be recovered in the event of a cyber incident.

  • Maturity Level 0: No regular backup process in place.
  • Maturity Level 1:
    • Perform regular backups of critical data.
    • Store backups in a secure location.
  • Maturity Level 2:
    • Test backups periodically to ensure data can be restored.
    • Implement automated backup solutions.
  • Maturity Level 3:
    • Perform continuous backups with near real-time recovery capabilities.
    • Regularly review and update backup policies and procedures.

Conclusion

Achieving a high level of maturity in the Essential 8 strategies is crucial for protecting your organisation against cyber threats. By following this checklist and continuously improving your cybersecurity practices, you can significantly enhance your organisation’s resilience and ability to respond to cyber incidents. For further assistance in implementing the ACSC Essential 8, contact Empire Technologies and speak to one of our experts today.
