
ASD Makes Essential Eight Maturity Model Changes

As the ASD updates the Essential Eight Maturity Model, are you prepared?

The Australian Signals Directorate (ASD) has recently released its annual update to the Essential Eight Maturity Model. The revisions encompass various aspects, including patching timeframes, adoption of phishing-resistant multifactor authentication, management of cloud services, and incident detection and response for internet-facing infrastructure.

One notable change emphasises a heightened focus on promptly addressing critical vulnerabilities. If a vendor identifies a vulnerability as critical, organisations are now required to patch, update, or otherwise mitigate it within 48 hours. This modification applies across Maturity Level One through Maturity Level Three.

The updates also address the adoption of weaker forms of multifactor authentication, such as biometrics, security questions, or ‘Trusted Signals,’ which are no longer recognised as valid authentication factors within standards. Previously, Maturity Level One did not specify the types of authentication factors for multifactor authentication.

At Maturity Level One, a new minimum standard necessitates “something users have” in addition to “something users know” for multifactor authentication. This change aims to enhance security.

In response to ongoing attacks relying solely on passwords for online customer services, organisations are now mandated to enforce multifactor authentication for web portals storing sensitive customer data, such as personal, health, or identity-related information. This amendment restricts the easy opt-out option for customers using weak password-based authentication.

Phishing-resistant multifactor authentication for customers at lower maturity levels is also introduced in the updated Essential Eight.

Additionally, the revised Essential Eight incorporates considerations for data governance processes. Requirements have been added to ensure consistency with governance processes for granting, controlling, and rescinding privileged access to systems and applications. This impacts Maturity Level One through Maturity Level Three.

We feel these are important changes to the Essential Eight framework. Because Com-X partners closely with MyCISO, we are able to support our customers on critical assessments against Cyber Security Frameworks (including Essential Eight), Supply Chain Risk and internal team Culture.

We couple this with Consultant Grade reporting, giving guidance and direction on actions and where Com-X can assist your team to meet expected standards.

Contact Com-X today if you wish to understand how we can support your organisation's cyber security readiness.

Posted by Nick Cross – Com-X General Manager – Sales and Marketing
