ASD Essential Eight
The Essential Eight is a prioritized set of eight mitigation strategies that ASD recommends as a baseline for cyber security. Each strategy has four maturity levels. They are mandatory for Australian government entities and widely adopted in the private sector.

| Field | Value |
|---|---|
| Issuing Body | Australian Signals Directorate (ASD) |
| Version | 2023 |
| Published | 2023-11-01 |
| Controls | 21 |
| Mapped Laws | 5 |

| Control ID | Title | Description | Domain | Maturity |
|---|---|---|---|---|
| E8-1.1 | Application Control — Maturity Level 1 | An application control policy exists and is enforced. Application control is implemented on workstations. Allowed and blocked executions are logged. | — | initial |
| E8-1.2 | Application Control — Maturity Level 2 | Application control is implemented on internet-facing servers and non-internet-facing servers. Application control events are centrally logged and protected from unauthorised modification and deletion. | — | developing |
| E8-1.3 | Application Control — Maturity Level 3 | Application control is implemented on all workstations, servers and network devices. Allowed and blocked execution events are centrally logged. Logs are analysed in a timely manner. | — | defined |
| E8-2.1 | Patch Applications — Maturity Level 1 | A vulnerability scanner is used to identify missing patches or updates for security vulnerabilities in internet-facing services. Patches, updates or other vendor mitigations are applied to internet-facing services within two weeks of release. | — | initial |
| E8-2.2 | Patch Applications — Maturity Level 2 | A vulnerability scanner is used to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products. Patches applied within one month. | — | developing |
| E8-2.3 | Patch Applications — Maturity Level 3 | A vulnerability scanner is used to identify missing patches or updates for all other applications. Patches, updates or other vendor mitigations for security vulnerabilities in all applications are applied within one month of release. | — | defined |
| E8-3.1 | Configure Microsoft Office Macro Settings — Level 1 | Microsoft Office macros are disabled for users that do not have a demonstrated business requirement. Microsoft Office macros in files originating from the internet are blocked. | — | initial |
| E8-3.2 | Configure Microsoft Office Macro Settings — Level 2 | Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location, or that are digitally signed by a trusted publisher are allowed to execute. Microsoft Office macro antivirus scanning is enabled. | — | developing |
| E8-4.1 | User Application Hardening — Level 1 | Web browsers do not process Java from the internet. Web browsers do not process web advertisements from the internet. Internet Explorer 11 is disabled or removed. | — | initial |
| E8-4.2 | User Application Hardening — Level 2 | Web browser security settings cannot be changed by users. Web browsers are hardened using the latest vendor-recommended security configuration guidance. PowerShell is configured to use Constrained Language Mode. | — | developing |
| E8-5.1 | Restrict Administrative Privileges — Level 1 | Requests for privileged access to systems and applications are validated when first requested. Privileged accounts are not used for reading email and web browsing. | — | initial |
| E8-5.2 | Restrict Administrative Privileges — Level 2 | Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties. Just-in-time administration is used for privileged access to systems. | — | developing |
| E8-5.3 | Restrict Administrative Privileges — Level 3 | Privileged accounts are prevented from accessing the internet, email, and web services. Privileged users use separate privileged and unprivileged operating environments. | — | defined |
| E8-6.1 | Patch Operating Systems — Level 1 | A vulnerability scanner is used to identify missing patches for security vulnerabilities in operating systems. Patches applied within one month for internet-facing systems. | — | initial |
| E8-6.2 | Patch Operating Systems — Level 2 | The latest release, or the previous release, of operating systems is used for all workstations, servers and network devices. Patches applied within two weeks for critical vulnerabilities. | — | developing |
| E8-7.1 | Multi-Factor Authentication — Level 1 | Multi-factor authentication is used to authenticate all users of remote access solutions. Multi-factor authentication is used to authenticate all users when they access important data repositories. | — | initial |
| E8-7.2 | Multi-Factor Authentication — Level 2 | Multi-factor authentication is used to authenticate all users of systems. Multi-factor authentication uses phishing-resistant methods where available. | — | developing |
| E8-7.3 | Multi-Factor Authentication — Level 3 | Multi-factor authentication is used to authenticate all users and privileged users. Multi-factor authentication is phishing-resistant and verifier-impersonation resistant. | — | defined |
| E8-8.1 | Regular Backups — Level 1 | Backups of important data, software and configuration settings are performed and retained with a frequency and retention period in accordance with business continuity requirements. | — | initial |
| E8-8.2 | Regular Backups — Level 2 | Backups are stored offline. Backups are stored offsite or in a cloud service. The restoration of backups is tested at least once when initially implemented. | — | developing |
| E8-8.3 | Regular Backups — Level 3 | Backups are stored offline, offsite, and in a cloud service. Restoration from backups is tested at least once a year. Backups are monitored for failures and anomalies. | — | defined |