So you have mastered the ASD Top 4? What do you need to tame the Essential 8?
In this ASD Essential 8 Summary, we will answer:
- What has stayed the same?
- What has changed?
- What does that mean?
- What do I need to do to achieve this baseline standard?
- When do I need to complete it by?
What has stayed the same?
The key thing that has remained constant from the ASD Top 4 to the Essential 8 is the pragmatic, good advice provided by ASD. The focus is still on making systems and information secure, in order to safeguard organisational reputations and save time and money. However, unlike a great number of global compliance regimes such as SOX, JSOX, PCI, SSAE, etc., the Essential 8:
- Helps organisations manage risks that are relevant to their specific context
- Provides prioritised steps to address relevant threats
- Represents a baseline for organisations to achieve
The risk-based approach and the prioritised controls are world class and equate to a cost-effective and intelligent use of security budgets.
The evolution of the Top 4 to the Essential 8 quite firmly underlines the core message that good security is a process and not a project. Organisations that have conducted a ‘Top 4 project’ and not implemented an ongoing security process may in fact have missed the point. The Essential 8 is ASD’s reminder to keep improving.
What has changed?
There is one large change and a number of smaller changes. The large change shifts the focus from the Top 4 as Strategies to Mitigate Targeted Cyber Intrusions to the Essential 8 as Strategies to Mitigate Cyber Security Incidents. The Top 4 was designed to keep the malicious out. The Essential 8 recognises that whilst a lot can be done to keep people out, the reality is that you need to plan and design for when they eventually do get in.
The smaller changes add 4 more controls and shift the initial Top 4 around. You now have two columns:

| Prevent Malware from running (Keep ‘em Out) | Limit the extent of incidents and recover data (Plan for when they get in and respond) |
|---|---|
| Application Whitelisting (Top 4 original) | Restrict administrative privileges (Top 4 original) |
| Patch Applications (Top 4 original) | Patch Operating Systems (Top 4 original) |
| Disable untrusted Microsoft Office macros (New) | Multi-factor authentication (New) |
| User application hardening (New) | Daily backup of important data (New) |
What does this mean?
The ASD has reinforced that good security is a journey that never ends. In other words, you should expect the Essential 8 to continually change over time. ASD’s subliminal challenge is to think about what will provide you with the best returns for your effort and investment across both prevention and response. ASD wants organisations and security leaders to answer 4 searching questions:
- Do I know what my mission critical assets are and what needs protecting?
- Who are my adversaries, or who do I need to guard against?
- What is the gap between my current security controls and those outlined in the Essential 8? In other words, what other strategies do I need to implement based on my risks?
If your security posture is risk-based, pragmatic and process-driven rather than project-driven, adding a few more tasks or re-ordering a few initiatives within your work programme should be straightforward.
When do I need to have done it?
With respect, you are asking the wrong question! The goal of establishing a layered defence to protect against and respond to threats does not have an end date. But if you want to know where to start, Shearwater are the experts who can help you avoid wastage of time, effort and money. Engaging our expert team of advisors will allow you to plan at the strategic level whilst executing at the tactical.
If you don’t know where or how to start with the Essential 8, Shearwater can assist. For expert help, please contact us.