Welcome to part 1 of our blog series, we’ve already spoken about what a framework is at a high level, if you need a refresher you can look at our introductory post in the series here Cybersecurity Frameworks Unplugged: The Good, The Bad, and The Ugly of the Essential 8 – Arinco.
But the important thing to remember is that frameworks are more like…guidelines giving you practical guidance on how and importantly why to implement your cybersecurity technology. Some of the guidance may not apply to your environment, but its great to have an understanding anyway.
A cybersecurity framework is a tool that helps organisations under and improve the management of cybersecurity risk. Common examples of these frameworks would be ISO 27001, PCI DSS (Payment Card Industry Data Security Standard), ACSC/ASD Essential 8, NIST CSF 2.0).
The intention of all of these frameworks is provide practical guidance (or roadmap if you prefer) on how an organisation can protect themselves, their customers, their employees and their data from cyber threats.
Some security frameworks may be required based on industry regulations or legislation, for example New South Wales government departments are required to adopt controls from ASD Essential 8 as part of the NSW Cyber Security Policy for 2023-2024. Energy provides and organisations that take card payment fall under different requirements.
For now we will be taking a closer look at the “Essential 8”!
The “Essential 8” frameworks
“But what are the Essential 8 Scott!”
A series of 8 (shocking I know) areas to implement security controls to help improve your environment.
These areas are
- Patching Applications
- Patch operating systems
- Multi-factor authentication
- Restrict administrative privileges
- Application control
- Restrict Microsoft Office Macros
- User application hardening
- Regular backups
The ACSC says it best, when you reach Maturity Level 1 you protect yourself against “malicious actors who are content to simply leverage commodity tradecraft that is widely available in order to gain access to, and likely control of, a system”. This will protect you from malicious actors who are on the hunt for a victim rather than a specific victim.
The good stuff
The Framework
The ASD Essential 8 gives you clear guidance on:
- What the requirements are
- Practical suggestions and guides on how to implement these
Appendix A available here Essential Eight Maturity Model | Cyber.gov.au outlines how to mitigate the various risks outlined in the Essential 8 and a technology agnostic description on how to mitigate these problems.
For example, when looking at “Restrict administrative privileges”, one of the requirements under Maturity Level 1 is “Privileged users are assigned a dedicated privileged user account to be used solely for duties requiring privileged access.”
To be compliant with this you would need an administrative account which is not your “daily driver” account which you would use to make administrative changes in systems to which you have privileged access.
The framework allows a standardised approach across technology teams, allowing for simpler processes of deploying new infrastructure and services in your organisation, and a method to tackle that dreaded “technical debt”.
The actionable outcomes
In addition to the guidance available on the maturity level, the ACSC has also published implementation guides for small businesses providing excellent step by step guides on some methods to meet the Essential 8 Small Business Cloud Security Guides | Cyber.gov.au.
It is also worth noting that there is not one single way to meet these requirements so you do not have to follow the guides step by step. Achieving the desired solution, being able to demonstrate it and scale it out to your whole environment is really the desired outcome here!
Bringing the team together with governance and strategy
Security frameworks have the added benefit of helping to align technology teams, sadly it quite common for technology, security and business teams to have conflict. There is a constant push/pull to help drive the business forward while remaining secure and each team has their own completely valid drivers and goals.
Security frameworks can help align everyone to a strategic goal and understand how and why changes may need to be made, or even where exceptions need to be carved out or better understood to align with business requirements.
Being able to track these and manage associated risks and decisions against a security framework is a wonderful benefit of increasing your cybersecurity governance!
What’s next?
If you need help navigating the Essential 8 or just want to discuss your cybersecurity requirements reach out to the team at Arinco, we would love to understand how we can help integrate Microsoft Solutions and the Essential 8 into your environment and help make sure it is “Done Right”.
Don’t forget to keep an eye out for Part 2 where we dive into the pitfalls of frameworks!
