Essential Eight Maturity Self-Assessment

Only approved applications can execute on workstations and servers.

• Application control is implemented on workstations to prevent execution of unapproved executables, software libraries, scripts, installers, and HTML applications.
• Application control is implemented on internet-facing servers to prevent execution of unapproved executables, software libraries, scripts, installers, and HTML applications.
• Microsoft's recommended block rules (or equivalent) are implemented to prevent vulnerable application versions from running.
• Application control rule sets are validated annually; changes are logged and reviewed.

Maturity estimate: not started

Internet-facing services and apps with vulnerabilities are patched within timeframes.

• Patches for internet-facing services are applied within two weeks of vendor release (48 hours if an exploit exists).
• Patches for office productivity suites, web browsers, email clients, PDF readers, and security products are applied within one month of vendor release.
• A vulnerability scanner with a daily-updated vulnerability database is used to scan for missing patches at least daily for internet-facing services and at least fortnightly for workstations.
• Applications that are no longer supported by vendors are removed from environments.

Maturity estimate: not started

Macros from untrusted sources are blocked; trusted ones are controlled.

• Microsoft Office macros are blocked for users that don't have a demonstrated business requirement.
• Microsoft Office macros from the internet are blocked (e.g. files with Mark-of-the-Web).
• Microsoft Office macros are checked to ensure antivirus scanning is enabled (or equivalent).
• Microsoft Office macro security settings cannot be changed by users.

Maturity estimate: not started

Browsers, PDF readers, and Office are hardened against common attack vectors.

• Web browsers do not process Java from the internet; Flash, ads, and Java are blocked or removed.
• Microsoft Office is configured to block macros from the internet, OLE packages, and untrusted child processes.
• PDF readers are configured to block untrusted child processes and OLE packages.
• Web browser security settings cannot be changed by users.

Maturity estimate: not started

Admin privileges are restricted, validated, and isolated from user activity.

• Requests for privileged access to systems and applications are validated when first requested.
• Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email, and web services.
• Privileged accounts and the privileged operating environments are separated from unprivileged ones (e.g. PAW, just-in-time admin).
• Privileged access events are centrally logged and reviewed for signs of compromise.

Maturity estimate: not started

OS vulnerabilities are patched within timeframes; unsupported OS is removed.

• Patches for operating systems of internet-facing services are applied within two weeks of vendor release (48 hours if an exploit exists).
• Patches for operating systems of workstations, servers, and network devices are applied within one month of vendor release.
• A vulnerability scanner is used at least daily on internet-facing services and at least fortnightly on workstations/internal servers to identify missing patches.
• Operating systems that are no longer supported by vendors are removed.

Maturity estimate: not started

MFA is required for users, privileged users, and access to sensitive data.

• MFA is used to authenticate users to all internet-facing services (organisational and third-party) that store, process, or communicate sensitive data.
• MFA is used to authenticate privileged users when accessing important data repositories or critical systems.
• MFA is phishing-resistant (FIDO2 / WebAuthn / smartcard / TOTP — SMS is not sufficient at ML2+).
• Successful and unsuccessful MFA events are centrally logged and reviewed.

Maturity estimate: not started

Important data is backed up regularly, tested, and protected from tampering.

• Backups of important data, software, and configuration settings are performed and retained as specified by business needs.
• Restoration of systems, software, and important data from backups is tested in a coordinated manner as part of disaster recovery exercises at least annually.
• Unprivileged accounts cannot access backups belonging to other accounts; privileged accounts (excluding backup admin accounts) cannot modify or delete backups during their retention period.
• Backup admin accounts are MFA-protected; backup repositories are isolated from production credentials.

Maturity estimate: not started