ACSC updates the Essential Eight


By Dylan Bushell-Embling
Wednesday, 29 November, 2023
ACSC updates the Essential Eight

The Australian Cyber Security Centre has updated the Essential Eight Maturity Model to ensure it remains fit for purpose for both government and industry.

Key modifications to the model include balancing patching timeframes, increasing adoption of phishing-resistant multifactor authentication, supporting management of cloud services, and performing incident detection and response for internet-facing infrastructure.

The updated model recommends that when vendors assess a discovered vulnerability to be of a critical nature, organisations should patch, update or otherwise mitigate vulnerabilities within 48 hours.

In addition, increased emphasis has been placed on patching applications that routinely interact with untrusted content from the internet, such as web browsers and email clients. Patching timeframes for these applications has been strengthened from within one month to within two weeks for Maturity Level One.

To counterbalance these changes in high-risk scenarios, patching of systems for less important devices such as workstations has been modified from within two weeks to within one month for Maturity Level Two and Three.

Other significant changes revolve around multi-factor authentication. These include a new minimum standard for Maturity Level One for the adoption of stronger forms of MFA, an amendment to the existing requirement for Maturity Levels One to Three, which had previously allowed customers to easily opt out of MFA, and a new requirement for users to authenticate to their workstations using a form of phishing-resistant MFA for Maturity Levels Two and Three.

Other requirements at higher maturity levels include protecting event logs from unauthorised modification and deletion and monitoring them for signs of compromise.

There are also new requirements to implement application control in response to malicious actors increasingly using living off the land techniques, to either disable or uninstall Internet Explorer 11 due to its discontinuation by Microsoft, and to consider the business criticality of data when prioritising backups.

Image credit: iStock.com/Andreus

Related News

Half of government agencies falling short on email security measures: report

Lack of consistency across Australian Government bodies leaves critical vulnerabilities in the...

CISA and Microsoft warn of “active attacks” on SharePoint

Alerts have been published active attacks exploiting a remote code execution vulnerability in...

NSW Government agencies have ineffective cybersecurity controls: report

The Audit Office of New South Wales has found that NSW Government agencies still have minimal...

Content from other channels on our network

ACS releases annual Digital Pulse report

AI-first telcos: agentic AI enables connectivity providers to perform intelligently

Oracle launches warehouse management tool

Tenable uses AI to further refine threat risk rating

Commvault launches tool for recovering DynamoDB tables

BAI announces Titan ICT acquisition, Telstra connectivity deal

Doubling communication beams for small satellites

Researchers demo real-time flood-sensing technology

Hytera sells Teltronic to Nazca Capital

Starlink suffers global outage; interferes with radio astronomy

Group Captain Kath Stein FACN GAICD becomes ACN president

ACSQHC unveils first new brand and 2025–30 strategic plan

Queensland-wide senior medical officers audit underway

Ramsay to close 17 psychology clinics by end of August

Doctors shouldn't be allowed to object to medical care if it harms their patients

  • All content Copyright © 2025 Westwick-Farrow Pty Ltd