Evolving Standards: Recent Changes in Maturity Models

The ‎last‏ ‎update ‎Essential ‎Eight ‎Maturity ‎Model‏ ‎introduced ‎several‏ ‎significant‏ ‎changes ‎aimed ‎at‏ ‎enhancing ‎cybersecurity‏ ‎measures ‎across ‎various ‎maturity‏ ‎levels.

Patch‏ ‎Applications ‎and‏ ‎Operating ‎Systems

📌 Increased‏ ‎Priority ‎on ‎Patching: ‎Organizations ‎are‏ ‎now‏ ‎urged ‎to‏ ‎patch ‎critical‏ ‎vulnerabilities ‎within ‎48 ‎hours. ‎The‏ ‎focus‏ ‎has‏ ‎also ‎been‏ ‎placed ‎on‏ ‎patching ‎applications‏ ‎that‏ ‎interact ‎with‏ ‎untrusted ‎content ‎within ‎a ‎two-week‏ ‎timeframe.

📌 Regular ‎Vulnerability‏ ‎Scanning:‏ ‎The ‎frequency ‎of‏ ‎scanning ‎systems‏ ‎for ‎critical ‎vulnerabilities ‎has‏ ‎been‏ ‎increased ‎from‏ ‎at ‎least‏ ‎fortnightly ‎to ‎at ‎least ‎weekly.

Multi-Factor‏ ‎Authentication‏ ‎(MFA)

📌 Enhanced ‎MFA‏ ‎Requirements: ‎The‏ ‎update ‎introduced ‎stricter ‎MFA ‎requirements,‏ ‎including‏ ‎the‏ ‎use ‎of‏ ‎'something ‎users‏ ‎have' ‎in‏ ‎addition‏ ‎to ‎'something‏ ‎users ‎know' ‎starting ‎from ‎Maturity‏ ‎Level ‎One.‏ ‎MFA‏ ‎is ‎now ‎mandatory‏ ‎for ‎web‏ ‎portals ‎storing ‎sensitive ‎data‏ ‎and‏ ‎for ‎staff‏ ‎logging ‎onto‏ ‎business ‎systems ‎at ‎higher ‎maturity‏ ‎levels.

📌 Phishing-Resistant‏ ‎MFA: ‎There‏ ‎is ‎a‏ ‎new ‎emphasis ‎on ‎implementing ‎phishing-resistant‏ ‎MFA‏ ‎to‏ ‎enhance ‎security‏ ‎further.

Restrict ‎Administrative‏ ‎Privileges

📌 Governance ‎of‏ ‎Privileged‏ ‎Access: Enhanced ‎processes‏ ‎for ‎managing ‎privileged ‎access, ‎including‏ ‎the ‎need‏ ‎for‏ ‎secure ‎admin ‎workstations‏ ‎and ‎break‏ ‎glass ‎accounts. ‎Privileged ‎accounts‏ ‎accessing‏ ‎the ‎internet‏ ‎must ‎be‏ ‎explicitly ‎identified ‎and ‎their ‎access‏ ‎strictly‏ ‎limited.

Application ‎Control

📌 Annual‏ ‎Reviews ‎and‏ ‎Blocklists: ‎Organizations ‎are ‎required ‎to‏ ‎conduct‏ ‎annual‏ ‎reviews ‎of‏ ‎application ‎control‏ ‎rule ‎sets‏ ‎and‏ ‎implement ‎Microsoft’s‏ ‎recommended ‎application ‎blocklist ‎at ‎Maturity‏ ‎Level ‎Two.

User‏ ‎Application‏ ‎Hardening

📌 Discontinuation ‎of ‎Internet‏ ‎Explorer ‎11:‏ ‎Organizations ‎must ‎disable ‎or‏ ‎remove‏ ‎Internet ‎Explorer‏ ‎11 ‎following‏ ‎its ‎support ‎discontinuation. ‎There ‎is‏ ‎also‏ ‎a ‎focus‏ ‎on ‎implementing‏ ‎stringent ‎vendor ‎and ‎ASD ‎hardening‏ ‎guidance,‏ ‎including‏ ‎PowerShell ‎logging‏ ‎and ‎command-line‏ ‎process ‎creation‏ ‎events‏ ‎at ‎higher‏ ‎maturity ‎levels.

Regular ‎Backups

📌 Data ‎Criticality ‎Consideration:‏ ‎While ‎there‏ ‎are‏ ‎no ‎significant ‎changes‏ ‎to ‎the‏ ‎backup ‎requirements, ‎organizations ‎are‏ ‎encouraged‏ ‎to ‎consider‏ ‎the ‎business‏ ‎criticality ‎of ‎data ‎when ‎prioritizing‏ ‎backups.

Logging

📌 Centralized‏ ‎Logging ‎Requirements:‏ ‎The ‎requirement‏ ‎for ‎centralized ‎logging ‎has ‎been‏ ‎moved‏ ‎from‏ ‎Maturity ‎Level‏ ‎3 ‎to‏ ‎Maturity ‎Level‏ ‎2,‏ ‎which ‎will‏ ‎substantially ‎increase ‎the ‎size ‎of‏ ‎log ‎repositories.

Cloud‏ ‎Service‏ ‎Management ‎and ‎Incident‏ ‎Detection ‎and‏ ‎Response

📌 New ‎Focus ‎Areas: ‎These‏ ‎have‏ ‎been ‎added‏ ‎as ‎new‏ ‎focus ‎areas ‎in ‎the ‎update,‏ ‎reflecting‏ ‎the ‎need‏ ‎to ‎manage‏ ‎cloud ‎services ‎more ‎effectively ‎and‏ ‎respond‏ ‎to‏ ‎incidents ‎more‏ ‎robustly.

General ‎Enhancements

📌 Consistency‏ ‎with ‎Information‏ ‎Security‏ ‎Manual ‎(ISM):‏ ‎The ‎update ‎has ‎adopted ‎language‏ ‎from ‎mapped‏ ‎controls‏ ‎within ‎the ‎ISM‏ ‎to ‎ensure‏ ‎consistency ‎between ‎the ‎two‏ ‎frameworks‏ ‎and ‎facilitate‏ ‎the ‎automatic‏ ‎ingestion ‎of ‎Essential ‎Eight ‎tracking‏ ‎and‏ ‎reporting ‎by‏ ‎governance, ‎compliance,‏ ‎and ‎reporting ‎tools