Olivier Reuland
Pragmatic Information Security and Privacy Expert
Essential Eight Assessment
A high-level assessment of the Australian Signals Directorate's Essential Eight Maturity Level 1 - the minimum baseline cybersecurity requirements for all businesses.
1. Patch Applications
How do you manage security patches for applications?
Why this matters: Maturity Level 1 requires automated asset discovery, vulnerability scanning, and timely patching to meet minimum baseline security.
- We have automated asset discovery, vulnerability scanning, and apply patches within required timeframes (48 hours for critical online services, 2 weeks for office productivity suites).
- We have vulnerability scanning and apply most patches within 2 weeks.
- We apply patches irregularly without systematic scanning.
- We have no systematic patching process.
- Not Applicable
2. Patch Operating Systems
How do you manage security patches for operating systems?
Why this matters: Maturity Level 1 requires automated discovery, vulnerability scanning, and timely OS patching across all systems.
- We have automated asset discovery, daily scanning of internet-facing systems, fortnightly scanning of other systems, and apply patches within required timeframes.
- We scan most systems and apply patches within one month.
- We patch operating systems irregularly without systematic scanning.
- We have no systematic OS patching process.
- Not Applicable
3. Multi-Factor Authentication
Do you use multi-factor authentication (MFA) to protect accounts?
Why this matters: Maturity Level 1 requires MFA for organisational and third-party online services, and for customer services processing sensitive data.
- MFA is implemented for all organisational online services, third-party services, and customer services processing sensitive data, using appropriate authentication factors.
- MFA is implemented for most organisational and third-party services.
- MFA is only implemented for some critical services.
- MFA is not implemented.
- Not Applicable
4. Restrict Administrative Privileges
How do you manage privileged (administrative) accounts?
Why this matters: Maturity Level 1 requires validated privileged access, dedicated privileged accounts, restricted internet access, and separated operating environments.
- Privileged access is validated, users have dedicated privileged accounts, internet access is restricted, and privileged/unprivileged environments are separated with proper logon restrictions.
- We have dedicated privileged accounts and some access restrictions.
- Some administrative accounts are separate but not fully restricted.
- Administrative privileges are not restricted or managed.
- Not Applicable
5. Application Control
Do you control what software can be installed and executed on systems?
Why this matters: Maturity Level 1 requires application control on workstations, restricting execution to organisation-approved applications, including within user profiles and temporary folders.
- Application control is implemented on workstations, applied to user profiles and temporary folders, and restricts execution to an organisation-approved set of executables, libraries, scripts, and other executable content.
- Application control is implemented on workstations with some restrictions.
- Some application restrictions exist, but there is no comprehensive control.
- No application control is implemented.
- Not Applicable
6. Restrict Microsoft Office Macros
How do you manage Microsoft Office macros?
Why this matters: Maturity Level 1 requires macros to be disabled for users without a business requirement, blocked when they originate from the internet, scanned by antivirus, and governed by security settings that users cannot change.
- Microsoft Office macros are disabled for users without a demonstrated business requirement, blocked from internet sources, antivirus scanning is enabled, and macro security settings cannot be changed by users.
- Microsoft Office macros are mostly restricted with some controls in place.
- Microsoft Office has basic macro security settings but allows user changes.
- Microsoft Office macros are allowed without restriction.
- Not Applicable
7. User Application Hardening
How do you harden user applications against security risks?
Why this matters: Maturity Level 1 requires Internet Explorer 11 to be disabled or removed, web browsers to block Java and advertisements from the internet, and browser security settings that users cannot change.
- Internet Explorer 11 is disabled or removed, web browsers do not process Java or advertisements from the internet, and browser security settings cannot be changed by users.
- Most browser security settings are configured but some gaps remain.
- Some browser security measures are in place, but they are not comprehensive.
- No specific application hardening is implemented.
- Not Applicable
8. Regular Backups
Do you have data backup and recovery procedures?
Why this matters: Maturity Level 1 requires backups performed according to business criticality, synchronised to allow restoration to a common point in time, securely retained, tested, and protected by access controls that prevent unauthorised modification.
- Backups are performed according to business criticality, synchronised for point-in-time recovery, securely retained, regularly tested, with unprivileged users prevented from accessing others' backups or modifying any backups.
- Regular automated backups are performed with some access controls.
- Some backup procedures exist, but they are not comprehensive.
- No regular backup procedures are in place.
- Not Applicable