-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathessential-eight-mapping.json
More file actions
514 lines (514 loc) · 34.4 KB
/
Copy pathessential-eight-mapping.json
File metadata and controls
514 lines (514 loc) · 34.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
{
"$schema": "http://json-schema.org/draft-07/schema#",
"standard": "Australian Cyber Security Centre (ACSC) Essential Eight",
"version": "2024",
"description": "ACSC Essential Eight Maturity Model - Strategies to mitigate cyber security incidents, mapped to Sovereign Ops Framework",
"last_updated": "2025-01-15",
"focus": "Baseline cyber security controls for Australian organizations; government-mandated for many sectors",
"maturity_model": {
"level_0": "Not implemented or partially implemented with significant weaknesses",
"level_1": "Partly aligned with intent - provides basic protection against opportunistic adversaries",
"level_2": "Mostly aligned with intent - provides better protection against tradecraft used by most adversaries",
"level_3": "Fully aligned with intent - provides the best protection against sophisticated adversaries"
},
"strategies": [
{
"strategy_number": 1,
"title": "Application Control",
"objective": "Prevent execution of unapproved/malicious programs including .exe, DLL, scripts, installers, compiled HTML, HTML applications and control panel applets",
"rationale": "Adversaries use malicious software to compromise systems. Application control prevents execution",
"maturity_levels": {
"level_1": {
"requirements": [
"Application control implemented on workstations (Windows and macOS)",
"Application control rulesets restrict execution to organization-approved applications",
"Microsoft's 'recommended block rules' or vendor equivalent are implemented",
"Application control restricts execution from user profiles and temporary folders"
],
"validation": "Verify application control is enabled; test that unapproved applications cannot execute; check block rules are configured"
},
"level_2": {
"requirements": [
"All Level 1 requirements",
"Application control implemented on servers",
"Application control restricts execution of executables, software libraries, scripts, installers from user profiles and temporary folders",
"Application control rulesets are validated on annual or more frequent basis"
],
"validation": "Verify server application control; test comprehensive file type blocking; review ruleset validation records"
},
"level_3": {
"requirements": [
"All Level 2 requirements",
"Application control is implemented using cryptographic hash rules, publisher certificate rules or path rules",
"Event logs are generated when application control events occur",
"Event logs centrally collected and protected from unauthorized modification"
],
"validation": "Verify cryptographic/certificate-based rules; check event logging enabled; verify log centralization and protection"
}
},
"sovereign_ops_mapping": {
"phases": [3],
"creature_categories": ["software", "threat", "asset"],
"domains": ["Platform/Tooling Layer", "Threat Creatures", "Asset Creatures"],
"criticality_relevance": ["High"],
"blast_radius_impact": "Amber - Malware execution leads to data breach or ransomware but not immediate kill switch"
},
"iso_27001_equivalent": "A.8.1 (User endpoint devices - endpoint protection)",
"cis_control_equivalent": "CIS Control 2.3, 2.7 (Application allowlisting)",
"nist_csf_equivalent": "PR.IP-3 (Configuration change control)",
"implementation_guidance": {
"smb_notes": "For small business: Use built-in Windows AppLocker (free on Windows Pro+) or Microsoft Defender Application Control. Start with Level 1 (workstations only) and expand to servers. Focus on blocking execution from user-writable locations (Downloads, Temp, AppData).",
"common_tools": "AppLocker (Windows), Application Control (macOS), Microsoft Defender Application Control, Carbon Black, CrowdStrike",
"quick_wins": "Block script execution (.ps1, .vbs, .js) from user profiles; implement Microsoft recommended block rules",
"common_gaps": "Application control not enabled; rules too permissive (allow mode instead of block); servers not protected; no event logging"
},
"evidence_requirements": [
"Application control configuration export (GPO, policy)",
"Ruleset documentation showing approved applications",
"Test evidence of blocked execution attempts",
"Server application control configuration (Level 2+)",
"Event log configuration and sample logs (Level 3)",
"Centralized log collection evidence (Level 3)"
],
"kill_switch_relevance": false,
"australian_context": "Essential Eight compliance is mandatory for Australian Government agencies and many regulated sectors. Application control is Strategy #1 and often the most challenging to implement."
},
{
"strategy_number": 2,
"title": "Patch Applications",
"objective": "Security vulnerabilities in applications which adversaries can exploit are patched, updated or mitigated",
"rationale": "Vulnerabilities in applications are frequently exploited. Timely patching reduces attack surface",
"maturity_levels": {
"level_1": {
"requirements": [
"Security vulnerabilities in applications assessed at least monthly",
"Security vulnerabilities in internet-facing services assessed within two weeks of release",
"Patches, updates or vendor mitigations for extreme risk vulnerabilities applied within 48 hours",
"Latest version of applications used"
],
"validation": "Review vulnerability scanning frequency; check patch deployment records for extreme risk vulns; verify application versions"
},
"level_2": {
"requirements": [
"All Level 1 requirements",
"Patches, updates or vendor mitigations for high risk vulnerabilities applied within two weeks"
],
"validation": "Review patch deployment records for high risk vulns within 2-week window"
},
"level_3": {
"requirements": [
"All Level 2 requirements",
"Patches, updates or vendor mitigations for moderate and low risk vulnerabilities applied within one month",
"An automated method of asset discovery used at least fortnightly",
"A vulnerability scanner used at least daily"
],
"validation": "Review patch deployment for all risk levels; verify asset discovery automation; check vulnerability scanning frequency"
}
},
"sovereign_ops_mapping": {
"phases": [3],
"creature_categories": ["software", "threat", "culture"],
"domains": ["Software Creatures", "Threat Creatures", "Culture & Entropy Creatures"],
"criticality_relevance": ["High"],
"blast_radius_impact": "Red - Unpatched vulnerabilities are frequent kill switches (e.g., Log4Shell, Heartbleed)"
},
"iso_27001_equivalent": "A.8.8 (Management of technical vulnerabilities), A.12.6.1 (Technical vulnerability management)",
"cis_control_equivalent": "CIS Control 7 (Continuous Vulnerability Management)",
"nist_csf_equivalent": "DE.CM-8 (Vulnerability scans), PR.IP-12 (Vulnerability management plan)",
"implementation_guidance": {
"smb_notes": "For small business: Enable automatic updates for Windows, macOS, browsers. Use free vulnerability scanners (OpenVAS, Nessus Essentials). Prioritize internet-facing systems. Track extreme/high risk vulns manually if needed.",
"common_tools": "WSUS, SCCM (Windows patching), Jamf (macOS), Ivanti, Qualys, Nessus, OpenVAS (vulnerability scanning)",
"quick_wins": "Enable automatic browser updates; enable Windows/macOS auto-update; patch internet-facing services first",
"common_gaps": "No vulnerability scanning; extreme risk vulns not patched within 48 hours; applications pinned to old versions; no asset discovery (unknown systems not patched)"
},
"evidence_requirements": [
"Vulnerability scan reports (monthly minimum)",
"Patch deployment records showing timeline (48 hours for extreme, 2 weeks for high, 1 month for moderate/low)",
"Application inventory with versions",
"Asset discovery automation configuration (Level 3)",
"Vulnerability scanner daily scan configuration (Level 3)"
],
"kill_switch_relevance": true,
"australian_context": "Extreme risk = CVE with CVSS 9.0+; High risk = CVSS 7.0-8.9; Moderate = 4.0-6.9; Low = 0.1-3.9. Use ACSC advisories for Australian threat context."
},
{
"strategy_number": 3,
"title": "Configure Microsoft Office Macro Settings",
"objective": "Microsoft Office macros are disabled or only enabled in specific trusted circumstances",
"rationale": "Macros are a common delivery mechanism for malware. Restricting macros prevents initial compromise",
"maturity_levels": {
"level_1": {
"requirements": [
"Microsoft Office macros disabled for users that do not have a demonstrated business requirement",
"Microsoft Office macros from the internet blocked",
"Microsoft Office macro antivirus scanning enabled"
],
"validation": "Verify GPO settings disable macros; test that macros from internet are blocked; check antivirus scanning enabled"
},
"level_2": {
"requirements": [
"All Level 1 requirements",
"Microsoft Office macros only allowed to execute in documents from Trusted Locations (controlled and limited)",
"Only privileged users can write to and modify contents of Trusted Locations"
],
"validation": "Verify Trusted Locations configured; test non-Trusted Location macro blocking; verify privileged-only write access to Trusted Locations"
},
"level_3": {
"requirements": [
"All Level 2 requirements",
"Microsoft Office macros digitally signed by publisher using a trusted certificate",
"Validation performed against a curated publisher certificate allow list"
],
"validation": "Verify digital signature requirement; check publisher certificate allow list; test unsigned macro blocking"
}
},
"sovereign_ops_mapping": {
"phases": [3],
"creature_categories": ["software", "threat", "human"],
"domains": ["Software Creatures", "Threat Creatures", "Human Creatures"],
"criticality_relevance": ["High"],
"blast_radius_impact": "Amber - Macro-based malware common entry vector but not immediate kill switch"
},
"iso_27001_equivalent": "A.8.1 (Endpoint devices - secure configuration)",
"cis_control_equivalent": "CIS Control 9.3 (Email and web browser protections)",
"nist_csf_equivalent": "PR.PT-3 (Principle of least functionality)",
"implementation_guidance": {
"smb_notes": "For small business: Use Group Policy (free) or Microsoft Intune to configure Office macro settings. Disable macros for all users unless specific business requirement. If macros needed, use Trusted Locations on file server (not local drives).",
"common_tools": "Group Policy, Microsoft Intune, SCCM",
"quick_wins": "Disable macros from the internet via GPO; block .xlsm, .xlam, .docm at email gateway",
"common_gaps": "Macros allowed from internet; no Trusted Locations configured; users have write access to Trusted Locations; no digital signature requirement"
},
"evidence_requirements": [
"GPO export showing macro settings",
"Test evidence of blocked macro execution from internet",
"Antivirus scanning configuration for macros",
"Trusted Locations list and access controls (Level 2+)",
"Publisher certificate allow list (Level 3)"
],
"kill_switch_relevance": false,
"australian_context": "ACSC statistics show macros remain a top initial access vector. Many Australian organizations have moved to disable macros entirely and use alternative solutions (Power Automate, etc.)."
},
{
"strategy_number": 4,
"title": "User Application Hardening",
"objective": "Web browsers and associated plugins are configured securely to reduce exploitation",
"rationale": "Browsers and plugins have large attack surfaces. Hardening reduces exploitation risk and attack surface",
"maturity_levels": {
"level_1": {
"requirements": [
"Web browsers: Flash Player disabled, ads blocked, Java disabled",
"Web browser security settings configured via GPO or equivalent",
"Unprivileged users cannot change web browser security settings"
],
"validation": "Verify Flash/Java disabled; check ad blocker deployed; verify GPO locks security settings"
},
"level_2": {
"requirements": [
"All Level 1 requirements",
"Web browsers: additional controls implemented (DNS-over-HTTPS, block http://, disable autofill for credentials, disable saved passwords)",
".NET Framework 3.5 (includes 2.0 and 3.0) disabled"
],
"validation": "Verify DoH enabled, HTTP blocked, autofill/saved passwords disabled; check .NET 3.5 removed"
},
"level_3": {
"requirements": [
"All Level 2 requirements",
"Web browsers: Enhanced security features enabled (isolation/sandboxing, exploit mitigations)",
"Microsoft Office: OLE package and ActiveX blocking, DDE disabled"
],
"validation": "Verify browser sandboxing enabled; check Office OLE/ActiveX/DDE blocking configured"
}
},
"sovereign_ops_mapping": {
"phases": [3],
"creature_categories": ["software", "threat", "asset"],
"domains": ["Asset Creatures", "Software Creatures", "Threat Creatures"],
"criticality_relevance": ["Med"],
"blast_radius_impact": "Amber - Browser/plugin exploitation common but mitigated by other controls"
},
"iso_27001_equivalent": "A.8.1 (Endpoint devices - secure configuration)",
"cis_control_equivalent": "CIS Control 9 (Email and Web Browser Protections)",
"nist_csf_equivalent": "PR.IP-3 (Configuration change control)",
"implementation_guidance": {
"smb_notes": "For small business: Use Group Policy to configure browser settings. Deploy ad blocker via GPO (uBlock Origin enterprise version). Disable legacy plugins (Flash, Java). Use Microsoft Edge with enhanced security mode.",
"common_tools": "Group Policy, Microsoft Intune, browser management extensions",
"quick_wins": "Disable Flash and Java; deploy ad blocker; enable Edge Enhanced Security mode",
"common_gaps": "Users can modify browser settings; ad blocker not deployed; saved passwords enabled; legacy .NET Framework not removed"
},
"evidence_requirements": [
"Browser configuration GPO export",
"Test evidence of blocked Flash/Java",
"Ad blocker deployment evidence",
"DNS-over-HTTPS configuration (Level 2+)",
"Browser sandboxing enabled (Level 3)",
"Office OLE/ActiveX/DDE blocking configuration (Level 3)"
],
"kill_switch_relevance": false,
"australian_context": "Flash Player end-of-life 2020; ACSC recommends complete removal. DNS-over-HTTPS controversial in some Australian contexts (corporate visibility vs. privacy)."
},
{
"strategy_number": 5,
"title": "Restrict Administrative Privileges",
"objective": "Administrative privileges are limited to reduce the opportunities for adversaries to compromise systems",
"rationale": "Privileged access abuse is a primary technique for adversaries. Restricting privileges limits lateral movement and damage",
"maturity_levels": {
"level_1": {
"requirements": [
"Unprivileged accounts used for email, web browsing, and standard user activities",
"Privileged accounts used only when performing administrative activities",
"Privileged accounts prevented from accessing internet, email, and web services"
],
"validation": "Verify separate admin accounts exist; test admin accounts cannot browse internet/email; verify users have unprivileged accounts for daily work"
},
"level_2": {
"requirements": [
"All Level 1 requirements",
"Just-in-time (JIT) administration used for privileged access where possible",
"Privileged accounts cannot logon to unprivileged operating environments (e.g., admin accounts can't logon to workstations)"
],
"validation": "Verify JIT admin solution; test that privileged accounts blocked from workstation logon"
},
"level_3": {
"requirements": [
"All Level 2 requirements",
"Privileged access events logged and protected",
"Privileged account and group management logged and protected",
"Privileged operating environments are segregated from unprivileged operating environments"
],
"validation": "Verify privileged access logging and log protection; check segregated privileged admin environment (PAW, jump server)"
}
},
"sovereign_ops_mapping": {
"phases": [3],
"creature_categories": ["identity", "human", "governance", "killswitch"],
"domains": ["Identity & Access", "Human Ops & Authority", "Kill-Switch Creatures"],
"criticality_relevance": ["High"],
"blast_radius_impact": "Red - Compromised privileged access is kill switch"
},
"iso_27001_equivalent": "A.8.2 (Privileged access rights), A.5.3 (Segregation of duties)",
"cis_control_equivalent": "CIS Control 5 (Account Management), 6.8 (Define and maintain privileged account management)",
"nist_csf_equivalent": "PR.AC-4 (Access permissions managed)",
"implementation_guidance": {
"smb_notes": "For small business: Create separate admin accounts (username-admin) for all IT staff. Remove local admin rights from daily-use accounts. Block admin accounts from internet via firewall rule. For JIT, use Microsoft Entra PIM (requires Azure AD P2) or simple time-limited group membership scripts.",
"common_tools": "Active Directory, Microsoft Entra Privileged Identity Management (PIM), CyberArk, Thycotic, PowerShell JIT scripts",
"quick_wins": "Create separate admin accounts; remove admin rights from user accounts; block admin accounts from internet",
"common_gaps": "Users have admin rights on workstations; same account used for admin and email; no JIT admin; privileged access not logged; no Privileged Access Workstations (PAWs)"
},
"evidence_requirements": [
"Privileged account inventory (separate from user accounts)",
"Group Policy restricting admin account internet/email access",
"Test evidence of blocked admin internet access",
"JIT admin solution configuration (Level 2+)",
"Privileged access logging configuration (Level 3)",
"Segregated admin environment (PAW/jump server) (Level 3)"
],
"kill_switch_relevance": true,
"australian_context": "ACSC reports privileged access abuse in majority of incidents. Essential Eight Strategy #5 alignment directly maps to ISO 27001 A.8.2 for international compliance synergy."
},
{
"strategy_number": 6,
"title": "Patch Operating Systems",
"objective": "Security vulnerabilities in operating systems which adversaries can exploit are patched, updated or mitigated",
"rationale": "OS vulnerabilities provide adversaries system-level access. Timely patching is critical",
"maturity_levels": {
"level_1": {
"requirements": [
"Security vulnerabilities in operating systems assessed at least monthly",
"Security vulnerabilities in internet-facing services assessed within two weeks of release",
"Patches, updates or vendor mitigations for extreme risk vulnerabilities applied within 48 hours",
"Latest operating system version used"
],
"validation": "Same as Strategy #2 (Patch Applications) but for OS; verify latest OS version in use"
},
"level_2": {
"requirements": [
"All Level 1 requirements",
"Patches, updates or vendor mitigations for high risk vulnerabilities applied within two weeks"
],
"validation": "Same as Strategy #2 Level 2 but for OS"
},
"level_3": {
"requirements": [
"All Level 2 requirements",
"Patches, updates or vendor mitigations for moderate and low risk vulnerabilities applied within one month",
"An automated method of asset discovery used at least fortnightly",
"A vulnerability scanner used at least daily"
],
"validation": "Same as Strategy #2 Level 3 but for OS; includes both OS and application patching"
}
},
"sovereign_ops_mapping": {
"phases": [3],
"creature_categories": ["asset", "threat", "culture"],
"domains": ["Asset Creatures", "Platform/Tooling Layer", "Threat Creatures"],
"criticality_relevance": ["High"],
"blast_radius_impact": "Red - Unpatched OS vulnerabilities frequently exploited as kill switches"
},
"iso_27001_equivalent": "A.8.8 (Technical vulnerability management), A.12.6.1",
"cis_control_equivalent": "CIS Control 7 (Continuous Vulnerability Management)",
"nist_csf_equivalent": "DE.CM-8, PR.IP-12",
"implementation_guidance": {
"smb_notes": "Identical to Strategy #2 but for operating systems. Use WSUS (Windows), Jamf (macOS), or automatic updates. Prioritize servers and internet-facing systems.",
"common_tools": "WSUS, SCCM, Jamf, Intune, apt/yum (Linux)",
"quick_wins": "Enable automatic OS updates; patch internet-facing servers first; retire unsupported OS versions (Windows 7, Server 2008)",
"common_gaps": "Unsupported OS versions still in use; extreme risk OS vulns not patched within 48 hours; servers not patched as frequently as workstations"
},
"evidence_requirements": [
"OS vulnerability scan reports",
"OS patch deployment records with timelines",
"OS version inventory (verify latest versions)",
"Asset discovery automation (Level 3)",
"Daily vulnerability scanning (Level 3)"
],
"kill_switch_relevance": true,
"australian_context": "ACSC reports OS vulnerabilities among top exploited attack vectors. EternalBlue (Windows SMB) and similar OS exploits caused widespread damage in Australia."
},
{
"strategy_number": 7,
"title": "Multi-Factor Authentication",
"objective": "MFA is used to authenticate standard users and privileged users of systems",
"rationale": "Passwords alone are insufficient. MFA significantly reduces account compromise risk",
"maturity_levels": {
"level_1": {
"requirements": [
"MFA used for authenticating privileged users (e.g., administrators)",
"MFA used for authenticating users to important data repositories (e.g., customer databases)"
],
"validation": "Verify MFA enforced for all admin accounts; verify MFA for critical data access; test that privileged access blocked without MFA"
},
"level_2": {
"requirements": [
"All Level 1 requirements",
"MFA used for authenticating all users of internet-facing services",
"MFA used for VPN and remote access"
],
"validation": "Verify MFA for all internet-facing services; test VPN/remote access requires MFA; verify no MFA bypass mechanisms"
},
"level_3": {
"requirements": [
"All Level 2 requirements",
"MFA used for authenticating all users",
"Phishing-resistant MFA used (FIDO2, smartcard, Windows Hello for Business)",
"Successful and unsuccessful MFA events logged and protected"
],
"validation": "Verify MFA for all users; verify phishing-resistant MFA methods; check MFA event logging and log protection"
}
},
"sovereign_ops_mapping": {
"phases": [3],
"creature_categories": ["identity", "human", "killswitch"],
"domains": ["Identity & Access", "Human Creatures", "Kill-Switch Creatures"],
"criticality_relevance": ["High"],
"blast_radius_impact": "Red - Authentication bypass is kill switch"
},
"iso_27001_equivalent": "A.8.5 (Secure authentication), A.8.2 (Privileged access)",
"cis_control_equivalent": "CIS Control 6.3, 6.4 (Require MFA)",
"nist_csf_equivalent": "PR.AC-7 (Use MFA)",
"implementation_guidance": {
"smb_notes": "For small business: Use Microsoft Entra MFA (free with M365), Google Workspace MFA, or Duo (free tier). Start with Level 1 (admin and critical data). Expand to Level 2 (all internet-facing). Use authenticator apps (Microsoft Authenticator, Google Authenticator) - avoid SMS where possible. Level 3 phishing-resistant: Use Windows Hello for Business (requires AAD join) or FIDO2 keys (YubiKey).",
"common_tools": "Microsoft Entra MFA, Google Workspace MFA, Duo, Okta, Ping Identity, YubiKey (FIDO2)",
"quick_wins": "Enable MFA for all admin accounts; enable MFA for M365/Google Workspace; use authenticator apps",
"common_gaps": "MFA not enforced for privileged accounts; SMS-based MFA used (vulnerable to SIM swapping); MFA bypass mechanisms exist (legacy protocols enabled); not all users have MFA (Level 3)"
},
"evidence_requirements": [
"MFA configuration for privileged accounts",
"MFA enforcement policy",
"Test evidence of blocked access without MFA",
"MFA coverage report (% users with MFA enabled)",
"Phishing-resistant MFA deployment (Level 3)",
"MFA event logs (Level 3)"
],
"kill_switch_relevance": true,
"australian_context": "ACSC reports credential compromise in majority of incidents. MFA effectiveness: blocks 99.9% of automated attacks (Microsoft). SMS MFA vulnerable but better than no MFA. Phishing-resistant MFA (FIDO2) blocks advanced phishing."
},
{
"strategy_number": 8,
"title": "Regular Backups",
"objective": "Backups of important information, software and configuration settings are performed and tested regularly",
"rationale": "Ransomware and destructive attacks can be recovered from if backups are available and restorable",
"maturity_levels": {
"level_1": {
"requirements": [
"Backups of important information performed at least daily",
"Backups stored offline or online with multi-factor authentication and access limited to specific personnel",
"Full restoration of backups tested at least once when initially implemented"
],
"validation": "Verify daily backup schedule; check backup storage is offline or MFA-protected; verify initial restoration test performed"
},
"level_2": {
"requirements": [
"All Level 1 requirements",
"Partial restoration of backups tested at least quarterly",
"Unprivileged accounts cannot access backups belonging to other accounts"
],
"validation": "Review quarterly backup restoration test records; verify backup access controls prevent cross-account access"
},
"level_3": {
"requirements": [
"All Level 2 requirements",
"Full restoration of backups tested at least quarterly",
"Backups are synchronized to enable at least daily restoration to a known good state",
"Retention of backups for three months"
],
"validation": "Review quarterly full restoration test records; verify daily incremental + recovery point objective; verify 3-month retention"
}
},
"sovereign_ops_mapping": {
"phases": [3],
"creature_categories": ["data", "environmental"],
"domains": ["Data Creatures", "Environmental & Physical Continuity Creatures"],
"criticality_relevance": ["High"],
"blast_radius_impact": "Amber - Backup failure increases ransomware impact but not immediate kill switch (unless combined with attack)"
},
"iso_27001_equivalent": "A.8.13 (Backup), A.17.1.2 (Business continuity)",
"cis_control_equivalent": "CIS Control 11 (Data Recovery)",
"nist_csf_equivalent": "PR.IP-4 (Backups managed), RC.RP-1 (Backup restoration)",
"implementation_guidance": {
"smb_notes": "For small business: Use cloud backup (M365 retention, Google Vault) + offline backup (external drive rotated offsite or air-gapped NAS). Enable versioning. Test restores quarterly (set calendar reminder). Use 3-2-1 rule: 3 copies, 2 different media, 1 offsite. Protect backup accounts with MFA and separate credentials.",
"common_tools": "Veeam, Acronis, Azure Backup, AWS Backup, Datto, cloud-native (M365 retention, Google Workspace Vault), Duplicati (free)",
"quick_wins": "Enable cloud backup for critical data; test restore once; store one backup copy offline (air-gapped); protect backup admin account with MFA",
"common_gaps": "Backups not tested (restoration fails when needed); backups on same network (ransomware encrypts backups); backups not retained long enough (3 months minimum); backup accounts compromised during attack"
},
"evidence_requirements": [
"Backup schedule configuration (daily minimum)",
"Backup storage location (offline or MFA-protected online)",
"Initial backup restoration test record (Level 1)",
"Quarterly partial restoration test records (Level 2+)",
"Quarterly full restoration test records (Level 3)",
"Backup retention configuration (3 months minimum for Level 3)",
"Backup access control configuration"
],
"kill_switch_relevance": false,
"australian_context": "Ransomware major threat to Australian organizations. ACSC reports many ransomware victims unable to recover due to backup failures (not tested, not offline, or compromised during attack). 3-2-1 backup rule + offline/immutable storage critical."
}
],
"implementation_order_recommendation": "ACSC recommends prioritizing in order: #5 (Admin privileges), #7 (MFA), #6 (Patch OS), #2 (Patch Apps), #8 (Backups), #1 (App Control), #3 (Office Macros), #4 (User Hardening). Rationale: Strategies 5 and 7 address credential and privilege abuse (most common attack vector); patching addresses exploitation; backups provide recovery; app control and hardening provide defense-in-depth.",
"maturity_progression_guidance": {
"getting_started": "Start with Level 1 for high-impact strategies (#5, #7, #8). Essential Eight Level 1 across all 8 strategies provides baseline protection.",
"level_1_to_2": "Once Level 1 achieved for all strategies, progressively implement Level 2. Focus on strategies #5 and #7 first (JIT admin, MFA for all internet-facing).",
"level_2_to_3": "Level 3 requires significant investment (phishing-resistant MFA, daily vulnerability scanning, comprehensive logging). Reserve for high-security environments or where mandated.",
"resource_constraints": "Small organizations: Achieve Level 1 first. Use free/low-cost tools (Windows AppLocker, WSUS, Windows Hello, cloud backups). Accept some Level 2/3 gaps if risk tolerable."
},
"australian_regulatory_context": {
"government_mandate": "Essential Eight compliance mandatory for Australian Government agencies. Maturity level determined by system classification (PROTECTED requires minimum Level 2).",
"regulatory_sectors": "Financial services (APRA CPS 234), critical infrastructure (SOCI Act) strongly recommend or mandate Essential Eight alignment.",
"acsc_resources": "ACSC publishes Essential Eight Maturity Model documentation, implementation guides, and assessment tools. Consult acsc.gov.au/essential-eight."
},
"sovereign_ops_integration_summary": {
"phase_1_creature_enumeration": "Use Essential Eight to ensure comprehensive enumeration: E8 #5 identifies privileged accounts (Human Creatures), E8 #7 identifies MFA systems (Identity Creatures), E8 #8 identifies backup systems (Data Creatures)",
"phase_3_ledger_mapping": "Map each E8 strategy to relevant domain ledger: E8 #5 → Identity & Access + Human Authority Map, E8 #1 → Platform/Tooling, E8 #8 → Data Creatures + Business Continuity",
"phase_4_blast_radius": "Use E8 to prioritize gaps: Red-tier (kill switches) lacking E8 #5, #7 = CRITICAL; Amber-tier lacking E8 #2, #6 = HIGH; Green-tier = MEDIUM",
"phase_5_maturity_assessment": "Generate Essential Eight Maturity Assessment as part of audit artifacts showing current maturity level per strategy and path to next level"
},
"cross_framework_mapping": {
"iso_27001_overlap": "E8 strategies map to ISO 27001 Annex A controls. Organizations implementing Essential Eight simultaneously address many ISO 27001 requirements. See compliance-matrix.json for detailed mapping.",
"cis_controls_overlap": "Essential Eight aligns closely with CIS Controls Implementation Group 1 (IG1) for small/medium organizations. E8 provides Australia-specific implementation of international best practices.",
"nist_csf_overlap": "Essential Eight strategies map across all five NIST CSF functions (Identify, Protect, Detect, Respond, Recover). E8 #8 (Backups) directly supports Recover function."
},
"usage_instructions_for_gpt": {
"maturity_assessment": "During Phase 5 (Audit Preparation Mode), assess Essential Eight maturity level (0-3) for each strategy based on operational findings. Generate maturity assessment showing current level, gaps, and path to next level.",
"gap_prioritization": "Flag E8 gaps affecting Red/Amber blast radius components as CRITICAL. E8 Level 1 gaps for strategies #5, #7 always CRITICAL. Other strategies prioritize by operational impact.",
"australian_context": "For Australian organizations, explicitly state Essential Eight compliance level. Map to regulatory requirements (APRA CPS 234, SOCI Act, ISM) where relevant.",
"smb_guidance": "For small business entities, provide Essential Eight implementation using SMB-appropriate tools and resource constraints. Highlight free/low-cost options and prioritize strategies with highest ROI."
}
}