Maturity of ASD 'Essential Eight' Controls

Application whitelisting

100%
Daily Backup of important data Patch Application

50%

Multi-factor Authentication 0% Patch Operating System Vu

User Application Hardening Restrict Admin Pr

Disable untrusted Microsoft Office macros

ASD Top 35 Control Maturity Ratings

40

35

30

25

20
 ASD Top 35 Control Maturity Ratings
40

35

30

25

20

15

10

5
Directions for Dashboard - Changes made in framework SOA's may r
0
Undeveloped Informal Established Integrated Optimised Total Result
ASD
ESSENT
IAL 8
ht' Controls
ng

Patch Applications

Patch Operating System Vulnerabilities

Restrict Admin Privileges

ffice macros

urity Ratings
urity Ratings

in framework SOA's may require a refresh of the Dashboard to display correctly - Click Data in tool-bar above and then click Refresh Al

ted Optimised Total Result

 20% = Undeveloped
40% = Informal
60% = Established
80% = Integrated
100% = Optimised

ASD Top 35 Implementation Levels

9

13

37
 ASD Top 35 Implementation Levels
9

13

37

15

above and then click Refresh All. No - Not Implemented

Yes - Partially Implemented
Yes - Fully Implemented
 Maturity of ISO 27001:2013 Annex A Control Sections

Security Policies
Compliance Organisation of information se
100%

Information security aspects of business continuity management Human resource secu

50%

Information security incident management Asset managem

0%

Supplier relationships Access control

System acquisition, development and maintenance Cryptography

Communications security Physical and environmental sec

Operations security
 ISO
27001-
2013
 ISO/IEC 27001:2013 Annex A controls Statement of Applicability

Clause Sec Control Objective/Control Applicability Implementation Level Maturity of Control Justification/Evidence

5.1
Management direction for information security

5 Security Policies 5.1.1 Yes

Policies for information

5.1.2 Yes
Review of the policies for information security

6.1
Internal organisation

6.1.1
Information security roles and responsibilities

6.1.2
Segregation of duties

6.1.3
Contact with authorities
6 Organisation of information
security 6.1.4
Contact with special interest groups

6.1.5
Information security in project management

6.2
Mobile devices and teleworking

6.2.1
Mobile device policy

6.2.2
Teleworking

7.1
Prior to employment

7.1.1
Screening

7.1.2
Terms and conditions of employment

7 Human resource security

 7.2
During employment

7 Human resource security 7.2.1

Management responsibilities

7.2.2
Information security awareness, education and training

7.2.3
Disciplinary process

7.3
Termination and change of employment

7.3.1
Termination or change of employment responsibilities

8.1
Responsibility for assets

8.1.1
Inventory of assets

8.1.2
Ownership of assets

8.1.3
Acceptable use of assets

8.1.4
Return of assets

8.2
Information classification

8 Asset management 8.2.1

Classification of information

8.2.2
Labeling of information

8.2.3
Handling of assets

8.3
Media handling

8.3.1
Management of removable media
 8.3.2
Disposal of media

8.3.3
Physical media transfer

9.1
Business requirements of access control

9.1.1
Access control policy

9.1.2
Access to networks and network services

9.2
User access management

9.2.1
User registration and de-registration

9.2.2
User access provisioning

9.2.3
Management of privileged access rights

9.2.4 Management of secret authentication information of

users

9.2.5
Review of user access rights
9 Access control
9.2.6
Removal or adjustment of access rights

9.3
User responsibilities

9.3.1
Use of secret authentication information

9.4
System and application access control

9.4.1
Information access restriction

9.4.2
Secure log-on procedures
 9.4.3
Password management system

9.4.4
Use of privileged utility programs

9.4.5
Access control to program source code

10.1
Cryptographic controls

10 Cryptography 10.1.1
Policy on the use of cryptographic controls

10.1.2
Key management

11.1
Secure areas

11.1.1
Physical security perimeter

11.1.2
Physical entry controls

11.1.3
Securing office, room and facilities

11.1.4
Protecting against external end environmental threats

11.1.5
Working in secure areas

11.1.6
Delivery and loading areas

11.2
Equipment
11 Physical and environmental 11.2.1
security
Equipment siting and protection

11.2.2
Supporting utilities
 security

11.2.3
Cabling security

11.2.4
Equipment maintenance

11.2.5
Removal of assets

11.2.6
Security of equipment and assets off-premises

11.2.7
Secure disposal or re-use of equipment

11.2.8
Unattended user equipment

11.2.9
Clear desk and clear screen policy

12.1
Operational procedures and responsibilities

12.1.1
Documented operating procedures

12.1.2
Change management

12.1.3
Capacity management

12.1.4 Separation of development, testing and operational

environments

12.2
Protection from malware

12.2.1
Controls against malware

12.3
Backup

12.3.1
Information backup

12.4
Logging and monitoring

12 Operations security
 12 Operations security 12.4.1
Event logging

12.4.2
Protection of log information

12.4.3
Administrator and operator logs

12.4.4
Clock synchronisaton

12.5
Control of operational software

12.5.1
Installation of software on operational systems

12.6
Technical vulnerability management

12.6.1
Management of technical vulnerabilities

12.6.2
Restrictions on software installation

12.7
Information systems audit considerations

12.7.1
Information systems audit controls

13.1
Network security management

13.1.1
Network controls

13.1.2
Security of network services

13.1.3
Segregation in networks

13 Communications security 13.2

Information transfer

13.2.1
Information transfer policies and procedures
 13.2.2
Agreements on information transfer

13.2.3
Electronic messaging

13.2.4
Confidentiality or Yesn-disclosure agreements

14.1
Security requirements of information systems

14.1.1 Information security requirements analysis and

specification

14.1.2
Securing applications services on public networks

14.1.3
Protecting application services transactions
14.2

Security in development and support processes

14.2.1
Secure development policy

14.2.2
System change control procedures

14.2.3 Technical review of applications after operating

14 System acquisition, platform changes
development and maintenance
14.2.4
Restrictions on changes to software packages

14.2.5
Secure system engineering principles

14.2.6
Secure development environment

14.2.7
Outsourced development

14.2.8
System security testing

14.2.9
System acceptance testing
 14.3
Test data

14.3.1
Protection of test data

15.1
Information security in supplier relationships

15.1.1
Information security policy for supplier relationships

15.1.2
Addressing security within supplier agreements

15 Supplier relationships 15.1.3 Information and communication techYeslogy supply

chain

15.2
Supplier service delivery management

15.2.1
Monitoring and review of supplier services

15.2.2
Managing changes to supplier services

16.1 Management of information security incidents and

improvements

16.1.1
Responsibilities and procedures

16.1.2
Reporting information security events

16.1.3
16 Information security incident Reporting information security weaknesses
management
16.1.4 Assessment of and decision on information security
events

16.1.5
Response to information security incidents

16.1.6
Learning from information security incidents
 16.1.7
Collection of evidence

17.1
Information security continuity

17.1.1
Planning information security continuity

17.1.2
17 Information security aspects Implementing information security continuity
of business continuity
management
17.1.3 Verify, review and evaluate information security
continuity

17.2
Redundancies

17.2.1
Availability of information processing facilities

18.1
Compliance with legal and contractual requirements

18.1.1 Identification of applicable legislation and contractual

requirements

18.1.2
Intellectual property rights

18.1.3
Protection of records

18.1.4 Privacy and protection of personally identifiable

information
18 Compliance
18.1.5
Regulation of cryptographic controls

18.2
Information security reviews

18.2.1
Independent review of information security

18.2.2
Compliance with security policies and standards
18.2.3
Technical compliance review
 Relative Security
Effectiveness
Rating

Mitigation Strategies to Prevent Malware Delivery and Execution:

Essential
Essential
Essential
Essential
Excellent
Excellent
Excellent
Excellent
Excellent
Very Good
Very Good
Very Good
Very Good
Very Good
Good
Limited
Limited
Mitigation Strategies to Limit the Extent of Cyber Security Incidents:
Essential
Essential
Essential
Excellent
Excellent
Excellent
Very Good
Very Good
Very Good
Very Good
Mitigation Strategies to Detect Cyber Security Incidents and Respond:
Excellent
Very Good
Very Good
Very Good
Limited
Limited
Mitigation Strategies to Recover Data and System Availability:
Essential
Very Good
Very Good
Mitigation Strategy Specific to Preventing Malicious Insiders:
Very Good
 Mitigation Strategy

on Strategies to Prevent Malware Delivery and Execution:

Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs
and
Patch HTA) and installers.
applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers w
version of applications.
Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros eith
with
User aapplication
trusted certificate.
hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Inte
browsers and
Automated dynamic PDF viewers.
analysis of email and web content run in a sandbox, blocked if suspicious behaviour is ide
configuration changes.
Email content filtering. Whitelist allowed attachment types (including in archives and nested archives). Analyse/
Quarantine
Web content Microsoft
filtering.Office macros.
Whitelist allowed types of web content and websites with good reputation ratings. Block
networks and free domains.
Deny corporate computers direct Internet connectivity. Use a gateway firewall to require use of a split DNS serv
outbound
Operating web systemconnections.
generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Rando
(EMET).
Server application hardening especially Internet-accessible web applications (sanitise input and use TLS not SSL)
(sensitive/high-availability)
Operating system hardening data.
(including for network devices) based on a Standard Operating Environment, disab
SMB/NetBIOS, LLMNR and WPAD.
Antivirus software using heuristics and reputation ratings to check a file’s prevalence and digital signature prior
gateways versus computers.
Control removable storage media and connected devices. Block unapproved CD/DVD/USB storage media. Block
Bluetooth/Wi-Fi/3G/4G
Block spoofed emails. Use devices.
Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use “hard fail”
organisation’s domain.
User education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase r
devices
Antivirusand cloud services.
software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures fo
gateways versus computers.
TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently lev
traffic
on Strategies is decrypted.
to Limit the Extent of Cyber Security Incidents:
Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalida
email
Patch and web browsing.
operating systems. Patch/mitigate computers (including network devices) with “extreme risk”1 vulnerabil
Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they p
availability)
Disable localdata repository.accounts or assign passphrases that are random and unique for each computer’s loc
administrator
administrator credentials.Deny traffic between computers unless required. Constrain devices with low assurance
Network segmentation.
repositories based on user
Protect authentication duties. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Us
credentials.
complex passphrases.
Non-persistent virtualised sandboxed environment, denying access to important (sensitive/high-availability) da
Microsoft Office application
Software-based and PDF files. firewall, blocking incoming network traffic that is malicious/unauthorised, and den
and SMB/NetBIOS traffic.
Software-based application firewall, blocking outgoing network traffic that is not generated by approved/trust
Outbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size
sensitive
on Strategies to Detectwords
Cyberor data patterns.
Security Incidents and Respond:
Continuous incident detection and response with automated immediate analysis of centralised time-synchronis
file access, network
Host-based intrusionactivity.
detection/prevention system to identify anomalous behaviour during program execution
persistence.
Endpoint detection and response software on all computers to centrally log system behaviour and facilitate inci
option.
Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting o
just indicators ofintrusion
Network-based compromise.detection/prevention system using signatures and heuristics to identify anomalous tr
Capture network traffic to and from corporate computers storing important data or considered as critical assets
incident
on Strategies detection
to Recover Dataand andanalysis.
System Availability:
Daily backups of important new/changed data, software and configuration settings, stored disconnected, retaine
when
BusinessIT infrastructure
continuity andchanges.
disaster recovery plans which are tested, documented and printed in hardcopy with a s
data to recover.
System recovery capabilities e.g. virtualisation with snapshot backups, remotely installing operating systems an
on Strategyonsite
Specificvendor support contracts.
to Preventing Malicious Insiders:
Personnel management e.g. ongoing vetting especially for users with privileged access, immediately disable all a
obligations and penalties.
 Upfront Cost Ongoing
(staff,
Potential User Maintenance
Resistance equipment, Cost Applicability
technical
complexity) (mainly staff)

s Script Host, PowerShell Medium High Medium Yes

n 48 hours. Use the latest Low High High Yes
e access or digitally signed Medium Medium Medium Yes
soft Office (e.g. OLE), web Medium Medium Medium Yes
ed files, or other system Low High Medium No
ffice attachments. Medium Medium Medium No
esses, ads, anonymity Medium Medium Medium No
d web proxy server for Medium Medium Low No
Experience Toolkit Low Low Low No
at access important Low Medium Medium No
oRun, LanMan, Medium Medium Low No
m different vendors for Low Low Low No
nes, tablets and High High Medium No
tigate emails that spoof the Low Low Low No
storage media, connected Medium High Medium No
rom different vendors for Low Low Low No
ontent scanning after email Low Low Low No

leged accounts for reading Medium High Medium Yes

ating system version. Don’t use unsupported
Low versions.
Medium Medium Yes
mportant (sensitive/high- Medium High Medium Yes
agation using shared local Low Medium Low No
work drives and data Low High Medium No
hrases. Require long Medium Medium Low No
and viewing untrusted Medium Medium Medium No
ded/unauthorised RDP Low Medium Medium No
by default. Medium Medium Medium No
and log emails with Medium Medium Medium No

er events, authentication, Low Very High Very High No

driver loading and Low Medium Medium No
ool is an entry level Low Medium Medium No
ling mitigating action, not Low Very High Very High No
perimeter boundaries. Low High Medium No
ork perimeter, to perform Low High Medium No

tion initially, annually and Low High High Yes

est priority systems and Low High Medium No
nterprise mobility, and Low High Medium No
users of their security High High High No
 Maturity of
Implementation Level Control Justification/Evidence

Yes - Partially Implemented Optimised

Yes - Fully Implemented Established
Yes - Fully Implemented Integrated
Yes - Partially Implemented Informal
Yes - Fully Implemented Informal
Yes - Partially Implemented Established
Yes - Fully Implemented Optimised
No - Not Implemented Undeveloped
Yes - Fully Implemented Integrated
Yes - Partially Implemented Informal
Yes - Fully Implemented Established
Yes - Fully Implemented Integrated
No - Not Implemented Informal
No - Not Implemented Integrated
Yes - Fully Implemented Established
Yes - Partially Implemented Integrated
Yes - Partially Implemented Undeveloped

Yes - Fully Implemented Informal

No - Not Implemented Optimised
No - Not Implemented Optimised
Yes - Partially Implemented Optimised
Yes - Partially Implemented Optimised
Yes - Partially Implemented Integrated
Yes - Fully Implemented Integrated
No - Not Implemented Established
No - Not Implemented Informal
Yes - Partially Implemented Established

Yes - Partially Implemented Undeveloped

Yes - Fully Implemented Established
Yes - Fully Implemented Integrated
Yes - Partially Implemented Undeveloped
Yes - Fully Implemented Informal
Yes - Partially Implemented Established

Yes - Fully Implemented Integrated

Yes - Fully Implemented Undeveloped
No - Not Implemented Undeveloped
No - Not Implemented Undeveloped
 This latest versio
Mapping Toolset - ISO27001:2013 and ASD Applicability/Ma
Top 35 Mitigations each framework
provide simple tr
For Queensland Government Chief Information Office the implementati
your organisatio

This tool is provided

1
Report Dashboard
Dashboard Please provide reco
as the creater of thi
Contains Summary of Report Findings
and Graphs/Charts All feedback for the
this tool is consider
appreciated.

ISO 27001/2:2013 Controls

2

ASD Top 35 Mitigations

3
This latest version includes Statement of
Applicability/Maturity functionality within
each framework sheet. This can be used to
provide simple tracking and monitoring of
the implementation of frameworks within
your organisation.

This tool is provided free of charge.

Please provide recognition of Agilient
as the creater of this tool.

All feedback for the improvement of

this tool is considered and
appreciated.

Sydney Head O
Level 4, 655 Pacific High
ST LEONARDS NSW 2

Canberra O
Suite 117, 2 Endeavour H
Captain Cook Cres
MANUKA ACT

Melbourne O
Level 9, 440 Collins S
MELBOURNE VIC

Phone: 1300 341

Fax: 02 9751

enquiries@agilient.com
www.agilient.com
 Sydney Head Office
Level 4, 655 Pacific Highway
ST LEONARDS NSW 2065

Canberra Office
uite 117, 2 Endeavour House
Captain Cook Crescent
MANUKA ACT 2603

Melbourne Office
Level 9, 440 Collins Street
MELBOURNE VIC 3000

Phone: 1300 341 692

Fax: 02 9751 0195

enquiries@agilient.com.au
www.agilient.com.au