
[Radar chart: Maturity of ASD 'Essential Eight' Controls. Axes: Application whitelisting, Patch Applications, Patch Operating System Vulnerabilities, Restrict Admin Privileges, Disable untrusted Microsoft Office macros, User Application Hardening, Multi-factor Authentication, Daily Backup of important data. Gridlines at 0%, 50% and 100%.]
[Bar chart: ASD Top 35 Control Maturity Ratings. Vertical axis: number of controls, 0 to 40 in steps of 5. Horizontal axis categories: Undeveloped, Informal, Established, Integrated, Optimised, Total.]
Directions for Dashboard - Changes made in framework SOA's may require a refresh of the Dashboard to display correctly - Click Data in tool-bar above and then click Refresh All.

Maturity legend:
20% = Undeveloped
40% = Informal
60% = Established
80% = Integrated
100% = Optimised
ISO/IEC 27001:2013 Annex A controls Statement of Applicability

Columns: Clause | Sec | Control Objective/Control | Applicability | Implementation Level | Maturity of Control | Justification/Evidence. In this export only the Applicability column holds values (Yes for 5.1.1 and 5.1.2); the remaining columns are blank.

5 Security Policies
  5.1 Management direction for information security
    5.1.1 Policies for information security - Applicability: Yes
    5.1.2 Review of the policies for information security - Applicability: Yes
6 Organisation of information security
  6.1 Internal organisation
    6.1.1 Information security roles and responsibilities
    6.1.2 Segregation of duties
    6.1.3 Contact with authorities
    6.1.4 Contact with special interest groups
    6.1.5 Information security in project management
  6.2 Mobile devices and teleworking
    6.2.1 Mobile device policy
    6.2.2 Teleworking
7 Human resource security
  7.1 Prior to employment
    7.1.1 Screening
    7.1.2 Terms and conditions of employment
  7.2 During employment
    7.2.1 Management responsibilities
    7.2.2 Information security awareness, education and training
    7.2.3 Disciplinary process
  7.3 Termination and change of employment
    7.3.1 Termination or change of employment responsibilities
8 Asset management
  8.1 Responsibility for assets
    8.1.1 Inventory of assets
    8.1.2 Ownership of assets
    8.1.3 Acceptable use of assets
    8.1.4 Return of assets
  8.2 Information classification
    8.2.1 Classification of information
    8.2.2 Labelling of information
    8.2.3 Handling of assets
  8.3 Media handling
    8.3.1 Management of removable media
    8.3.2 Disposal of media
    8.3.3 Physical media transfer
9 Access control
  9.1 Business requirements of access control
    9.1.1 Access control policy
    9.1.2 Access to networks and network services
  9.2 User access management
    9.2.1 User registration and de-registration
    9.2.2 User access provisioning
    9.2.3 Management of privileged access rights
    9.2.4 Management of secret authentication information of users
    9.2.5 Review of user access rights
    9.2.6 Removal or adjustment of access rights
  9.3 User responsibilities
    9.3.1 Use of secret authentication information
  9.4 System and application access control
    9.4.1 Information access restriction
    9.4.2 Secure log-on procedures
    9.4.3 Password management system
    9.4.4 Use of privileged utility programs
    9.4.5 Access control to program source code
10 Cryptography
  10.1 Cryptographic controls
    10.1.1 Policy on the use of cryptographic controls
    10.1.2 Key management
11 Physical and environmental security
  11.1 Secure areas
    11.1.1 Physical security perimeter
    11.1.2 Physical entry controls
    11.1.3 Securing offices, rooms and facilities
    11.1.4 Protecting against external and environmental threats
    11.1.5 Working in secure areas
    11.1.6 Delivery and loading areas
  11.2 Equipment
    11.2.1 Equipment siting and protection
    11.2.2 Supporting utilities
    11.2.3 Cabling security
    11.2.4 Equipment maintenance
    11.2.5 Removal of assets
    11.2.6 Security of equipment and assets off-premises
    11.2.7 Secure disposal or re-use of equipment
    11.2.8 Unattended user equipment
    11.2.9 Clear desk and clear screen policy
12 Operations security
  12.1 Operational procedures and responsibilities
    12.1.1 Documented operating procedures
    12.1.2 Change management
    12.1.3 Capacity management
    12.1.4 Separation of development, testing and operational environments
  12.2 Protection from malware
    12.2.1 Controls against malware
  12.3 Backup
    12.3.1 Information backup
  12.4 Logging and monitoring
    12.4.1 Event logging
    12.4.2 Protection of log information
    12.4.3 Administrator and operator logs
    12.4.4 Clock synchronisation
  12.5 Control of operational software
    12.5.1 Installation of software on operational systems
  12.6 Technical vulnerability management
    12.6.1 Management of technical vulnerabilities
    12.6.2 Restrictions on software installation
  12.7 Information systems audit considerations
    12.7.1 Information systems audit controls
13 Communications security
  13.1 Network security management
    13.1.1 Network controls
    13.1.2 Security of network services
    13.1.3 Segregation in networks
  13.2 Information transfer
    13.2.1 Information transfer policies and procedures
    13.2.2 Agreements on information transfer
    13.2.3 Electronic messaging
    13.2.4 Confidentiality or non-disclosure agreements
14 System acquisition, development and maintenance
  14.1 Security requirements of information systems
    14.1.1 Information security requirements analysis and specification
    14.1.2 Securing application services on public networks
    14.1.3 Protecting application services transactions
  14.2 Security in development and support processes
    14.2.1 Secure development policy
    14.2.2 System change control procedures
    14.2.3 Technical review of applications after operating platform changes
    14.2.4 Restrictions on changes to software packages
    14.2.5 Secure system engineering principles
    14.2.6 Secure development environment
    14.2.7 Outsourced development
    14.2.8 System security testing
    14.2.9 System acceptance testing
  14.3 Test data
    14.3.1 Protection of test data
15 Supplier relationships
  15.1 Information security in supplier relationships
    15.1.1 Information security policy for supplier relationships
    15.1.2 Addressing security within supplier agreements
    15.1.3 Information and communication technology supply chain
  15.2 Supplier service delivery management
    15.2.1 Monitoring and review of supplier services
    15.2.2 Managing changes to supplier services
16 Information security incident management
  16.1 Management of information security incidents and improvements
    16.1.1 Responsibilities and procedures
    16.1.2 Reporting information security events
    16.1.3 Reporting information security weaknesses
    16.1.4 Assessment of and decision on information security events
    16.1.5 Response to information security incidents
    16.1.6 Learning from information security incidents
    16.1.7 Collection of evidence
17 Information security aspects of business continuity management
  17.1 Information security continuity
    17.1.1 Planning information security continuity
    17.1.2 Implementing information security continuity
    17.1.3 Verify, review and evaluate information security continuity
  17.2 Redundancies
    17.2.1 Availability of information processing facilities
18 Compliance
  18.1 Compliance with legal and contractual requirements
    18.1.1 Identification of applicable legislation and contractual requirements
    18.1.2 Intellectual property rights
    18.1.3 Protection of records
    18.1.4 Privacy and protection of personally identifiable information
    18.1.5 Regulation of cryptographic controls
  18.2 Information security reviews
    18.2.1 Independent review of information security
    18.2.2 Compliance with security policies and standards
    18.2.3 Technical compliance review
ASD Top 35 Mitigations

Columns: Relative Security Effectiveness Rating | Mitigation Strategy | Potential User Resistance | Upfront Cost (staff, equipment, technical complexity) | Ongoing Maintenance Cost (mainly staff) | Applicability | Implementation Level | Maturity of Control | Justification/Evidence (blank in this export). Each row below gives the strategy text, then the rating, resistance, upfront cost, ongoing cost, applicability, implementation level and maturity. Where part of a description fell outside the exported page width it is marked [...].

Mitigation Strategies to Prevent Malware Delivery and Execution:

1. Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs [...]ws Script Host, PowerShell and HTA) and installers.
   Essential | Medium | High | Medium | Yes | Yes - Partially Implemented | Optimised
2. Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers w[...]n 48 hours. Use the latest version of applications.
   Essential | Low | High | High | Yes | Yes - Fully Implemented | Established
3. Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros eithe[...]te access or digitally signed with a trusted certificate.
   Essential | Medium | Medium | Medium | Yes | Yes - Fully Implemented | Integrated
4. User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Inter[...]osoft Office (e.g. OLE), web browsers and PDF viewers.
   Essential | Medium | Medium | Medium | Yes | Yes - Partially Implemented | Informal
5. Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is iden[...]fied files, or other system configuration changes.
   Excellent | Low | High | Medium | No | Yes - Fully Implemented | Informal
6. Email content filtering. Whitelist allowed attachment types (including in archives and nested archives). Analyse/s[...]ffice attachments. Quarantine Microsoft Office macros.
   Excellent | Medium | Medium | Medium | No | Yes - Partially Implemented | Established
7. Web content filtering. Whitelist allowed types of web content and websites with good reputation ratings. Block a[...]esses, ads, anonymity networks and free domains.
   Excellent | Medium | Medium | Medium | No | Yes - Fully Implemented | Optimised
8. Deny corporate computers direct Internet connectivity. Use a gateway firewall to require use of a split DNS serv[...]d web proxy server for outbound web connections.
   Excellent | Medium | Medium | Low | No | No - Not Implemented | Undeveloped
9. Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Random[...]n Experience Toolkit (EMET).
   Excellent | Low | Low | Low | No | Yes - Fully Implemented | Integrated
10. Server application hardening especially Internet-accessible web applications (sanitise input and use TLS not SSL) [...]hat access important (sensitive/high-availability) data.
   Very Good | Low | Medium | Medium | No | Yes - Partially Implemented | Informal
11. Operating system hardening (including for network devices) based on a Standard Operating Environment, disabl[...]toRun, LanMan, SMB/NetBIOS, LLMNR and WPAD.
   Very Good | Medium | Medium | Low | No | Yes - Fully Implemented | Established
12. Antivirus software using heuristics and reputation ratings to check a file's prevalence and digital signature prior [...]m different vendors for gateways versus computers.
   Very Good | Low | Low | Low | No | Yes - Fully Implemented | Integrated
13. Control removable storage media and connected devices. Block unapproved CD/DVD/USB storage media. Block [...]ones, tablets and Bluetooth/Wi-Fi/3G/4G devices.
   Very Good | High | High | Medium | No | No - Not Implemented | Informal
14. Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use "hard fail" [...]itigate emails that spoof the organisation's domain.
   Very Good | Low | Low | Low | No | No - Not Implemented | Integrated
15. User education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase re[...] storage media, connected devices and cloud services.
   Good | Medium | High | Medium | No | Yes - Fully Implemented | Established
16. Antivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures fo[...] from different vendors for gateways versus computers.
   Limited | Low | Low | Low | No | Yes - Partially Implemented | Integrated
17. TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently lev[...]ontent scanning after the email traffic is decrypted.
   Limited | Low | Low | Low | No | Yes - Partially Implemented | Undeveloped

Mitigation Strategies to Limit the Extent of Cyber Security Incidents:

18. Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidat[...]ileged accounts for reading email and web browsing.
   Essential | Medium | High | Medium | Yes | Yes - Fully Implemented | Informal
19. Patch operating systems. Patch/mitigate computers (including network devices) with "extreme risk" vulnerabilit[...]ating system version. Don't use unsupported versions.
   Essential | Low | Medium | Medium | Yes | No - Not Implemented | Optimised
20. Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they p[...]mportant (sensitive/high-availability) data repository.
   Essential | Medium | High | Medium | Yes | No - Not Implemented | Optimised
21. Disable local administrator accounts or assign passphrases that are random and unique for each computer's loca[...]pagation using shared local administrator credentials.
   Excellent | Low | Medium | Low | No | Yes - Partially Implemented | Optimised
22. Network segmentation. Deny traffic between computers unless required. Constrain devices with low assurance e[...]work drives and data repositories based on user duties.
   Excellent | Low | High | Medium | No | Yes - Partially Implemented | Optimised
23. Protect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use [...]phrases. Require long complex passphrases.
   Excellent | Medium | Medium | Low | No | Yes - Partially Implemented | Integrated
24. Non-persistent virtualised sandboxed environment, denying access to important (sensitive/high-availability) dat[...] and viewing untrusted Microsoft Office and PDF files.
   Very Good | Medium | Medium | Medium | No | Yes - Fully Implemented | Integrated
25. Software-based application firewall, blocking incoming network traffic that is malicious/unauthorised, and deny[...]eded/unauthorised RDP and SMB/NetBIOS traffic.
   Very Good | Low | Medium | Medium | No | No - Not Implemented | Established
26. Software-based application firewall, blocking outgoing network traffic that is not generated by approved/truste[...]c by default.
   Very Good | Medium | Medium | Medium | No | No - Not Implemented | Informal
27. Outbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size a[...]k and log emails with sensitive words or data patterns.
   Very Good | Medium | Medium | Medium | No | Yes - Partially Implemented | Established

Mitigation Strategies to Detect Cyber Security Incidents and Respond:

28. Continuous incident detection and response with automated immediate analysis of centralised time-synchronise[...]uter events, authentication, file access, network activity.
   Excellent | Low | Very High | Very High | No | Yes - Partially Implemented | Undeveloped
29. Host-based intrusion detection/prevention system to identify anomalous behaviour during program execution e[...] driver loading and persistence.
   Very Good | Low | Medium | Medium | No | Yes - Fully Implemented | Established
30. Endpoint detection and response software on all computers to centrally log system behaviour and facilitate incid[...] tool is an entry level option.
   Very Good | Low | Medium | Medium | No | Yes - Fully Implemented | Integrated
31. Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting o[...]bling mitigating action, not just indicators of compromise.
   Very Good | Low | Very High | Very High | No | Yes - Partially Implemented | Undeveloped
32. Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous tra[...]k perimeter boundaries.
   Limited | Low | High | Medium | No | Yes - Fully Implemented | Informal
33. Capture network traffic to and from corporate computers storing important data or considered as critical assets, [...]ork perimeter, to perform incident detection and analysis.
   Limited | Low | High | Medium | No | Yes - Partially Implemented | Established

Mitigation Strategies to Recover Data and System Availability:

34. Daily backups of important new/changed data, software and configuration settings, stored disconnected, retaine[...]tion initially, annually and when IT infrastructure changes.
   Essential | Low | High | High | Yes | Yes - Fully Implemented | Integrated
35. Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a so[...]hest priority systems and data to recover.
   Very Good | Low | High | Medium | No | Yes - Fully Implemented | Undeveloped
36. System recovery capabilities e.g. virtualisation with snapshot backups, remotely installing operating systems and [...] enterprise mobility, and onsite vendor support contracts.
   Very Good | Low | High | Medium | No | No - Not Implemented | Undeveloped

Mitigation Strategy Specific to Preventing Malicious Insiders:

37. Personnel management e.g. ongoing vetting especially for users with privileged access, immediately disable all a[...] users of their security obligations and penalties.
   Very Good | High | High | High | No | No - Not Implemented | Undeveloped
Mapping Toolset - ISO27001:2013 and ASD Top 35 Mitigations
For Queensland Government Chief Information Office

Sheets:
1. Report Dashboard - Contains Summary of Report Findings and Graphs/Charts
2. ISO 27001/2:2013 Controls
3. ASD Top 35 Mitigations

This latest version includes Statement of Applicability/Maturity functionality within each framework sheet. This can be used to provide simple tracking and monitoring of the implementation of frameworks within your organisation.

This tool is provided free of charge.

Please provide recognition of Agilient as the creator of this tool.

All feedback for the improvement of this tool is considered and appreciated.