Outcomex
Essential 8 Executive Self-Assessment

The best way to evaluate the effectiveness of your Essential 8 controls within your organisation is to complete the Essential 8 Online Executive Assessment. It will help you understand where your security vulnerabilities and weaknesses are, so that you can make improvements and strengthen those areas.

The Essential 8 Online Executive Assessment only takes a few minutes to complete and gives you a thorough report on the effectiveness of your Essential 8 controls within your organisation. Based on your answers, we will provide recommendations on how to improve your security controls, and can also help implement the Essential 8 or give further guidance on your organisation's maturity level and how to strengthen it.

Application Control 

Do you have a process in place to allow only approved applications to run on your systems, and can you prevent unauthorized programs from executing?
Recommendations:
An application control solution can be implemented to enforce a defined list of executables, software libraries and scripts that are authorized to run on a system. It can be configured in one of the following modes:
  • Enforcement enabled - Only trusted executables are allowed to run.
  • Audit only - All executables are allowed to run, but untrusted executables that run are logged in the local client event log.
Detailed Requirement for Maturity Level 1:
The execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets is prevented on workstations from within standard user profiles and temporary folders used by the operating system, web browsers and email clients.
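The two modes and the Maturity Level 1 folder rule can be modelled as a small decision engine. The following is an added example written for this page, not Outcomex's product or any vendor's application control engine: it classifies a launched file by extension (the file classes named in the requirement), checks whether it sits under a user profile or temporary folder, and returns "block" in enforcement mode or "log" in audit mode. The folder layout, the extension list, and the sample launches are assumptions and constructed data rather than any organisation's policy.

```python
"""Evaluate execution events against a path-based application control policy.

Added example (not Outcomex's product or any vendor's engine): it models the
'enforcement enabled' and 'audit only' modes described above and the Maturity
Level 1 rule that executables, software libraries, scripts, installers, compiled
HTML, HTML applications and control panel applets must not run from standard
user profiles or temporary folders. Folder layout, extension list and sample
events are assumptions / constructed data, not an organisation's policy.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# File classes named in the Maturity Level 1 requirement, keyed by extension
# (a representative subset; a real policy would use the vendor's rule types).
CONTROLLED_EXTENSIONS = {
    ".exe": "executable", ".com": "executable",
    ".dll": "software library", ".ocx": "software library",
    ".ps1": "script", ".vbs": "script", ".js": "script",
    ".bat": "script", ".cmd": "script",
    ".msi": "installer", ".msp": "installer",
    ".chm": "compiled HTML",
    ".hta": "HTML application",
    ".cpl": "control panel applet",
}

# Locations the controlled classes must not run from. Browser and email client
# temp folders live under the user profile (AppData\Local\Temp), so the C:\Users
# prefix covers them too. Assumed default Windows layout.
BLOCKED_PREFIXES = [
    PureWindowsPath(r"C:\Users"),
    PureWindowsPath(r"C:\Windows\Temp"),
]
# Locations an enforcement policy would normally trust explicitly (assumed).
ALLOWED_PREFIXES = [
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\Windows"),
]


@dataclass
class Decision:
    action: str   # "allow", "block" (enforce mode) or "log" (audit mode)
    reason: str


def _under(path, prefix):
    # Windows paths are case-insensitive, so compare lower-cased components.
    parts = [c.lower() for c in path.parts]
    base = [c.lower() for c in prefix.parts]
    return parts[:len(base)] == base


def evaluate(path_str, mode="enforce"):
    """Decide what happens when the file at path_str is launched."""
    if mode not in ("enforce", "audit"):
        raise ValueError(f"unknown mode: {mode}")
    path = PureWindowsPath(path_str)
    file_class = CONTROLLED_EXTENSIONS.get(path.suffix.lower())
    if file_class is None:
        return Decision("allow", "not a controlled file class")
    untrusted = "block" if mode == "enforce" else "log"
    # Blocked locations are tested first: C:\Windows\Temp sits under C:\Windows.
    if any(_under(path, p) for p in BLOCKED_PREFIXES):
        return Decision(untrusted, f"{file_class} in user profile or temp folder")
    if any(_under(path, p) for p in ALLOWED_PREFIXES):
        return Decision("allow", f"{file_class} in trusted location")
    return Decision(untrusted, f"{file_class} outside trusted locations")


def audit_summary(path_strs):
    """Run observed launches in audit mode and return the paths that enforcement
    mode would block: the list to review before switching modes."""
    return [p for p in path_strs if evaluate(p, mode="audit").action == "log"]


if __name__ == "__main__":
    # Constructed sample of observed launches.
    sample = [
        r"C:\Program Files\Vendor\app.exe",
        r"C:\Users\alice\AppData\Local\Temp\setup_helper.exe",
        r"C:\Users\bob\Documents\report.docx",
        r"D:\Shared\tools\macro.hta",
    ]
    for p in sample:
        d = evaluate(p)
        print(f"{d.action:5} {p}  ({d.reason})")
    print("would be blocked:", audit_summary(sample))
```

Running a period in audit mode first and reviewing what audit_summary() reports is the usual way to find the legitimate applications that a policy would otherwise block before enforcement is switched on.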

Patch Applications

Do you have a process to regularly update and patch your software applications, including operating systems, to fix known vulnerabilities?
Recommendations:
Patch management software can be installed that:
  • Automatically scans the applications on devices for missing patches.
  • Automates the download of missing patches released by the application vendors.
  • Automatically deploys patches according to the organisation's deployment policies.
  • Reports on the status of the automated patch management tasks.
Detailed Requirement for Maturity Level 1:
  • An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
  • A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
  • A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in internet-facing services.
  • A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
  • Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
  • Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release.
  • Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed.

Configure Microsoft Office Macro Settings 

Do you have a process to configure and manage Office macros to prevent cyber threats?
Recommendations:
It is highly recommended to keep the Group Policy setting at "Only macros digitally signed by trusted publishers are enabled". This prevents macros from untrusted locations or publishers from running.
Detailed Requirement for Maturity Level 1:
  • Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
  • Microsoft Office macros in files originating from the internet are blocked.
  • Microsoft Office macro antivirus scanning is enabled.
  • Microsoft Office macro security settings cannot be changed by users.

User Application Hardening 

Do you have a process to configure and secure your applications, such as web browsers and email clients, to prevent cyber threats?
Recommendations:
User application hardening with respect to web browsers refers to controlling browser plugins such as Flash and Java and web advertisement content. This restricts applications to what they are supposed to do by allowing only the required parts of a given application to run. Application hardening on popular web browsers can be implemented in the following ways:
  • On Google Chrome, Flash can be disabled by blocking all Flash plugins, with the setting pushed via Group Policy to all users, preventing them from downloading malicious items onto their PCs while accessing web pages.
  • The same option is available on other web browsers such as Microsoft Internet Explorer, Edge, Safari and Mozilla Firefox.
Detailed Requirement for Maturity Level 1:
  • Web browsers do not process Java from the internet.
  • Web browsers do not process web advertisements from the internet.
  • Internet Explorer 11 does not process content from the internet.
  • Web browser security settings cannot be changed by users.

Restrict Administrative Privileges 

Do you have a process to limit and control access to administrative privileges for your systems and networks, and do you review and manage these privileges regularly?
Recommendations:
The best approach to implementing enterprise privilege management is to focus on defining the tasks your administrators do, assign their privileges accordingly and perform access reviews regularly. Implementing a privileged access management (PAM) solution can also help control and secure administrative privileges: PAM solutions provide centralized management and control over administrative privileges, including the ability to monitor and record privileged user activity. MFA adds a further layer of security by requiring users to provide a second form of authentication, such as a one-time passcode or biometric verification, before accessing systems or data.
Detailed Requirement for Maturity Level 1:
  • Requests for privileged access to systems and applications are validated when first requested.
  • Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.
  • Privileged users use separate privileged and unprivileged operating environments.
  • Unprivileged accounts cannot log on to privileged operating environments.
  • Privileged accounts (excluding local administrator accounts) cannot log on to unprivileged operating environments.

Patch Operating Systems

Do you have a process to regularly update and patch your operating systems, including servers, desktops, laptops, and other devices, to fix known vulnerabilities?
Recommendations:
A patch management solution can be installed that is capable of:
  • Scanning systems: The solution should be able to scan systems and software to identify missing patches and vulnerabilities.
  • Prioritizing patches: The solution should prioritize patches based on the severity of the vulnerabilities and the potential impact on the organization.
  • Testing patches: The solution should be able to test patches in a non-production environment to ensure that they don't cause any compatibility issues or break existing functionality.
  • Deploying patches: The solution should be able to deploy patches to systems and software using automated tools, such as patch management software or configuration management tools.
  • Scheduling and automation: The solution should be able to schedule and automate patching tasks, such as scanning for updates, testing patches, and deploying them.
  • Reporting and monitoring: The solution should be able to provide reports on patch compliance and vulnerabilities and monitor systems and software for patch compliance.
  • Integrating with other security tools: The solution should be able to integrate with other security tools, such as antivirus software, firewalls, and intrusion detection systems.
  • Supporting various platforms: The solution should support various platforms, including servers, workstations, mobile devices, operating systems, and applications.
Detailed Requirement for Maturity Level 1:
  • An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
  • A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
  • A vulnerability scanner is used at least daily to identify missing patches or updates for security vulnerabilities in operating systems of internet-facing services.
  • A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in operating systems of workstations, servers and network devices.
  • Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
  • Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within one month of release.
  • Operating systems that are no longer supported by vendors are replaced.
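The patching timeframes in the Maturity Level 1 requirements for both Patch Applications and Patch Operating Systems are the same two rules (two weeks, or 48 hours when an exploit exists, for internet-facing services; one month for everything else), which makes them easy to check mechanically against a vulnerability scanner's findings. The following is an added example written for this page, not Outcomex's tooling: it computes each finding's deadline from the requirement text and reports whether it is compliant, patched late, still open, or overdue. "One month" is modelled as 30 days (an assumption), and the findings are constructed sample data.

```python
"""Patch timeframe check against the Maturity Level 1 requirements quoted in the
'Patch Applications' and 'Patch Operating Systems' sections above.

Added example, not Outcomex's tooling. Deadlines follow the requirement text:
  - internet-facing services and their operating systems: two weeks after
    release, or 48 hours if an exploit exists;
  - office productivity suites, browsers and extensions, email clients, PDF
    software, security products, and the operating systems of workstations,
    servers and network devices: one month after release.
Assumption: 'one month' is modelled as 30 days. The findings are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

INTERNET_FACING = "internet-facing"
STANDARD = "standard"   # everything on the one-month timeframe


@dataclass
class Finding:
    host: str
    product: str
    category: str                        # INTERNET_FACING or STANDARD
    released: datetime                   # release of the patch or vendor mitigation
    exploit_exists: bool
    patched: Optional[datetime] = None   # when it was applied, if at all


def deadline(f: Finding) -> datetime:
    """Latest acceptable application time for the finding."""
    if f.category == INTERNET_FACING:
        window = timedelta(hours=48) if f.exploit_exists else timedelta(days=14)
    else:
        # The requirement does not shorten the one-month window for exploited
        # vulnerabilities in this category, so exploit_exists is not consulted.
        window = timedelta(days=30)
    return f.released + window


def status(f: Finding, now: datetime) -> str:
    """'compliant', 'late' (patched after the deadline), 'open' or 'overdue'."""
    due = deadline(f)
    if f.patched is not None:
        return "compliant" if f.patched <= due else "late"
    return "overdue" if now > due else "open"


def assess(findings, now):
    """Map 'host:product' to (status, hours past deadline if overdue else 0)."""
    report = {}
    for f in findings:
        s = status(f, now)
        overdue_hours = 0
        if s == "overdue":
            overdue_hours = int((now - deadline(f)).total_seconds() // 3600)
        report[f"{f.host}:{f.product}"] = (s, overdue_hours)
    return report


# Constructed sample findings (not real hosts or vulnerabilities).
SAMPLE = [
    Finding("web01", "reverse-proxy", INTERNET_FACING, datetime(2024, 5, 20), True),
    Finding("web01", "server-os", INTERNET_FACING, datetime(2024, 5, 25), False),
    Finding("ws17", "pdf-reader", STANDARD, datetime(2024, 4, 20), True,
            patched=datetime(2024, 5, 15)),
    Finding("ws17", "web-browser", STANDARD, datetime(2024, 4, 1), False,
            patched=datetime(2024, 5, 10)),
    Finding("srv03", "server-os", STANDARD, datetime(2024, 4, 25), False),
]
NOW = datetime(2024, 6, 1)   # constructed 'current time' for the sample run

if __name__ == "__main__":
    for key, (s, hrs) in assess(SAMPLE, NOW).items():
        extra = f" ({hrs} h past deadline)" if hrs else ""
        print(f"{key:22} {s}{extra}")
```

The category a finding is placed in is the decision that matters most: an operating system patch on an internet-facing server falls under the two-week / 48-hour rule, while the same patch on an internal server has a month, so the asset inventory that feeds the scanner needs to record exposure, not just the product.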

Multi-Factor Authentication

Do you require more than one form of identification to access critical systems and data, such as passwords and smart cards or biometrics?
Recommendations:
  • Use MFA for all remote access: Require MFA for all remote access to systems, networks, and applications, including virtual private network (VPN) connections, remote desktop protocol (RDP) sessions, and web applications.
  • Use MFA for all administrative access: Require MFA for all administrative access to systems, networks, and applications, including privileged accounts and administrative consoles.
  • Use risk-based MFA: Implement risk-based MFA that adjusts the level of authentication required based on the risk of the access request, such as the location, device, or behavior of the user.
  • Use MFA for cloud applications: Require MFA for all cloud applications, such as email, file sharing, and customer relationship management (CRM) systems, to protect against unauthorized access.
  • Use MFA for privileged access management: Use MFA for privileged access management (PAM) systems to protect against unauthorized access to critical systems and data.
  • Monitor MFA usage: Monitor MFA usage and audit logs to identify potential security incidents, such as unauthorized access attempts or compromised credentials.
Detailed Requirement for Maturity Level 1:
  • Multi-factor authentication is used by an organisation's users if they authenticate to their organisation’s internet-facing services.
  • Multi-factor authentication is used by an organisation's users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's sensitive data.
  • Multi-factor authentication (where available) is used by an organisation’s users if they authenticate to third-party internet-facing services that process, store or communicate their organisation's non-sensitive data.
  • Multi-factor authentication is enabled by default for non-organisational users (but users can choose to opt out) if they authenticate to an organisation’s internet-facing services.
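The "Monitor MFA usage" recommendation above and the Maturity Level 1 requirement that users of internet-facing services authenticate with MFA can both be checked from sign-in logs. The following is an added example written for this page, not Outcomex's SOC tooling: it parses a constructed sign-in log (the one-event-per-line key=value format is an assumption), flags successful sign-ins to internet-facing services that did not use MFA, and flags accounts with repeated MFA failures, distinguishing the case where the failures were eventually followed by a success. Thresholds and every log line are constructed.

```python
"""Detection logic over sign-in events for the 'Monitor MFA usage'
recommendation and the Maturity Level 1 requirement that users authenticate to
internet-facing services with multi-factor authentication.

Added example, not Outcomex's SOC tooling. The log format is assumed (one
key=value event per line, in chronological order) and every line below is
constructed sample data.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2024-06-01T08:02:11Z user=alice service=webmail exposure=internet result=success mfa=yes
2024-06-01T08:05:40Z user=bob service=vpn exposure=internet result=success mfa=no
2024-06-01T08:06:02Z user=carol service=intranet-wiki exposure=internal result=success mfa=no
2024-06-01T08:10:15Z user=dave service=vpn exposure=internet result=failure mfa=failed
2024-06-01T08:10:49Z user=dave service=vpn exposure=internet result=failure mfa=failed
2024-06-01T08:11:20Z user=dave service=vpn exposure=internet result=failure mfa=failed
2024-06-01T08:12:03Z user=dave service=vpn exposure=internet result=failure mfa=failed
2024-06-01T08:12:44Z user=dave service=vpn exposure=internet result=success mfa=yes
this line is malformed and must be skipped rather than crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) service=(?P<service>\S+) "
    r"exposure=(?P<exposure>internet|internal) result=(?P<result>success|failure) "
    r"mfa=(?P<mfa>yes|no|failed)$"
)


def parse(log_text):
    """Return (events, skipped): well-formed events as dicts; malformed lines
    are counted rather than raised, so one bad line does not stop the run."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
        elif line.strip():
            skipped += 1
    return events, skipped


def detect(events, failure_threshold=3):
    """Two rules:
    1. A successful sign-in to an internet-facing service without MFA is a gap
       against the Maturity Level 1 requirement.
    2. At least failure_threshold MFA failures for one user/service pair is
       worth review; if a success follows the last failure, the password was
       evidently valid and only the second factor was being retried, which
       deserves a faster response."""
    alerts = []
    for e in events:
        if e["exposure"] == "internet" and e["result"] == "success" and e["mfa"] != "yes":
            alerts.append(("no_mfa_internet_facing", e["user"], e["service"]))

    per_pair = defaultdict(list)          # keeps log order within each pair
    for e in events:
        per_pair[(e["user"], e["service"])].append(e)
    for (user, service), seq in per_pair.items():
        fail_idx = [i for i, e in enumerate(seq) if e["mfa"] == "failed"]
        if len(fail_idx) < failure_threshold:
            continue
        success_after = any(e["result"] == "success" for e in seq[fail_idx[-1] + 1:])
        kind = "mfa_failures_then_success" if success_after else "repeated_mfa_failures"
        alerts.append((kind, user, service))
    return alerts


if __name__ == "__main__":
    evs, skipped = parse(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, skipped {skipped} malformed line(s)")
    for kind, user, service in detect(evs):
        print(f"{kind:28} user={user} service={service}")
```

The first rule is a configuration finding (the service accepted a password alone) and belongs with the service owner; the second is an operational alert for the user's account. Keeping the two apart in the output stops policy gaps from being buried in per-user noise.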

Regular Backups

Do you regularly back up your data and systems, and do you have a process to test the backup and recovery processes?
Recommendations:
Regular backups are essential for protecting against data loss, ensuring business continuity, complying with regulatory requirements, keeping recovery cost-effective, and providing peace of mind. By implementing a regular backup schedule and testing backup and recovery processes, organizations can minimize the risk of data loss and maintain business continuity in the event of an unexpected event or outage.
To implement regular backups, organizations should follow these best practices:
  • Determine backup frequency: The backup frequency should align with the organization's data retention policies and business needs. For example, critical systems and data may require daily backups, while less important data may only need to be backed up weekly or monthly.
  • Choose a backup method: There are several backup methods, including full backups, incremental backups, and differential backups. Each method has its advantages and disadvantages, so organizations should choose the method that best suits their needs.
  • Select a backup location: Backups should be stored in a secure location that is separate from the original data, such as an offsite facility or a cloud storage service.
  • Test backups regularly: Backups should be tested regularly to ensure that data can be restored quickly and accurately in the event of an outage or disaster.
  • Document backup procedures: Backup procedures should be documented, including backup schedules, backup methods, backup locations, and testing procedures.
  • Automate backups: Automated backup solutions can simplify the backup process and ensure that backups are performed consistently and reliably.
Detailed Requirement for Maturity Level 1:
  • Backups of important data, software and configuration settings are performed and retained with a frequency and retention timeframe in accordance with business continuity requirements.
  • Backups of important data, software and configuration settings are synchronised to enable restoration to a common point in time.
  • Backups of important data, software and configuration settings are retained in a secure and resilient manner.
  • Restoration of important data, software and configuration settings from backups to a common point in time is tested as part of disaster recovery exercises.
  • Unprivileged accounts cannot access backups belonging to other accounts.
  • Unprivileged accounts are prevented from modifying and deleting backups.
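Three of the Maturity Level 1 backup requirements above (frequency in line with business continuity requirements, synchronisation to a common point in time, and tested restoration) can be checked from a backup system's run history. The following is an added example written for this page, not Outcomex's tooling: given a per-system backup interval policy, the completion times of successful runs, and the date of each system's last restore test, it reports stale backups, whether the latest backups are close enough together to restore everything to one point in time, and which systems have an overdue or missing restore test. The policy, run history, timestamps and thresholds are all constructed or assumed.

```python
"""Backup health checks for the Maturity Level 1 backup requirements above:
backups taken at the frequency business continuity requires, synchronised so
that every system can be restored to a common point in time, and restoration
tested as part of disaster recovery exercises.

Added example, not Outcomex's tooling. The policy, run history, restore test
dates and thresholds are constructed sample data / assumptions.
"""
from datetime import datetime, timedelta

# Required interval between successful backups, per system (constructed policy).
POLICY = {
    "file-server":  timedelta(hours=24),
    "erp-database": timedelta(hours=4),
    "config-repo":  timedelta(hours=24),
}

# Completion times of successful backup runs (constructed; any order).
RUNS = {
    "file-server":  [datetime(2024, 5, 31, 1, 0), datetime(2024, 6, 1, 1, 0)],
    "erp-database": [datetime(2024, 5, 31, 20, 30), datetime(2024, 6, 1, 0, 30)],
    "config-repo":  [datetime(2024, 5, 28, 1, 0)],
}

# Date of the last successful restore test per system (None = never tested).
LAST_RESTORE_TEST = {
    "file-server":  datetime(2024, 1, 15),
    "erp-database": datetime(2024, 5, 20),
    "config-repo":  None,
}

NOW = datetime(2024, 6, 1, 9, 0)   # constructed 'current time' for the sample run


def stale_backups(now, runs=RUNS, policy=POLICY):
    """Systems whose newest successful backup is older than the policy interval
    (mapped to the age of that backup), or that have no successful backup at
    all (mapped to None)."""
    stale = {}
    for system, interval in policy.items():
        history = runs.get(system, [])
        if not history:
            stale[system] = None
            continue
        age = now - max(history)
        if age > interval:
            stale[system] = age
    return stale


def common_restore_point(runs=RUNS, max_spread=timedelta(hours=2)):
    """Return (synchronised, spread). The latest backups of all systems must
    fall within max_spread of each other for a consistent point-in-time
    restore; max_spread is an assumed tolerance."""
    latest = [max(h) for h in runs.values() if h]
    spread = max(latest) - min(latest)
    return spread <= max_spread, spread


def untested_restores(now, tests=LAST_RESTORE_TEST, max_age=timedelta(days=90)):
    """Systems whose restore has never been tested or was last tested more than
    max_age ago (90 days is an assumed exercise cadence)."""
    return sorted(s for s, t in tests.items() if t is None or now - t > max_age)


if __name__ == "__main__":
    print("stale backups:", {s: str(a) for s, a in stale_backups(NOW).items()})
    ok, spread = common_restore_point()
    print("common restore point:", "yes" if ok else f"no (latest backups spread over {spread})")
    print("restore test overdue or missing:", untested_restores(NOW))
```

In the sample data the ERP database is already 8.5 hours past its 4-hour interval, the configuration repository has had no backup for four days, and those two facts together mean there is no common point in time to restore to; a report like this is what the disaster recovery exercise should confirm before a restore is attempted.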