A summary of the changes states that they cover patching timeframes, adoption of phishing-resistant multifactor authentication, management of cloud services, and incident detection and response for internet-facing infrastructure, among other aspects.
The update includes “additional focus on higher priority patching scenarios”. For example, when vendors assess a vulnerability to be of a critical nature, “organisations should patch, update or otherwise mitigate vulnerabilities within 48 hours. This change impacts Maturity Level One through Maturity Level Three.”
The changes also address adoption of “weaker forms of MFA that used biometrics, security questions or ‘Trusted Signals’, none of which are recognised as valid authentication factors within standards.”
Previously, Maturity Level One did not specify the types of authentication factors that could be used for multi-factor authentication (MFA).
A new minimum standard impacting Maturity Level One requires “‘something users have’, in addition to ‘something users know’”. This change
ASD has also responded to “ongoing attacks against citizens that continue to rely on just passwords for online customer services”, by introducing a requirement for organisations to “enforce the use of MFA for protecting web portals that store sensitive customer data (e.g. personal, health or identity-related data)”.
This change “amends the existing requirement that allowed customers to easily opt-out of using MFA and instead use very weak password-based authentication.”
The option of phishing-resistant MFA for customers at lower maturity levels has also been adopted.
The updated Essential Eight also takes into account data governance processes. “Due to the absence of governance processes for granting, controlling and rescinding privileged access to data repositories, requirements have been added to ensure consistency with governance processes for granting, controlling and rescinding privileged access to systems and applications,” the change summary notes. This change impacts Maturity Level One through Maturity Level Three.