Leveling Up: How to Improve Your ACSC Recommended Maturity Model

The Australian Cyber Security Centre (ACSC), under the direction of the Australian Signals Directorate (ASD), offers security advice to protect national infrastructure. DevSecOps practitioners in the private sector, as well as state and territory governments, are encouraged to quantify their current cyber security maturity and to plan how they will move their organizations to higher levels.

“Now is a good time for businesses to be more aggressive in blocking potentially malicious emails and websites from their network gateway. Now more than ever, it is critical that businesses have their software patched and up to date,” says ACSC acting Head, Karl Hanmore.

The ACSC defines three maturity levels. Each level prescribes specific mitigation strategies, designed to reinforce one another. The most effective of these mitigation strategies are known as the Essential Eight.

All three maturity levels include a recommendation to patch or update applications, as shown below. Note how Level One calls for extreme-risk vulnerabilities to be remediated within one month, while more advanced Level Three organizations make fixes within 48 hours. Is there a better way? In a word: yes.

ACSC Mitigation Strategy: Patch or Update Applications

Here are ACSC’s three maturity levels, with emphasis added. 

Maturity Level One

Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within one month of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

Applications that are no longer supported by vendors with patches or updates for security vulnerabilities are updated or replaced with vendor-supported versions.

Maturity Level Two

Security vulnerabilities in applications and drivers assessed as extreme risk are patched, updated or mitigated within two weeks of the security vulnerabilities being identified by vendors, independent third parties, system managers or users.

Applications that are no longer supported by vendors with (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Cameron Townshend. Read the original post at: https://blog.sonatype.com/improve-acsc-recommended-maturity-model