Victorian Protective Data Security Standard 17 (ICT Lifecycle) supports ASD TOP 4 and Essential Eight

The VPDSS control reference for Standard 17 (ICT Lifecycle) states that “an organisation should align its ICT security controls with the Information Security Manual (ISM) published by the Australian Signals Directorate (ASD)”.

To help organisations prioritise the application of risk-based ICT controls, CPDP encourages agencies and bodies to consider the ASD strategies to mitigate targeted cyber intrusions. These 35 strategies set out key technical measures designed to prevent targeted cyber intrusion based on intrusion observations from the ASD Cyber Security Operations Centre (CSOC).

ASD Top 4

The ASD CSOC estimates that at least 85% of the cyber intrusion techniques could be prevented by implementing the Top 4 mitigation strategies. As a package, the Top 4 mitigation strategies are highly effective in helping achieve a stronger ICT system.

These four mitigation strategies are more commonly referred to as the ASD TOP 4:

(1) Application whitelisting to ensure that only software that is specified and authorised can run on a system;

(2) Patching third party applications;

(3) Patching operating systems; and

(4) Restricting administrative privileges.

Implementing the top four strategies helps to secure an ICT system by preventing cyber intrusions and making your network more resilient.

Organisations should continue to conduct risk assessments and implement other mitigation strategies as required to protect their ICT systems.

The evidence to date clearly indicates the ‘Catch, Patch, Match’ approach is the best way to mitigate against cyber intrusions, protect your most valuable information and enhance the resilience of your networks. To help explain this approach, ASD has produced a short video, which can be accessed here: http://www.asd.gov.au/videos/catch-patch-match.htm

Catch malware by application whitelisting;
Patch software and operating systems; and
Match administrator rights to the right people.

Essential Eight

In February 2017, ASD published the Essential Eight. Incorporating the Top 4, the eight mitigation strategies with an 'essential' effectiveness rating are so effective at mitigating targeted cyber intrusions and ransomware that ASD considers them to be the cyber security baseline for all organisations. More information can be found here:

https://www.asd.gov.au/publications/protect/essential-eight-explained.htm

Implementation guidance

ASD recommends before implementing the strategies, organisations need to identify their assets and perform a risk assessment to identify the level of protection required from cyber threats which complements the VPDSF 5 step action plan. ASD recommends organisations:

a .Identify which assets require protection

b. Identify which adversaries are most likely to compromise their information

c. Identify what level of protection is required – use the Essential Eight strategies as a baseline and then select other relevant strategies based on the risks to their business.

Additional supporting material

ASD have also produced a range of supporting material to help organisations implement the strategies to mitigate targeted cyber intrusions.

This material can be accessed here - http://www.asd.gov.au/infosec/mitigationstrategies.htm