Australia’s Department of Health, Leading the Compliance for Essential 8 Security Policy

The Australian’s Department of Health is a cybersecurity conscious-agency, out of the many executive departments in the land down under. This is through its push for the implementation of privileged access management (PAM) for the entire department, which will cover its compliance with the Australian government’s standard security controls.

This information has been communicated with the department’s Request for Tender. The essential eight is seen as de-facto rules when it comes to Australia’s move to harden its government’s cybersecurity status.

The essential 8 are the following, as quoted from the Request for Tender:

1. Implement application whitelisting, so only selected software applications can run.
2. Make sure all applications are kept patched.
3. Disable untrusted Microsoft Office macros, because they’re increasingly being used to enable the download of malware.
4. Harden users’ applications by blocking web browser access to Adobe Flash player, uninstalling it if possible; web advertisements; and untrusted Java code.
5. Restrict administrative privileges to people who truly need them for managing systems, installing legitimate software, and applying patches.
6. Patch operating systems, and keep them patched.
7. Use multi-factor authentication.
8. Back up important data daily, and store it securely.

“The eight mitigation strategies with an ‘essential’ effectiveness rating are so effective at mitigating targeted cyber intrusions and ransomware, that ASD considers them to be the cybersecurity baseline for all organizations. Any organization that has been compromised despite properly implementing these mitigation strategies is encouraged to notify ASD,” explained the Australian Signals Directorate, ASD for short, the main implementer of the essential 8 projects.

From the rules itself, the Australian government originally has targeted full implementation of the Essential Eight since 2013; compliance is slow but it is surely being implemented at each department’s phase. “Ultimately, the solution will increase the risk posture for the department and safeguarding its people and information from potential threats related to privileged accounts. The solution must have the ability to proxy privileged access to multiple ICT resources (including applications, services, servers, or network appliances), on-premises and in the cloud, in multiple forests, domains, and stand-alone instances,” the RFT document emphasized.

The Department of Health has a sizable computer network operating nationwide, composed of approximately 6,500 workstation-class login accounts, 150 admin-class login credentials using 1,700+ servers. Of those servers: 52% are Windows-based, 29% are running RedHat Enterprise Linux and the remaining 19% are running Unix. The Department also maintains a fleet of 500+ firewalls, switches and out routing equipment. As the Department also requires more computing power than what the budget for hardware provides, it is also a big client of Azure Cloud, Office 365 and Amazon Web Services.

“As a strategic priority, it is crucial that Commonwealth entities be accountable to the Australian Parliament on cybersecurity. In recent years, the non-mandatory survey has only been completed by 30-40 percent of entities. The Committee considers that the ASD survey serves an important role in assisting entities to be cyber-resilient. This is despite the fact that the Top Four mitigation strategies represent the minimum requirement for entities. Given the risks which have been identified as to the likely effects of either organization experiencing loss of data as a consequence of not being cyber resilient, this must be a priority,” explained the Parliamentary Joint Committee on Intelligence and Security.