Essential Eight Maturity Calculator

Does your organisation restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications, and control panel applets on workstations to an approved set?

Are application control rules applied to both workstations and internet-facing servers, with rules validated on an annual or more frequent basis?

Are Microsoft's recommended application blocklist and recommended driver blocklist implemented, and are application control rules validated at least every six months?

Does your organisation's application control cover all user-accessible locations including temporary folders, and are allowed and blocked execution events centrally logged and monitored?

Does your organisation have a process to identify and patch security vulnerabilities in internet-facing services, office productivity suites, web browsers, email clients, PDF viewers, and security products within two weeks of release (or 48 hours for critical exploited vulnerabilities)?

Are patches for all applications (not just internet-facing) applied within two weeks, or within 48 hours for critical exploited vulnerabilities, and is an automated asset discovery process run at least fortnightly?

Are patches for internet-facing services applied within 48 hours of availability when vulnerabilities are assessed as critical, and is automated asset discovery run at least daily?

Does your organisation use a vulnerability scanner at least daily to identify missing patches, and are applications that are no longer supported by vendors removed or isolated?

Are Microsoft Office macros disabled for users who do not have a demonstrated business requirement, and are macros in files originating from the internet blocked?

Are macro security settings configured to block macros from the internet, are only signed macros allowed for users with a business requirement, and are Win32 API calls from macros blocked?

Are only macros running from within a Trusted Location (where write access is limited to personnel responsible for vetting macros) allowed to execute, and are macros digitally signed by a trusted publisher?

Are Microsoft Office macro security settings validated at least annually, and are allowed and blocked macro execution events centrally logged and monitored?

Are web browsers configured to block or disable Flash content, web advertisements, and Java from the internet, and are Internet Explorer 11 and other unsupported browsers disabled?

Are web browsers hardened to block Java, web advertisements, and unnecessary features, and are Office productivity suites configured to block OLE packages and disable unnecessary functionality?

Does your organisation restrict .NET execution to an approved list, and are PowerShell scripts blocked from executing unless they meet application control requirements?

Are user application hardening settings validated at least annually, and are related security events (e.g., blocked content, child process creation) centrally logged and monitored?

Are requests for privileged access to systems validated when first requested, and are privileged accounts restricted from reading email, browsing the web, and accessing internet services?

Are privileged accounts separated into distinct tiers (e.g., workstation admin, server admin, domain admin), and are privileged access events centrally logged?

Is just-in-time administration used for administering servers and network infrastructure, and are privileged accounts (excluding break-glass accounts) prevented from being members of the local administrators group?

Are the number of privileged accounts regularly reviewed and minimised, are credentials for privileged accounts long and unique, and are privileged access activities monitored for anomalous behaviour?

Does your organisation patch security vulnerabilities in operating systems of internet-facing services and workstations within two weeks, or 48 hours for critical exploited vulnerabilities?

Are operating system patches applied to all systems (not just internet-facing) within two weeks, or 48 hours for critical exploited vulnerabilities, and is automated asset discovery run at least fortnightly?

Is a vulnerability scanner used at least daily to identify missing operating system patches, and is automated asset discovery run at least daily?

Are operating systems that are no longer supported by vendors replaced or isolated, and does your organisation have a comprehensive, near-real-time view of its operating system patch status?

Is multi-factor authentication (MFA) used to authenticate users to their organisation's internet-facing services, and to authenticate privileged users of systems?

Is MFA used to authenticate all users to their organisation's internet-facing services and to authenticate privileged users of important data repositories, and does MFA use at least two of: something the user knows, has, or is?

Is phishing-resistant MFA (e.g., FIDO2 security keys, Windows Hello for Business with hardware TPM) used for authenticating users to internet-facing services and privileged users of systems?

Is phishing-resistant MFA enforced for all users accessing important systems and data, and are MFA events centrally logged and monitored for anomalous activity?

Are backups of important information, software, and configuration settings performed and retained in accordance with business continuity requirements?

Are backups stored offline or disconnected from the network, and are backup restoration processes tested at least once when initially implemented and when significant changes occur?

Are unprivileged accounts unable to access, modify, or delete backups, and are privileged accounts (excluding backup administrator accounts) unable to access, modify, or delete backups?

Are backup restoration processes tested at least annually as part of disaster recovery exercises, and are backup storage media protected commensurate with the sensitivity of the data?