Top 6 Australian Cybersecurity Frameworks You Should Know


Protecting your data has never been more crucial. In the 2022-23 financial year, around 94,000 cybercrime reports were made in Australia, an increase of 23% on the previous financial year. That is bad news for Australian businesses, and the number has not fallen since; it has continued to rise.

The Australian Government, through the Australian Signals Directorate (ASD) and its Australian Cyber Security Centre (ACSC), along with other agencies and regulators, has published a number of cybersecurity frameworks to help businesses and government entities defend against cybercrime. Choosing the right framework for your business, however, can be confusing.

This blog outlines the top Australian cybersecurity frameworks and helps you choose the best one, or the best combination, for your business.

Top 6 Australian Cybersecurity Frameworks for your business

ACSC Essential Eight

The Australian Cyber Security Centre (ACSC), part of ASD, introduced the Essential Eight in 2017 to help Australian organisations mitigate the most common cyber threats. It consists of eight mitigation strategies grouped under three objectives. Organisations should identify the target maturity level suitable for their business environment and implement each strategy progressively until that target is reached.

The three objectives of Essential Eight are:

Objective 1: Prevent cyberattacks

The first group of strategies aims to prevent malicious software such as malware and ransomware from being delivered to and executed on internal systems. This objective includes the following strategies:

  • Patch applications
  • Application control
  • User application hardening
  • Configure Microsoft Office macro settings

Objective 2: Limit the extent of cyberattacks

The second group aims to limit how far an attacker can get once they have a foothold, by closing off the privileges, unpatched systems and weak logins that enable lateral movement and privilege escalation. This objective includes the following strategies:

  • Restrict administrative privileges
  • Patch operating systems
  • Multi-factor authentication (MFA)

Objective 3: Data recovery and system availability

The final group covers the last stage of an incident: recovery. Important data, software and configuration settings must be backed up regularly, with backups kept secure and tested, so that systems can be restored promptly after an incident. This objective includes only one strategy:

  • Regular backups (described in earlier versions of the model as daily backups)

For each mitigation strategy, ASD defines a maturity scale, and an organisation's overall maturity level is the lowest level it has reached across all eight strategies.

  • Maturity level zero: significant weaknesses; not aligned with the intent of the mitigation strategy
  • Maturity level one: partly aligned with the intent of the mitigation strategy
  • Maturity level two: mostly aligned with the intent of the mitigation strategy
  • Maturity level three: fully aligned with the intent of the mitigation strategy

Which industries does the Essential Eight apply to?

The Australian Signals Directorate recommends that all Australian government entities and businesses, regardless of industry, implement the Essential Eight as a baseline of cybersecurity practice.

Is the Essential Eight mandatory for Australian Businesses?

The Australian Federal Government has mandated the Essential Eight for the 98 non-corporate Commonwealth entities (NCCEs) through the Protective Security Policy Framework, and corporate Commonwealth entities are strongly encouraged to implement it as well. To evaluate compliance, NCCEs are to undergo a comprehensive audit every five years, beginning in June 2022.

Before this, government entities were only required to comply with the "Top Four" strategies of the Essential Eight. However, after audits revealed poor cyber resilience across multiple government departments, the requirement was expanded to all eight strategies for every NCCE.

Separately, since 2018 the Notifiable Data Breaches scheme has required businesses with an annual turnover of more than $3 million (and certain smaller entities covered by the Privacy Act) to report eligible data breaches to the Office of the Australian Information Commissioner (OAIC), whether or not they have adopted the Essential Eight.

Australian Energy Sector Cyber Security Framework (AESCSF)

The Australian Energy Sector Cyber Security Framework (AESCSF) was developed for the Australian energy sector to enable participants to assess, evaluate, prioritise and improve their cyber security capabilities and maturity. It is tailored to address the increasing cyber risk faced by Australian energy operators and aligns with Australian policies and guidelines. Since its creation its application has extended beyond electricity to other parts of critical infrastructure such as gas and liquid fuels. Using it across organisations supports consistent assessment across the Australian energy market and comparability with the international models it draws on.

The AESCSF was developed in 2018 through collaboration with industry and government stakeholders, including:

  • Australian Energy Market Operator (AEMO)
  • Australian Cyber Security Centre (ACSC)
  • Cyber and Infrastructure Security Centre (CISC)
  • Representatives from Australian energy organisations

To apply a high level of cyber threat protection to Australian energy infrastructure, the AESCSF combines a maturity-based risk management approach with elements of recognised security frameworks and Australian regulatory obligations, including:

  • The US Department of Energy’s Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)
  • National Institute of Standards and Technology Cyber Security Framework (NIST CSF)
  • ISO/IEC 27001
  • NIST SP 800-53
  • COBIT
  • ACSC Essential 8 Strategies to Mitigate Cyber Security Incidents
  • Australian Privacy Principles (APPs)
  • Notifiable Data Breaches (NDB)

Is the AESCSF mandatory for Australian Businesses?

The AESCSF is not a mandatory security framework for the Australian energy sector; assessment against it is run as a voluntary program. However, because critical infrastructure is actively targeted by cybercriminals and state actors, the framework is recommended for the clear maturity pathway it provides.

Australian Government Protective Security Policy Framework (PSPF)

The Protective Security Policy Framework (PSPF) assists Australian Government entities in protecting their people, information and assets.

Its main goal is to cultivate a positive security culture across all entities. It applies to entities' operations both in Australia and overseas.

The PSPF sets out policies under four security outcomes. Each policy has core requirements and supporting guidance:

  • Security governance
  • Information security
  • Personnel security
  • Physical security

PSPF outlines five principles that represent desired security outcomes:

  1. Security is everyone’s responsibility – Developing and fostering a positive security culture is critical to security outcomes.
  2. Security enables the business of government – It supports the efficient and effective delivery of services.
  3. Security measures protect entities, people, information and assets in line with their assessed risks
  4. Accountable authorities own the security risks of their entity and the entity’s impact on shared risk.
  5. A cycle of action, evaluation and learning is evident in response to security incidents.

Is the PSPF mandatory for Australian Businesses?

The PSPF is mandatory for non-corporate Commonwealth entities, which must apply it in proportion to their assessed risk profiles; corporate Commonwealth entities and wholly owned Commonwealth companies are encouraged to adopt it as better practice. The framework became a formal requirement in 2018, when the Attorney-General issued the reformed PSPF as Australian Government policy. The PSPF is also regarded as best practice for Australian state and territory agencies.

The Australian Security of Critical Infrastructure Act 2018

The Security of Critical Infrastructure Act 2018 (SOCI Act) seeks to manage national security risks to Australian critical infrastructure, including sabotage, espionage and coercion arising from foreign involvement. As originally enacted, its powers, functions and obligations applied to specific critical infrastructure assets in the electricity, gas, water and ports sectors.

The original Act imposed three main obligations on owners and operators of critical infrastructure:

  1. They must register all relevant assets on the Register of Critical Infrastructure Assets.
  2. They must supply the Department of Home Affairs with any information it requires to support its security assessments.
  3. They must comply with directions from the Minister for Home Affairs to mitigate national security risks, a power reserved for cases where all other risk mitigation efforts have been exhausted.

On 10 December 2020, the Australian Government introduced the Security Legislation Amendment (Critical Infrastructure) Bill to broaden the definition of critical infrastructure in the SOCI Act. The reforms were enacted in two tranches, in December 2021 and April 2022.

The Act now applies to 22 asset classes across 11 sectors: communications, data storage or processing, defence industry, financial services and markets, food and grocery, health care and medical, transport, higher education and research, energy, space technology, and water and sewerage.

Is the Security of Critical Infrastructure Act 2018 mandatory for Australian Businesses?

Yes. Unlike the frameworks above, the SOCI Act is legislation rather than voluntary guidance. Responsible entities for critical infrastructure assets must register those assets, report cyber security incidents to ASD (within 12 hours for incidents with a significant impact on the availability of the asset, and within 72 hours for other relevant incidents), and, for asset classes where the rules have been switched on, maintain a critical infrastructure risk management program. Check whether your organisation operates an asset in one of the 22 asset classes; if it does, these obligations apply.

South Australian Cyber Security Framework (SACSF)

The South Australian Cyber Security Framework (SACSF) is a Cabinet-approved, whole-of-government approach designed to ensure cybersecurity is adequately managed in every South Australian agency, while giving each organisation flexibility in how it addresses the policy. The SACSF replaced the Information Security Management Framework (ISMF) in December 2019.

The framework contains 21 policy statements that are grouped into four principles:

1. Governance: Manage security risks and support a positive security culture, with clear lines of accountability, strategic planning, assurance and review, and proportionate reporting.
2. Information: Maintain the confidentiality, integrity and availability of information through controlled access to information, incident response plans and supporting business resilience plans.
3. Personnel: Ensure employees and contractors are the right people for the job, through screening, continual education and awareness of cyber risks.
4. Physical: Provide a safe and secure physical environment for people, information and assets.

Is the SACSF mandatory for Australian Businesses?

The SACSF is mandatory for all South Australian Government public sector agencies, suppliers, and service providers to government agencies.

Information Security Manual (ISM)

The Information Security Manual (ISM) is published by the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC). The goal of the ISM is to provide a cybersecurity framework that organisations can apply, using their own risk management framework, to protect their systems and data from cyber threats.

The ISM is intended for Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), cybersecurity professionals and IT managers.

The ISM's cyber security principles provide strategic guidance on how organisations can protect their systems and data from cyber threats and attacks. These principles are divided into four categories: govern, protect, detect and respond. Beneath the principles sit detailed security controls, and to demonstrate compliance an organisation must show, through documented controls and assessment, that it has implemented the controls relevant to its systems or has accepted the residual risk.

Is the Information Security Manual mandatory for Australian Businesses?

The ISM is not law in itself, but non-corporate Commonwealth entities are required under the PSPF to apply it, and suppliers that handle Australian Government data are assessed against it. If you work with, or want to work with, government-protected data, for example as a cloud provider undergoing an Infosec Registered Assessors Program (IRAP) assessment, following the ISM is effectively mandatory.

Final Thoughts

Choosing the right framework, or combination of frameworks, depends on your organisation's specific needs, industry and obligations. Every organisation in Australia should at least be aware of these frameworks and consider incorporating their principles into its cybersecurity strategy. A layered approach is key: combining these frameworks with cybersecurity services and additional measures such as employee training, incident response planning and regular security assessments significantly reduces the risk of cyberattacks and protects your valuable data and assets.
