jnnk
ServiceNow Employee

Introduction

The Australian Cyber Security Centre (ACSC), to assist organizations in protecting themselves against various cyber threats, has developed the Essential Eight, which is recognized as the most effective set of mitigation strategies from ACSC’s published Strategies to Mitigate Cyber Security Incidents.


The Essential Eight Maturity Model is developed from ACSC’s experience and lessons learnt from cyber security incidents, cyber threat intelligence and completed penetration tests. It is important to note that the Essential Eight will not mitigate all cyber threats; additional mitigation strategies and security controls need to be considered, including those from the Strategies to Mitigate Cyber Security Incidents and the Information Security Manual (ISM).


Assessment

The approach to assessing the implementation and effectiveness of the Essential Eight controls is detailed in the Essential Eight Maturity Model; however, additional ACSC guidance and tools should also be used. These include:


The Essential Eight Maturity Model describes three target maturity levels (Maturity Level One through to Maturity Level Three), which correspond to increasing levels of preventative measures. Assessment depends on the size and complexity of the systems, and relies heavily on the assessor’s experience and judgement, including expertise in determining the effectiveness of any compensating controls in meeting the targeted overall protection level.


ServiceNow Response to Essential Eight

ServiceNow’s self-assessed Essential Eight maturity level assessment can be made available to ServiceNow customers. If required, please reach out to your ServiceNow account team and request a copy of ServiceNow’s Essential Eight maturity level assessment report.


It is important to note that ServiceNow’s security framework is based on ISO/IEC 27002:2013. ServiceNow has been an ISO 27001 certified organization since 2012 and is also ISO/IEC 27017:2015 and 27018:2019 certified. Additionally, ServiceNow’s Australian Region Cloud Services provide two distinct cloud services, namely:

  • Commercial Cloud, which has been assessed to meet the "OFFICIAL" data classification security controls detailed in the Information Security Manual (ISM)
  • PROTECTED Platform, which has been assessed to meet the "PROTECTED" data classification security controls detailed in the Information Security Manual (ISM)


ServiceNow’s IRAP assessment reports can be made available to ServiceNow customers. If required, please reach out to your ServiceNow account team and request a copy of ServiceNow’s IRAP assessment report.


ServiceNow customers should be aware that the Essential Eight is primarily designed to protect Microsoft Windows-based internet-connected networks. While the Essential Eight may be applied to cloud services, enterprise mobility, or other operating systems, it was not primarily designed for such purposes, and alternative mitigation strategies may be more appropriate for the unique cyber threats to these environments, such as ServiceNow’s independent IRAP assessments against the Australian ISM controls.


In light of the above, ServiceNow prefers and highly recommends that ServiceNow customers use the Essential Eight to ISM Mapping, in addition to ServiceNow’s IRAP assessment report, to determine how ServiceNow addresses the relevant requirements defined in the Essential Eight.


ServiceNow customer responsibility

ServiceNow provides a cloud-based platform and solutions that deliver digital experiences to automate, predict, digitize, and optimize business processes and tasks across the enterprise. ServiceNow customers gain the benefits of a common, highly standardized cloud infrastructure, while realizing the security benefits of customer-specific isolation at the application and database layers.


As with all PaaS and SaaS cloud service providers, the overall security responsibilities are shared between the customer, ServiceNow, and the data center provider.


[Image: jnnk_0-1692681693923.png]


As the data controller, ServiceNow customers control the data that is stored in their ServiceNow instance and are responsible for the data life cycle management of all data placed into their instance, such as determining who has access rights to their instance and to the data stored in it.


As the data processor, ServiceNow provides its customers with extensive capabilities and tools to configure, secure, manage and audit their instances to meet their own security policies and requirements. In general, from an operational perspective, ServiceNow does not access customer data, although this is sometimes necessary in the course of resolving customer support tickets.


ServiceNow customers have control over the security of their instance and their data within the ServiceNow cloud. ServiceNow customers can adjust specific security settings within the instance to harden the application or platform configuration to meet their unique security or compliance requirements.


For example, ServiceNow customers can choose from several data-at-rest encryption options, manage application-level role-based access controls, tag and classify sensitive data, and select authentication mechanisms. Additional ServiceNow recommendations include, but are not limited to, that ServiceNow customers should:

  • conduct an annual application-level penetration test.
  • export instance logs for continuous monitoring.

Find out more in ServiceNow's Security Best Practice Guide.


Additional helpful information:

https://blogs.servicenow.com/content/dam/servicenow-assets/public/en-us/doc-type/resource-center/ebo...


https://your.servicenow.com/microsoftregulatedindustries/australia/whitepaper-accelerating-digital-t...