Area | Control | SMB1001 Tier 3 - Gold | SMB1001 Tier 5 - Diamond | Cybersecurity Small Business Guide | CyberWardens Action Plan / Toolkit / Reflections | ID Care Resilience Plan Questionnaire | Essential Eight Maturity Level 1 |
|---|
Technology Management | Technical Support Specialist | 
| plus add a SLA with MSP | (mentioned) | | Specifies MSP | |
|---|
| Firewall |
|
| | | | |
|---|
| Anti Virus Software |
|
| (scans) |
| Specifies phones also (which is not a thing). | |
|---|
| Malware Detection | | | | | | |
|---|
| Devices Patched |
|
|
|
|
| Auto Vuln Scanner |
|---|
| TLS / SSL Certificate on Website |
|
| | | | |
|---|
| Protect Domain Names | | |
| | | |
|---|
| Servers Patched |
|
| | Automatic Updates | | Includes online services and vendor mitigations. Includes internal Office Suites |
|---|
| Scan Websites for Vulnerabilities | |
| (mentioned) | | | Vuln Scanner on internal and External Assets, inc Email, Browsers, Office Suites etc |
|---|
| Data Encrypted At Rest | |
| | | does not mention at rest specifically | |
|---|
| Application Control | |
| | | only certain applications to be downloaded (what about installed by other methods) | Including on Workstations. Restricts Access to Excecutables etc |
|---|
| Disable Microsoft Office Macros | | can be disabled with notification | | | | Except where demonstrated business Environment. With AV Scanning |
|---|
| Lock Devices | | | (Good!) plus secure mobile phones | Physical Security of devices. Good! | | |
|---|
| Conduct Penetration, Vulnerability and Social Engineering Testing | | | | | | |
|---|
| Remove Online Services No Longer In Use | | | |
| |
|
|---|
| Remove OS that are no longer supported by Vendors | | | | | |
|
|---|
| Browser Hardening | | | | | Internet Browser Protections | No IE11, No Java, No Web Ads, no changes by users. |
|---|
Education and Training | Cybersecurity Training |
| more involved |
| The Cyber Wardens program Soft Skills for Cyber Wardens. Good! | Understand latest scams and threats | |
|---|
| Understand consequences of an incident | | | | Good! | | |
|---|
| Review regularly | | | | Good! | | |
|---|
Access Management | Change Passwords Routinely |
|
| (strong passwords) | | | |
|---|
| No Admin Access |
|
| RBAC, Remove users (Good!) | | Changes to IT Environment by one person or role | Validate Requests for Access. Separate Account solely for Admin Usage. Privileged Users Internet Access Restricted. Separate Operating Environments |
|---|
| Individual User Accounts |
|
| (limit) | | | |
|---|
| Password Manager |
|
|
| strong push for passphrases | | |
|---|
| MFA on Email |
| no text, email or voice |
|
|
| All Organisation Online Services |
|---|
| MFA on Business Applications and Social Media |
| no text, email or voice |
| | | All Third Party Online Services |
|---|
| RDP over VPN |
|
| | | | |
|---|
| Remote Access Cloud Credentials Management | | including setting up SSO and IAM | | | | |
|---|
| MFA for Digital Data | | all important digital data no text, email or voice | | | | |
|---|
| MFA on VPNs | | no text, email or voice | | | | |
|---|
| MFA on RDP | | no text, email or voice | | | | |
|---|
| Wifi Passwords | | | | Separate Guest networks. Good! | | |
|---|
| Website | | | | Update your Website! Good! | | |
|---|
Backup and Recovery | Backup and Recovery |
| more involved, including testing |
| Includes testing Recovery! Good! | Weekly | more involved including no access to backups of other data by unprivileged users. |
|---|
| Business Cyber Insurance | |
| | | | |
|---|
Policies, Processes and Plans | Digital Asset Register |
| more details | (understand your data, consolidate your data! Good!) | Where is your data hiding. Good! Device Audit. Good! | Very privacy focused. Good! | Automated Asset Discovery |
|---|
| Confidentiality Agreement for Employees |
|
| | | | |
|---|
| Invoice Fraud Policy |
|
| | BEC scams |
| |
|---|
| Privacy Policy | | | | |
| |
|---|
| Visitor Register |
|
| | | | |
|---|
| Cybersecurity Policy |
|
| | | | |
|---|
| Incident Response Plan |
| including testing and more details |
| | Data Breach Response Plan | (in higher maturity levels) |
|---|
| Secure Physical Document Destruction |
|
| | | | |
|---|
| Secure Device Disposal |
|
|
| | | |
|---|
| Digital Trust Program for Suppliers | | | | Encourage suppliers to do Cyber Wardens also | | |
|---|
| Police Vetting for Employees with Admin Access | |
| | | | |
|---|