State Library of New South Wales accelerates Essential Eight compliance
The State Library of New South Wales is a large reference and research library open to the public. It is the oldest library in Australia, but the Library’s approach to technology is modern.
Challenge
The IT team’s remit includes work to improve existing ICT services, develop new services, respond to incidents, action service requests and rebuild devices. The team manage a vast array of devices, including around 500 staff devices, 100 public-use devices, print and scan devices, bespoke devices for exhibitions and school groups, network infrastructure, projectors, displays and conferencing devices.
As a NSW Government agency, the Library complies with the NSW Government Cyber Security Policy. Among other requirements, the Library also prioritises compliance with the ACSC Essential Eight controls.
What is the Essential Eight?
The Essential Eight is a security framework developed by the Australian Signals Directorate (ASD). Like other frameworks, such as CIS Controls or NIST CSF, it aims to mitigate risk from common threats with a comprehensive approach to multiple security controls, including network security, endpoint security, and incident response. The Essential Eight complements other industry standards and frameworks and provides actionable recommendations.
The mitigation strategies cover the following:
patch applications
patch operating systems
multi-factor authentication
restrict administrative privileges
application control
restrict Microsoft Office macros
user application hardening
regular backups.
When implementing the Essential Eight framework, organisations should determine which maturity levels align with their specific environment. Typically, Maturity Level One is appropriate for small to medium enterprises, Maturity Level Two for large enterprises, and Maturity Level Three for critical infrastructure providers and organisations operating in high-threat environments.
The Library identified Maturity Level Two as the appropriate approach.
A rush to comply with Essential Eight controls
When mandatory guidelines changed, the Library’s IT team was at capacity. Simon Handfield, the Desktop and Infrastructure Leader, realised the Library would either fail to meet the deadline for compliance with Essential Eight controls or have to hire new team members, which was not a feasible option.
Inconsistent application updates
With 300 to 400 applications in use on employee and public devices, the IT team were only able to roll out patches when there was a new feature or a major release.
“Even when a major new version of an application with new features was released, it took considerable time for us to fit into our schedule, delaying when staff could make use of the new features.”
Manual operating system patching
Another headache for the team was controlling operating system updates. The team was managing operating system updates through its SCCM, which involved time-consuming manual interventions that inconvenienced employees while their devices were remediated.
Rapid shift to remote work
When the Library was forced to rapidly adopt a remote work model during the COVID-19 pandemic, their SCCM presented additional roadblocks to meeting Essential Eight controls, specifically in maintaining consistent updates across their now hyper-distributed fleet.
At the time, the Library had already embraced some cloud infrastructure and was able to support remote access; however, employee devices were not originally configured to operate offsite for prolonged periods.
Along with having issues enforcing policies, the SCCM could not apply patches consistently, so the team couldn’t rely on it. This meant devices could drift out of compliance over time, which required considerable effort to identify and rectify.
Solution
The team determined that an external solution or service was the best option for helping the Library comply with Essential Eight controls. After consideration, they selected a product solution, Devicie, to automate traditionally manual IT workflows on Intune and enhance reporting.
“The Devicie team has worked closely with us to achieve our goals, collaborating on the selection of security policies appropriate for our staff’s business and productivity requirements and the Library’s risk appetite.”
Consistent, automated application updates
After onboarding Devicie, manually updating applications became something for the history books. All application updates are now automatically actioned in accordance with the Library's Intune tenant policies. This allowed the Library to meet Essential Eight controls relating to application updates.
“Keeping devices and their applications updated and compliant reduces the Library’s risk of compromise. New vulnerabilities are promptly mitigated with updated application versions and OS security updates.”
Automating application updates affords the team more time to improve their services and support colleagues while knowing applications are kept up to date and protected against new vulnerabilities.
Regular automated operating system patching
By configuring policies and deploying operating system updates automatically through Intune in conjunction with Devicie, devices are patched regularly, irrespective of location, by design, without needing internal resources or manual intervention.
“We wouldn't have been able to meet what we needed to meet for patching if we didn't have Devicie.”
Enhanced visibility and reporting
The team now have complete visibility and control over the Library's fleet via the Devicie dashboard. They can see which applications are running on each device, which operating system versions are installed, and the status of patches and updates.
This level of visibility is not only crucial in today's modern and remote workplace but also a requirement of Essential Eight controls.
An instant security uplift
Devicie supports defence in depth, including automating over 300 security controls in line with Essential Eight controls and CIS benchmarks.
Whilst onboarding Devicie, the IT team was able to select and tailor the controls and policies to best suit their needs and environment. The security controls and policies were automatically applied, giving the Library an instant security uplift.
“We have had a penetration test of our SOE, developed in conjunction with Devicie and the report is very positive.”
Automation for enhanced productivity and security
Replacing time-consuming and error-prone manual tasks with automated processes allowed the Library to implement defence in depth rapidly and easily across their fleet in line with the Essential Eight.
And, by reducing the time and resources required to maintain a secure environment, the Library can now focus their efforts on developing or improving services and assisting staff rather than packaging applications and updates.
“The challenge for us was keeping devices healthy and up to date; not because we don't have the skills, but because we don't have the time. It would have taken us at least 12 months to do ourselves what Devicie did in less than one.”