Our client, a large Australian broadband provider.


As a provider of critical infrastructure, the client must maintain a strong array of security controls and detection capabilities that deliver a high level of resilience to attack. The role of Security for the client is to protect their people and assets from personnel, physical, and cyber security threats, and to build trust and confidence in their ability to deliver a reliable and fast broadband network.

In 2017 the Australian Signals Directorate (ASD) updated Strategies to mitigate Cyber Security Incidents which is a priority list of practical actions entities can take to secure their IT environment. The ASD also released the Essential Eight Maturity Model, to assist entities in assessing the level of implementation of the Essential Eight mitigation strategies.


nbn AUS safe fig1.jpg

Of these eight strategies, four are mandatory - application whitelisting, patching applications, patching operating systems, and restricting admin privileges.

The Australian National Audit Office (ANAO) conducts performance audits of government entities every few years to assess their cyber resilience against the Protective Security Policy Framework (PSPF) and the Essential Eight, in particular the four mandatory strategies (Application whitelisting, Patching Applications, Restrict administrative privileges and Patching operating systems).

The maturity levels each of the eight Security Controls are rated against are in the table below.

nbn AUS safe fig2.jpg

The minimum maturity level required for a pass mark in an audit is Level 3 - Fully aligned with the intent of the mitigation strategy. Under special circumstances some organisations will require a minimum of Level 4. Since 2013, many non-corporate commonwealth entities have been audited returning high rates of non-compliance. More detailed information for each Security Control’s Maturity Level requirement can be found on the Australian Signals Directorate website.

In 2018 the client created a project focusing on identifying current maturity level (not implemented, partly implemented, mostly implemented, fully implemented) of these Essential Eight mitigation strategies within the company to identify any gaps and to prioritise gap closure activities with the expected result being an increase to the clients Security Control maturity level and a pass audit by the ANAO i.e., Level 3 maturity achievement.



The client performed an internal audit on their own systems to assess where they believe their maturity level to be for each of the mitigation strategies. For each of the 8 Security Controls a maturity level is assigned as of the date of audit, from the maturity levels above (Figure 2). Each Control was assessed, and activities planned to improve this rating to Level 2 then Level 3 (if not already Level 3). A timeline was then created for each Control, with planned dates for each of the remediation activities and expected Maturity Level Increase.

FinXL supported the client by providing Consultants to work as part of their team delivering Risk and Remediation, Security Compliance, Security Network Architecture, and Supplier Security. Specifically, FinXL Consultants:

  • Reviewed current security practices,

  • Conducted risk assessments,

  • Recommended implementation strategies based off the Essential Eight, and

  • Created roadmaps to improve maturity, rolling out and monitoring security solutions.

Globally, the cyber threat environment has increased, with COVID-19 themed phishing and ransomware more prevalent. Physical attacks against telecommunications infrastructure attributed to COVID-19 conspiracy theories linked to 5G technology have also taken place. The security uplift project was completed in late 2020, successfully achieving Level 3 maturity for all eight of the mitigation strategies.