Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-9-4 – The personnel cybersecurity requirements during employment must include at least the following:
Understanding the Requirement
This control requires that organizations define and enforce clear personnel cybersecurity obligations that apply while staff are employed. At minimum, the policy must address the two sub-items listed in this control (1-9-4-1 and 1-9-4-2), which together ensure employees understand their security responsibilities and that the organization maintains ongoing controls — such as access rules, training, monitoring, and reporting — for the duration of employment.
Technical Implementation
- Onboarding and role-based access: Create a checklist that ties identity provisioning to job role. Use a simple role matrix to map required systems and privileges per role, and enforce least privilege through group membership and access request approval workflows. For SMBs, use built-in directory groups (e.g., Active Directory, Google Workspace) to automate initial assignments.
- Mandatory security training and periodic refreshers: Require completion of a short security orientation within the first week and quarterly micro-training modules (phishing awareness, data handling, device security). Track completion centrally (HR or LMS) and tie training completion to access reviews.
- Authentication and endpoint controls: Enforce multi-factor authentication for all remote and administrative access, implement company-approved device configuration baselines (antivirus, disk encryption, patching), and restrict the ability to install software for non-admin users.
- Continuous monitoring and periodic reviews: Run monthly access entitlement reviews and simple log monitoring for high-risk accounts (admins, finance). Use lightweight SIEM or centralized logging (or cloud provider logs) to detect anomalies and trigger a documented investigation workflow.
- Incident reporting and behavior expectations: Publish a one-page acceptable use and incident reporting policy that defines unacceptable actions, mandatory reporting timelines, and who to contact. Combine this with a confidential reporting channel and a clear escalation path for suspected breaches.
- Offboarding and change controls: Implement a checklist for role changes and exits that revokes access within 24 hours, collects company devices, and archives or transfers data. Tie HR processes to IT ticketing so terminations automatically queue account deactivation and device wipe.
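As an added example (not part of the original guidance or any tool it names), the following Python script runs the monthly entitlement review described above against a constructed directory export: it compares each account's groups to a role matrix, flags high-risk group members without MFA or with overdue quarterly training, and flags departed staff whose accounts are still active past the 24-hour offboarding window. The role, group and user names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed role matrix: the directory groups each role profile may hold.
# Role and group names are assumptions for this example, not values from the control.
ROLE_MATRIX = {
    "employee": {"all-staff", "mail"},
    "manager": {"all-staff", "mail", "finance-reports"},
    "admin": {"all-staff", "mail", "domain-admins"},
}
HIGH_RISK_GROUPS = {"domain-admins", "finance-reports"}  # admins, finance
TRAINING_REFRESH = timedelta(days=90)   # quarterly refresher window
OFFBOARD_SLA = timedelta(hours=24)      # access must be revoked within 24 hours

def review_entitlements(users, now):
    """Monthly entitlement review. Each user is a dict with keys: name, role,
    groups, mfa (bool), last_training (datetime|None), left_on (datetime|None),
    active (bool). Returns a list of (name, finding) pairs for follow-up."""
    findings = []
    for u in users:
        allowed = ROLE_MATRIX.get(u["role"])
        if allowed is None:
            findings.append((u["name"], "role not in role matrix"))
            continue
        extra = set(u["groups"]) - allowed          # privilege beyond the role
        if extra:
            findings.append((u["name"], "groups beyond role: " + ", ".join(sorted(extra))))
        if u["left_on"] and u["active"] and now - u["left_on"] > OFFBOARD_SLA:
            findings.append((u["name"], "account still active past 24h offboarding SLA"))
        high_risk = bool(set(u["groups"]) & HIGH_RISK_GROUPS)
        if high_risk and not u["mfa"]:
            findings.append((u["name"], "high-risk group without MFA"))
        overdue = u["last_training"] is None or now - u["last_training"] > TRAINING_REFRESH
        if high_risk and overdue:
            findings.append((u["name"], "training overdue: limit high-risk access"))
    return findings

# Constructed sample directory export for a three-person review.
NOW = datetime(2025, 3, 1, 9, 0)
SAMPLE_USERS = [
    {"name": "alice", "role": "employee", "groups": ["all-staff", "mail"], "mfa": True,
     "last_training": datetime(2025, 1, 15), "left_on": None, "active": True},
    {"name": "bob", "role": "employee", "groups": ["all-staff", "mail", "finance-reports"],
     "mfa": False, "last_training": datetime(2024, 10, 1), "left_on": None, "active": True},
    {"name": "carol", "role": "admin", "groups": ["all-staff", "mail", "domain-admins"],
     "mfa": True, "last_training": datetime(2025, 2, 1), "left_on": datetime(2025, 2, 27, 17, 0), "active": True},
]

if __name__ == "__main__":
    for name, finding in review_entitlements(SAMPLE_USERS, NOW):
        print(f"{name}: {finding}")
```

Each finding maps to one of the controls above (role matrix, MFA, training tracking, offboarding SLA), so the output can be attached directly to the review record as evidence.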
Example in a Small or Medium Business
Acme Office Supplies, a 45-person SMB, updated its personnel cybersecurity requirements to meet Control 1-9-4. HR and IT created a single onboarding packet that includes an account provisioning request and mandatory security orientation; new hires cannot get full access until orientation completion is recorded. The company defined three role profiles (employee, manager, admin) and assigned privileges accordingly, using centralized group management to reduce manual errors. All staff must complete a 20-minute phishing awareness module on hire and short refresher quizzes quarterly; non-compliance generates an HR reminder and temporary access limitation for high-risk systems. IT enforces MFA on all cloud services, uses a managed endpoint agent for patching and antivirus, and runs a monthly admin account entitlement review. A short incident reporting card explains how to report suspected phishing or data loss, with instructions to notify the IT lead within one hour for suspected breaches. When an employee leaves, HR triggers the offboarding checklist that disables accounts, collects devices, and archives shared files within 24 hours, ensuring access isn’t left open after departure.
Summary
By combining concise personnel policies (onboarding, acceptable use, reporting) with practical technical controls (role-based access, MFA, endpoint configuration, training tracking, and prompt offboarding), SMBs can satisfy Control 1-9-4. These policy and technical measures create clear employee expectations, reduce privileged access risk, enable rapid detection of suspicious activity, and ensure access is promptly revoked when roles change — delivering a balanced, achievable approach to protecting people and systems during employment.