Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-1-3 – Acceptable use policy of information and technology assets must be defined, documented and approved.
Understanding the Requirement
This control requires your organization to create a formal acceptable use policy (AUP) that defines how information and technology assets may be used, documents those rules, and secures executive approval before enforcement. As part of the Essential Cybersecurity Controls (ECC – 2 : 2024) framework, the policy should include specific regulations for access and use, clear examples of unacceptable behaviors, defined consequences for breaches, and the methods you will use to monitor compliance. The policy must then be communicated to all employees and stakeholders and backed by the organization’s leadership.
Technical Implementation
- Draft a focused AUP document: Begin with a short, clearly worded policy that states scope (devices, systems, cloud services), who it applies to (employees, contractors, third parties), and primary objectives (confidentiality, integrity, availability). Use plain language and include definitions of key terms to avoid ambiguity.
- List permitted and prohibited actions with examples: Provide concrete examples of acceptable use (e.g., work email for client communication, approved SaaS tools) and unacceptable use (e.g., installing unauthorized file-sharing apps, using corporate accounts for personal finance). Real examples reduce disputes and make enforcement straightforward.
- Define consequences and escalation: Specify disciplinary steps for violations (warnings, retraining, suspension of access, termination) and tie enforcement to HR and legal processes. Include a clear process for reporting suspected violations and how incidents will be investigated.
- Document monitoring and privacy boundaries: Describe what monitoring will occur (device logs, web filtering, data loss prevention alerts), who can access monitoring data, and how you will protect employee privacy. Ensure monitoring methods are technically implementable (SIEM alerts, endpoint logging) and legally compliant.
- Secure formal approval and ownership: Obtain sign-off from Executive Management (CEO or deputy) to show leadership support, and assign an owner (IT manager or security lead) responsible for maintaining and enforcing the AUP.
- Communicate and enforce with technical controls: Publish the AUP via official email and the company intranet/website, require signed acknowledgment during onboarding and annually, and enforce rules using MDM, access controls, DLP, web filtering, and group policy to reduce reliance on manual enforcement.
Example in a Small or Medium Business
A regional marketing agency with 45 employees created an AUP to reduce data leaks and limit use of personal cloud storage. The IT manager drafted a two-page policy that defined company devices, approved collaboration tools, and gave three clear examples of unacceptable use — installing consumer file-sharing apps, exposing client data in personal emails, and using weak public Wi‑Fi without a company VPN. The draft named the HR director and IT manager as enforcement points and described monitoring via endpoint logs and DLP alerts. The agency head reviewed and approved the policy, then the HR team emailed the policy and posted it to the company intranet. New hires must sign an acknowledgment during onboarding and all staff complete a short training module that highlights the most common violations and consequences. IT applied MDM to company phones, blocked unauthorized cloud storage in network controls, and configured alerts for large outbound transfers. The agency reviews the policy annually and after any incident to keep rules aligned with tools and client expectations.
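As an added illustration of the monitoring steps described above (the DLP and endpoint alerts in the implementation list, and the agency's blocked cloud storage and large-outbound-transfer alerts), here is a small Python check that applies a written AUP rule set to proxy log lines. It is example code, not part of ECC 2-1-3 or any product; the domain lists, the log format and the 50 MiB threshold are assumptions, and the log lines are constructed.

```python
"""AUP monitoring check: flag outbound transfers that breach the policy's
monitoring rules. Added example; domains, threshold and log format are assumed."""
from dataclasses import dataclass
import re

# Assumed AUP rule set: approved collaboration services, known unsanctioned
# consumer storage, and a size above which uploads are escalated for review.
APPROVED_DOMAINS = {"mail.example-agency.com", "drive.approved-saas.com"}
UNSANCTIONED_STORAGE = {"share.consumer-files.example", "box.personal-cloud.example"}
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024  # 50 MiB (assumed threshold)

# Constructed proxy-log format: <timestamp> <user> <method> <host> <bytes_out>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


@dataclass(frozen=True)
class Alert:
    user: str
    host: str
    rule: str
    bytes_out: int


def evaluate_line(line: str) -> list:
    """Return the AUP rules one log line violates (empty list if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # malformed lines are skipped, not treated as violations
    _ts, user, method, host, size = m.groups()
    bytes_out = int(size)
    alerts = []
    if host in UNSANCTIONED_STORAGE:
        alerts.append(Alert(user, host, "unsanctioned_cloud_storage", bytes_out))
    # Large uploads to approved services are normal work; elsewhere they are reviewed.
    if (method in ("POST", "PUT") and bytes_out >= LARGE_TRANSFER_BYTES
            and host not in APPROVED_DOMAINS):
        alerts.append(Alert(user, host, "large_outbound_transfer", bytes_out))
    return alerts


def evaluate_log(lines) -> list:
    """Run every line through the rule set and collect the alerts in order."""
    return [alert for line in lines for alert in evaluate_line(line)]


# Constructed sample log: one approved large upload, one double violation,
# one harmless browse, one large upload to an unknown host, one malformed line.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z alice POST mail.example-agency.com 120000000",
    "2024-05-01T09:15:44Z bob PUT share.consumer-files.example 734003200",
    "2024-05-01T09:20:10Z carol GET www.example-news.com 4096",
    "2024-05-01T09:25:31Z dave PUT cdn.unknown-upload.example 60000000",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for a in evaluate_log(SAMPLE_LOG):
        print(f"{a.rule}: user={a.user} host={a.host} bytes_out={a.bytes_out}")
```

Alerts raised here map directly to the AUP's reporting and escalation process, so each one can be routed to the named enforcement owners rather than handled ad hoc.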
Summary
A compact, approved acceptable use policy plus practical technical measures satisfies ECC 2-1-3 by clearly defining allowed and forbidden behaviors, establishing enforcement and monitoring, and demonstrating executive support. For SMBs this means writing a short, readable AUP, obtaining leadership sign-off, communicating it and getting employee acknowledgment, and pairing the policy with low-cost technical controls (MDM, DLP, access controls, logging). Together these steps make expectations transparent, enable consistent enforcement, and reduce the risk that information and technology assets will be used in ways that harm the business.