Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-12-1 – Cybersecurity requirements for event logs and monitoring management must be defined, documented and approved.
Understanding the Requirement
This control requires your organization to create a clear, documented policy for event logging and continuous monitoring, then get it formally approved by executive management. The policy must define which information assets require logs, ensure logging is activated on critical assets and for privileged and remote-access events, specify technologies used to collect logs, mandate continuous monitoring, and set a minimum log retention period of 12 months. This implementation guidance follows the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and is focused on practical steps an SMB can take to meet those requirements.
Technical Implementation
- Write the policy and get formal approval: Draft a short policy (1–2 pages) that lists the scope, responsibilities, retention (>= 12 months), monitoring expectations, and escalation procedures. Present it to the organization head or their deputy and obtain written approval to satisfy the executive-management support requirement.
- Identify and scope critical assets: Create a concise inventory of critical systems (e.g., domain controllers, mail servers, VPN concentrators, financial systems, cloud admin consoles) and privileged accounts. Document which of these require event logging and the types of events to capture (logon/logoff, privilege elevation, configuration changes, remote access sessions, failed authentication).
- Activate and standardize logging: Enable native logging on servers, endpoints, network devices, VPNs, and cloud services. Standardize log formats and transport where possible (syslog for Unix and network devices, Windows Event Forwarding for Windows hosts) and ensure every record carries a timestamp, user ID, source/destination addresses, and event type. Synchronize clocks on all log sources (NTP) so that events from different systems can be correlated; unsynchronized timestamps make investigations unreliable. For privileged accounts and remote-access events, increase logging verbosity to include session start/stop and command execution where possible.
- Centralize collection and enforce retention: Implement a centralized log collection solution (a lightweight on-prem collector, cloud log service, or managed SIEM) to aggregate logs. Forward logs over TLS and store them with access controls and immutability where feasible, so that an attacker who compromises a source system cannot erase its history; restrict deletion rights on the central store to a small, audited group. Configure retention policies on the central store to keep logs for at least 12 months; local logs on the source systems typically rotate far sooner, so the central copy is what satisfies the retention requirement. Ensure backups or export procedures for long-term preservation.
- Continuous monitoring and alerting: Define and implement continuous monitoring rules: baseline activity, detect anomalous logins, repeated failed authentications, privilege escalations, and remote-access from unusual locations. Configure prioritized alerts (email/SMS/incident ticket) and assign clear on-call responsibilities. Schedule automated daily health checks of the logging pipeline to detect missing log sources or storage issues.
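The monitoring rules and pipeline health check described in the steps above, as an added example that is not part of the original guidance. It runs four rules over a handful of constructed log lines (failed-login spike per source IP, account creation and admin-group additions, remote access outside business hours, and expected log sources that have gone silent). The line format (ISO-8601 UTC timestamp, host, message), the Windows events rendered as key=value fields, the VPN message format, the admin group names, the business-hours window and the expected host list are all assumptions made for the example.

```python
"""Minimal continuous-monitoring rules run over constructed sample logs (example code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines, not captured from any real system. Assumed format:
# "<ISO-8601 UTC timestamp> <host> <message>", as a collector might normalise them.
SAMPLE_LOGS = """\
2024-03-12T09:01:10Z fs01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 50110 ssh2
2024-03-12T09:01:12Z fs01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
2024-03-12T09:01:15Z fs01 sshd[2215]: Failed password for root from 203.0.113.7 port 50114 ssh2
2024-03-12T09:01:19Z fs01 sshd[2217]: Failed password for root from 203.0.113.7 port 50116 ssh2
2024-03-12T09:01:24Z fs01 sshd[2219]: Failed password for root from 203.0.113.7 port 50118 ssh2
2024-03-12T09:30:00Z fs01 sshd[2301]: Failed password for alice from 192.0.2.20 port 40001 ssh2
2024-03-12T09:30:40Z fs01 sshd[2302]: Accepted password for alice from 192.0.2.20 port 40002 ssh2
2024-03-12T10:15:02Z dc01 EventID=4720 TargetUser=svc_backup SubjectUser=jdoe
2024-03-12T10:15:09Z dc01 EventID=4728 TargetUser=svc_backup Group=Domain_Admins SubjectUser=jdoe
2024-03-12T12:00:00Z vpn01 VPN user=bob src=198.51.100.9 event=connect
2024-03-12T23:41:30Z vpn01 VPN user=carol src=198.51.100.77 event=connect
"""
# Assumed inventory of log sources the pipeline must hear from, and the "current time" of the run.
EXPECTED_HOSTS = ["fs01", "dc01", "vpn01", "books01"]
NOW = datetime(2024, 3, 13, 8, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
VPN_RE = re.compile(r"VPN user=(?P<user>\S+) src=(?P<ip>\S+) event=(?P<event>\w+)")
WIN_RE = re.compile(r"EventID=(?P<eid>\d+)(?P<rest>.*)")
ADMIN_GROUPS = {"Domain_Admins", "Administrators"}      # assumed group names
ADMIN_GROUP_EVENTS = {"4728", "4732", "4756"}            # member added to global/local/universal group

def parse(text):
    """Turn raw lines into time-sorted events; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "host": m["host"], "msg": m["msg"]})
    return sorted(events, key=lambda e: e["ts"])

def failed_login_spikes(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source IP produces >= threshold failed logins inside a sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        m = FAILED_RE.search(e["msg"])
        if m:
            by_ip[m["ip"]].append(e["ts"])
    alerts = []
    for ip, times in by_ip.items():          # times are already sorted
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "failed_login_spike", "src": ip,
                               "count": end - start + 1, "ts": times[end]})
                break                        # one alert per IP per run
    return alerts

def admin_account_changes(events):
    """Alert on account creation (4720) and on additions to privileged groups."""
    alerts = []
    for e in events:
        m = WIN_RE.search(e["msg"])
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["rest"].split())
        if m["eid"] == "4720":
            alerts.append({"rule": "account_created", "target": fields.get("TargetUser"),
                           "by": fields.get("SubjectUser"), "ts": e["ts"]})
        elif m["eid"] in ADMIN_GROUP_EVENTS and fields.get("Group") in ADMIN_GROUPS:
            alerts.append({"rule": "admin_group_added", "target": fields.get("TargetUser"),
                           "group": fields["Group"], "by": fields.get("SubjectUser"), "ts": e["ts"]})
    return alerts

def after_hours_remote_access(events, start_hour=8, end_hour=18):
    """Alert on VPN connects outside business hours or on weekends (UTC clock assumed)."""
    alerts = []
    for e in events:
        m = VPN_RE.search(e["msg"])
        if not m or m["event"] != "connect":
            continue
        if not (start_hour <= e["ts"].hour < end_hour) or e["ts"].weekday() >= 5:
            alerts.append({"rule": "after_hours_vpn", "user": m["user"], "src": m["ip"], "ts": e["ts"]})
    return alerts

def stale_sources(events, expected_hosts, now, max_silence=timedelta(hours=24)):
    """Pipeline health check: expected sources with no events inside max_silence (or none at all)."""
    last_seen = {}
    for e in events:
        last_seen[e["host"]] = max(last_seen.get(e["host"], e["ts"]), e["ts"])
    return sorted(h for h in expected_hosts if h not in last_seen or now - last_seen[h] > max_silence)

def run_rules(text, expected_hosts, now):
    """Run every rule once and return the alerts grouped by rule name."""
    events = parse(text)
    return {
        "failed_login_spikes": failed_login_spikes(events),
        "admin_changes": admin_account_changes(events),
        "after_hours_vpn": after_hours_remote_access(events),
        "stale_sources": stale_sources(events, expected_hosts, now),
    }

if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_LOGS, EXPECTED_HOSTS, NOW).items():
        print(rule, hits)
```

On the sample data the run flags the five-failure burst from 203.0.113.7 (the single failure from 192.0.2.20 stays below the threshold), the creation of svc_backup and its addition to Domain_Admins, carol's 23:41 VPN connect, and books01 as a source that has sent nothing, which is the kind of silent-source gap a daily health check exists to catch. The thresholds, window and hours are the tunable parts of each rule and should be set from a short baseline of normal activity before alerts are routed to the helpdesk queue.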
Example in a Small or Medium Business
A 60-person accounting firm decides to comply with Control 2-12-1. The IT manager drafts a one-page event-logging policy that lists the firm’s critical assets (file server, bookkeeping application, VPN gateway, and admin cloud console), the types of events to capture, the 12-month retention requirement, and the roles responsible for monitoring and incident escalation. The policy is reviewed and signed off by the CEO. The firm enables Windows Event Logging and SSH auditing on servers, configures the VPN to log connection events, and adjusts the bookkeeping application to emit audit records for user access and record changes. Logs are forwarded over TLS to a hosted log collector that provides simple search and retention controls; the collector is configured to retain logs for 14 months. The IT manager creates a small set of continuous-monitoring rules (failed login spikes, new admin account creations, remote access outside business hours) and ties alerts into the helpdesk queue so a technician is notified immediately. Monthly reviews of logs and the monitoring rules are scheduled, and the CEO receives a quarterly summary to maintain executive visibility and continued approval.
Summary
Meeting Control 2-12-1 requires a short, approved policy plus concrete technical measures: identify critical assets, enable and standardize logging (including privileged and remote-access events), centralize collection, retain logs for at least 12 months, and put continuous monitoring and alerting in place. For SMBs, focusing on a targeted inventory, lightweight centralization, clear responsibilities, and executive sign-off delivers the required governance and operational controls without large overhead.