How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-12-3

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-12-3

January 17, 2026
Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-12-3 – The cybersecurity requirements for event logs and monitoring management must include at least the following:

Understanding the Requirement

This control (objectives 2-12-3-1 through 2-12-3-5) requires an organized approach to collecting, protecting, retaining and reviewing event logs and monitoring outputs so that suspicious activity is detectable, traceable and actionable. As part of the Essential Cybersecurity Controls (ECC – 2 : 2024) framework, it expects clearly defined logging scope and ownership, centralized or reliably aggregated logs, integrity and access controls for log storage, timely alerting and review processes, and retention and archival that support investigations and compliance. For an SMB that means turning logging from an ad-hoc output into a managed capability with documented policy, simple technical controls, and routine human review.

Technical Implementation

  • Define a logging policy and owner: create a one-page policy that lists required log sources (firewalls, edge routers, domain controllers, mail gateway, endpoint EDR, cloud admin activity), required retention (e.g., 90 days as a default), who owns logs, and escalation thresholds. Assign a single responsible person or role to manage logging tasks and periodic reviews.

  • Centralize collection and retention: forward logs to a central log collector or managed SIEM (cloud or on-prem). For small shops, a hosted log management service or lightweight open-source syslog server with daily archiving is acceptable. Ensure automated rotation and backups and plan storage capacity to meet retention targets.

  • Protect integrity and restrict access: enable write-once or append-only storage where possible, restrict admin access via role-based controls, and encrypt logs at rest and in transit (TLS for forwarding). Maintain an audit trail of who accessed or exported logs and require multi-factor authentication for log-management accounts.

  • Time synchronization and standardized formats: configure NTP on all devices to ensure consistent timestamps and normalize log formats (CEF, JSON, or syslog) so correlation and searching work reliably during an investigation.

  • Alerting and triage playbooks: configure alerts for high-priority events (multiple failed logins, privilege escalations, unusual outbound traffic) with clear severity levels. Document a simple triage playbook: who investigates, how to enrich data, when to escalate to management or an external responder.

  • Regular review and testing: schedule weekly automated rule reviews, monthly sample log inspections, and quarterly tabletop exercises that use real logs to validate detection and response. Periodically purge or archive logs beyond retention in line with policy and legal needs.

Example in a Small or Medium Business

A 60-person managed services SMB adopts Control 2-12-3 by first drafting a one-page Logging & Monitoring Policy that names the IT manager as the owner and lists the required sources: firewall, VPN, domain controller, primary file server, cloud admin console, and endpoint protection logs. They deploy a low-cost, cloud-hosted log collector that aggregates syslog and API-based logs from cloud providers, retains 90 days online, and keeps one year of compressed archives. The IT manager configures TLS forwarding, enforces MFA for the log portal, and restricts access to two senior admins. They enable NTP on all devices for consistent timestamps and create normalization rules so that failed-login and privilege-change events are searchable across sources. The team defines three alert tiers (critical, high, medium) and a two-step triage playbook: an on-call technician reviews critical alerts immediately and escalates unresolved incidents to management and the external incident responder. Every quarter they run a simulated phishing incident and verify that the related alerts appear in the collector and that the playbook timelines are met; any gaps lead to revised detection rules and a short retraining session for staff.
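To make the normalization rules and the three alert tiers from the implementation steps concrete, here is an added example (not code from the original article or from any vendor product): a small Python script that normalizes constructed syslog lines from a domain controller and a VPN gateway into one flat record, then raises critical, high and medium alerts for privilege changes, repeated failed logins within a time window, and failed logins from outside the policy's internal address ranges. The log format, hostnames, thresholds and internal ranges are assumptions chosen for the illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs). Both hosts stamp ISO-8601 UTC from one
# NTP-synced clock, which is what makes a cross-host time window meaningful.
SAMPLE_LOGS = """\
2026-01-17T08:00:01Z dc01 auth: Failed login user=jdoe src=10.0.5.20
2026-01-17T08:00:09Z dc01 auth: Failed login user=jdoe src=10.0.5.20
2026-01-17T08:00:30Z dc01 auth: Failed login user=jdoe src=10.0.5.20
2026-01-17T08:02:10Z dc01 group: Member added group='Domain Admins' user=jdoe by=svc_help
2026-01-17T09:15:00Z vpn01 auth: Failed login user=asmith src=203.0.113.7
"""
# Ranges the hypothetical policy treats as internal; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
HEADER_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")

def normalize(line):
    """Map one syslog-style line to a flat dict with a common 'event' field."""
    m = HEADER_RE.match(line)
    if not m:
        return None  # callers can count these to spot a source whose format drifted
    ts, host, _facility, msg = m.groups()
    fields = {k: v.strip("'") for k, v in KV_RE.findall(msg)}
    text = msg.lower()
    event = ("failed_login" if "failed login" in text else
             "priv_change" if "member added" in text else "other")
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "event": event, **fields}

def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (severity, message) alerts using the three tiers from the example."""
    alerts, recent = [], defaultdict(deque)  # recent: user -> failed-login timestamps
    for ev in filter(None, map(normalize, lines)):
        user, host = ev.get("user", "?"), ev["host"]
        if ev["event"] == "priv_change":
            alerts.append(("critical", f"{host}: {user} added to {ev.get('group')} by {ev.get('by')}"))
        elif ev["event"] == "failed_login":
            q = recent[user]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:  # drop attempts that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append(("high", f"{host}: {len(q)} failed logins for {user} within {window}"))
                q.clear()
            elif "src" in ev and not any(ipaddress.ip_address(ev["src"]) in n for n in INTERNAL_NETS):
                alerts.append(("medium", f"{host}: failed login for {user} from external {ev['src']}"))
    return alerts
```

Running `detect(SAMPLE_LOGS.splitlines())` yields one high alert for the burst of failed logins, one critical alert for the group-membership change, and one medium alert for the external VPN failure; in practice the thresholds and internal ranges come from the logging policy, not from the code.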

Summary

Meeting Control 2-12-3 is practical for SMBs when treated as a combined policy and engineering task: define what to log and who owns it; centralize and protect logs with simple technical controls; keep clocks consistent and formats normalized; create focused alerts and a short triage playbook; and enforce routine review and testing. These measures ensure logs are complete, trustworthy, and actionable so that when an incident occurs your small team can detect, investigate, and respond quickly without overcomplicating operations or budget.
