Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-14-3 – The cybersecurity requirements for physical protection of information and technology assets must include at least the following:
Understanding the Requirement
This control in the Essential Cybersecurity Controls (ECC – 2 : 2024) requires organizations to establish and maintain physical protections for information and technology assets. Practically, it breaks down into five sub-objectives (2-14-3-1 through 2-14-3-5) that cover identification of assets and locations, controlled physical access, environmental and power protections, secure storage and handling of removable media and devices, and processes for visitor control and physical disposal. For an SMB this means documenting where sensitive data and systems reside, limiting who can reach them, protecting them from environmental threats and theft, and ensuring proper handling and destruction when devices or media leave service.
Technical Implementation
- Asset inventory and zoning: Create and maintain a simple asset register that lists servers, switches, backup media, and laptops with their physical locations. Map assets to zones (public, restricted, secure) and label rooms and racks so staff know what areas require elevated controls.
- Access control for sensitive spaces: Implement controlled entry for server/telecom closets and storage areas using keyed locks, electronic card readers, or push-button codes. Keep a short list of authorized personnel and require sign-in/out logs or badge audits monthly.
- Physical anti-theft and securing endpoints: Use cable locks for workstations and secure anchor points for portable devices. Install rack locks, cabinet doors, and tamper-evident seals for servers and network gear. For laptops, require full-disk encryption and device tracking so physical loss doesn't equal immediate data loss.
- Environmental and power protections: Equip server spaces with smoke detection, temperature/humidity monitoring, and an uninterruptible power supply (UPS) for critical devices. Configure alerting to on-call staff (SMS/email) and schedule quarterly checks of environmental sensors and UPS battery health.
- Visitor handling and media controls: Enforce a visitor policy: visitors must sign in, be escorted in restricted areas, and wear temporary badges. Maintain procedures for removable media (USB drives): restrict use, require scanning/encryption, and store backups and archival tapes in a locked, fireproof container or offsite vault.
- Secure disposal and evidence of compliance: Adopt clear disposal steps: sanitize drives using approved methods (crypto-erase or Degauss for magnetic media; physical destruction when required), document the process, and retain disposal records. Perform periodic spot checks and include physical control checks in internal audits.
Example in a Small or Medium Business
A regional accounting firm with 35 employees performs a simple physical risk assessment and identifies their file server, backup NAS, and a shelf of archival USB drives in a shared utility closet as high-risk items. They move the server and NAS into a lockable telecom cabinet in a small, dedicated room and add an electronic door strike tied to employee badges so only IT and two senior partners can access it. They install a temperature/humidity sensor and a UPS for the cabinet and configure alerts to the IT manager's phone. Portable devices are fitted with security cable locks in the office and full-disk encryption is mandated for all laptops. Visitors must sign the reception log and are escorted to conference rooms; contractors who need temporary access are logged and issued time-limited visitor credentials. For end-of-life drives and media, the firm contracts a certified destruction service and keeps receipts and a destruction log for compliance records. Quarterly audits of the access log and a yearly tabletop exercise ensure the team knows the processes and that physical controls remain effective.
Summary
Combining straightforward policies (asset registers, visitor rules, disposal procedures) with inexpensive technical and physical controls (locks, badge readers, environmental sensors, encryption, and destruction services) satisfies the core requirements of Control 2-14-3. For SMBs these measures are practical, scalable, and provide a documented trail of protection — reducing theft, environmental loss, and unauthorized access while keeping compliance and auditing simple and repeatable.
