How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-3-1

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-3-1

January 17, 2026


Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-3-1 – Cybersecurity requirements for protecting information systems and information processing facilities must be defined, documented and approved.

Understanding the Requirement

This control requires an organization to create a formal, approved policy that defines how information systems and processing facilities are protected, and to ensure that the policy is documented and supported by executive management. The policy should cover technical protections (malware defense, patching, secure OS images, time synchronization), operational scope (which devices and systems are covered), and controls on external media and services; it should also mandate procedures for regular scanning and maintenance. This guidance aligns with the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and is aimed at ensuring consistent, auditable protection across the environment.

Technical Implementation

  • Create and publish a written protection policy: Draft a concise policy that states objectives, scope (workstations, servers, critical systems, network devices), roles and responsibilities, approval date, review cadence, and escalation paths. Have the head of the organization or their deputy formally sign and date the policy to meet the approval requirement.
  • Standardize secure system images: Build hardened OS images for desktops and servers that include only required services, baseline security configurations, pre-installed and configured endpoint protection, and automated hardening checks. Store images in a controlled repository and version them; require deployment from these images for any new or rebuilt device.
  • Deploy and configure malware protection: Implement enterprise-grade anti-malware/endpoint protection across the scoped devices, with centralized management, standardized configuration baselines, real-time protection enabled, and automated signature/behavior updates. Maintain a configuration checklist to verify settings and periodic audits to ensure no device is unmanaged.
  • Implement continuous scanning and patch management: Schedule regular malware scans (full weekly, quick daily) and integrate vulnerability scanning into monthly operations. Maintain a documented patch management process that prioritizes critical updates, tracks deployment status, and enforces timelines for security patches on systems and applications.
  • Control external storage and peripheral media: Define an approved list of removable media types and use device control tools to block or allow based on policy. Require encryption and malware scanning for any permitted external media, and document procedures for approval, logging, and incident handling of lost or suspicious devices.
  • Define reliable time sources and synchronize systems: Configure all servers, network devices, and critical endpoints to use internal NTP servers that themselves sync to trusted external time sources. Document the chosen sources and monitoring process to ensure logs and time-based security controls remain reliable for forensics and correlation.

Example in a Small or Medium Business

Greenfield Consulting, a 60-person SMB, drafts a single-page "Information Systems and Facilities Protection" policy that names the IT manager as owner, lists covered assets (40 desktops, 8 servers, and 12 network devices), and requires executive sign-off. The IT manager builds hardened Windows and Linux images with unnecessary services disabled, preinstalled endpoint protection, and a baseline registry/security configuration; these images are stored on the company image server and used for all new builds. They deploy a centrally managed antivirus solution with standardized configuration pushed by group policy and require weekly full scans and daily quick scans. A simple patch calendar prioritizes critical security updates within 72 hours, while less critical patches are scheduled monthly; the IT manager reviews patch reports weekly. USB access is blocked by default; approved encrypted USBs must be registered with IT and scanned before use. Finally, all servers and network devices are configured to synchronize to the company NTP server, which is itself tied to two external, reliable time sources. The CEO reviews and signs the policy, and the team holds quarterly reviews to confirm compliance and update the policy as systems change.
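To show how the six implementation steps above and the Greenfield example translate into something auditable, here is an added Python script (not part of the original article, and not a tool from the ECC framework or the company described). It evaluates a constructed device-inventory export against the policy thresholds the example states: deployment from an approved hardened image, centrally managed endpoint protection, weekly full and daily quick scans, critical patches closed within 72 hours, USB storage blocked unless the device is an approved encrypted one registered with IT, and synchronization to the internal NTP server. The hostnames, image names, NTP hostname and timestamps are all constructed placeholders.

```python
"""Added illustration (not the article's own tooling): audit constructed
device-inventory records against the protection policy described above."""
from datetime import datetime, timedelta

# Policy thresholds taken from the Greenfield example; image names and the
# NTP hostname are constructed placeholders.
POLICY = {
    "approved_images": {"win11-hardened-v3", "ubuntu-22.04-hardened-v2"},
    "full_scan_max_age": timedelta(days=7),        # weekly full scan
    "quick_scan_max_age": timedelta(days=1),       # daily quick scan
    "critical_patch_deadline": timedelta(hours=72),
    "approved_ntp": {"ntp.greenfield.internal"},
}

# Constructed sample export; a real run would read this from the endpoint
# management console. Timestamps are ISO 8601 local time.
INVENTORY = [
    {"host": "ws-01", "image": "win11-hardened-v3", "epp_managed": True,
     "last_full_scan": "2026-01-12T02:00:00", "last_quick_scan": "2026-01-17T06:00:00",
     "oldest_open_critical": None, "usb_storage": "blocked", "usb_registered": False,
     "ntp_source": "ntp.greenfield.internal"},
    {"host": "ws-02", "image": "win11-hardened-v3", "epp_managed": False,
     "last_full_scan": "2026-01-05T02:00:00", "last_quick_scan": "2026-01-14T08:00:00",
     "oldest_open_critical": "2026-01-13T10:00:00", "usb_storage": "allowed",
     "usb_registered": False, "ntp_source": "ntp.greenfield.internal"},
    {"host": "srv-01", "image": "ubuntu-22.04-hardened-v2", "epp_managed": True,
     "last_full_scan": "2026-01-11T03:00:00", "last_quick_scan": "2026-01-17T01:00:00",
     "oldest_open_critical": "2026-01-15T12:00:00", "usb_storage": "blocked",
     "usb_registered": False, "ntp_source": "pool.ntp.org"},
    {"host": "ws-03", "image": "win11-hardened-v3", "epp_managed": True,
     "last_full_scan": "2026-01-15T02:00:00", "last_quick_scan": "2026-01-17T07:00:00",
     "oldest_open_critical": None, "usb_storage": "approved-encrypted",
     "usb_registered": True, "ntp_source": "ntp.greenfield.internal"},
]

# Constructed time of the audit run, so results are reproducible.
AUDIT_TIME = datetime.fromisoformat("2026-01-17T09:00:00")


def _age(now, stamp):
    """Elapsed time between an ISO 8601 timestamp and the audit time."""
    return now - datetime.fromisoformat(stamp)


def audit_device(dev, now, policy=POLICY):
    """Return the list of policy findings for one device record (empty = compliant)."""
    findings = []
    if dev["image"] not in policy["approved_images"]:
        findings.append("not built from an approved hardened image")
    if not dev["epp_managed"]:
        findings.append("endpoint protection not centrally managed")
    if _age(now, dev["last_full_scan"]) > policy["full_scan_max_age"]:
        findings.append("weekly full malware scan overdue")
    if _age(now, dev["last_quick_scan"]) > policy["quick_scan_max_age"]:
        findings.append("daily quick scan overdue")
    # A critical patch counts as late once it has been open longer than the deadline.
    crit = dev["oldest_open_critical"]
    if crit is not None and _age(now, crit) > policy["critical_patch_deadline"]:
        findings.append("critical patch open beyond 72-hour deadline")
    # USB storage must be blocked, or be an approved encrypted device registered with IT.
    if dev["usb_storage"] == "allowed":
        findings.append("removable storage not blocked by default")
    elif dev["usb_storage"] == "approved-encrypted" and not dev["usb_registered"]:
        findings.append("encrypted USB in use but not registered with IT")
    if dev["ntp_source"] not in policy["approved_ntp"]:
        findings.append("time source is not the approved internal NTP server")
    return findings


def audit_inventory(inventory, now, policy=POLICY):
    """Map host -> findings for every device in the export."""
    return {d["host"]: audit_device(d, now, policy) for d in inventory}


def summarize(report):
    """Return (compliant_hosts, total_findings) for the quarterly review record."""
    compliant = sum(1 for f in report.values() if not f)
    return compliant, sum(len(f) for f in report.values())


def run_audit():
    """Audit the constructed inventory at the constructed audit time."""
    return audit_inventory(INVENTORY, AUDIT_TIME)


if __name__ == "__main__":
    report = run_audit()
    for host, findings in report.items():
        print(host, "OK" if not findings else "; ".join(findings))
    print("compliant hosts / total findings:", summarize(report))
```

Each finding maps back to one bullet of the policy, so the per-host output doubles as evidence for the quarterly review the example describes; the thresholds live in one `POLICY` dictionary so that a change to the signed policy (say, a 48-hour critical-patch window) is a one-line change rather than a rewrite of the checks.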

Summary

By documenting a clear, executive-approved protection policy and implementing practical technical controls—hardened images, centralized malware protection, regular scanning and patching, media controls, and reliable time synchronization—SMBs create a repeatable, auditable approach to safeguarding systems and processing facilities. The policy provides governance and accountability while the technical measures deliver consistent protection across devices, meeting the control’s requirement for defined, documented, and approved cybersecurity requirements.
