Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-3-2 – The cybersecurity requirements for protecting information systems and information processing facilities must be implemented.
Understanding the Requirement
This control requires organizations to implement a set of practical protections for information systems and processing facilities, covering technical controls, policies and regular reviews. It emphasizes deploying modern protection mechanisms, defining and periodically reviewing the scope of devices to be protected, restricting and securing the use of external storage media, maintaining consistent patch management across devices and applications, and ensuring reliable central clock synchronization. This guidance is drawn from the Essential Cybersecurity Controls (ECC – 2 : 2024) framework and is intended to be actionable for SMB teams.
Technical Implementation
- Build and maintain an asset inventory: Create a living inventory of servers, desktops, laptops, mobile devices, virtual machines and network equipment. Update it monthly and flag any unknown or unmanaged devices for immediate remediation.
- Deploy layered endpoint and network protections: Use modern endpoint detection & response (EDR) or advanced antivirus, a managed firewall, and network segmentation for critical systems (finance, HR). Ensure these protections are centrally managed and monitored.
- Control external storage media: Implement a written removable media policy, enable device-control tools to restrict USB and external drive use by default, allow exceptions via an approval workflow, and scan authorized media for malware before use.
- Implement an automated patch management process: Define patch windows (e.g., weekly for critical, monthly for routine), test patches in a small pilot group, then deploy broadly using an MDM/patch-management tool. Track compliance and remediate failed updates within defined SLAs.
- Centralize time synchronization: Configure all servers, network devices, and security appliances to use a reliable internal NTP service synchronized to trusted external sources. Log timestamps consistently to support forensics and audit trails.
- Document policies and assign responsibilities: Publish clear policies for device protection, patching and media use; assign owners for asset inventory, patching, and monitoring; and require periodic (quarterly) reviews and management sign-off.
Example in a Small or Medium Business
A 60-person marketing firm created a simple security program to meet this control. IT built an inventory spreadsheet, then moved it into a lightweight asset-management tool that automatically discovers new endpoints on the network. They deployed an EDR solution on all endpoints and segmented the finance systems onto a separate VLAN. The firm prohibited unsanctioned USB drives by default and implemented an approval workflow for any exceptions, with all approved media scanned by IT before use. The IT manager set up an automated patching schedule: critical patches applied within 48 hours, routine updates on the second Tuesday of each month, and any failed installations routed to a remediation queue. All servers and security appliances were pointed to an internal NTP server that syncs to two external, reliable time sources. Each quarter the IT lead reviews the asset list and patch compliance, reports findings to leadership, and tracks corrective actions until closed.
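The asset-inventory and patch-compliance steps above, and the 48-hour critical SLA from the firm's example, as an added illustration that is not part of the ECC text or any vendor tool: the script compares a network discovery sweep against the inventory to flag unknown endpoints, and checks each pending patch against its SLA. The device names, patch identifiers and the 30-day routine window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Patch SLAs taken from the worked example: critical within 48 hours; routine
# patches are assumed due within 30 days (one monthly patch window).
SLA_HOURS = {"critical": 48, "routine": 30 * 24}

@dataclass
class Device:
    name: str
    # Pending patches as (patch_id, severity, released_at) tuples.
    pending: list = field(default_factory=list)

def overdue_patches(device, now):
    """Return (device, patch_id, severity, lateness) for every patch past its SLA."""
    late = []
    for patch_id, severity, released_at in device.pending:
        deadline = released_at + timedelta(hours=SLA_HOURS[severity])
        if now > deadline:
            late.append((device.name, patch_id, severity, now - deadline))
    return late

def compliance_report(inventory, discovered, now):
    """Flag endpoints seen on the network but absent from the inventory, and
    every patch SLA breach; the result feeds the quarterly review."""
    known = {d.name for d in inventory}
    unknown = sorted(discovered - known)
    breaches = [b for d in inventory for b in overdue_patches(d, now)]
    return {"unknown": unknown, "breaches": breaches,
            "compliant": not unknown and not breaches}

# Constructed sample data: a small inventory and a network discovery sweep.
NOW = datetime(2024, 6, 10, 9, 0)
INVENTORY = [
    Device("fin-srv-01", [("PATCH-C1", "critical", NOW - timedelta(hours=72))]),
    Device("mkt-lap-07", [("PATCH-R2", "routine", NOW - timedelta(days=10))]),
]
DISCOVERED = {"fin-srv-01", "mkt-lap-07", "unknown-host-aa12"}

if __name__ == "__main__":
    report = compliance_report(INVENTORY, DISCOVERED, NOW)
    for name, patch_id, severity, late in report["breaches"]:
        print(f"{name}: {patch_id} ({severity}) overdue by {late}")
    print("unknown devices:", report["unknown"])
    print("compliant:", report["compliant"])
```

In practice the inventory and discovery sets would come from the MDM/EDR console and a scheduled network scan rather than being hard-coded.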
Summary
By combining clear policy with practical technical controls—an accurate asset inventory, modern endpoint and network protections, strict removable-media controls, disciplined automated patching, and centralized time synchronization—SMBs can meet the ECC 2-3-2 requirement. Assigning owners, documenting processes, and scheduling periodic reviews turns these measures from one-off tasks into repeatable, auditable practices that reduce risk and improve incident response readiness.