Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-3-3 – The cybersecurity requirements for protecting information systems and information processing facilities must include at least the following:
Understanding the Requirement
This control requires organizations to define and implement a minimum set of protections for both information systems and the physical facilities that house them. Although the control statement itself is not expanded on this page, the numbered objectives (2-3-3-1 through 2-3-3-4) indicate there are multiple sub-requirements covering identification and classification of assets, access restrictions, environmental and physical protections, and ongoing oversight or verification. As part of the Essential Cybersecurity Controls (ECC – 2 : 2024) framework, SMBs should treat this control as a combined policy-and-technical mandate: document what needs protection, apply appropriate physical and logical controls, and verify those controls remain effective over time.
Technical Implementation
- Inventory and classification: Create a concise asset register that lists all servers, network devices, storage, and information processing spaces (e.g., server room, telecom closet, edge racks). Classify assets by criticality (e.g., high, medium, low) so protections can be prioritized to meet objectives 2-3-3-1 and 2-3-3-2.
- Physical access controls: Secure processing facilities with a layered approach: locked doors with badge access or coded locks, visitor sign-in and escort policies for non-staff, and clear zone separation (public, staff, secure). Maintain access logs and review them monthly for anomalies to satisfy physical protection expectations.
- Environmental and power protections: Install basic environmental controls such as smoke/heat detectors, temperature monitoring, and a UPS for critical racks. For SMBs, a single rack-level UPS and a simple temperature sensor with alerts are an affordable way to reduce risk and meet facility protection requirements.
- Network and endpoint protections: Apply network segmentation so systems in protected facilities are on a restricted VLAN with firewall rules, strict administrative access via MFA, and host-based controls (patching, EDR/antivirus). Limit remote administrative access to jump hosts or a VPN with conditional access.
- Operational policies and change control: Document policies for facility access, maintenance, equipment disposal, and vendor/third-party entry. Implement a lightweight change-control checklist that requires approval and a rollback plan before any physical or system change in secure facilities.
- Monitoring and periodic verification: Enable logging for door access, environmental alerts, and system access; retain logs for an agreed period (e.g., 90 days). Schedule quarterly reviews and an annual tabletop test to validate that controls described in objectives 2-3-3-3 and 2-3-3-4 remain effective.
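The steps above produce artefacts (an asset register, door-access logs, temperature readings, a retention period) that a quarterly review has to go through by hand. The script below is an added example of how an SMB could script that review; it is not part of the ECC standard or of any vendor product. All inputs are constructed: the asset register, the badge list, the door-controller log format (timestamp,badge,door,result), the temperature readings and the thresholds (business hours 07:00 to 19:00, 27 °C, 90-day retention) are assumptions chosen for illustration.

```python
"""Quarterly verification helper for ECC control 2-3-3.

Added example, not NCA or vendor code. Every input below is constructed
for illustration; replace the constants with your own register and logs.
"""
from datetime import datetime, timedelta, time

# Constructed asset register: criticality decides review order (objective
# 2-3-3-1/2-3-3-2 style inventory and classification).
ASSET_REGISTER = [
    {"name": "file-server-01", "location": "server room", "criticality": "high"},
    {"name": "voip-gateway", "location": "server room", "criticality": "high"},
    {"name": "core-switch", "location": "server room", "criticality": "medium"},
    {"name": "rack-ups", "location": "server room", "criticality": "medium"},
    {"name": "lobby-printer", "location": "public", "criticality": "low"},
]

# Constructed policy values (assumptions).
AUTHORIZED_BADGES = {"B1001", "B1002"}      # badges allowed into the server room
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # expected access window
MAX_TEMP_C = 27.0                           # rack temperature alert threshold
RETENTION_DAYS = 90                         # agreed log retention period

# Constructed door-controller export: timestamp,badge,door,result
DOOR_LOG = """\
2024-05-06T08:12:04,B1001,server-room,granted
2024-05-06T22:41:30,B1002,server-room,granted
2024-05-07T09:05:11,B2044,server-room,granted
2024-05-07T09:06:40,B2044,server-room,denied
"""

# Constructed temperature sensor readings: (timestamp, degrees C)
TEMP_READINGS = [
    ("2024-05-06T08:00", 22.5),
    ("2024-05-06T14:00", 28.1),
    ("2024-05-06T20:00", 24.0),
]


def prioritized_assets(register):
    """Return asset names ordered high -> medium -> low so reviewers start
    with the assets whose protections matter most."""
    order = {"high": 0, "medium": 1, "low": 2}
    return [a["name"] for a in sorted(register, key=lambda a: order[a["criticality"]])]


def parse_door_log(text):
    """Parse the constructed CSV export into event dicts with datetime stamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "result": result})
    return events


def access_anomalies(events, authorized, hours):
    """Flag granted entries that either used a badge not on the authorized
    list or happened outside the expected access window."""
    start, end = hours
    findings = []
    for e in events:
        if e["result"] != "granted":
            continue  # a denied attempt is the lock doing its job; not flagged here
        if e["badge"] not in authorized:
            findings.append((e["ts"].isoformat(), e["badge"], "unauthorized badge granted"))
        elif not (start <= e["ts"].time() <= end):
            findings.append((e["ts"].isoformat(), e["badge"], "access outside business hours"))
    return findings


def temperature_alerts(readings, max_c):
    """Return every reading above the alert threshold."""
    return [(ts, t) for ts, t in readings if t > max_c]


def retention_split(events, now, days):
    """Split events into those still inside the retention window and those
    old enough to purge, so retention is enforced rather than assumed."""
    cutoff = now - timedelta(days=days)
    keep = [e for e in events if e["ts"] >= cutoff]
    purge = [e for e in events if e["ts"] < cutoff]
    return keep, purge


def quarterly_review(now_iso):
    """Run all checks and return a summary dict suitable for the review record."""
    now = datetime.fromisoformat(now_iso)
    events = parse_door_log(DOOR_LOG)
    keep, purge = retention_split(events, now, RETENTION_DAYS)
    return {
        "review_order": prioritized_assets(ASSET_REGISTER),
        "access_findings": access_anomalies(events, AUTHORIZED_BADGES, BUSINESS_HOURS),
        "temperature_alerts": temperature_alerts(TEMP_READINGS, MAX_TEMP_C),
        "retained": len(keep),
        "purge_count": len(purge),
    }


if __name__ == "__main__":
    for key, value in quarterly_review("2024-08-05T00:00:00").items():
        print(f"{key}: {value}")
```

Run as-is, the review flags the 22:41 entry by an authorized badge (outside hours) and the 09:05 entry by badge B2044 (not on the list), reports the single 28.1 °C reading, and marks the two entries older than 90 days as due for purging. Each finding should be recorded with its disposition (explained, escalated, badge revoked) in the quarterly review log, which is the evidence objectives 2-3-3-3 and 2-3-3-4 ask for.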
Example in a Small or Medium Business
Greenfield Marketing is a 45-person SMB that hosts its core file server and VoIP gateway in an on-premises server room. Following Control 2-3-3, they created a short asset register listing the server, network switch, UPS, and rack-based NAS, and marked the file server as "high criticality." The IT manager installed a badge-controlled door and a camera pointed at the rack entrance, and required visitors to be signed in and escorted. They also added a rack-mounted UPS and a temperature sensor that sends email alerts if temperatures exceed safe ranges. Network-wise, the server room devices were placed on a separate VLAN with firewall rules restricting access to IT admin workstations; administrative logins require MFA. The company adopted a change-control form for any physical access or equipment changes and assigned quarterly reviews to check access logs and environmental alerts. When a third-party vendor needed to replace a failed switch, the vendor was pre-approved, escorted, and the work was scheduled during a maintenance window with pre- and post-change verification recorded in the change log.
Summary
Meeting Control 2-3-3 means combining clear policy (asset inventory, access and vendor rules, change control) with practical technical and physical measures (badge access, environmental sensors, UPS, VLANs, MFA and logging). For SMBs, prioritize protections for high-criticality assets, keep procedures lightweight and repeatable, and verify effectiveness through regular log reviews and periodic testing. Together, these steps satisfy the control’s intent to protect both information systems and the facilities that house them while remaining affordable and manageable for small organizations.