Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-4-1 – Cybersecurity requirements for protecting email service must be defined, documented and approved.
Understanding the Requirement
This control requires your organization to create a formal, written policy that defines how email services are protected, documents technical and operational requirements, and records executive approval. Under the Essential Cybersecurity Controls (ECC – 2 : 2024) guidance, an effective policy should cover protection technologies, configuration baselines, responsibilities for shared or public mailboxes, attachment and mailbox size limits, secure email infrastructure design, and must be explicitly approved by executive management.
Technical Implementation
- Write a concise email protection policy: Document the scope, objectives, and required controls (anti-malware, anti-phishing, SPF/DKIM/DMARC, TLS for transport). Include responsibilities for ownership of mailboxes (individual, shared, public), who can approve exceptions, and the change control process for email configuration updates.
- Establish configuration standards: Create a baseline configuration checklist for your email gateway and cloud provider: enforce SPF, DKIM and DMARC; require opportunistic or mandatory TLS between servers; enable attachment scanning, URL rewriting/sandboxing for suspicious links, and inline malware detection. Define acceptable protocols and disable legacy/unsecured services (e.g., SMTP relaying without auth).
- Set mailbox and attachment limits plus retention: Define per-user mailbox size, attachment size limits, and retention/archiving rules that balance business needs and security. Document backup frequency and recovery objectives for email data and ensure the provider’s storage and retention settings meet those requirements.
- Control access and shared account governance: Require formal owner assignment for shared/public accounts, maintain an access roster, enforce MFA for privileged mailboxes, use role-based access provisioning, and require periodic access reviews. For shared accounts, require approved usage agreements and logging of administrative actions.
- Operational monitoring and incident handling: Enable centralized logging and alerting for suspicious inbound/outbound activity (large mail volumes, spikes in failed logins, mass forwarding rules). Define incident response steps specific to email compromises (isolation, password resets, searching mailboxes for indicators, user notification) and assign clear escalation paths.
- Get executive approval and schedule reviews: Present the policy and technical standards to the organization head or deputy for formal sign-off, as required. Build a calendar for quarterly or biannual reviews, and make approval part of your change control for major email infrastructure changes.
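An added example (not part of the ECC guidance or any vendor tool) of turning the SPF/DMARC items of the configuration baseline checklist into an automated check: it evaluates a domain's published TXT records against the baseline and lists the gaps. It runs offline against constructed sample records for the hypothetical domain example.test; in practice the records would come from a DNS query.

```python
import re
# Constructed sample TXT records for a hypothetical domain (offline stand-in for DNS).
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mailprovider.test ip4:203.0.113.10 ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup
def _mechanism(term):
    # Drop the qualifier (+ - ~ ?) and any argument, leaving the mechanism name.
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
def check_spf(records):
    """Return baseline findings for a domain's SPF TXT record."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    findings, terms = [], spf[0].split()[1:]
    all_terms = [t for t in terms if _mechanism(t) == "all"]
    if not all_terms:
        findings.append("SPF: no terminal 'all' mechanism; unlisted senders evaluate to neutral")
    else:
        qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' permits any sender; use '-all'")
        elif qualifier != "-":
            findings.append(f"SPF: '{qualifier}all' is not a hard fail; baseline prefers '-all'")
    lookups = sum(1 for t in terms if _mechanism(t) in LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(records):
    """Return baseline findings for the _dmarc TXT record."""
    dmarc = [r for r in records if r.replace(" ", "").upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["DMARC: no v=DMARC1 record published"]
    pairs = (p.split("=", 1) for p in dmarc[0].replace(" ", "").split(";") if "=" in p)
    tags = {k.lower(): v for k, v in pairs}
    findings, policy = [], tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine or reject once reports are clean")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail flow")
    return findings

def audit(txt_records, domain):
    # Run both checks for one domain against a dict of DNS name -> TXT records.
    return check_spf(txt_records.get(domain, [])) + check_dmarc(txt_records.get("_dmarc." + domain, []))
```

Run the findings from `audit` into the change-control ticket for the gateway baseline; an empty list means the published records match the checklist.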
Example in a Small or Medium Business
A 50-person marketing agency formalizes an email protection policy to reduce phishing and data loss. The IT manager drafts a one-page policy that lists required protections (SPF/DKIM/DMARC, cloud email provider spam filtering, anti-malware, TLS), mailbox quotas (5 GB per user, 20 MB attachment limit), and rules for shared accounts (each shared inbox must have an assigned owner and MFA). They configure their cloud email service to enforce DKIM and DMARC, enable sandboxing for attachments, and set up outbound DLP rules that block attachments containing customer credit card files. The agency logs email gateway events to a central SIEM for alerting and schedules monthly checks of forwarding rules. The IT manager presents the policy to the CEO and gets formal approval; the CEO's sign-off is stored with the policy document. They also create a simple incident playbook for compromised accounts and run a tabletop exercise with the leadership team every six months to validate processes.
Summary
Defining, documenting, and obtaining executive approval for an email protection policy ensures your SMB has clear, enforceable rules that guide technical controls and operational behaviors. When coupled with tightly defined configuration baselines (SPF/DKIM/DMARC, TLS, anti-phishing and malware controls), access governance for shared accounts, retention and quota settings, and monitoring plus incident procedures, the organization will meet the control’s requirement and reduce risk from email-borne threats.