Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-5-1 – Cybersecurity requirements for network security management must be defined, documented and approved.
Understanding the Requirement
This control requires an organization to create a formal, written network security policy that defines how the network is protected and who may access it, and to gain executive approval and ongoing support for that policy. As part of the Essential Cybersecurity Controls (ECC – 2 : 2024) framework, the policy should cover network access rules, third-party access, technical protection measures, and physical/environmental safeguards for network devices; it must also be backed by documented standards for device configuration and an identified executive sponsor to approve and enforce the policy.
Technical Implementation
- Draft a concise network security policy document — Create a one- to two-page policy that includes: Network Access Requirements (who can connect and by what methods), Third‑Party Access Requirements (contracts, scopes, remote connection methods), Network Protection Requirements (segmentation, firewall rules, encryption standards), and Physical & Environmental Requirements (locked racks/rooms, temperature/humidity control, cable management). Keep language practical and assign an owner and review cadence (e.g., annual).
- Define and approve device baseline configurations — Produce a short "security technology standard" for each device class (routers, switches, firewalls, wireless APs). Include required firmware levels, default-password removal, SSH/TLS-only management, logging enabled, and a baseline ACL or zone rule-set. Store these baselines under version control (or, at minimum, a controlled shared drive or an IT ticketing config template) and require sign-off by the IT manager and the executive sponsor.
- Implement access controls and segmentation — Enforce least-privilege network access using VLANs or software-defined segmentation, role-based firewall rules, and authentication (RADIUS, TACACS+ or cloud IAM). For SMBs without complex infrastructure, use guest vs. corporate SSIDs, a dedicated management VLAN for network devices, and separate VLANs for contractors and IoT.
- Third-party access processes — Require documented authorization for any vendor access: time-limited VPN accounts, just-in-time privileged access, MFA, and a logging/audit requirement. Include contractual clauses that require vendors to follow the organization’s network access policy and to notify the organization of any security incidents.
- Physical and environmental controls — Secure network devices in locked cabinets or server rooms with access logs, use tamper-evident seals if needed, and add basic environmental monitoring (temperature, humidity, UPS power). For very small offices, a lockable cabinet and a UPS with monitoring are often sufficient.
- Executive approval and ongoing governance — Present the policy and device standards to the organization head (or deputy) for formal approval. Maintain a short approval record (signed PDF or email approval) and schedule periodic reviews and testable controls (e.g., quarterly audits of inventory vs. baseline).
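Added example, not part of the ECC document or any vendor tool: a small checker that compares an IOS-style running configuration against a per-device-class "security technology standard" like the one described above and returns each deviation, which is the kind of repeatable test the quarterly inventory-vs-baseline audit calls for. The baseline patterns, the firmware threshold and the sample configuration are all constructed for this example.

```python
"""Baseline compliance check for one network device configuration."""
import re

# Constructed baseline for the 'switch' device class (hypothetical values).
SWITCH_BASELINE = {
    "min_firmware": (15, 2),              # version 15.2 or newer
    "required": [                         # settings that must be present
        r"^ip ssh version 2$",            # encrypted management only
        r"^logging host \S+$",            # logging to a central collector
        r"^service password-encryption$",
    ],
    "forbidden": [                        # settings that must be absent
        r"^no service password-encryption$",
        r"^ip http server$",              # plaintext web management
        r"^snmp-server community public", # default community string
        r"transport input (telnet|all)",  # clear-text remote management
    ],
}

def check_against_baseline(config: str, baseline: dict) -> list[str]:
    """Return human-readable findings; an empty list means compliant."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    m = re.search(r"^version (\d+)\.(\d+)", config, re.M)
    if not m or (int(m.group(1)), int(m.group(2))) < baseline["min_firmware"]:
        findings.append("firmware below required baseline")
    for pattern in baseline["required"]:
        if not any(re.search(pattern, l) for l in lines):
            findings.append(f"missing required setting: {pattern}")
    for pattern in baseline["forbidden"]:
        for l in lines:
            if re.search(pattern, l):
                findings.append(f"forbidden setting present: {l}")
    return findings

# Constructed running-config excerpt for one office switch (IOS-style).
SAMPLE_CONFIG = """
version 15.2
hostname sw-office-01
no service password-encryption
ip http server
ip ssh version 2
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    for finding in check_against_baseline(SAMPLE_CONFIG, SWITCH_BASELINE):
        print("FAIL:", finding)
```

Running it against the sample reports five deviations (no logging host, password encryption disabled, HTTP management, Telnet allowed); a config with those fixed returns an empty list, which is the pass condition to record in the audit checklist.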
Example in a Small or Medium Business
Acme Creative, a 30-person marketing agency, created a one-page Network Security Policy that lists who can connect to the corporate network, how contractors are granted temporary VPN accounts, and what protections are applied to Wi-Fi and wired ports. The IT lead produced baseline configuration templates for the office firewall and managed switches that require SSH, disable unused services, and push a standard ACL. Network devices were placed in a locked cabinet in a server closet with a UPS and a simple temperature monitor. Third-party vendors must request access through the helpdesk, receive a time-limited VPN account with MFA, and are only placed on a contractor VLAN that cannot reach internal file servers. The IT lead presented the policy and baselines to the CEO, who signed an approval email that is stored with the policy documents. Every quarter the IT lead runs a quick checklist to confirm devices match the baselines, verifies vendor accounts are closed when contracts end, and reports the results to the executive sponsor.
Summary
Defining, documenting, and approving network security requirements combines a clear policy (what is allowed and who is responsible), device standards (how technology must be configured), and executive support (formal sign-off and governance). For SMBs this means creating concise, actionable documents; implementing practical technical controls like segmentation, MFA, and locked device storage; and keeping a simple audit trail of approvals and reviews so the organization can demonstrate compliance and react quickly when change is needed.