Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-5-3 – The cybersecurity requirements for network security management must include at least the following:
Understanding the Requirement
This control, from the Essential Cybersecurity Controls (ECC – 2 : 2024), requires a formal network security management program that covers the nine objectives numbered 2-5-3-1 through 2-5-3-9. In practice that means an SMB must identify and inventory network assets, apply secure configurations and segmentation, enforce perimeter and internal access controls, secure remote access and encryption, implement monitoring and logging, maintain change-control and configuration backups, and perform periodic reviews and testing. The goal is to make the network resilient, auditable, and controlled so that risks are reduced and incidents can be detected and contained quickly.
Technical Implementation
- Inventory and network map: Maintain an up-to-date asset inventory and network diagram (physical and logical). Record IP ranges, VLANs, firewall/edge device models, and services. For SMBs, use a simple CMDB or spreadsheet tied to discovery scans (e.g., periodic Nmap or managed scanning) and update on every change.
- Segmentation and least privilege: Implement VLANs or subnet separation for critical systems (servers, finance, HR), user workstations, and guest Wi‑Fi. Apply ACLs or firewall rules between zones so only required ports and protocols are allowed; block lateral movement by default.
- Harden and standardize device configurations: Establish secure baselines for routers, switches, firewalls, and wireless controllers. Use vendor-recommended hardening guides, disable unused services, enforce strong administrative passwords (or certificates), and store encrypted backups of configs off-device.
- Perimeter and internal controls: Deploy a stateful firewall or UTM with documented rule sets, and maintain a change-log for every rule change. Where possible, enable intrusion prevention/IDS and web filtering. Regularly review and retire unused rules (quarterly).
- Secure remote access: Require MFA for VPN and remote management, limit management-plane access to a jump server or management VLAN, and use modern protocols (IKEv2, OpenVPN, or cloud-managed zero-trust access) with strong cipher suites and session logging.
- Monitoring, logging and change control: Forward network device logs to a centralized syslog or lightweight SIEM (cloud options are cost-effective for SMBs). Retain logs for an agreed period (e.g., 90 days) and configure alerting for suspicious events. Implement a documented change control process (tickets, approvals, rollback plan) for network changes and test restores of device configs quarterly.
Example in a Small or Medium Business
BrightLine Accounting is a 40-person firm that needs to protect client financial data while supporting remote staff. They began by running a discovery scan and producing a network map that identified two critical server subnets, employee workstations, and a separate guest Wi‑Fi VLAN. The IT lead implemented VLAN segmentation so client data servers only communicate with application servers and the backup appliance; employee workstations cannot access the server management interfaces. They standardized configurations on the edge firewall and switches using a baseline template and backed up configuration files to an encrypted cloud storage bucket. Remote users connect through a VPN that requires company SSO plus MFA, and administrative access to devices is restricted to a management VLAN and a bastion host. Logs from firewalls and the VPN concentrator are forwarded to a managed log service with alerts for repeated failed logins and unusual port scans. Every network change is submitted and approved via their ticketing system, and they conduct a quarterly review of firewall rules and a tabletop exercise to validate detection and response actions.
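The alerting called for under "Monitoring, logging and change control" and used in the BrightLine example (repeated failed VPN logins, unusual port scans) can be checked with a small detection pass over the centralized logs. The following is an added example, not part of the control text or of any vendor product; it assumes a generic syslog-style key=value line shape and constructed sample lines, so LINE_RE and the field names would need adapting to a real device's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from any real device): VPN auth results and
# firewall denies in a generic key=value shape, with one benign case for each rule.
SAMPLE_LOGS = "\n".join(
    [f"2024-05-06T09:00:{s:02d} vpn01 auth user=alice src=203.0.113.10 result=FAIL" for s in (1, 5, 9, 14, 20)]
    + ["2024-05-06T09:30:00 vpn01 auth user=bob src=198.51.100.7 result=FAIL",
       "2024-05-06T09:05:00 fw01 deny src=10.10.30.9 dst=10.10.20.5 dport=445 proto=tcp"]
    + [f"2024-05-06T09:02:{i:02d} fw01 deny src=192.0.2.44 dst=10.10.20.5 dport={20 + i} proto=tcp" for i in range(12)])
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")  # timestamp host kind key=value ... (assumed shape)

def parse_logs(text):
    """Parse syslog-style lines into dicts; lines that do not match the shape are skipped."""
    events = []
    for m in filter(None, (LINE_RE.match(line.strip()) for line in text.splitlines())):
        ts, host, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields})
    return events

def failed_login_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one (user, src) pair fails VPN auth `threshold` times inside `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["kind"] == "auth" and e.get("result") == "FAIL":
            fails[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), times in fails.items():
        times.sort()  # any `threshold` consecutive failures spanning <= `window` trips the rule
        if any(times[i] - times[i - threshold + 1] <= window for i in range(threshold - 1, len(times))):
            alerts.append({"user": user, "src": src, "failures": len(times)})
    return alerts

def port_scan_alerts(events, min_ports=10, window=timedelta(minutes=5)):
    """Alert when one source is denied to `min_ports` distinct ports on one host inside `window`."""
    denies = defaultdict(list)
    for e in events:
        if e["kind"] == "deny":
            denies[(e["src"], e["dst"])].append((e["ts"], int(e["dport"])))
    alerts = []
    for (src, dst), hits in sorted(denies.items()):
        for start, _ in sorted(hits):  # distinct ports inside the window opening at each deny
            ports = {p for t, p in hits if start <= t <= start + window}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": len(ports)})
                break
    return alerts
```

Thresholds and windows are starting points to tune against the firm's own baseline; a single failure or a single denied port, as in the benign sample lines, should not page anyone.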
Summary
Implementing this control is a mix of clear policy and practical technical steps: a documented inventory and network map, segmentation and hardened baselines, strict perimeter and remote access controls, centralized logging, and a formal change-control process. For SMBs these measures are achievable with modest tooling (managed services, cloud logging, and standard firewall features) and regular operational discipline: quarterly reviews, rule cleanups, and configuration backups keep the network secure, auditable, and resilient to incidents while meeting the objectives set out in the control.