Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-7-3 – The cybersecurity requirements for protecting and handling data and information must include at least the applicable requirements in Data Cybersecurity Controls published by NCA.
Understanding the Requirement
This control requires organizations to adopt and implement the data protection and handling measures defined in the NCA Data Cybersecurity Controls. For an SMB that means formally identifying what data you hold, applying the specific handling rules (classification, access, retention, and disposal) that apply to each data type, and ensuring technical and administrative controls enforce those rules consistently across systems and suppliers. In short, you must map applicable NCA data-control requirements to your environment and operationalize them through policies, configuration, and monitoring.
Technical Implementation
- Perform a data inventory and classification: discover and catalog every data store (databases, file servers, cloud storage, mailboxes, backup repositories and ad-hoc exports, which are where forgotten copies usually live). Label data by sensitivity (for example public, internal, confidential, regulated/PII). Use automated scanning tools where possible (file scanners, database connectors), test the detectors against known sample records so false positives do not flood the catalog, and record an owner and a retention rule for each dataset.
- Translate the NCA data rules into concrete policies and access controls: define who may view, modify, export and delete each classification. Implement role-based access control (RBAC), enforce least privilege and review group memberships periodically so access does not accumulate. Integrate with your identity provider (SSO) and require multi-factor authentication for privileged access at minimum.
- Apply technical protections: encrypt sensitive data at rest and in transit (use established algorithms such as AES-256 for storage and TLS 1.2 or later, preferably TLS 1.3, for transport, with older protocol versions disabled). Manage encryption keys securely (a KMS or cloud-managed key service), keep key administration separate from data administration where possible, and limit key access to authorized administrators only.
- Prevent data loss and misuse: deploy Data Loss Prevention (DLP) controls at endpoints, mail gateways and cloud apps to detect and block unauthorized exfiltration of regulated or confidential data. Drive the DLP rules from the classification labels rather than from ad-hoc keyword lists, add automated quarantine or alerting workflows, and remember that content inspection cannot see inside encrypted or password-protected archives, so such attachments need a rule of their own.
- Contractual and supplier controls: require vendors and cloud providers to meet the same applicable data-handling requirements. Include security and data-processing clauses in agreements (including incident notification timelines), ask for SOC 2 or equivalent assurance reports as evidence, and restrict subcontractor access to only the data they need.
- Monitoring, logging and retention: enable detailed access and event logging for every system that stores or processes sensitive data, and forward the logs to a central store that the administrators of those systems cannot alter. Retain logs for the period your policy requires, review them regularly (automated alerts for anomalous access, such as bulk downloads or access outside working hours), and perform periodic audits to confirm the controls are effective.
Example in a Small or Medium Business
A regional healthcare billing company identified customer records, invoices, and employee HR files as their primary sensitive datasets. They performed a short data discovery project to locate copies of these files across on-prem servers and cloud storage, then labeled them as "confidential" in a simple catalog with assigned owners and retention periods. The company updated its access policies: billing staff kept read/write access to invoice systems, while HR documents were restricted to HR personnel via RBAC integrated with their SSO provider and mandatory MFA. They enabled AES-256 encryption for cloud storage and enforced TLS for all application traffic. To prevent accidental leaks, the IT team deployed a lightweight DLP policy that blocks attachment of files classified as confidential to external email and flags uploads to personal cloud accounts. Contracts with their cloud provider and outsourced collection agency were revised to require equivalent data-handling practices and incident notification timelines. Finally, IT configured logging for file access and set up weekly reports for unusual downloads; the practice of quarterly audits and refresher training helped keep staff aware of correct handling procedures.
Summary
Meeting Control 2-7-3 means converting the NCA Data Cybersecurity Controls into day-to-day policies and technical safeguards: classify your data, restrict and monitor access, encrypt sensitive information, apply DLP protections, and ensure suppliers follow the same rules. For SMBs this is achievable with a phased approach—inventory and classification first, then focused technical controls and contractual guarantees—backed by monitoring and periodic review to demonstrate ongoing compliance and reduce the risk of data loss or misuse.