Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-8-2 – The cybersecurity requirements for cryptography must be implemented.
Understanding the Requirement
This control from the Essential Cybersecurity Controls (ECC – 2 : 2024) framework requires your organization to implement and enforce approved cryptography practices across systems and data flows. At a practical level that means documenting cryptography procedures, selecting approved algorithms and hashes, protecting keys through their full lifecycle, encrypting data at rest and in transit based on classification and regulation, and ensuring public-facing services use trusted TLS certificates.
Technical Implementation
- Create and publish an approved cryptography procedure that maps to business needs and applicable regulations. Define allowed algorithms (e.g., AES-256 for symmetric, RSA/ECC with acceptable key lengths for asymmetric, and approved hash functions) and state any restrictions (legacy protocols, prohibited ciphers).
- Inventory cryptographic uses and assets. Identify where encryption is required: databases, backups, file shares, mobile devices, APIs, and third-party integrations. Record the cryptographic method, key owner, and where keys are stored.
- Use a central key management approach. For SMBs, leverage cloud Key Management Services (KMS) or an on-premises HSM for high-value keys. Implement policies for key generation, storage, rotation, archival, and secure destruction. Enforce role-based access to keys and log all key operations.
- Encrypt data in transit and at rest according to classification and legal requirements. Enforce TLS 1.2+ (preferably 1.3) for web and API traffic, use database encryption (TDE or application-layer encryption) for sensitive records, and ensure backups are encrypted before leaving the environment.
- Manage certificates proactively. Use certificates issued by trusted Certificate Authorities for public-facing services, automate issuance and renewal where possible (managed CA or enterprise PKI), and monitor certificate expiration to avoid outages and weak configurations.
- Validate and test cryptography controls. Periodically run configuration scans (cipher suites, protocol support), perform penetration tests that include crypto validation, and schedule audits to confirm compliance with the cryptography procedures.
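To make the steps above concrete, here is an added policy-as-code check (written for this page, not part of the ECC framework or any vendor tool) that evaluates an inventory of cryptographic uses against an approved-cryptography procedure: protocol versions, cipher-suite primitives, key sizes, rotation age and certificate expiry. The policy thresholds, asset names and inventory records are constructed sample data.

```python
from collections import namedtuple
from datetime import date

# Approved-cryptography procedure expressed as data (constructed policy values).
# A bare "SHA" token in a suite name means SHA-1 (..._CBC_SHA); SHA256/SHA384 pass.
POLICY = {
    "protocols": {"TLSv1.2", "TLSv1.3"},
    "banned_tokens": {"NULL", "EXPORT", "RC4", "DES", "3DES", "MD5", "SHA"},
    "min_key_bits": {"RSA": 2048, "EC": 256, "AES": 128},
    "max_key_age_days": 365,  # annual rotation
    "cert_warn_days": 30,     # warn before expiry causes an outage
}

# One inventory record: TLS versions and IANA suite names the service offers (empty
# for data at rest), key type/size, last rotation date, certificate expiry (or None).
CryptoAsset = namedtuple("CryptoAsset", "name protocols cipher_suites key_type "
                         "key_bits key_rotated cert_expires", defaults=(None,))

def suite_violations(suite: str) -> set:
    """Banned primitives named in an IANA cipher-suite string."""
    return set(suite.split("_")) & POLICY["banned_tokens"]

def check_asset(a: CryptoAsset, today: date) -> list:
    """Compare one inventory record against the procedure; return findings."""
    f = [f"{a.name}: unapproved protocol {p}" for p in sorted(a.protocols - POLICY["protocols"])]
    for suite in sorted(a.cipher_suites):
        if bad := suite_violations(suite):
            f.append(f"{a.name}: suite {suite} uses {', '.join(sorted(bad))}")
    min_bits = POLICY["min_key_bits"].get(a.key_type)
    if min_bits is None or a.key_bits < min_bits:
        f.append(f"{a.name}: {a.key_type}-{a.key_bits} key not approved")
    if (age := (today - a.key_rotated).days) > POLICY["max_key_age_days"]:
        f.append(f"{a.name}: key not rotated for {age} days")
    if a.cert_expires and (left := (a.cert_expires - today).days) < POLICY["cert_warn_days"]:
        f.append(f"{a.name}: certificate expires in {left} days")
    return f
def check_inventory(assets, today: date) -> list:
    return [x for a in assets for x in check_asset(a, today)]

# Constructed sample inventory and a fixed assessment date for reproducible output.
TODAY = date(2025, 1, 15)
SAMPLE_INVENTORY = [
    CryptoAsset("client-portal", {"TLSv1.2", "TLSv1.3"},
                {"TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
                "RSA", 3072, date(2024, 6, 1), date(2025, 4, 30)),
    CryptoAsset("legacy-sftp-gateway", {"TLSv1.0", "TLSv1.2"},
                {"TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
                "RSA", 1024, date(2023, 3, 1), date(2025, 1, 20)),
    CryptoAsset("backup-bucket", set(), set(), "AES", 256, date(2024, 2, 1)),
]
```

Running `check_inventory(SAMPLE_INVENTORY, TODAY)` reports nothing for the compliant portal and backup store, and five findings for the legacy gateway; in practice the inventory records would be fed from the configuration scans and key-management logs the procedure requires.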
Example in a Small or Medium Business
Riverbend Accounting is a 40-person SMB that handles client financial records and offers a client portal. Leadership adopted a cryptography procedure that lists approved algorithms, key lifecycles, and responsibilities for system owners. They scanned their environment to create an inventory: web servers, database servers, backups, and several third-party integrations. For keys and certificates they use the cloud provider's KMS for symmetric keys and a managed Certificate Authority for TLS certificates, with automated renewal to prevent expiry. Databases were configured with transparent data encryption and application-layer encryption for highly sensitive fields (SSNs and bank details). Backups are encrypted on creation and stored with restricted access, and keys are rotated annually with emergency rotation procedures in place. The IT team runs quarterly checks on TLS configurations and scheduled audits to ensure hash functions and ciphers remain within the approved list, and staff receive a short briefing on handling keys when provisioning or decommissioning services.
Summary
Implementing this control combines policy and technical controls: a clear cryptography procedure sets allowed algorithms, key roles, and compliance rules, while inventories, KMS/HSM usage, encryption for transit and storage, managed TLS certificates, and regular testing enforce the policy. For SMBs this approach is practical and cost-effective because it leverages managed services where appropriate, reduces the risk of misconfigured crypto, and creates repeatable processes for protecting sensitive data throughout its lifecycle.