Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-10-3 – The cybersecurity requirements for technical vulnerabilities management must include at least the following:
Understanding the Requirement
This control is part of the Essential Cybersecurity Controls (ECC – 2 : 2024) framework. At a high level, it requires an organized technical vulnerability management program composed of the five sub-elements listed as 2-10-3-1 through 2-10-3-5. Together these items define a lifecycle approach: discovering or tracking vulnerabilities, assessing their impact, prioritizing actions, applying mitigations or fixes, and verifying that remediation is effective (including handling accepted exceptions). For an SMB this means formalizing simple, repeatable steps so vulnerabilities are identified, risk-rated, remediated, and documented on an ongoing basis.
Technical Implementation
- Create and maintain an asset inventory tied to vulnerability scans. Use an up-to-date list of servers, workstations, network devices, and cloud resources. Schedule automated authenticated scans (weekly or at least monthly) for internet-facing and critical internal assets; use lightweight agents on endpoints where possible, and scheduled network scans for devices that cannot run an agent.
- Implement a risk-based prioritization process. Map scan results to a simple risk matrix that considers CVSS score, asset criticality (business function, data sensitivity), and exposure (public internet vs internal). Prioritize remediation for high-severity findings on critical or internet-facing assets within defined SLAs (e.g., 7 days for critical, 30 days for high).
- Define and execute remediation actions and compensating controls. For each prioritized finding, assign an owner, choose a remediation method (patch, configuration change, removal), or apply a compensating control (network segmentation, host firewall rule) if immediate patching isn’t possible. Track progress in a ticketing system and set escalation for overdue items.
- Test and verify remediation. After applying patches or controls, re-scan the affected assets to confirm the vulnerability is resolved. Keep evidence (scan reports, change tickets, screenshots of configuration) logged for audit and future trend analysis.
- Establish exception handling and reporting. Define how and when exceptions are approved, time-limited, and reviewed (e.g., exceptions must have business justification, compensating controls, and a review cadence of 30–90 days). Produce a monthly dashboard for leadership showing open vulnerabilities, average time-to-remediate, and exceptions.
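The five steps above form one lifecycle, so the following added example (written for this page, not code from the ECC framework or any scanner product) carries a constructed set of scan findings through it end to end: a risk matrix that combines CVSS with asset criticality and exposure, SLA due dates (7 days critical, 30 days high, with the medium and low figures assumed), re-scan verification that only closes a ticket when the finding is gone, exception records that must carry a justification, a compensating control and a 30 to 90 day review window, and the monthly dashboard figures. The asset names, vulnerability identifiers and report file names are placeholders; the "one step up for internet-facing, one step up for critical asset" weighting is an assumed policy choice.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed sample policy and data (placeholders, not real assets or CVEs);
# SLA figures follow the text above, medium/low values are assumed.
ASSET_REGISTER = {
    "web-01":  {"criticality": "critical", "exposure": "internet"},
    "db-01":   {"criticality": "critical", "exposure": "internal"},
    "lap-042": {"criticality": "general",  "exposure": "internal"},
}
TIERS = ["low", "medium", "high", "critical"]
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    asset: str
    vuln_id: str      # placeholder identifier, not a real CVE
    cvss: float
    found: date

@dataclass
class Ticket:
    finding: Finding
    tier: str
    due: date
    owner: str
    status: str = "open"
    closed_on: Optional[date] = None
    evidence: list = field(default_factory=list)

@dataclass
class Exception_:
    ticket: Ticket
    justification: str
    compensating_control: str
    approved: date
    review_days: int = 30

def priority(finding, register):
    """Risk matrix: base tier from CVSS, raised one step for 'internet-facing' and
    one step for 'critical asset' (assumed weighting), capped at critical."""
    idx = 3 if finding.cvss >= 9.0 else 2 if finding.cvss >= 7.0 else 1 if finding.cvss >= 4.0 else 0
    meta = register[finding.asset]
    idx += meta["exposure"] == "internet"
    idx += meta["criticality"] == "critical"
    return TIERS[min(idx, 3)]

def triage(findings, register, owner="it-lead"):
    """Turn scan findings into owned tickets with SLA due dates, most urgent first."""
    tickets = [Ticket(f, t, f.found + timedelta(days=SLA_DAYS[t]), owner)
               for f in findings for t in [priority(f, register)]]
    tickets.sort(key=lambda t: (-TIERS.index(t.tier), t.due))
    return tickets

def verify(ticket, rescan_ids, report_ref, on):
    """Close only when the re-scan no longer reports the finding; keep the report as evidence."""
    if ticket.finding.vuln_id in rescan_ids:
        return False              # fix did not take; ticket stays open against its SLA
    ticket.status, ticket.closed_on = "closed", on
    ticket.evidence.append(report_ref)
    return True

def exception_state(exc, today):
    """An exception needs a justification, a compensating control and a 30-90 day review window."""
    if not exc.justification or not exc.compensating_control or not 30 <= exc.review_days <= 90:
        return "invalid"
    return "expired" if today > exc.approved + timedelta(days=exc.review_days) else "active"

def overdue(tickets, today):
    return [t for t in tickets if t.status == "open" and today > t.due]

def dashboard(tickets, exceptions, today):
    """Monthly leadership view: open/overdue counts, mean days to remediate, active exceptions."""
    closed = [t for t in tickets if t.status == "closed"]
    ttr = [(t.closed_on - t.finding.found).days for t in closed]
    return {
        "open": sum(t.status == "open" for t in tickets),
        "overdue": len(overdue(tickets, today)),
        "mean_days_to_remediate": round(sum(ttr) / len(ttr), 1) if ttr else None,
        "active_exceptions": sum(exception_state(e, today) == "active" for e in exceptions),
    }

# Constructed scan output for the three placeholder assets above.
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-PLACEHOLDER-1", 7.5, date(2024, 3, 1)),
    Finding("db-01", "VULN-PLACEHOLDER-2", 5.0, date(2024, 3, 1)),
    Finding("lap-042", "VULN-PLACEHOLDER-3", 9.8, date(2024, 3, 2)),
]

def demo():
    """One cycle: triage, a failed then a successful verification, an exception, a dashboard."""
    tickets = triage(SAMPLE_FINDINGS, ASSET_REGISTER)
    web = tickets[0]
    first_try = verify(web, {"VULN-PLACEHOLDER-1"}, "rescan-0305.pdf", date(2024, 3, 5))
    second_try = verify(web, set(), "rescan-0306.pdf", date(2024, 3, 6))
    exc = Exception_(tickets[2], "vendor patch breaks app", "host firewall rule", date(2024, 3, 5))
    return {
        "tiers": [t.tier for t in tickets],
        "due": [t.due.isoformat() for t in tickets],
        "first_try": first_try, "second_try": second_try, "evidence": web.evidence,
        "exception_now": exception_state(exc, date(2024, 4, 1)),
        "exception_later": exception_state(exc, date(2024, 4, 5)),
        "dashboard": dashboard(tickets, [exc], date(2024, 3, 10)),
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the internet-facing web server's 7.5 finding outranking the laptop's 9.8 finding on due date, the first verification refusing to close the ticket because the re-scan still lists the finding, and the dashboard counting the laptop ticket as overdue on 10 March while the database exception is still within its review window.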
Example in a Small or Medium Business
AcmeCo is a 75-person professional services firm that hosts client data on a small cloud environment and uses a mix of Windows laptops and Linux servers. They implement control 2-10-3 by first putting together a simple asset register in a spreadsheet and tagging each asset as critical, important, or general. They run authenticated vulnerability scans on servers every week and a lighter scan on employee laptops every two weeks. Scan results populate a ticketing queue where the IT lead triages based on severity and criticality: critical public-facing issues get a 7-day SLA and are patched within an emergency change window; high-severity internal findings are scheduled into the next maintenance cycle. When a patch cannot be applied immediately to a production server, the team applies a temporary firewall rule and documents the compensating control and an exception approval that expires in 30 days. After remediation, the team re-scans the host to verify the fix and attaches the report to the ticket. Each month the CTO reviews a concise dashboard showing open vulnerabilities, SLA compliance, and any active exceptions to ensure ongoing visibility and continuous improvement.
Summary
Implementing control 2-10-3 means establishing a repeatable vulnerability management lifecycle: inventory and scanning, risk-based prioritization, assigned remediation with compensating controls, verification of fixes, and documented exception handling. For SMBs, the practical path is to automate scanning where possible, use simple risk matrices and SLAs to focus scarce resources, track work in an existing ticketing tool, and maintain evidence of remediation. These combined policy and technical measures ensure vulnerabilities are identified, acted on, and validated in a way that meets the control’s expectations while remaining achievable for small teams.