Could implement a set of call policy rules (VCS configuration > Call Policy) on the VCS-E to allow/deny certain incoming calls. The rules will be handled top down, so the very last rule you'd want it to be the deny, and all allows above that.
Example CLP that will deny all incoming traffic, but allow traffic from Cisco.com domains written as an XML file:
You can either write your own set of rules in an XML file, or use the VCS's web interface to write them.
Be sure you do extensive testing using the Locate tool in the VCS to verify the desired results you want, and to make sure you don't block someone you meant to allow access to call in.
I'd suggest you take a look at the VCS admin guide, and on the forums here, both contain plenty of examples that can greatly help.