Index of Best Practices

The following table lists the best practices and indicates, for each maturity level, whether they have actions associated with them and whether they are a priority action (“Priority”).

  • “Priority” means you should focus on that best practice before other best practices.

  • “In Scope” means you should complete that best practice.

  • “Out of Scope” means the best practice doesn’t apply to you.

For more details on maturities in this Guide, see the maturities descriptions.

To learn how to determine the maturity at which your organization operates, see the maturity determination guide.

CIS’s Community Defense Model drives the ordering of these best practices. We encourage you to follow this order, but every organization is different, so make adjustments as necessary.

For a better understanding of how these priorities were determined and how to start implementing these best practices, see the prioritized best practices for the Level 1 maturity and Level 2 and Level 3 maturities.

You can use this table as a checklist to help track your progress.

Index of Best Practices

| # | Best Practice | Maturity Priority: Level 1 | Maturity Priority: Level 2 | Maturity Priority: Level 3 |
|---|---------------|----------------------------|----------------------------|----------------------------|
| 1 | Addressing Physical Threats | Priority | Priority | Priority |
| 2 | Join the EI-ISAC | Priority | Priority | Priority |
| 3 | Asset Management | Priority | Priority | Priority |
| 4 | Encrypt Data at Rest | Priority | Priority | Priority |
| 5 | Encrypt Data in Transit | Priority | Priority | Priority |
| 6 | Managing Infrastructure with Secure Configurations | Priority | Priority | Priority |
| 7 | User Management | Priority | Priority | Priority |
| 8 | Backups | Priority | Priority | Priority |
| 9 | Incident Response Planning | Priority | Priority | Priority |
| 10 | Building and Managing Staff | Priority | Priority | Priority |
| 11 | Patching and Vulnerability Management | In scope | In scope | In scope |
| 12 | Remediate Penetration Test Findings | Out of scope | Out of scope | In scope |
| 13 | Perform Internal Penetration Test | Out of scope | Out of scope | In scope |
| 14 | Network Segmentation Based on Sensitivity | In scope | Priority | Priority |
| 15 | Managing Remote Connections | In scope | Priority | Priority |
| 16 | Firewalls and Port Restrictions | In scope | Priority | Priority |
| 17 | Endpoint Protection | In scope | In scope | In scope |
| 18 | Malicious Domain Blocking and Reporting | In scope | In scope | In scope |
| 19 | Network Monitoring and Intrusion Detection | Out of scope | In scope | In scope |
| 20 | Managing Wireless Networks | In scope | In scope | In scope |
| 21 | Public-Facing Network Scanning | In scope | In scope | In scope |
| 22 | Website Security | In scope | In scope | In scope |
| 23 | Managing Removable Media | In scope | In scope | In scope |
| 24 | Exercising Plans | In scope | In scope | In scope |
| 25 | Formal Cybersecurity Assessments | In scope | In scope | In scope |
| 26 | Implementing the CIS Controls | In scope | In scope | In scope |
| 27 | Managing Inaccurate Election Information | In scope | In scope | In scope |
| 28 | Managing Vendors | In scope | In scope | In scope |
| 29 | Defense-in-Depth | In scope | In scope | In scope |
| 30 | Artificial Intelligence in Elections | In scope | In scope | In scope |
| 30 | Preparing for Election Day Disruptions | In scope | In scope | In scope |