Index of Best Practices#

The following table lists the best practices and indicated if they have actions associated with them for each maturity level and if they are a priority action (“Priority”) for each maturity level.

“Priority” means you should focus on that best practice before other best practices.
“In Scope” means you should complete that best practice.
“Out of Scope” means the best practice doesn’t apply to you.

For more details on maturities in this Guide, see the maturities descriptions.

To learn how to determine the maturity at which your organization operates, see the maturity determination guide.

CIS ‘s Community Defense Model drives the ordering of these best practices. We encourage you to follow this order, but every organization is different, so make adjustments as necessary.

For a better understanding of how these priorities were determined and for a better understanding of how to start implementing these best practices, see the prioritized best practices for the Level 1 maturity and Level 2 and Level 3 maturities.

You can use this table as a checklist to help track your progress.

Index of Best Practices#
✓	#	Best Practice	Maturity Priorities
✓	#	Best Practice	Level 1	Level 2	Level 3
	1	Addressing Physical Threats	Priority	Priority	Priority
	2	Join the EI-ISAC	Priority	Priority	Priority
	3	Asset Management	Priority	Priority	Priority
	4	Encrypt Data at Rest	Priority	Priority	Priority
	5	Encrypt Data in Transit	Priority	Priority	Priority
	6	Managing Infrastructure with Secure Configurations	Priority	Priority	Priority
	7	User Management	Priority	Priority	Priority
	8	Backups	Priority	Priority	Priority
	9	Incident Response Planning	Priority	Priority	Priority
	10	Building and Managing Staff	Priority	Priority	Priority
	11	Patching and Vulnerability Management	In scope	In scope	In scope
	12	Remediate Penetration Test Findings	Out of scope	Out of scope	In scope
	13	Perform Internal Penetration Test	Out of scope	Out of scope	In scope
	14	Network Segmentation Based on Sensitivity	In scope	Priority	Priority
	15	Managing Remote Connections	In scope	Priority	Priority
	16	Firewalls and Port Restrictions	In scope	Priority	Priority
	17	Endpoint Protection	In scope	In scope	In scope
	18	Malicious Domain Blocking and Reporting	In scope	In scope	In scope
	19	Network Monitoring and Intrusion Detection	Out of scope	In scope	In scope
	20	Managing Wireless Networks	In scope	In scope	In scope
	21	Public-Facing Network Scanning	In scope	In scope	In scope
	22	Website Security	In scope	In scope	In scope
	23	Managing Removable Media	In scope	In scope	In scope
	24	Exercising Plans	In scope	In scope	In scope
	25	Formal Cybersecurity Assessments	In scope	In scope	In scope
	26	Implementing the CIS Controls	In scope	In scope	In scope
	27	Managing Inaccurate Election Information	In scope	In scope	In scope
	28	Managing Vendors	In scope	In scope	In scope
	29	Defense-in-Depth	In scope	In scope	In scope
	30	Artificial Intelligence in Elections	In scope	In scope	In scope
	30	Preparing for Election Day Disruptions	In scope	In scope	In scope