Prioritizing Best Practices for the Level 1 maturity

No one wants to suffer a cybersecurity incident. The intent to protect networks is universal, but resource limitations leave many organizations facing perhaps the most difficult question in all of cybersecurity: What do I do next?

This section prioritizes best practices by mapping each maturity level to the priority best practices that should be implemented by an election office at that maturity level.

Level 1 Maturity

If you are at the Level 1 maturity, your first goal should be to commit to incrementally improving your maturity. This is about setting simple goals. For example, complete one simple task a week, implement one best practice a month, and set aside a minimum set of resources dedicated to cybersecurity every quarter. Whatever helps you make progress.

Graphic showing simple goals for improving maturity: one simple task a week, one best practice a month, a minimum set of resources every quarter.

Level 1 Maturity Baseline Priorities

If you are at the Level 1 maturity, we recommend starting with these to establish a baseline of cyber hygiene. This is the starting point for building yourself up to a defense-in-depth posture.

Actions

  1. Download and complete the worksheets for the Level 1 maturity baseline. There are ten worksheets, all in one downloadable file.

    • Together, these fulfill all of the Level 1 baseline priorities.

    • The left column in the table is the name of a Level 1 maturity worksheet described here. On that page you can download one file with all ten worksheets.

    • The right column gives the relevant best practice actions fulfilled by the worksheet(s).

| Worksheet | Actions Fulfilled by the Worksheet |
|---|---|
| Hardware Inventory, Software Inventory, Data Inventory, Service Provider Inventory, Account Inventory | Action 1 of Asset Management |
| Asset Protection | Asset Protection |
| Account Security | All actions under User Recommendations of User Management |
| Backup & Recovery | Action 1 of Backups |
| Incident Response | Actions 1 and 4 of Incident Response |
| Cyber Education | Actions 2 and 3 of Building and Managing Staff |

While effort for each worksheet can vary greatly depending on the size of your office and number of assets (computers, software, etc.), each worksheet is built to take no more than four hours the first time around and as little as 15 minutes each subsequent time. A suggestion: set aside time to do one a week until you’ve got them all done; then they’re easy to repeat.

Level 1 Maturity Election Priorities

In addition to the above, you should be implementing some measures specific to elections:

  1. Join the EI-ISAC.

  2. Protect your website with simple and free tools.

  3. Implement an endpoint protection program through a commercial provider or for free through the EI-ISAC.

  4. Implement the malicious domain blocking and reporting tool for free through the EI-ISAC.

  5. Manage your removable media.

If you complete these, you have implemented all of the priority best practices for the Level 1 maturity! Keep working on other in-scope best practices and work your way up to the Level 2 maturity!