Prioritizing Best Practices

No one wants to suffer a cybersecurity incident. The intent to protect networks is universal, but resource limitations leave many organizations facing perhaps the most difficult question in all of cybersecurity: What do I do next?

This section prioritizes best practices by mapping each maturity level to the priority best practices that should be implemented by an election office at that maturity level.

Level 1 Maturity

If you are at the Level 1 maturity, your first goal should be to commit to incrementally improving your maturity. This is about setting simple goals: complete one simple task a week, implement one best practice a month, and set aside a minimum set of resources dedicated to cybersecurity every quarter. Whatever helps you make progress.

Level 1 Maturity Baseline Priorities

The following is the list of priority actions at the Level 1 maturity. If you are at the Level 1 maturity, we recommend starting with these to establish a baseline of cyber hygiene.

Actions

  1. Download and complete the worksheets for Level 1 maturity baseline. There are ten worksheets, all in one downloadable file.

    • Together, these fulfill all of the Level 1 baseline priorities. In the table below, the left column is the name of a Level 1 maturity worksheet described here. On that page you can download one file with all ten worksheets. The right column gives the relevant best practice in this Guide for the worksheet tab and, in parentheses, the actions within that best practice that are fulfilled by completing the worksheet tab.

| Worksheet | Best Practice (Actions from the Best Practice Addressed by the Worksheet) |
|---|---|
| Hardware Inventory | Asset Management (Action #1) |
| Software Inventory | Asset Management (Action #1) |
| Data Inventory | Asset Management (Action #1) |
| Service Provider Inventory | Asset Management (Action #1) |
| Account Inventory | Asset Management (Action #1) |
| Asset Protection | |
| Account Security | User Management (All Actions under User Recommendations) |
| Backup & Recovery | Backups (Action #1) |
| Incident Response | Incident Response (Actions #1 and #4) |
| Cyber Education | Building and Managing Staff (Actions #2 and #3) |

While the needed effort can vary greatly depending on the size of your office and number of assets (computers, software, etc.), each worksheet is built to take no more than four hours the first time around and as little as 15 minutes each subsequent time. A suggestion: set aside time to do one a week until you’ve got them all done; then they’re easy to repeat.

Level 1 Maturity Election Priorities

In addition to the above, you should be implementing some measures of particular importance to the election community:

  1. Join the EI-ISAC.

  2. Protect your website with simple and free tools.

  3. Implement an endpoint protection program through a commercial provider or for free through the EI-ISAC.

  4. Implement the malicious domain blocking and reporting tool for free through the EI-ISAC.

  5. Manage your removable media.

Level 2 and Level 3 Maturities

More mature organizations should take a more sophisticated approach to prioritizing best practice implementation.

The CIS Community Defense Model

To help organizations determine where to invest their next dollar in cybersecurity, CIS developed the Community Defense Model (CDM). The CDM was created to help answer that and other questions about the value of the CIS Controls based on currently available threat data from industry reports. Read more about the CIS Controls in the CIS Controls best practice.

Using authoritative data sources like the Verizon Data Breach Investigations Report, CIS identified the top attack types that enterprises should defend against.

For CDM 2.0, the top five attack types are:

  1. Malware

  2. Ransomware

  3. Web Application Hacking

  4. Insider and Privilege Misuse

  5. Targeted Intrusions

Certain techniques are used to execute each of these types of attacks. The CDM uses the MITRE ATT&CK framework to categorize these techniques and sub-techniques. These are mapped to mitigations, such as the Safeguards contained within the CIS Controls and the actions within this Guide’s best practices, that protect against one or more sub-techniques.

Using real-world data, the CDM determines which Safeguards are the most efficient: the Safeguards that mitigate the most sub-techniques and thus, when implemented, are most likely to stop any given attack.
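As an added illustration of the efficiency ranking described above (this is not CIS's code or the CDM 2.0 data), the following Python scores each Safeguard by how many distinct ATT&CK sub-techniques, among those used by the top attack types, it mitigates, ranks Safeguards by that score, and then checks how well a chosen set covers each attack type. The attack-type and mitigation mappings are constructed placeholders; only the Safeguard numbers are taken from the table in this section.

```python
from typing import Dict, Set, List

# Constructed placeholder data (not CDM 2.0): attack type -> ATT&CK (sub-)technique IDs.
ATTACK_TYPES: Dict[str, Set[str]] = {
    "Malware": {"T1566.001", "T1204.002", "T1059.001", "T1547.001"},
    "Ransomware": {"T1566.001", "T1486", "T1078.002", "T1021.001"},
    "Web Application Hacking": {"T1190", "T1505.003", "T1078.003"},
    "Insider and Privilege Misuse": {"T1078.002", "T1078.003", "T1087.002"},
    "Targeted Intrusions": {"T1190", "T1021.001", "T1078.002", "T1059.001"},
}

# Constructed placeholder mapping: Safeguard number -> sub-techniques it mitigates.
# Safeguard numbers are CIS Controls v8 identifiers from the table in this section;
# which sub-techniques each one mitigates here is illustrative only.
SAFEGUARDS: Dict[str, Set[str]] = {
    "4.1": {"T1547.001", "T1059.001", "T1505.003", "T1021.001", "T1553.001"},
    "4.7": {"T1078.002", "T1078.003", "T1021.001"},
    "5.3": {"T1078.002", "T1078.003"},
    "6.5": {"T1078.002", "T1021.001"},
    "2.5": {"T1204.002", "T1059.001"},
}


def efficiency(attack_types: Dict[str, Set[str]], safeguards: Dict[str, Set[str]]) -> Dict[str, int]:
    """Score each Safeguard by the number of distinct in-scope sub-techniques it mitigates.
    Sub-techniques not used by any of the top attack types (e.g. T1553.001 above) do not count."""
    in_scope = set().union(*attack_types.values())
    return {sg: len(mitigated & in_scope) for sg, mitigated in safeguards.items()}


def rank(attack_types: Dict[str, Set[str]], safeguards: Dict[str, Set[str]]) -> List[str]:
    """Safeguards ordered most efficient first; ties broken by Safeguard number."""
    scores = efficiency(attack_types, safeguards)
    return sorted(scores, key=lambda sg: (-scores[sg], sg))


def coverage_by_attack_type(attack_types: Dict[str, Set[str]], safeguards: Dict[str, Set[str]],
                            chosen: List[str]) -> Dict[str, float]:
    """Fraction of each attack type's sub-techniques mitigated by the chosen Safeguards.
    A prioritised list that scores well overall can still leave one attack type thinly covered."""
    mitigated = set().union(*(safeguards[sg] for sg in chosen))
    return {name: len(techs & mitigated) / len(techs) for name, techs in attack_types.items()}


if __name__ == "__main__":
    order = rank(ATTACK_TYPES, SAFEGUARDS)
    print("Ranking:", order)
    print("Coverage of top two:", coverage_by_attack_type(ATTACK_TYPES, SAFEGUARDS, order[:2]))
```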

In the table below, we map the highest efficiency Safeguards from the CIS Controls to the best practices in this Guide to establish the priority best practices. For more details on the efficiency rankings, see Figure 13 of the CDM 2.0.

Mapping of the Most Efficient Safeguards to Priority Best Practices

| Rank | Safeguard | Safeguard Title | Essential Guide Best Practice |
|---|---|---|---|
| 1 | 4.1 | Establish and Maintain a Secure Configuration Process | Managing Infrastructure |
| 2 | 4.7 | Manage Default Accounts on Enterprise Assets and Software | Managing Infrastructure |
| 3 | 5.3 | Disable Dormant Accounts | User Management |
| 4 | 6.1 | Establish an Access Granting Process | User Management |
| 5 | 6.2 | Establish an Access Revoking Process | User Management |
| 6 | 5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts | Managing Infrastructure |
| 7 | 18.3 | Remediate Penetration Test Findings | [Coming in 2022Q3 update] |
| 8 | 18.5 | Perform Periodic Internal Penetration Tests | [Coming in 2022Q3 update] |
| 9 | 6.8 | Define and Maintain Role-Based Access Control | User Management |
| 10 | 4.8 | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | Managing Infrastructure |
| 11 | 3.12 | Segment Data Processing and Storage Based on Sensitivity | [Coming in 2022Q3 update] |
| 12 | 5.2 | Use Unique Passwords | User Management |
| 13 | 6.4 | Require MFA for Remote Network Access | Managing Remote Connections |
| 14 | 6.5 | Require MFA for Administrative Access | User Management |
| 15 | 12.8 | Maintain Dedicated Computing Resources for All Administrative Work | Managing Infrastructure |
| 16 | 2.3 | Address Unauthorized Software | Asset Management |
| 17 | 2.5 | Allowlist Authorized Software | Asset Management |
| 18 | 4.2 | Maintain a Secure Configuration Process for Network Infrastructure | Managing Infrastructure |
| 19 | 4.4 | Implement and Manage a Firewall on Servers | Firewalls and Port Restrictions |
| 20 | 6.3 | Require MFA for Externally-Exposed Applications | User Management |

The best practices in the right column are listed as priority actions in the best practice index and should be implemented first for the Level 2 and Level 3 maturities.