Index of Best Practices

The following table lists the best practices and indicates, for each maturity level, whether a best practice has actions associated with it and whether it is a priority action (“Priority”).

  • “Priority” means you should focus on that best practice before other best practices.

  • “In Scope” means you should complete that best practice.

  • “Out of Scope” means the best practice doesn’t apply to you.

For more details on maturities in this Guide, see the maturities descriptions.

To learn how to determine the maturity at which your organization operates, see the maturity determination guide.

CIS’s Community Defense Model drives the ordering of these best practices. We encourage you to follow this order, but every organization is different, so make adjustments as necessary.

For a better understanding of how these priorities were determined and for a better understanding of how to start implementing these best practices, see the prioritized best practices for the Level 1 maturity and Level 2 and Level 3 maturities.

You can use this table as a checklist to help track your progress.

| Best Practice | Level 1 Maturity | Level 2 Maturity | Level 3 Maturity |
|---|---|---|---|
| Addressing Physical Threats | Priority | Priority | Priority |
| Join the EI-ISAC | Priority | Priority | Priority |
| Asset Management | Priority | Priority | Priority |
| Encrypt Data at Rest | Priority | Priority | Priority |
| Encrypt Data in Transit | Priority | Priority | Priority |
| Managing Infrastructure with Secure Configurations | Priority | Priority | Priority |
| User Management | Priority | Priority | Priority |
| Backups | Priority | Priority | Priority |
| Incident Response | Priority | Priority | Priority |
| Building & Managing Staff | Priority | Priority | Priority |
| Patching & Vulnerability Management | In Scope | In Scope | In Scope |
| Remediate Penetration Testing Findings | Out of Scope | Out of Scope | In Scope |
| Internal Penetration Testing | Out of Scope | Out of Scope | In Scope |
| Network Segmentation Based on Sensitivity | In Scope | Priority | Priority |
| Managing Remote Connections | In Scope | Priority | Priority |
| Firewalls & Port Restrictions | In Scope | Priority | Priority |
| Endpoint Protection | In Scope | In Scope | In Scope |
| Malicious Domain Blocking & Reporting | In Scope | In Scope | In Scope |
| Network Monitoring & Intrusion Detection | Out of Scope | In Scope | In Scope |
| Managing Wireless Networks | In Scope | In Scope | In Scope |
| Public Facing Network Scanning | In Scope | In Scope | In Scope |
| Website Security | In Scope | In Scope | In Scope |
| Managing Removable Media | In Scope | In Scope | In Scope |
| Exercising Plans | In Scope | In Scope | In Scope |
| Formal Cybersecurity Assessments | In Scope | In Scope | In Scope |
| Implementing the CIS Controls | In Scope | In Scope | In Scope |
| Managing Mis-, Dis-, & Malinformation | In Scope | In Scope | In Scope |
| Managing Vendors | In Scope | In Scope | In Scope |
| Defense in Depth | In Scope | In Scope | In Scope |
| Artificial Intelligence in Elections | In Scope | In Scope | In Scope |