Information Security Multiprofile Maturity Model (ISM3)

The paper examines a Multiple Profile Model of Information Security Maturity (ISM3), uncomplicated and clear, aimed at generating particular (Individual) Information Security Profiles (PISI). ISM3 is based on currently known best practices for information security / regulatory frameworks, e.g. OISM3: 2017, NIST SP 800-53 rev.5 (2020), NIST 800-207 Zero Trust Architecture (2020), ISO / IEC 27001: 2013, PCI-DSS 3.2.1 (2018), COBIT 5: 2012, COBIT: 2019, ISO / IEC 20000-1: 2018, ITIL v4: 2019 etc. The ISM3 flexibility allows the addition, deletion, modification of new structured knowledge concerning the existing threats and risks, controls and metrics expected for the assessment of InfoSec maturity level. ISM3 is accompanied by a software tool application, which allows the generation of individual security profiles for specific information of certain industries (PMSITI), e.g. education, banking, medicine; at a concrete entity level, e.g. State University of Moldova, commercial bank, private hospital; at some InfoSec subdivision or area levels/spheres, of an entity, e.g. the commercial payments department of the Commercial Bank or the information systems security area with specific requirements for the internal/external context, with target values of the evaluation criteria and specific metrics for criteria measurement. Furthermore, PISI can be used for measurement and assessment of InfoSec maturity either in internal self-assessment missions or in external conformity assessment missions and / or advisory missions and / or to compare the maturity of some typical organizations belonging to a certain industry. The PISI assessment report reflects the scope and current status of the InfoSec, the specific risks and threats, and suggests recommended targets for improvement.