Maturity

There are two formal maturity models for information security, one of which comes from National Institute of Standards and Technology. The Program Review for Information Security Assistance, or PRISMA, is based upon five levels of maturity: Policy, Procedures, Implementation, Test, and Integration. The organization is not using external information to inform its practices nor event management and does not share information externally. Often the organization is not aware of the impact on the cyber security risk of its customers. When the organization enters the repeatable tier, cyber risk management practices are formally expressed as policy, the practices are regularly updated based upon changes to business mission requirements, threat, and technology changes. There is an organizationally wide approach to manage cyber security risk, risk informed processes and procedures are defined, implemented, and reviewed. The budget is based upon risk tolerance, and cyber security risk is managed on an organizational wide basis.