MIL OSI – Headline: New York CIS case study lauds New Zealand security system
SAM for Compliance launches to international support
Auckland, New Zealand, 17 July 2017 – SAM for Compliance, a New Zealand-developed security assessment and compliance system, has got off to a great start, with a favourable case study review by the prestigious Albany, New York-based Center for Internet Security (CIS).
Launched in April, SAM for Compliance provides a cloud-based service that assists organisations to self-assess and manage compliance to meet the CIS Controls and other security standards. The service includes integrated activity and task management functions for users to keep track of the actions required for reducing information-related risk. SAM for Compliance includes a dashboard, trend graphs and management reports to keep organisations informed about their compliance status and progress.
Tony Krzyzewski, co-founder and director of SAM for Compliance, says the impetus to develop SAM was a cure for his own frustration.
“I became increasingly frustrated as to why people were not implementing security changes based on internal and external assessments, so decided to do something about it. SAM for Compliance is the result.”
“As I investigated why companies weren’t implementing security policies and processes to meet best practice guidelines and established standards, I discovered that for many companies it has become almost too hard. It’s not that companies don’t want to implement good security practices, it’s just that at first glance there are so many different standards and guidelines that it has become increasingly difficult for them to keep track,” says Krzyzewski.
Krzyzewski says that the SAM for Compliance system is unique in the market because it is not just a set of technical answers.
“Unlike purely technical solutions, SAM’s self-assessment is designed to help improve the technical, process and governance factors necessary for a successful implementation of the CIS Controls.”
“Each CIS Control requirement in the system has associated notes, actions, and tasks so that improvements can be managed and tracked. An exception marker and associated register are also implemented within the system. The system incorporates online workbooks covering all of the requirements within CIS Controls, with an assessment against each requirement being performed on a graded scale as to how well the organisation is implementing the Control requirements,” says Krzyzewski.
According to Krzyzewski, information from the individual workbooks collates into categories that show at a glance how well an organisation is performing and clearly show where further action is required. The categories then collate into a dashboard view and are also trend-tracked over time with associated graphs and reports.
“I see CIS Controls as being an extremely important tool in assisting organisations to protect their information assets. The Controls provide a pragmatic and achievable set of requirements that are shown to reduce the level of information security related risk,” says Krzyzewski.
SAM for Compliance is available in a range of configurations, aimed at providing optimum information security processes and policies for government departments, public companies, small to medium businesses, and not-for-profit organisations. The range includes SAM-CIS Controls in foundational and advanced versions and SAM-Security, which offers a system-based approach to managing compliance with CIS Controls, in combination with the NIST Cyber Security Framework, for improving critical infrastructure cybersecurity.
With SAM-Security the emphasis is on achieving a prescribed level of compliance and assessing current capabilities. It offers a choice of three information security frameworks tailored to suit particular sizes of organisation, where resources may be limited but there is still a desire to improve information security capability.
SAM-PCI provides an assessment, management and reporting system for organisations requiring compliance with the Payment Card Industry Data Security Standard and helps manage the processes associated with protecting card data.
“Information security is not a one-size-fits-all situation, but needs to be tailored to an organisation’s requirements and obligations, while being realistically balanced against available resources. Setting unrealistic goals just discourages everybody involved,” says Krzyzewski.
Of particular interest to New Zealand government departments is SAM-NZISM, which is designed to make it easier to implement the controls contained in the New Zealand Information Security Manual.
“The SAM-NZISM system incorporates every requirement of NZISM broken down into easy-to-manage work plans with action and task management available for every NZISM control. Information within the work plans is collated and displayed, making it easy for government departments to access, manage, improve, track, and report on NZISM compliance over time,” says Krzyzewski.
Krzyzewski says SAM for Compliance can also provide training and external assessment services for initial and ongoing risk reviews, as well as remediation-related professional services, for organisations that need short-term external support because they do not have the required internal resources.
“Globally, SAM provides training for other professional services wishing to use SAM as a tool for managing and reducing risk within their client’s business,” says Krzyzewski.
About SAM for Compliance
SAM for Compliance is a New Zealand-based company that develops and supports a range of cloud-based security assessment and compliance assessment systems. SAM for Compliance systems are designed to enable organisations of all sizes to easily and efficiently ensure that their information systems are secure and meet current best practices for their government or industry sector.
CIS is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organisations against cyber threats. The CIS Controls and CIS Benchmarks are the global standard and recognised best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC®), the go-to resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities.