Computerworld

SAM helps companies comply with CIS Security Controls

A New Zealand-developed cloud service enables organisations to assess and manage their compliance with CIS Controls, a set of best practice guidelines for computer security published by the US-based Center for Internet Security (CIS).

The service, SAM for Compliance, debuted in April and has been featured in the CIS’s latest case study.

CIS says: “SAM has integrated activity and task management functions to keep track of actions required for improvement and reduction in information-related risk, including a dashboard, trend graphs and management reports to keep organisations informed about compliance.”

It explains that, unlike purely technical solutions, SAM for Compliance’s self-assessment process is designed to help improve the technical, process and governance factors necessary for a successful implementation of the CIS Controls.

Tony Krzyzewski, co-founder and director of SAM for Compliance, said the impetus to develop the service had been his own frustration. “I became increasingly frustrated as to why people were not implementing security changes based on internal and external assessments, so decided to do something about it.”

Krzyzewski said implementing security policies and processes to meet best practice guidelines and established standards was too hard for many companies. “It’s not that companies don’t want to implement good security practices, it’s just that at first glance there are so many different standards and guidelines that it has become increasingly difficult for them to keep track,” he said.

Krzyzewski claims the SAM for Compliance system is unique because it is more than a set of technical answers. “Unlike purely technical solutions, SAM’s self-assessment is designed to help improve the technical, process and governance factors necessary for a successful implementation of the CIS Controls.

“Each CIS Control requirement in the system has associated notes, actions, and tasks so that improvements can be managed and tracked. An exception marker and associated register is also implemented within the system.

“The system incorporates online workbooks covering all of the requirements within CIS Controls, with an assessment against each requirement being performed on a graded scale as to how well the organisation is implementing the Control requirements.”

Krzyzewski said SAM for Compliance could also provide training and external assessment services for initial and ongoing risk reviews, as well as remediation-related professional services, for organisations that need short-term external support because they do not have the required internal resources.

The case study on the CIS web site describes Krzyzewski as “a well-known information security practitioner in the New Zealand and Australia region and is considered by many to be a pioneer in the area of cyber security.”

It adds that he is a member of the New Zealand IT Security Standards advisory group that oversees the country’s contribution to the ISO/IEC 27000 series security standards.