SAM for Compliance and the CIS Controls
SAM for Compliance offers a self-assessment and management system on your desktop for security and compliance.
A New Zealand-based firm, SAM for Compliance (SAM), provides a cloud-based service that assists organizations in self-assessing and managing their compliance with the CIS Controls and other standards. SAM integrates activity and task management functions to keep track of the actions required for improvement and for reducing information-related risk, together with a dashboard, trend graphs and management reports that keep organizations informed about their compliance status. Tony Krzyzewski, Director at SAM for Compliance Ltd, stated, “Over the years, I have become increasingly frustrated as to why people are not implementing security changes based on audit results, so decided to do something about it.” Mr. Krzyzewski has been performing technical security audits against organization networks and systems since 1994, and fellow Director, Mrs. Jackie Krzyzewski, is a former local authority Information Technology Manager. “Our intent of the system is to make it easy for organizations to determine how well they comply with a defined set of requirements and then do something about the areas where they are weak,” commented Mr. Krzyzewski.
Unlike purely technical solutions, the SAM-CIS Controls self-assessment is designed to help improve the technical, process and governance factors necessary for a successful implementation of the CIS Controls. Each CIS Control requirement in the system has associated notes, actions, and tasks so that improvements can be managed and tracked. An exception marker and an associated exception register are also implemented within the system. The system incorporates online workbooks covering all of the requirements within the CIS Controls, with an assessment against each requirement performed on a graded scale reflecting how well the organization is implementing that Control requirement. Information from the individual workbooks collates into categories that show at a glance how well the organization is performing and clearly show where further action is required. The categories then collate into a dashboard view and are also trend-tracked over time with associated graphs and reports.
SAM-CIS Controls is available in two versions to cover the requirements of both the Foundational and Advanced CIS categories. SAM-Security expands on the CIS Controls to incorporate the NIST Cyber Security Framework, with each requirement also weighted against currently known threats. Three variants of SAM-Security cover organizations based on size and information security maturity: Level 3 is broadly equivalent to CIS Controls Advanced, Level 2 is equivalent to Foundational, and Level 1 is for organizations that are relatively immature and need to get the basics right first.
Mr. Krzyzewski stated, “Three of our customer alpha/beta sites have already become CIS-Controls converts as a result of using the system. Without exception, SAM for Compliance showed these customers that they had considerable weaknesses beyond technical considerations and they are now embarking on improvement programs. We also have interest from service providers who see the system as a means of managing the improvement program for their clients that will push the CIS Controls into more organizations”.
About SAM for Compliance Products & Services
SAM-CIS Controls offers a system-based approach to managing compliance with the CIS Controls: viewing compliance status; identifying and prioritizing activities; setting, allocating and managing tasks; assigning and managing actions; reporting on current compliance status; assessing progress; demonstrating improvement; and generating executive reports. SAM-CIS Controls is available in Foundational and Advanced versions.
SAM-Security offers a system-based approach to managing compliance with the CIS Controls in combination with the NIST Cyber Security Framework for improving critical infrastructure cybersecurity. The emphasis is on achieving a prescribed level of compliance and assessing current capabilities by offering a choice of three information security frameworks, each tailored to a particular size of organization where resources may be limited but there is still a desire to improve information security capability.
SAM-NZISM is designed to make it easier for New Zealand government departments to implement the controls contained in the New Zealand Information Security Manual (NZISM). The SAM-NZISM system incorporates every requirement of the NZISM, broken down into easy-to-manage work plans with action and task management available for every NZISM control. Information within the work plans is collated and displayed, making it easy to access, manage, improve, track, and report on NZISM compliance over time.
SAM-PCI provides an assessment, management and reporting system for organizations requiring compliance with the Payment Card Industry Data Security Standard and helps manage the processes associated with protecting card data.
SAM provides training, external assessment services for initial and ongoing risk reviews, as well as remediation related professional services.
Globally, SAM provides training for other professional services firms wishing to use SAM as a tool for managing and reducing risk within their clients’ businesses.
A New Zealander Advocates for the CIS Controls
Mr. Krzyzewski, “Tony K”, is a well-known information security practitioner in the New Zealand and Australia region and is considered by many to be a pioneer in the area of cyber security. He is a member of the New Zealand IT Security Standards advisory group that oversees the country’s contribution to the ISO/IEC 27000 series security standards.
According to Mr. Krzyzewski, “I see CIS Controls as being an extremely important tool in assisting organizations to protect their information assets. The Controls provide a pragmatic and achievable set of requirements that are shown to reduce the level of information security related risk”.
He goes on to say, “We chose CIS Controls to be a core part of our SAM for Compliance system because each requirement within the Controls is clearly defined, is measurable, and is achievable. We have now established CIS Controls and the NIST Cyber Security Framework at the core of our information system risk review methodology. Coupled with SAM for Compliance as the mechanism for managing assessments, giving clients the ability to easily manage remediation and provide ongoing reporting to the Executive level, we believe we have created a system that is a major contributor to the reduction of information related risk.”
About SAM for Compliance Ltd
SAM for Compliance Ltd is a privately owned, New Zealand-based company operating since early 2017 and is the third information-security-related company founded by the Directors, whose other well-established companies operate in the areas of audit and policy. The SAM for Compliance system is a global cloud-based service aimed at assisting organizations in establishing compliance with defined standards. Initially focusing on information security, SAM for Compliance-based systems covering compliance with health- and finance-related standards are currently in development. To learn more, visit www.samcompliance.co.
About Tony and Jackie Krzyzewski
With forty years’ experience in Information Technology starting in the mainframe era, and close to twenty-five years’ experience in Information Security, Information System Management, and Auditing, Tony and Jackie Krzyzewski are well-seasoned IT professionals. Tony is a past Deputy President of the New Zealand Computer Society, while Jackie is a past President of the New Zealand Association of Local Government Information Management. Both are strong advocates of the CIS Controls.
In addition to operating SAM for Compliance and associated information risk management services, they also run the Verano Countrystay on their rural property in the heart of New Zealand’s Hawke’s Bay wine country. This property is also home to the Hollywood miniature horse stud. As a gesture of thanks for providing management and coding advice during development, their black cat, Czarny, is now the symbol of the SAM for Compliance system.
About Center for Internet Security
CIS is a forward-thinking, nonprofit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. Our CIS Controls and CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continually refined and verified by a volunteer, global community of experienced IT professionals. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC®), the go-to resource for cyber threat prevention, protection, response, and recovery for state, local, tribal and territorial government entities.