A New Zealand security assessment and compliance system has received recognition from the US-based Center for Internet Security (CIS).
SAM For Compliance provides a cloud-based service for organisations that wish to self-assess and manage compliance to meet CIS controls and other security standards.
Launched in April this year, SAM For Compliance was born from a common problem – a cure for the maker’s own frustration.
Tony Krzyzewski, the company’s founder and CEO, says it was a combination of his own frustration and what he was finding in workplaces across the country.
“I became increasingly frustrated as to why people were not implementing security changes based on internal and external assessments, so decided to do something about it,” he says.
As he investigated why, he found that organisations were putting security policies and best practice guidelines in the ‘too hard’ basket.
“It’s not that companies don’t want to implement good security practices, it’s just that at first glance there are so many different standards and guidelines that it has become increasingly difficult for them to keep track,” he adds.
One of the system’s key functions is to help improve the factors necessary for CIS control implementation.
Krzyzewski explains that the controls are important for helping organisations to protect their information assets, and that they are both pragmatic and achievable.
The CIS controls are a list of 20 controls that can help protect an organisation against cyber threats.
The top five controls include areas such as authorised and unauthorised devices and software; secure configurations for hardware and software; continuous vulnerability assessment and remediation; and controlled use of administrative privileges.
The other 15 include topics such as malware defences, data protection, data recovery, application software security, wireless access control and penetration tests.
Krzyzewski says the SAM For Compliance system leverages SAM-NZISM, a common interest for New Zealand government departments. He also says the system is designed to simplify controls in the New Zealand Information Security Manual.
“The SAM-NZISM system incorporates every requirement of NZISM broken down into easy-to-manage work plans with action and task management available for every NZISM control. Information within the work plans is collated and displayed, making it easy for government departments to access, manage, improve, track, and report on NZISM compliance over time,” he says.