Control fact sheet type - any users?

Hi all - I recently had a brief glimpse of a 'semi standard' extension to the data model for Controls (e.g. ISO, CSF, NIST etc.) - it's not part of the usual 'optional features' - so has no committed roadmap - but is apparently sufficiently common for LeanIX to have created a fact sheet type and some reference data that can be deployed on request.

I've had this added to our sandbox to consider if it would have value for us (we do use these frameworks) and would welcome a conversation with other customers who have adopted it as to how it's been operationalised, how much overhead there is, value achieved etc?



  • Frank Emmanuel Official comment

    Dear customer champions, some great discussion points here - thank you Stephen Gates for the offer to share your learnings with others!

    There is a related discussion thread with some more details / example meta-model changes on this topic here: security architecture in LeanIX – LeanIX (zendesk.com)

    Additionally, with the release of the following 2 new features, customers are fully equipped to create and configure new Fact Sheet types:

    1. Product Updates | Manage Fact Sheet types in Meta-Model configuration (leanix.net)
    2. Product Updates | Manage relation types in Meta Model configuration (leanix.net)

    We hope these product updates help to address your needs for security architecture in LeanIX. 

    Should you have more feedback on this topic, please feel free to submit feedback here: 🧭 On roadmap - LeanIX Product Roadmap | Product Roadmap.



  • 0
    Darren Mccoombes

    Hi James, we (not me personally) have also started to look at the Control fact sheet. Below is my interpretation of others' experience within our company.

    1. Documentation provided is not aligned with what was implemented in our Sandbox with respect to the connections/relationships to other fact sheets.
    2. The ability to relate to a Control from a Business Capability, Application, IT Component or Project is not available. Normally you can create a relationship on the fact sheet at either end of the relationship.
    3. We removed the mandatory/optional/not relevant tag as it is not a NIST concept. Wondering what thinking was behind this tag.
    4. Looks like we need to add a Control Effectiveness field to the relationship between Tech Category & IT Component to use a Control x Tech Category matrix report over IT Component.
    5. Wondering if there are plans for LeanIX to roll up control effectiveness ratings into Applications.
  • 0
    James Candy

    Thanks for the insight Darren - my responses below:

    1 - consider yourself lucky to have some documentation :-) - could you share please? I only saw it in use in a demo and subsequently had it added to our sandbox - not seen any documentation on its intended use cases!

    2 - I suspect you may need to edit the config of those sheets to see the other end of the relation; if you look in 'unused fields and relations' you'll probably see the Controls relation in there, you'll need to move it to another section to make it visible. FYI the Controls sheet deployed to our sandbox only had relations to Capabilities and Apps, not ITCs or Projects.

    3 - indeed, as mentioned I didn't see any documentation for it so don't know how LeanIX intended it to be used, including the Tags.

    4 - that sounds interesting; so you're planning to use it to show how effective an ITC is for Control implementation in context of its Tech Category? As mentioned, the Control sheet deployed to us only has relations to Apps and Capabilities so I'm assuming the LeanIX-intended use case is to model the effectiveness of a given App in implementing a Control in context of a Capability - not sure I understand that use case for NIST (hence my question!)

    5 - at the risk of repeating myself :-) the App / Capability relations are the only ones our Control sheet came with so it looks as though their intent was we relate Controls to Capabilities then measure effectiveness of our Apps in implementing those Controls against Capability

  • 0
    Stephen Gates

    Hi James, I work with Darren and am happy to share our plans, progress, and the NIST v1.1 Control data. You can email me at Stephen.Gates@AustralianRetirementTrust.com.au 

  • 0
    Christopher Grothe

    I have read some hints about that Control FS. We would like to try it out.

    Where can I find the documentation mentioned? Our CSM was not aware of the FS, so how can I get started?


    Kind Regards

  • 0
    Stephen Gates

    Hi Christopher, I am not aware of LeanIX publishing anything. I believe with the recent meta-model editing feature release you could implement it yourself. Our setup was implemented for us before that feature was available. Send me an email (address above) and I'll send what I have.

  • 0
    Stephen Gates

    We are focussed on what IT Components implement NIST Technical Controls, and how effective they are at implementing the control. This will help inform potential areas for improvement.

    Here’s what we’ve done so far:

    • We uploaded NIST v1.1 Controls from https://www.nist.gov/cyberframework/framework-documents.
    • We added a prefix to the level 1 NIST controls so they appeared in order, 1. Identify, 2. Protect, … 5. Recover.  We were hoping a new feature would avoid the need to add a prefix but this has been delayed.
    • We simplified the level 3 control names which are really long.
    • We added a multiple-value tag to each NIST Control to help filter the report. The tag values are Administrative, Physical, Technical.
    • We added an Effectiveness value (Low, Medium, High) on the relationship between the IT Component and the Control.

    Then we made reports:

    • Control Landscape showing the hierarchy of controls.
    • IT Component Landscape showing which components implement controls tagged “Technical”. This report can have views applied e.g. Lifecycle, Effectiveness

    We have the BTM module so we added a test project that improves the effectiveness of an IT Component in implementing a Control and showed the change over time in the IT Component Landscape report.

    • Note: Component names have been hidden.
    • The “I’m changing” component is the one improved by the test project.
    • Note the Tag Group: ‘Control Type’ in the Filter panel.

    Currently we are working on a survey to ask questions to derive the effectiveness of an IT Component for a Control and then write the value back into the factsheet.

    We’re hoping the proposed advanced field types in surveys, required answers, and calculated value features will simplify this for us. 
