
Governance Factsheet to track compliance / assessments


Following on from the Customer Success Office Hours presentation by LeanIX yesterday, a few people were interested in the way we track Governance (Framework / Assessment & Policy compliance)

 

Here are some extracts from one of our documented Process pages:
 

 

 

 

 

 

 On the Application / IT Component Factsheet:

 

 

 



We have several use cases for this compliance.  One being to track the Generative AI compliance.  Another use case is indicating to Procurement that they can go ahead and engage with a provider to acquire software (EA assessment approved etc).  We also use it to track what applications have undergone DPIA and Security reviews for Confidential data etc.


For those interested in creating this new Factsheet - we have fully documented instructions on how to do this (we document all production changes in detail), and I can provide a PDF of those instructions (the post does not allow me to include attachments).

I hope the community finds this useful and adapts it for their individual needs.

14 replies


Hi, interesting post. Please share the PDF :-)


Wanted to give a special thanks to @Jacques for publishing this. This is a great approach and reinforces the idea that customers “own their meta model”. Each organization is different and can require different processes/strategies. 

 

Thank you Jacques! Great information here!

@Jacques, thanks for posting! Interesting approach with the Governance Factsheet. On the surface, this feels like it has a bit of overlap with Governance, Risk and Compliance (GRC) tooling that most enterprises have... Do you have a GRC system as well? (Or do you handle those sorts of aspects in LeanIX?) If you have a GRC system, I'm guessing you integrate some of the data between the two?


@kkratochvil - As usual, a complicated answer.  

Yes, we have a GRC ‘tool’.  We also use some SaaS platforms for assessments.

The issue we have is Governance from an EA perspective. On the one hand, we need to identify Applications (we call them Products), and IT Components that need to undergo assessments, or compliance to a policy (because of some criteria we search for in Lean, i.e. all SSO applications need Security Policy W etc.).
We are also using it to identify what Applications need to undergo a Gen AI assessment (so high usage of AI for the EU AI Act).

Once the assessments are completed it would not really work to integrate those tools to this, it’s a slow moving item, and creating a step to update LeanIX in the assessment process works.  After the assessments, it normally complies with some sort of Policy, which gets loaded against the assessed Application. 

The idea is to create resource links out to information about the policies, assessments etc in their systems, so LeanIX is just the conduit to the information.

There is always a small overlap with external systems (ServiceNow, GRC tools etc)

The benefit of having this tiny bit of info in LeanIX is that we can see gaps in Policy compliance and see the effects from a Business Context and Capability perspective.

For GenAI and related to the EU AI Act, it is very useful.

@Jacques please share PDF. We are managing governance in a less elegant way and very interested in your configuration and process. 

Thanks

~Michael Bogart

Thanks for the additional background on the governance pieces @Jacques, very helpful towards a better understanding of your context!


That looks very exciting. I would be interested in the PDF to find out more about it. Could you please share it?


Thanks for the additional background on the governance pieces @Jacques, very helpful towards a better understanding of your context!

No problem. 

The original scope for the Governance sub types was:

  • Framework
  • Assessment
  • Policy
  • Guideline
  • Standard
  • Process

(We removed the last three.  Guideline is better placed in a wiki style space, standards are better placed in a ‘Building Block’ fact sheet or managing in the Tech Category Fact Sheet and Process is covered in the Business Context Fact Sheet)

 

For those who want the PDF, please message me, and I will give you my email address.  The Post does not allow me to attach the PDF.

This is a great approach to solving for the governance “problem”.  We have taken a different approach:

We utilize fact sheets for policy, standards, and frameworks (we have logical and physical reference models).  These are related to Application and IT Component fact sheets with descriptions. 

We have extended the Application, IT Component, Project, and Provider FS with assessment fields and dates for our various teams (mostly security).  As soon as a new fact sheet is created or certain field values are selected it kicks off the assessment process.  Via the integration, the assessment progress is tracked in the fact sheet and the final assessment is linked as a resource.  Depending on the integration this is either an attached PDF (BCIC) or a link to the specific review in question (OneTrust).

For assessments of any type we integrate with our various other IT tooling using a service bus framework so we can get to a “Source of Truth”.  This includes our business continuity and disaster recovery system (BCIC), security audit system (OneTrust), and project management system (Planview Portfolios).

We also leverage the ServiceNow integration for IT Service Management / CMDB detail.

 

Thank you. I am interested in receiving the PDF.

Hi - I would also like the PDF please - thank you in advance.

Hi @Jacques

 

could you please share the PDF? We are interested in implementing this within our organization, so any guidance would be useful. Many thanks in advance!

Hello @Jacques ,

 

Thank you for sharing. It is interesting. 

We have a similar use case: GDPR, SOX, SaaS assessment…

I would be interested in the PDF to find out more about it. Could you please share it?

Thank you in advance

 


Thank you for this. Great info. I’ve just brought LeanIX into our enterprise and this is also a critical need we have. Thank you for sharing.

We have a similar use case: GDPR, SOX, AI, SaaS assessments…

Could you please share the PDF?

With much gratitude
