BYOM - Template
The BYOM template file has five sheets that need to be populated for customized model ingestion into Axio360.
- Model
- Practice Level
- Model Info
- Model Scoring
- Model Terms
Model - First Sheet
The data entered in row 2 on the Model sheet specifies the model name and version via the sheet columns below.
Sheet Columns:
Column | Required? | Default Value | Description |
---|---|---|---|
title | yes | none | The data entered in the Title column becomes the model name available when creating a new assessment in Axio360. |
version | no | 1.0 | Version is a number reference specifying the model version/iteration. Version is an optional value but recommended for tracking. Used as a metadata field. |
Figure 1: Showing the Model sheet using CRI v1.2 Tier 1 (CMMI) example title and version data.
Practice Level - Second Sheet
The data entered on the Practice Level sheet requires more details:
- Name
- Description
- Value
- Credit
- Dimension Name
Figure 2: Showing the Practice Level sheet using CIS example data, including defined dimensions.
Figure 3: Showing the Practice Level sheet using CRI v1.2 Tier 1 (CMMI) example data.
Column | Required? | Default Value | Description |
---|---|---|---|
Name | yes | none | Plain text name of the response level a user selects when providing assessment responses. |
Description | no | none | A description is not required but might clarify to the user what response to select. |
Is N/A | no | none | Input “TRUE” or “YES” to set the practice level as a non-applicable level. |
Credit | yes | none | The credit to be associated with a response level. This number is used in scoring. |
Dimension Name | no | none | Plain text describing the dimension. For models with a single dimension, this field can be left empty. |
Figure 4 shows how a defined practice level might look in Axio360 and how the practice level values map, as indicated by the red numbers (this value mapping is not visible in the UI):
Figure 5 shows how dimensions are visualized in Axio360, as indicated by the red boxes:
Model Info - Third Sheet
The Model Info sheet contains the building blocks of the model that determine the visual representation of the assessment in Axio360. The template supports one or two levels of organizational depths before the user question and response action workflow. The Model Info sheet columns are as follows:
- Domain Name
- Domain FQN
- Domain Description
- Objective Name
- Objective FQN
- Objective Description
- Practice Name
- Practice FQN
- Practice Text
- Practice Dimension
- Practice Weight
Figure 6: Showing the Model Info sheet using CRI v1.2 Tier 1 (CMMI) example data.
Objectives are an optional level of model hierarchy. If your model does not have objectives, leave the Objective Name, FQN, and Description columns blank for ALL rows. Mixing Domains with objectives and without is not currently supported. Models that use numeric values for the Domain Name column only and do not use objectives have limited informative elements in the model’s left-navigation TOC or above the practice fields. Although certain columns are optional on the template, if they are not used, areas on the assessment view will be empty or will repeat information provided in a higher-level column of the template. As a best practice, use short, descriptive, title-like strings for the “Name” columns and use the “Description” columns to provide details.
Columns | Required? | Default Value | Description | Examples based on NIST CSF |
---|---|---|---|---|
Domain Name | yes | none | Plain text title for top-level domain. No character or length restrictions. Users should think about the readability of long names. Refer to reference 1 in the image below the table. | IDENTIFY |
Domain FQN | yes | none | Plain text abbreviation of the Domain Name. Refer to reference 2 in the image below the table. | ID |
Domain Description | no | none | Description for the Domain. No character or length restrictions. Refer to reference 3 in the image below the table. | The Identify Function assists in developing an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities. |
Objective Name | no | none | Plain text title of the Objective, also called Category. Objectives are optional. No character or length restrictions. Users should think about the readability of long names. Refer to reference 4 in the image below the table. | Asset Management |
Objective FQN | yes, if Objective Name is specified | none | Combination string of Domain FQN and Objective Name abbreviation. Optional as long as no Objective Name is specified. Refer to reference 5 in the image below the table. | ID.AM |
Objective Description | no | none | Plain text description covering the purpose of the specific objective. No character or length restrictions. The description opens in a modal when users click on the question mark icon next to the Objective name. Refer to reference 6 in the image below the table. | The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy. |
Practice Name | yes | none | Usually a single-digit identifier for the Practice. It can be numeric, alphabetic, or a combination of both. Use a short string that suits your model best. Refer to reference 7 in the image below. | 1 |
Practice FQN | no | {Objective FQN}-{Practice Name} | Combination string of Objective FQN and Practice Name. Refer to reference 8 in the image below the table. It can also be set manually, as is done for CIS Controls. | ID.AM-1 |
Practice Text | no | none | Compliance statement for the user to respond to by selecting one of the responses populated based on the specified Name options on the Practice Level sheet. Refer to reference 9 in the image below the table. | Physical devices and systems within the organization are inventoried. |
Practice Dimension | no | none | A case-sensitive, comma-delimited list of Dimension Names (matching the column of the same name in the Practice Levels sheet). These will represent the dimensions applicable to this practice. If empty, defaults to the entire list of dimensions defined in the Practice Levels sheet. | Policy Defined / Policy Enforced |
Practice Weight | no | 1 | The statement’s weight relative to the other statements when the model is scored. Not visible to the user responding to the assessment. Can be left blank to use the default value of 1. | 9.25925925925926 |
Figure 7 shows the reference numbers for the different column visualizations in the Axio360 UI:
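The Model Info rules above (objectives all-or-nothing, Objective FQN required once an Objective Name is given, and the documented defaults for Practice FQN, Practice Dimension and Practice Weight) as an added validation example; this is not Axio's own code. It assumes the sheet has been exported row by row into dicts keyed by the column headers, and that `dimension_names` holds the Dimension Name values from the Practice Level sheet.

```python
# Added example, not Axio's own code: applies the Model Info sheet rules from the
# table above to rows read from the sheet. Assumed: rows are dicts keyed by the
# column headers (as a CSV export of the sheet would give) and dimension_names
# holds the Dimension Name values from the Practice Level sheet.

def _cell(row, col):
    # Trimmed cell text; a missing cell counts as blank (a literal 0 is kept).
    value = row.get(col)
    return "" if value is None else str(value).strip()

def normalize_model_info(rows, dimension_names):
    """Apply the template defaults and collect rule violations; returns (rows, errors).

    Defaults: Practice FQN -> "{Objective FQN}-{Practice Name}" (set it manually
    for models without objectives), Practice Dimension -> every dimension on the
    Practice Level sheet, Practice Weight -> 1.
    """
    errors, out = [], []
    # Objectives are all-or-nothing: mixing rows with and without is unsupported.
    has_objective = [bool(_cell(r, "Objective Name")) for r in rows]
    if any(has_objective) and not all(has_objective):
        errors.append("mixing domains with and without objectives is not supported")
    for n, r in enumerate(rows, start=2):  # row 1 holds the column headers
        row = dict(r)
        for col in ("Domain Name", "Domain FQN", "Practice Name"):
            if not _cell(row, col):
                errors.append(f"row {n}: {col} is required")
        if _cell(row, "Objective Name") and not _cell(row, "Objective FQN"):
            errors.append(f"row {n}: Objective FQN is required when Objective Name is set")
        if not _cell(row, "Practice FQN"):
            row["Practice FQN"] = f"{_cell(row, 'Objective FQN')}-{_cell(row, 'Practice Name')}"
        # Practice Dimension is a case-sensitive, comma-delimited list of Dimension Names.
        dims = [d.strip() for d in _cell(row, "Practice Dimension").split(",") if d.strip()]
        if not dims:
            dims = list(dimension_names)
        unknown = [d for d in dims if d not in dimension_names]
        if unknown:
            errors.append(f"row {n}: unknown Practice Dimension(s) {unknown}")
        row["Practice Dimension"] = dims
        weight = _cell(row, "Practice Weight")
        row["Practice Weight"] = float(weight) if weight else 1.0
        out.append(row)
    return out, errors

# Constructed sample rows in the NIST CSF style of the table's example column.
SAMPLE_DIMENSIONS = ["Policy Defined", "Policy Enforced"]
SAMPLE_ROWS = [
    {"Domain Name": "IDENTIFY", "Domain FQN": "ID", "Objective Name": "Asset Management",
     "Objective FQN": "ID.AM", "Practice Name": "1"},
    {"Domain Name": "IDENTIFY", "Domain FQN": "ID", "Objective Name": "Asset Management",
     "Objective FQN": "ID.AM", "Practice Name": "2", "Practice FQN": "ID.AM-2",
     "Practice Dimension": "Policy Defined", "Practice Weight": "9.25925925925926"},
]
```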
Model Scoring
The Model Scoring sheet defines how the model is scored and how that score is displayed in Axio360. The Model Scoring Sheet Columns are:
- Aggregation Method
- Decimal Places
- Bottom of Scale
- Top of Scale
- Use Scaling
Figure 8: Showing the Model Scoring sheet using CIS 18 example data.
Column | Required? | Default Value | Description | Example (CIS Controls) |
---|---|---|---|---|
Aggregation Method | no | Average | The common assessment scoring method is Sum. Choices are: Average, Max, Min, Sum | Sum |
Decimal Places | no | 0 | Specifies the number of decimal places to show in the assessment score widget. If undefined, there will be no decimal places | n/a |
Bottom of Scale | no | 0 | The lowest possible score | 0 |
Top of Scale | no | 1000 | The highest possible score | 1000 |
Use Scaling | no | TRUE | If TRUE or YES, the assessment score will be converted into a number between the bottom and top of the scale based on the percentage of credit earned from the maximum score possible. | TRUE |
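The scoring settings in the table above, worked through as an added example that is not Axio's own code. The page gives the settings but not the formula, so the example assumes that each response contributes Credit multiplied by Practice Weight, that the maximum possible score uses the highest Credit on the Practice Level sheet, and that responses at a level marked Is N/A are left out; `score_assessment`, `CIS_SCORING` and `CIS_LEVELS` are constructed names.

```python
# Added example, not Axio's own code: scores an assessment with the Model
# Scoring sheet settings described above. Assumed, since the page gives no
# formula: each response contributes Credit * Practice Weight, the maximum
# possible uses the highest Credit on the Practice Level sheet, and responses
# at a level marked Is N/A are left out of both.

AGGREGATORS = {
    "Average": lambda xs: sum(xs) / len(xs),
    "Max": max,
    "Min": min,
    "Sum": sum,
}

def _flag(value, default):
    # The template accepts TRUE or YES for boolean cells; a blank cell means default.
    text = "" if value is None else str(value).strip()
    return default if not text else text.upper() in ("TRUE", "YES")

def score_assessment(responses, levels, scoring):
    """responses: list of (selected level Name, Practice Weight).
    levels: {level Name: {"Credit": number, "Is N/A": cell}} from Practice Level.
    scoring: the Model Scoring sheet row as a dict; blank cells take defaults."""
    method = (scoring.get("Aggregation Method") or "Average").strip()
    decimals = int(scoring.get("Decimal Places") or 0)
    bottom = float(scoring.get("Bottom of Scale") or 0)
    top = float(scoring.get("Top of Scale") or 1000)
    use_scaling = _flag(scoring.get("Use Scaling"), True)
    max_credit = max(float(lvl["Credit"]) for lvl in levels.values())
    earned, possible = [], []
    for name, weight in responses:
        if _flag(levels[name].get("Is N/A"), False):
            continue  # non-applicable response: excluded from scoring
        earned.append(float(levels[name]["Credit"]) * weight)
        possible.append(max_credit * weight)
    if not earned:
        raise ValueError("no scorable responses")
    aggregate = AGGREGATORS[method]
    score = aggregate(earned)
    if use_scaling:
        # Map the share of credit earned onto the bottom..top scale.
        score = bottom + (score / aggregate(possible)) * (top - bottom)
    return round(score, decimals)

# Constructed CIS-style example: Sum aggregation, 0..1000 scale, whole numbers.
CIS_SCORING = {"Aggregation Method": "Sum", "Bottom of Scale": 0,
               "Top of Scale": 1000, "Use Scaling": "TRUE"}
CIS_LEVELS = {"Not Implemented": {"Credit": 0}, "Partially Implemented": {"Credit": 0.5},
              "Fully Implemented": {"Credit": 1}, "Not Applicable": {"Credit": 0, "Is N/A": "YES"}}
```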
Model Terms
The Model Terms sheet defines the terms a model displays to users. Internally, the terms used are Domain > Objective > Practice > Dimension, but these can be set to whatever is needed for any given model.
Figure 9: Showing the Model Terms sheet using CIS 18 example data.
Figure 10: Showing the Model Terms sheet using CRI v1.2 Tier 1 (CMMI) example data.
Column | Required? | Default Value | Example (CIS Controls) |
---|---|---|---|
Singular Domain Term | no | Domain | Control |
Singular Objective Term | no | Objective | Control |
Singular Practice Term | no | Practice | Sub-Control |
Singular Dimension Term | no | Dimension | Dimension |
Plural Domain Term | no | Domains | Controls |
Plural Objective Term | no | Objectives | Controls |
Plural Practice Term | no | Practices | Sub-Controls |
Plural Dimension Term | no | Dimensions | Dimensions |