How is the risk score calculated? When the items below are changed?

Sathiz
Kilo Explorer

How is the risk score calculated? When the items below are changed?

  • Business impact on the Affected Users related list
  • Business impact on the Affected Services related list
  • Business impact on vulnerabilities on the Vulnerable items related list

Alex Cox
ServiceNow Employee

Hi Sathiz,

There is a business rule on Security Incident called "Update risk score". I believe this is what you're looking for?

It runs when Severity, Priority, Business Impact or Risk Score Override changes, state is not "Closed", and Risk Score Override is "False".

In order to change how this risk score is updated, see the following nav menu item: Security Incident > Setup > Risk Score Configuration

Basically this is a list of scenarios that add to a risk score - up to a max score of 100.

Best regards,

Alex
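The following is an added, stand-alone model of the behaviour Alex describes: a watched-field trigger that is skipped when the incident is Closed or Risk Score Override is set, and a list of scenarios whose points are summed and capped at 100. It is not ServiceNow's "Update risk score" business rule or its Risk Score Configuration data; the field names, scenario definitions, point values and sample records are assumptions constructed for the example.

```javascript
// Added example, not ServiceNow code: models the "Update risk score" business
// rule trigger and an additive, capped risk score as described in the reply.

const MAX_RISK_SCORE = 100;

// Constructed scenario table (assumption). Each entry adds points when its
// condition holds, mirroring "a list of scenarios that add to a risk score".
const RISK_SCENARIOS = [
  { name: 'Severity is 1 - High',      points: 40, applies: r => r.severity === 1 },
  { name: 'Severity is 2 - Medium',    points: 20, applies: r => r.severity === 2 },
  { name: 'Priority is 1 - Critical',  points: 35, applies: r => r.priority === 1 },
  { name: 'Business impact is High',   points: 30, applies: r => r.business_impact === 'high' },
  { name: 'Business impact is Medium', points: 15, applies: r => r.business_impact === 'medium' },
];

// Trigger condition from the reply: one of the watched fields changed,
// state is not "Closed", and Risk Score Override is false.
function shouldRecalculate(previous, current) {
  const watched = ['severity', 'priority', 'business_impact', 'risk_score_override'];
  const changed = watched.some(field => previous[field] !== current[field]);
  return changed && current.state !== 'closed' && current.risk_score_override === false;
}

// Sum the points of every matching scenario, capped at MAX_RISK_SCORE.
function calculateRiskScore(record) {
  let score = 0;
  for (const scenario of RISK_SCENARIOS) {
    if (scenario.applies(record)) score += scenario.points;
  }
  return Math.min(score, MAX_RISK_SCORE);
}

// Emulates the business rule: returns a new record, with risk_score
// recalculated only when the trigger condition holds.
function updateRiskScore(previous, current) {
  if (!shouldRecalculate(previous, current)) return { ...current };
  return { ...current, risk_score: calculateRiskScore(current) };
}

// Constructed sample records (assumption): an incident before and after an
// analyst raises severity, priority and business impact.
const before = {
  severity: 3, priority: 3, business_impact: 'low',
  risk_score_override: false, state: 'analysis', risk_score: 0,
};
const after = { ...before, severity: 1, priority: 1, business_impact: 'high' };

console.log('recalculate:', shouldRecalculate(before, after));          // true
console.log('risk score:', updateRiskScore(before, after).risk_score);   // 100 (105 capped)
console.log('overridden:', updateRiskScore(before, { ...after, risk_score_override: true }).risk_score); // 0
```

Note that an override set to true or a Closed state leaves the stored score untouched even though watched fields changed, which is the behaviour the reply describes.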

andy_ojha
ServiceNow Employee

Sathiz,

It appears you are looking for more details on the Risk Score feature, within Vulnerability Response?

This is controlled by a 'Vulnerability Calculator Group' found by navigating to:

  • Vulnerability | Administration | Vulnerability Calculator Group | Risk Score | Basic Risk Score

Within this Calculator Group, the Risk Score calculations are controlled by scripted logic.

The context of how the script operates is best reviewed in the current documentation for your version (Kingston versus London).

Here is a reference to the Kingston docs on this topic:

The Vulnerability Response base system includes two Vulnerability Calculator Groups: Risk Score and Vulnerability Impact. The result is included as a field on the Vulnerable item form.

The vulnerability calculator called Basic Risk Score is contained in the Risk Score calculator group. Its purpose is to calculate the risk score of a vulnerable item. As written, it is based on business criticality and severity of the vulnerable item.

Note:
To work properly, this calculator requires the Service Mapping plugin. (Service Mapping is available as a separate subscription and requires activation by ServiceNow personnel.)
You can modify it to calculate a score based on whatever risk factors you want. For example, you may have CI data indicating that it is external-facing, posing a greater risk to your environment than internal-facing. That situation can be used as a factor.


When the computation is complete, the updated criticality is displayed in the Risk Score field of the Vulnerable Item screen.


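The block below is an added example, not the Basic Risk Score script shipped in ServiceNow's Risk Score calculator group. It shows one way a calculator of the kind the quoted docs describe could be written: the score is derived from the vulnerable item's severity and the business criticality of its CI, and the docs' suggestion of treating an external-facing CI as an extra risk factor is included. The weighting tables, the `external_facing` attribute, the `VIT…` numbers and every sample value are assumptions constructed for the example.

```javascript
// Added example, not ServiceNow code: a hypothetical vulnerable-item risk
// score calculator based on business criticality and severity, with an
// optional external-facing factor.

// Severity weight (assumption): severity of the vulnerable item.
const SEVERITY_WEIGHT = { critical: 1.0, high: 0.75, medium: 0.5, low: 0.25 };

// Business criticality weight (assumption): 1 = most critical CI, 5 = least.
const CRITICALITY_WEIGHT = { 1: 1.0, 2: 0.8, 3: 0.6, 4: 0.4, 5: 0.2 };

// Extra factor suggested by the docs: an external-facing CI poses greater
// risk than an internal-facing one. Multiplier is an assumption.
const EXTERNAL_FACING_MULTIPLIER = 1.25;

// Returns an integer 0..100 for one vulnerable item, or throws when the
// inputs are unknown rather than silently scoring the item as harmless.
function calculateVulnerableItemRiskScore(vi) {
  const sev = SEVERITY_WEIGHT[String(vi.severity).toLowerCase()];
  const crit = CRITICALITY_WEIGHT[vi.business_criticality];
  if (sev === undefined || crit === undefined) {
    throw new Error('cannot score: unknown severity or business criticality');
  }
  let score = 100 * sev * crit;
  if (vi.external_facing) score *= EXTERNAL_FACING_MULTIPLIER;
  return Math.min(100, Math.round(score));
}

// Scores a list of items, mirroring "the result is included as a field on
// the Vulnerable item form".
function scoreVulnerableItems(items) {
  return items.map(vi => ({ ...vi, risk_score: calculateVulnerableItemRiskScore(vi) }));
}

// Constructed sample vulnerable items (assumption).
const SAMPLE_VULNERABLE_ITEMS = [
  { number: 'VIT0000001', severity: 'critical', business_criticality: 1, external_facing: true },
  { number: 'VIT0000002', severity: 'high',     business_criticality: 3, external_facing: false },
  { number: 'VIT0000003', severity: 'low',      business_criticality: 5, external_facing: true },
];

for (const vi of scoreVulnerableItems(SAMPLE_VULNERABLE_ITEMS)) {
  console.log(vi.number, vi.severity, 'criticality', vi.business_criticality, '->', vi.risk_score);
}
// VIT0000001 -> 100 (125 capped), VIT0000002 -> 45, VIT0000003 -> 6
```

Throwing on unknown inputs is deliberate: a calculator that quietly returns 0 for an unrecognised severity would hide exactly the items that most need a human look.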