Recalculation of Remediation Target Date when a Risk Rating Changes
GOAL: To reevaluate and reset the Remediation Target Date for a Vulnerable Item if the Risk Rating changes due to the Source Risk Score changing.
DETAILS:
- Qualys Integration with Vulnerability Response
- We use QDS score from Qualys to set the Risk Score in ServiceNow
- QDS contains Threat Intelligence information about whether it is actively being exploited, is a Proof of Concept, etc.
- Some scores initially come in lower, which corresponds to a lower risk rating (Medium, for example)
- Weeks or months later, new Threat Intelligence comes to light that the vulnerability is now actively being exploited, thus changing the source risk score and the ServiceNow Risk Score and Risk Rating (e.g., originally a 45 risk score, now 100 out of 100).
- Let’s say the original remediation target for a Medium is set at 200 days from the creation date, but 40 days after the creation date the new Risk Rating changes to Critical, and thus the Remediation Target gets reset to 30 days from the creation date.
- This makes the Remediation Target instantly overdue. It originally wasn’t due for another 160 days, but is now updated to be due 10 days ago.
- Vulnerability Remediation Teams then get penalized for not completing their work by the Remediation Target date.
QUESTION:
- Are there any options for determining when a Risk Rating changes, thus resetting the Remediation Target date from the date of the change (if Risk Rating goes from lower rating to higher rating), instead of from the Created date?
- NOTE: This won’t fix every scenario. For example: if we have a vulnerable item with Risk Rating = High and a Remediation Target of 60 days after the Created date, and the Risk Rating changes to Critical (30 days) at day 59, we would NOT want to give them 30 more days (until day 89) to remediate the vulnerability.
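As an added illustration (not part of the original post and not ServiceNow's own code), the following plain JavaScript models the two policies the question contrasts: resetting the Remediation Target from the Created date (the behaviour described) versus resetting it from the date of the rating change. The SLA windows (Medium 200, High 60, Critical 30 days) are the ones quoted in the post; the cap that keeps a reset from ever moving a target later than the one already in force is an assumed rule added to cover the NOTE scenario, and the two vulnerable items are constructed sample data. It uses no platform APIs, so it runs anywhere; the equivalent logic would live in a business rule on the vulnerable item.

```javascript
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Remediation windows (days) per risk rating, taken from the scenarios in the post.
const SLA_DAYS = { Medium: 200, High: 60, Critical: 30 };
// Severity order used to decide whether a rating change is an escalation.
const RANK = { Medium: 1, High: 2, Critical: 3 };

function addDays(date, days) {
  return new Date(date.getTime() + days * MS_PER_DAY);
}

// Whole days from `from` to `to` (negative when `to` is already in the past).
function daysBetween(from, to) {
  return Math.round((to.getTime() - from.getTime()) / MS_PER_DAY);
}

// Current behaviour described in the post: the target is always counted from the created date.
function targetFromCreated(created, rating) {
  return addDays(created, SLA_DAYS[rating]);
}

// Proposed behaviour: on an escalation, count the new window from the date of the
// change, but never later than the target already in force (assumed cap, covering
// the "day 59 High -> Critical" case). Downgrades and unchanged ratings leave it alone.
function targetOnRatingChange(currentTarget, oldRating, newRating, changedOn) {
  if (RANK[newRating] <= RANK[oldRating]) {
    return currentTarget;
  }
  const fromChange = addDays(changedOn, SLA_DAYS[newRating]);
  return fromChange < currentTarget ? fromChange : currentTarget;
}

// Evaluate one vulnerable item and report the days remaining under each policy,
// measured from the day the rating changed.
function evaluate(item) {
  const created = new Date(item.created);
  const changedOn = new Date(item.changedOn);
  const currentTarget = targetFromCreated(created, item.oldRating);
  const resetFromCreated = targetFromCreated(created, item.newRating);
  const resetFromChange = targetOnRatingChange(currentTarget, item.oldRating, item.newRating, changedOn);
  return {
    daysLeftBefore: daysBetween(changedOn, currentTarget),
    daysLeftFromCreated: daysBetween(changedOn, resetFromCreated),
    daysLeftFromChange: daysBetween(changedOn, resetFromChange),
  };
}

// Constructed sample items mirroring the two scenarios in the post (UTC dates avoid DST drift).
const SCENARIOS = [
  // Medium -> Critical 40 days after creation.
  { id: 'VIT-example-1', created: '2024-01-01T00:00:00Z', changedOn: '2024-02-10T00:00:00Z',
    oldRating: 'Medium', newRating: 'Critical' },
  // High -> Critical at day 59, one day before the existing 60-day target.
  { id: 'VIT-example-2', created: '2024-01-01T00:00:00Z', changedOn: '2024-02-29T00:00:00Z',
    oldRating: 'High', newRating: 'Critical' },
];

for (const item of SCENARIOS) {
  console.log(item.id, evaluate(item));
}
```

For the first item the "from Created" reset shows the target already 10 days overdue at the moment of the change, while the "from change date" reset leaves 30 days; for the second item the cap keeps the original day-60 target instead of granting a new 30-day window.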
