Risk Score Configuration in security incident

Aswathy2
Tera Expert

Hi All,

Can anyone let me know how the risk scores are calculated for security incidents?

Does it depend only on Business impact and priority?

What are the different types in risk score configuration? How do we calculate Users business impact, vulnerable item business impact, configuration item business impact?

Regards,

Aswathy M M

1 ACCEPTED SOLUTION

Sandeep Kumar6
Giga Guru

Hi Aswathy,

The risk score is calculated as an arithmetic mean that represents the risk based on the priority of a security incident, the type of security incident (Denial of Service, Spear Phishing, or Malicious code activity), and the number of sources that triggered a failed reputation score on an indicator.

The following business rules trigger automatic calculation of risk scores:

  • Calculate Severity
  • Update risk score
  • Update SI risk score

 

Note: The risk score is calculated using weights defined in Risk score configuration.

Security Incident -> Setup -> Risk Score Configuration

https://<instance_name>.service-now.com/sn_sec_cmn_risk_score_weight_list.do?sysparm_userpref_modul...

Example

If a security incident has a Business impact set to 2-High and a Priority set to 3-Moderate, the respective weights in the Risk Score Weights table are looked up and calculated thus:

Security Incident Business Impact with a value of 2 = a weight of 60.

Security Incident Priority with a value of 3 = a weight of 40.

(60 + 40) / 2 = a risk score of 50.

  • The work notes are updated when the following fields are changed (causing the risk score to be updated):
    • Business impact on the Security Incident form
    • Priority on the Security Incident form
    • Severity on the Security Incident form (hidden by default)
    • Business impact on the Affected Users related list
    • Business impact on the Affected Services related list
    • Business impact on vulnerabilities on the Vulnerable items related list

Risk score override (CheckBox)

Select this check box to override the automatic update of the risk score. The override will be reflected in the work notes.

You can also manually enter a new Risk score. This can be useful if you want to keep a particular security incident at the top of the list of security incidents you are analyzing. If you enter a new Risk score, the Risk score override check box is automatically selected. Regardless of the changes made in the security incident, a manually-entered risk score is not automatically recalculated.
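
The weight lookup, averaging and override behaviour described in the answer above, as an added example that is not part of the original post and not ServiceNow's own code. The function names, the incident object shape, the work-note wording and every weight other than the two quoted in the answer are assumptions made for illustration.

```javascript
// Simplified model of the calculation described above. This is not
// ServiceNow code; the platform does this in business rules and script includes.

// Constructed weight rows standing in for the Risk Score Weights table.
// Only "Business Impact 2 -> 60" and "Priority 3 -> 40" come from the post;
// every other weight is a made-up placeholder.
const RISK_SCORE_WEIGHTS = {
  'Security Incident Business Impact': { 1: 80, 2: 60, 3: 40 },
  'Security Incident Priority': { 1: 80, 2: 60, 3: 40, 4: 20 },
};

function lookupWeight(type, value) {
  const row = RISK_SCORE_WEIGHTS[type];
  if (!row || !(value in row)) {
    throw new Error(`No weight configured for ${type} = ${value}`);
  }
  return row[value];
}

// Arithmetic mean of the weights of the supplied factors: (60 + 40) / 2 = 50.
function calculateRiskScore(factors) {
  const weights = Object.entries(factors).map(([t, v]) => lookupWeight(t, v));
  if (weights.length === 0) throw new Error('No factors to score');
  return weights.reduce((sum, w) => sum + w, 0) / weights.length;
}

// Apply a change to a (hypothetical) incident object and return the new state.
function updateIncident(incident, changes) {
  const next = {
    ...incident,
    factors: { ...incident.factors, ...(changes.factors || {}) },
    workNotes: [...incident.workNotes],
  };
  if (changes.riskScore !== undefined) {
    // Manual entry: the override check box is selected automatically.
    next.riskScore = changes.riskScore;
    next.riskScoreOverride = true;
    next.workNotes.push(`Risk score manually set to ${changes.riskScore}`);
    return next;
  }
  if (next.riskScoreOverride) return next; // overridden: never recalculated
  const score = calculateRiskScore(next.factors);
  if (score !== next.riskScore) {
    next.workNotes.push(`Risk score changed from ${next.riskScore} to ${score}`);
    next.riskScore = score;
  }
  return next;
}
```

A missing weight row raises an error here instead of silently scoring the factor as zero, which would drag the mean down and hide a configuration gap.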

7 REPLIES

Could you please help me with the below:

What are the different types in risk score configuration? How do we calculate Users business impact, vulnerable item business impact, configuration item business impact?

Hi Aswathy,

As I said in my previous reply, there is a table inside ServiceNow called "Risk Score Configuration" where we define the weight of everything that affects the risk score calculation.

Security Incident -> Setup -> Risk Score Configuration

You can update this according to your needs if you want (Not comprehended).

For Example:

There are a few script includes and business rules which calculate the risk score.

Check my previous reply.

 

Please mark correct if this gave your answer.

Regards

Sandeep

Is there any possibility that we can add a new Type in the Risk Score Config?