Here's what I've figured out, just in case anyone else is struggling when first setting up Sec Ops
Risk Score Calculations
Basic configuration:
|
Field
|
Value
|
Weight
|
|
Business Impact
|
1 – Critical
|
80
|
|
|
2 – High
|
60
|
|
|
3 – Medium
|
40
|
|
Priority
|
1 – Critical
|
90
|
|
|
2 – High
|
60
|
|
|
3 – Medium
|
40
|
|
|
4 – Low
|
25
|
|
|
5
|
10
|
|
Severity
|
1
|
95
|
|
|
2
|
55
|
|
|
3
|
25
|
|
|
|
|
Business Impact is set manually.
Priority is set manually. The risk score is set up for 5 values, but we only have 4 (how it was set up out of the box)
Severity – this field is hidden, but could be added. It is set to 2 as a default
Risk score is calculated by taking the value for each of the fields, and getting an average.
For example, Business Impact = 2 -> 60
Priority = 0 -> 0
Severity = 2 -> 55
(60 + 0 + 55) / 3 = 58 Risk Score 58
Change priority to 3 -> 40
(60 + 40 + 55) / 3 = 52 Risk Score 52
*** I have noticed that the affected user is also brought in to the equation. But, we don't have any user rules set up, so the weight for affected user is always set to 10 oob.
Additional Configuration:
Examples from ServiceNow
- Set priority to critical when business impact of affected service (based on CI) is critical and category is Denial of Service or Spear Phishing or Malicious code activity
- Set values based on the criticality of the affected business service.
- If the business criticality of the service is 1 – most critical, then impact = 1, risk = 2, priority = 1, severity = 1.
- If the business criticality of the service is 2 – somewhat critical, then impact = 2, risk = 3, priority = 3, severity =2
- Etc
- Set the severity = 1 if attack vector contains web and email and impersonation
- Set the severity = 1 for given business units (so, in this case, add the business unit to the form, either set it manually or from the affected person)
- Set risk, impact, priority, severity to 1 if the affected service is 1 – most critical
- Can set up a calculator to change the business impact based on user values
