Risk score configuration
‎02-12-2018 12:39 PM
Hi, I'm just getting started with Security incident response, and I'm lost on how the risk score gets calculated out of the box. I'm trying to go through the RiskScoreUtil script include, but just wondering if someone else has already done this, and has an easy explanation of how it works? Or, maybe there's some documentation that I've missed?
Thanks!
‎02-12-2018 02:28 PM
Security incident risk score calculators
The Set priority with category and services and Set priority with observables calculators are used to calculate a risk score for a security incident.
Below is the screenshot of the risk calculator record for "Set priority with category and services":
url = https://<instance_name>.service-now.com/sn_si_calculator.do?sys_id=f49fd1ccc36222002757dccdf3d3aeb7&sysparm_record_target=sn_si_calculator&sysparm_record_row=1&sysparm_record_rows=8&sysparm_record_list=ORDERBYorder
Thanks
Anil
‎02-21-2018 06:36 AM
Here's what I've figured out, just in case anyone else is struggling when first setting up Sec Ops.
Risk Score Calculations
Basic configuration:
| Field | Value | Weight |
|---|---|---|
| Business Impact | 1 – Critical | 80 |
| | 2 – High | 60 |
| | 3 – Medium | 40 |
| Priority | 1 – Critical | 90 |
| | 2 – High | 60 |
| | 3 – Medium | 40 |
| | 4 – Low | 25 |
| | 5 | 10 |
| Severity | 1 | 95 |
| | 2 | 55 |
| | 3 | 25 |
Business Impact is set manually.
Priority is set manually. The risk score is set up for 5 values, but we only have 4 (how it was set up out of the box).
Severity – this field is hidden, but could be added. It is set to 2 as a default.
Risk score is calculated by taking the value for each of the fields, and getting an average.
For example, Business Impact = 2 -> 60
Priority = 0 -> 0
Severity = 2 -> 55
(60 + 0 + 55) / 3 = 58 Risk Score 58
Change priority to 3 -> 40
(60 + 40 + 55) / 3 = 52 Risk Score 52
*** I have noticed that the affected user is also brought into the equation. But we don't have any user rules set up, so the weight for affected user is always set to 10 oob.
Additional Configuration:
Examples from ServiceNow
- Set priority to critical when business impact of affected service (based on CI) is critical and category is Denial of Service or Spear Phishing or Malicious code activity
- Set values based on the criticality of the affected business service.
  - If the business criticality of the service is 1 – most critical, then impact = 1, risk = 2, priority = 1, severity = 1.
  - If the business criticality of the service is 2 – somewhat critical, then impact = 2, risk = 3, priority = 3, severity = 2.
  - Etc.
- Set the severity = 1 if attack vector contains web and email and impersonation
- Set the severity = 1 for given business units (so, in this case, add the business unit to the form, either set it manually or from the affected person)
- Set risk, impact, priority, severity to 1 if the affected service is 1 – most critical
- Can set up a calculator to change the business impact based on user values
‎02-22-2018 09:31 PM
Check Security Incident > Setup > Risk Score Configuration to see how the weightings work.