Security Incident Management Premium dashboard

  • Release version: Xanadu
  • Updated August 1, 2024

    This dashboard uses advanced Platform Analytics visualizations to help security managers track the volume, performance, and progress of security incidents from initial analysis/detection to containment, eradication, and recovery. The licensed version of Performance Analytics is therefore required.

    Figure 1. Security incident response by state
    The Process by State tab of the Security Incident Management Premium dashboard
    Figure 2. Security incident response by age
    Workbench widget showing key security incident indicators broken down by age

    End users and roles

    Security Response Manager
      • Goal: Needs clear visibility into the overall state and volume of security incidents associated with applications and services.
      • Required role: sn_si.manager
      • Benefits: Can review the overall security posture with the ability to adjust the members of assignment groups.

    Security Response Administrator
      • Goal: Needs to pinpoint areas of concern quickly and have full control over all Security Incident Response data while administering territories and skills, as needed.
      • Required role: sn_si.admin
      • Benefits: Can adjust risk calculation parameters to ensure vulnerable items that are most pertinent to the organization are being addressed first.

    Security Response Analysts
      • Goal: Need to quickly prioritize which vulnerabilities to focus on based upon criticality to the organization.
      • Required role: sn_si.analyst
      • Benefits: Tier 1 and 2 security analysts work on security incidents. They can create and update security incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents.

    Security Incident Management Premium indicators

    The Process by State and Process by Age tabs contain workbench widgets with the following indicators:
    Average age
    The Average age of open security incidents indicator uses the formula [[Summed age of open security incidents]] / [[Number of open security incidents]] / 24 to give a result in days.
    Average reassignment times
    The Average re-assignment of open security incidents indicator uses the formula Summed re-assignment of open security incidents / Number of open security incidents.
    Average age of last update
    The Average age of last update of open security incidents indicator uses the formula Summed age of last update of open security incidents / Number of open security incidents / 24 to give a result in days.
    % not updated in 5 days
    The % of open security incidents not updated in last 5 days indicator uses the formula ( [[Number of open security incidents not updated in the last 5 days]] / [[Number of open security incidents]] ) * 100.
    The Data Quality tab has interactive filters for the Category of the security incident and the levels of Risk, Priority, and Severity. These filters are applied simultaneously to the following indicators:
    Security Incidents Open for More Than 30 Days by Assignment Group and State
    The Number of open security incidents filtered for an age of 30 days and broken down by Assignment group and State.

    Heatmap widget of security incidents open more than 30 days with the Assignment Group and State level 1 and 2 breakdowns

    Security Incidents With Assignee That is not Active
    The Number of open security incidents with no assignee or an assignee who is not active.
    Security Incidents Open for More Than 30 Days by Assignment Group and State
    The Number of open security incidents not updated in the last 30 days indicator broken down by Assignment group and State.
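
The workbench formulas and Data Quality counts above can be cross-checked against an export of incident records. The following is an added example, not ServiceNow or Performance Analytics code: the field names (`opened`, `updated`, `reassignments`, `assigneeActive`, `open`) are hypothetical and the sample rows are constructed.

```javascript
// Added example. Field names are hypothetical and the rows are constructed.
const HOUR = 3600 * 1000;
const NOW = Date.parse("2024-08-01T00:00:00Z");
const SAMPLE = [
  { opened: "2024-07-30T00:00:00Z", updated: "2024-07-31T00:00:00Z", reassignments: 0,
    group: "SOC Tier 1", state: "Analysis", assignee: "a.lee", assigneeActive: true, open: true },
  { opened: "2024-06-22T00:00:00Z", updated: "2024-07-22T00:00:00Z", reassignments: 3,
    group: "SOC Tier 2", state: "Contain", assignee: null, assigneeActive: false, open: true },
  { opened: "2024-07-14T00:00:00Z", updated: "2024-07-25T00:00:00Z", reassignments: 1,
    group: "SOC Tier 1", state: "Contain", assignee: "b.cho", assigneeActive: false, open: true },
  { opened: "2024-05-01T00:00:00Z", updated: "2024-05-03T00:00:00Z", reassignments: 5,
    group: "SOC Tier 1", state: "Closed", assignee: "a.lee", assigneeActive: true, open: false },
];

// Breakdown by assignment group, then state (the heatmap's two levels).
function groupCount(rows) {
  const out = {};
  for (const r of rows) {
    const key = `${r.group} / ${r.state}`;
    out[key] = (out[key] || 0) + 1;
  }
  return out;
}

function indicators(incidents, now) {
  const open = incidents.filter((i) => i.open);
  const n = open.length;
  if (n === 0) return null; // every formula divides by the open count
  const ageH = (i) => (now - Date.parse(i.opened)) / HOUR;   // age in hours
  const idleH = (i) => (now - Date.parse(i.updated)) / HOUR; // hours since last update
  const sum = (f) => open.reduce((acc, i) => acc + f(i), 0);
  const count = (p) => open.filter(p).length;
  return {
    avgAgeDays: sum(ageH) / n / 24,
    avgReassignments: sum((i) => i.reassignments) / n,
    avgLastUpdateDays: sum(idleH) / n / 24,
    pctNotUpdated5d: (count((i) => idleH(i) > 5 * 24) / n) * 100,
    openOver30d: groupCount(open.filter((i) => ageH(i) > 30 * 24)),
    staleOver30d: groupCount(open.filter((i) => idleH(i) > 30 * 24)),
    noActiveAssignee: count((i) => !i.assignee || !i.assigneeActive),
  };
}

console.log(indicators(SAMPLE, NOW));
```

With no open incidents the function returns `null` instead of dividing by zero, which is the case to check when a breakdown element on the dashboard shows no score.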
    The KPI tab has the following additional indicators:
    • % of new critical security incidents
    • Average Age of Open Security Incidents
    • Average Close Time of Security Incidents
    • % Of Security Incidents that have been reassigned
    • % of Security Incidents closed on first assignment
    • % of security incidents closed by self-service
    • % of security incidents not solved
    • Average Close time of security incident tasks

    Breakdowns

    The following breakdowns apply to the indicators on the dashboard:
    • Security Group
    • Security Incident Age
    • Security Incident Category
    • Security Incident Priority
    • Security Incident State