Configuration Compliance calculator groups

  • Release version: Xanadu
  • Updated August 1, 2024

    Configuration Compliance calculators are used to update record values when pre-defined conditions are met. The calculators are grouped based on the criteria used to determine how the records are updated.

    Note:
    Starting with v14.9 of Configuration Compliance, the following terms have been renamed:
    Table 1. Changes in terminology

    | Terminology prior to v14.9 | Terminology v14.9 onwards |
    |---|---|
    | Test Result Group | Remediation Task |
    | Group Rules | Remediation Task Rules |
    | Policy Test group | |

    Configuration Compliance calculator groups

    From the Default Risk Calculator record, calculator rules can be applied on-demand to all affected test results and collections. Vulnerability managers may use this feature to adjust their risk calculator configuration. They might experiment with several prioritization schemes early in their deployment and apply those changes on-demand to view how they impact import findings.

    The Risk Score calculator group has been renamed to Risk Calculators.

    Risk Score Rollup Calculators are included with Configuration Compliance. There are two types of individual rollup calculators:
    • Configuration Test Risk Roll Up: Calculators that roll up risk scores for all Test Results with the same Configuration Test to provide an overall risk score for the Configuration Test. The rolled-up value is displayed in the Risk Score fields.
    • Remediation Task Risk Score Rollup: These calculators roll up risk scores for all Test Results in a Remediation Task to provide an overall risk score for that remediation task. The rolled-up value is displayed in the Risk Score fields.

    Both the Risk Score calculator group and Risk Score Rollup Calculators group are enabled by default.

    For more information, review the following key terms for Configuration Compliance calculators:

    Test result
    A test result is the outcome of the configuration test on a configuration item (CI) and the associated technology. Test results in Failed, Error, and Unknown states identify hardware, software, and assets that are out of compliance with your policies.
    Remediation task
    Test results are grouped together at the time of data import based on the pre-defined remediation task rules. These remediation tasks are similar to vulnerability groups in Vulnerability Response. Remediation Tasks organize test results into groups for bulk analysis and represent a set of items to remediate.
    Risk score in a test result

    A value calculated by risk score calculators that is based on the business context of an asset and the severity of the associated test. It is the average of the business criticality of the affected asset as defined in the CMDB, and the severity of the test as communicated by the scanner.

    Each asset can have multiple services associated with it. The business criticality of an asset is determined by the service with the highest criticality.

    The calculated value is displayed in the Risk Score fields of test results. Scores range from 0 to 100. Fields are also color-coded to show the severity at a glance.

    Risk score in remediation task
    This score is displayed on the Remediation Task record and is the rolled up value of the risk scores for all the active test results in a Remediation Task. This score changes as test results are remediated in the Remediation Task.
    Risk score in configuration test
    This score is displayed on configuration tests and is the rolled up value of the risk scores for all the active test results with that configuration test. This score changes as the test results associated with this configuration test are remediated.
    Risk rating
    The amount of risk a failed test result poses to your system. It is rated on a 1-5 numeric scale, from Critical (1) to None (5), where each rating corresponds to a range of risk scores. The rating is displayed in Risk Rating fields.
    Table 2. Risk rating ranges

    | Risk rating | Risk score |
    |---|---|
    | 1 - Critical | 90 to 100 |
    | 2 - High | 70 to 89 |
    | 3 - Medium | 40 to 69 |
    | 4 - Low | 1 to 39 |
    | 5 - None | 0 |

    Risk score rollup calculators
    There are two types of rollup calculators:
    • Configuration Test Risk Roll Up: These calculators roll up risk scores for all Test Results with the same Configuration Test to provide an overall risk score for the Configuration Test. The rolled-up value is displayed in the Risk Score fields. You can edit the script values for weight and score for these calculators.
    • Remediation Task Risk Score Rollup: These calculators roll up risk scores for all Test Results in a remediation task to provide an overall risk score for that remediation task. The rolled-up value is displayed in the Risk Score fields. You can edit the script values for weight and score for these calculators. For an example of a Risk score rollup calculator and how it calculates scores, see Risk rollup calculation example for Configuration Compliance (prior to v15.0).
    Historical risk score
    The inherent risk score across all the passed test results in a remediation task. This field displays the amount of risk that was remediated by a test group and is only displayed after a test group is in the ‘Closed’ state and the risk score is zero.

    Scores are calculated whenever the risk score changes or when test results are added or removed from a remediation task.

    Note:
    To work properly, this script requires the Service Mapping plugin. Service Mapping is available as a separate subscription and requires activation by ServiceNow personnel.
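
The test-result scoring and rating rules described above, worked through as an added JavaScript example (not ServiceNow's calculator script and not from the original page). It assumes criticality and severity are already on a 0-100 scale, that an asset with no mapped service contributes 0, and that the average is rounded before banding; function names and sample CIs are hypothetical.

```javascript
// Added illustration; not ServiceNow's calculator script.
// Assumption: criticality and severity are already normalized to 0-100.

// Table 2 from the page, keyed by the lowest score in each band.
const RATING_BANDS = [
  { min: 90, label: '1 - Critical' },
  { min: 70, label: '2 - High' },
  { min: 40, label: '3 - Medium' },
  { min: 1, label: '4 - Low' },
  { min: 0, label: '5 - None' },
];

// An asset takes the criticality of its most critical service.
function assetCriticality(serviceCriticalities) {
  // Assumption: an asset with no mapped service contributes 0.
  return serviceCriticalities.length ? Math.max(...serviceCriticalities) : 0;
}

// Risk score = average of asset business criticality and test severity.
function testResultRiskScore(serviceCriticalities, severity) {
  const criticality = assetCriticality(serviceCriticalities);
  const inRange = (v) => Number.isFinite(v) && v >= 0 && v <= 100;
  if (!inRange(criticality) || !inRange(severity)) {
    throw new RangeError('criticality and severity must be within 0-100');
  }
  // Assumption: the average is rounded to a whole number before banding.
  return Math.round((criticality + severity) / 2);
}

// Map a 0-100 risk score to its Table 2 rating.
function riskRating(score) {
  if (!Number.isInteger(score) || score < 0 || score > 100) {
    throw new RangeError(`score outside 0-100: ${score}`);
  }
  return RATING_BANDS.find((band) => score >= band.min).label;
}

// Constructed sample test results (hypothetical CIs and values).
const SAMPLE_RESULTS = [
  { ci: 'web-01', services: [40, 100], severity: 80 },
  { ci: 'db-02', services: [60], severity: 79 },
  { ci: 'kiosk-03', services: [], severity: 60 },
];

function scoreAll(results) {
  return results.map(({ ci, services, severity }) => {
    const score = testResultRiskScore(services, severity);
    return { ci, score, rating: riskRating(score) };
  });
}
```

In the sample, `web-01` is scored against its most critical service rather than the less critical one, and `kiosk-03` shows how a missing service mapping lowers the score under the stated assumption.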