Impact of the compensating controls on risk score and expiration date

  • Release version: Australia
  • Updated: March 12, 2026
  • Reading time: 7 minutes
  • As a Remediation Owner, you can request risk reduction for a host vulnerable item or a remediation task, and a Vulnerability Manager or Analyst can approve or reject those requests.

    For more information on how to request risk reduction and how to approve or reject such requests, see Request risk reduction for a vulnerable item or remediation task and Approve or reject requests in the Vulnerability Manager Workspace, respectively.

    When a risk reduction request is approved, the risk score is reduced according to the Desired value (risk rating) in the state change approval (VCA#) record: the record is assigned the highest risk score that falls within the desired risk rating, regardless of the score it had before. While the reduction is in effect, the score that the scanner data would otherwise produce (the calculated risk score) is kept in the Original risk score field. The following example shows how the Risk score and Original risk score fields change when compensating controls are applied and when later scans change the calculated risk score. The example uses the default highest risk scores of the risk ratings.

    Table 1. Impact of compensating controls on risk score and original risk score

    | Scenario                                                            | Risk rating  | Risk score | Original risk score (calculated risk score) |
    |---------------------------------------------------------------------|--------------|------------|---------------------------------------------|
    | Data prior to v20.0                                                 | 2 - High     | 80         | Field not available prior to v20.0          |
    | After upgrading to v20.0                                            | 2 - High     | 80         | Null                                        |
    | Calculated risk score changes to 90 during ingestion                | 1 - Critical | 90         | Null                                        |
    | When you apply compensating controls                                | 3 - Medium   | 69         | 90                                          |
    | Calculated risk score changes to 70 during ingestion                | 3 - Medium   | 69         | 70                                          |
    | Calculated risk score changes to 50 during ingestion                | 3 - Medium   | 50         | 50                                          |
    | Calculated risk score changes to 80 during ingestion                | 3 - Medium   | 50         | 80                                          |
    | When compensating controls expire on the Until date for risk reduction | 2 - High  | 80         | Null                                        |

    Impact of compensating controls on a remediation task

    When your request for risk reduction is approved for a remediation task, the compensating controls affect its vulnerable items as follows:

    • The compensating controls applied to the remediation task are applied to its vulnerable items (except those in the Closed state) whose risk score is greater than the risk score corresponding to the Desired value in the remediation task's state change approval. The risk score of those vulnerable items is reduced according to that Desired value.
    • The Until date for risk reduction of a vulnerable item that already has a compensating control applied remains unchanged; it is not overwritten with the remediation task's Until date for risk reduction.
    • The Until date for risk reduction is rolled down only to vulnerable items on which no compensating control was previously applied. If you apply compensating controls to the remediation task again, the Until date is not rolled down again, because the existing Until date for risk reduction of the vulnerable items takes priority.
    • When a new vulnerable item is added to a remediation task to which compensating controls are already applied, the risk reduction is not rolled down to the new vulnerable item.

    Impact of a compensating control on a vulnerable item

    When your request for risk reduction is approved for a vulnerable item:

    • Its new risk score is shown in the Risk score field, and the old risk score (the calculated risk score) moves to the Original risk score field. This holds until the date specified in the Until date for risk reduction field.
    • When a vulnerable item already has compensating controls applied, the following happens during ingestion:
      • If the calculated risk score is greater than the risk score, the risk score remains the same and the Original risk score is updated with the calculated risk score.
      • If the calculated risk score is less than or equal to the risk score, both the Risk score and the Original risk score are updated with the calculated risk score.
    • If the Configuration Item (CI) of a vulnerable item with a compensating control applied is changed:
      • By default, the sn_sec_cmn.update_on_ci_change system property is set to true, so the CI on the vulnerable item is updated in place.

        The compensating control still applies to the vulnerable item.

      • If the sn_sec_cmn.update_on_ci_change system property is set to false, the vulnerable item is closed and a new vulnerable item is created.

        The compensating control applied to the old vulnerable item is carried over to the new vulnerable item, and the Until date for risk reduction, Original risk score, and Risk score remain the same.

    • When a vulnerable item that already has a compensating control applied is reopened by the scanner, the same compensating control remains applied after it is reopened.
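    The following is an added illustration of the rules in this article (the ingestion behaviour for a vulnerable item with a compensating control, the expiry on the Until date, and the roll-down from a remediation task), written as a small JavaScript model so that Table 1 can be replayed step by step. It is not ServiceNow code and does not use any ServiceNow API or table. The rating boundaries and the highest scores for Critical and High are assumptions; the page only confirms that the highest score for 3 - Medium is 69 under the default settings.

```javascript
// Added illustration of the risk-score rules on this page; it is not
// ServiceNow code and does not touch any ServiceNow table or API.
'use strict';

// Assumed default highest risk score per rating. The page confirms only
// 69 for "3 - Medium"; the other two values are illustrative placeholders.
const RATING_MAX = { '1 - Critical': 100, '2 - High': 89, '3 - Medium': 69 };

// Assumed rating boundaries, chosen to agree with the worked table above
// (90 -> Critical, 80 -> High, 50 and 69 -> Medium).
function ratingFor(score) {
  if (score >= 90) return '1 - Critical';
  if (score >= 70) return '2 - High';
  return '3 - Medium';
}

// Minimal vulnerable-item model. riskScore is the displayed score;
// originalRiskScore holds the calculated score while a control is in effect.
// Dates are plain numbers (day offsets) to keep the example self-contained.
function newVulnerableItem(calculatedScore) {
  return { state: 'Open', riskScore: calculatedScore, originalRiskScore: null, untilDate: null };
}

function controlActive(vi, now) {
  return vi.untilDate !== null && now < vi.untilDate;
}

// Approved risk reduction: the calculated score moves to Original risk score
// and the highest score of the desired rating becomes the Risk score.
function applyCompensatingControl(vi, desiredRating, untilDate) {
  const calculated = vi.originalRiskScore !== null ? vi.originalRiskScore : vi.riskScore;
  vi.originalRiskScore = calculated;
  vi.riskScore = RATING_MAX[desiredRating];
  vi.untilDate = untilDate;
  return vi;
}

// Scanner ingestion produces a fresh calculated score.
function ingest(vi, calculatedScore, now) {
  if (!controlActive(vi, now)) {
    vi.riskScore = calculatedScore;
    vi.originalRiskScore = null;
  } else if (calculatedScore > vi.riskScore) {
    vi.originalRiskScore = calculatedScore; // control keeps capping the score
  } else {
    vi.riskScore = calculatedScore;         // both fields follow the lower value
    vi.originalRiskScore = calculatedScore;
  }
  return vi;
}

// On the Until date the control lapses and the calculated score is restored.
function expireControls(vi, now) {
  if (vi.untilDate !== null && now >= vi.untilDate) {
    if (vi.originalRiskScore !== null) vi.riskScore = vi.originalRiskScore;
    vi.originalRiskScore = null;
    vi.untilDate = null;
  }
  return vi;
}

// Roll-down from a remediation task: only non-Closed items scoring above the
// desired rating's maximum are reduced, and an item that already carries a
// control keeps its own Until date rather than taking the task's.
function rollDownFromTask(items, desiredRating, taskUntilDate) {
  const cap = RATING_MAX[desiredRating];
  for (const vi of items) {
    if (vi.state === 'Closed' || vi.riskScore <= cap) continue;
    const until = vi.untilDate !== null ? vi.untilDate : taskUntilDate;
    applyCompensatingControl(vi, desiredRating, until);
  }
  return items;
}

// Replays Table 1 row by row and returns the field values after each step.
function replayTable() {
  const vi = newVulnerableItem(80);
  const rows = [];
  const snapshot = (scenario) => rows.push({
    scenario, rating: ratingFor(vi.riskScore), risk: vi.riskScore, original: vi.originalRiskScore,
  });
  snapshot('after upgrade');
  ingest(vi, 90, 1);                              snapshot('ingest 90');
  applyCompensatingControl(vi, '3 - Medium', 10); snapshot('apply controls');
  ingest(vi, 70, 2);                              snapshot('ingest 70');
  ingest(vi, 50, 3);                              snapshot('ingest 50');
  ingest(vi, 80, 4);                              snapshot('ingest 80');
  expireControls(vi, 10);                         snapshot('expired');
  return rows;
}
```

    Calling replayTable() reproduces the seven rows of Table 1 in order. Note the fourth and fifth ingestion steps: once a scan lowers the calculated score below the cap, the displayed Risk score follows that lower value, and a later increase (80) raises only the Original risk score, so the item stays at 50, not 69, until the Until date passes and the control lapses.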