Impact of the compensating controls on risk score and expiration date
As a Remediation Owner, you can request risk reduction for a host vulnerable item or a remediation task, and a Vulnerability Manager or Analyst can approve the request.
For more information on requesting and approving risk reduction, see Request risk reduction for a vulnerable item or remediation task and Approve or reject requests in the Vulnerability Manager Workspace, respectively.
When a risk reduction request is approved, the risk score is reduced according to the Desired value (risk rating) in the state change approval (VCA#) record: the record is assigned the highest risk score of that desired risk rating. The following example shows how the Risk score and Original risk score fields are updated when compensating controls are applied, using the default highest risk scores of the risk ratings.
| Scenario | Risk rating | Risk score | Original risk score (Calculated risk score) |
|---|---|---|---|
| Data prior to v20.0 | 2 - High | 80 | The field is not available prior to v20.0. |
| After upgrading to v20.0 | 2 - High | 80 | Null |
| Calculated risk score changes to 90 during ingestion | 1 - Critical | 90 | Null |
| When you apply compensating controls | 3 - Medium | 69 | 90 |
| Calculated risk score changes to 70 during ingestion | 3 - Medium | 69 | 70 |
| Calculated risk score changes to 50 during ingestion | 3 - Medium | 50 | 50 |
| Calculated risk score changes to 80 during ingestion | 3 - Medium | 50 | 80 |
| When compensating controls expire on Until date for risk reduction | 2 - High | 80 | Null |
Impact of compensating controls on a remediation task
When your request for risk reduction is approved for a remediation task, the impact of compensating controls on its vulnerable items is as follows:
- The compensating controls applied on the remediation task are applied to its vulnerable items (other than those in the Closed state) whose risk score is greater than the risk score corresponding to the Desired value in the remediation task's state change approval, and the risk score of those vulnerable items is reduced according to the Desired value.
- When new vulnerable items are ingested and associated with a remediation task that already has an approved compensating control, the reduced risk rating is automatically inherited by the new vulnerable items. The risk score of the new vulnerable items is set to match the Desired value from the approved state change approval record, and the Original risk score field reflects the scanner-calculated value. This applies to all finding types across Vulnerability Response, Application Vulnerability Response, and Container Vulnerability Response.
- The SLA for newly ingested vulnerable items that inherit a compensating control from the remediation task is calculated based on the reduced risk level, not the original scanner-severity level.
- The Until date for risk reduction remains unchanged for the vulnerable items on which a compensating control is already applied. It is not updated with the Until date for risk reduction of the Remediation Task.
- The Until date for risk reduction is rolled down to the vulnerable items only when no compensating control was previously applied on any of them. If you apply compensating controls on the remediation task again, the Until date for risk reduction is not rolled down to the vulnerable items, because the existing Until date for risk reduction of the vulnerable items takes priority.
- When a new vulnerable item is added to a remediation task on which compensating controls are already applied, the compensating control is automatically applied to the new vulnerable item, and its risk score is reduced to match the Desired value from the approved state change approval record.
Impact of a compensating control on a vulnerable item
When your request for risk reduction is approved for a vulnerable item:
- Its new risk score is displayed in the Risk score field and the old risk score (the calculated risk score) moves to the Original risk score field. This change holds until the date specified in the Until date for risk reduction field.
- When a vulnerable item already has compensating controls applied, the following rules apply during ingestion:
  - If the calculated risk score is greater than the Risk score, the Risk score remains the same and the Original risk score is updated with the calculated risk score.
  - If the calculated risk score is less than the Risk score, both the Risk score and the Original risk score are updated with the calculated risk score.
- If the Configuration Item (CI) is changed for a vulnerable item on which a compensating control is already applied:
  - By default, the sn_sec_cmn.update_on_ci_change system property is set to true and the CI is updated on the vulnerable item. The compensating control remains applicable to the vulnerable item.
  - If the sn_sec_cmn.update_on_ci_change system property is set to false, the vulnerable item is closed and a new vulnerable item is created. The compensating control applied to the old vulnerable item is applied to the new vulnerable item, and the Until date for risk reduction, Original risk score, and Risk score remain the same.
- When a vulnerable item is reopened by the scanner and compensating control is already applied on it, the same compensating control is applied after it is reopened.
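The following is a constructed model, added here and not ServiceNow code, of the three behaviours described on this page: the Risk score / Original risk score sequence from the table above, the ingestion rules for an item that already carries a control, and the roll-down of a remediation task's control to its vulnerable items. The rating bands in RATING_TOP are assumptions for the example; the page's table only fixes that Medium tops out at 69 and that 90 is Critical.

```python
"""Constructed model (not ServiceNow code) of how an approved compensating
control changes Risk score / Original risk score, how ingestion updates them,
and how a remediation task rolls its control down to its vulnerable items."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed default bands (highest score per rating); only 69 for Medium is from the page.
RATING_TOP = {"4 - Low": 39, "3 - Medium": 69, "2 - High": 89, "1 - Critical": 100}


def rating_for(score: int) -> str:
    return next(r for r, top in RATING_TOP.items() if score <= top)


@dataclass
class VulnerableItem:
    risk_score: int
    state: str = "Open"
    original_risk_score: Optional[int] = None  # Null while no control is applied
    until_date: Optional[str] = None           # Until date for risk reduction

    def apply_control(self, desired: str, until: str) -> None:
        # Approved VCA: score drops to the highest score of the Desired rating;
        # the scanner-calculated value is preserved in Original risk score.
        if self.original_risk_score is None:
            self.original_risk_score = self.risk_score
        self.risk_score, self.until_date = RATING_TOP[desired], until

    def ingest(self, calculated: int) -> None:
        if self.original_risk_score is None:      # no control: take scanner value
            self.risk_score = calculated
        elif calculated > self.risk_score:        # control holds; remember new original
            self.original_risk_score = calculated
        else:                                     # scanner dropped below reduced score
            self.risk_score = self.original_risk_score = calculated

    def expire_control(self) -> None:
        # Until date reached: revert to the scanner-calculated score.
        if self.original_risk_score is not None:
            self.risk_score, self.original_risk_score, self.until_date = self.original_risk_score, None, None


def roll_down(items: List[VulnerableItem], desired: str, until: str) -> List[VulnerableItem]:
    """Task approval: reduce non-Closed items scoring above the Desired rating's top
    score; an item that already carries a control keeps its own Until date."""
    changed = []
    for vi in items:
        if vi.state != "Closed" and vi.risk_score > RATING_TOP[desired]:
            vi.apply_control(desired, vi.until_date or until)
            changed.append(vi)
    return changed
```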