Impact of the compensating controls on risk score and expiration date

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 3 minutes to read

    Starting from v20.0 of Vulnerability Response, as a Remediation Owner, you can request risk reduction for a host vulnerable item or remediation task and approvers can approve the risk reduction requests.

    For more information on how to request risk reduction and how to approve risk reduction requests, see Request risk change in the IT Remediation Workspace and Approve or reject requests in the Vulnerability Manager Workspace respectively.

    When a risk reduction request is approved, the risk score is reduced according to the Desired value (risk rating) in the state change approval (VCA#) record. The highest risk score of the desired risk rating is assigned to the record when your risk reduction request is approved. The following example shows how the Risk score and Original risk score are updated when compensating controls are applied. The default highest risk scores of the risk ratings are used in the following example.

    Table 1. Impact of compensating controls on risk score and original risk score

    Scenario                                                            | Risk rating  | Risk score | Original risk score (Calculated risk score)
    --------------------------------------------------------------------|--------------|------------|--------------------------------------------
    Data prior to v20.0                                                 | 2 - High     | 80         | The field is not available prior to v20.0.
    After upgrading to v20.0                                            | 2 - High     | 80         | Null
    Calculated risk score changes to 90 during ingestion                | 1 - Critical | 90         | Null
    When you apply compensating controls                                | 3 - Medium   | 69         | 90
    Calculated risk score changes to 70 during ingestion                | 3 - Medium   | 69         | 70
    Calculated risk score changes to 50 during ingestion                | 3 - Medium   | 50         | 50
    Calculated risk score changes to 80 during ingestion                | 3 - Medium   | 50         | 80
    When compensating controls expire on Until date for risk reduction  | 2 - High     | 80         | Null

    Impact of compensating controls on a remediation task

    When your request for risk reduction is approved for a remediation task, the impact of compensating controls on its vulnerable items is as follows:

    • The compensating controls applied on the remediation task are applied on its vulnerable items (other than those in the Closed state) that have a risk score greater than the risk score corresponding to the Desired value in the state change approval of the remediation task, and the risk score of these vulnerable items is reduced according to the Desired value.
    • The Until date for risk reduction remains unchanged for the vulnerable items on which a compensating control is already applied. It is not updated with the Until date for risk reduction of the Remediation Task.
    • The Until date for risk reduction is rolled down to the vulnerable items only when a compensating control has not previously been applied on any vulnerable item. If you apply compensating controls on the remediation task again, the Until date for risk reduction is not rolled down to the vulnerable items, because the existing Until date for risk reduction of the vulnerable items is given priority.
    • When a new vulnerable item is added to a remediation task on which compensating controls are already applied, the risk reduction is not rolled down to the new vulnerable item.
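    The roll-down rules above, modelled as an added example (not ServiceNow code): Closed items and items already at or below the Desired score are skipped, the Until date is rolled down only when no item in the task carries a control yet, and items added after approval are untouched. The item numbers, dates and the Medium-to-69 mapping are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

# Only "69 is the default highest score of Medium" is stated on the page (Table 1).
DESIRED_SCORE = {"3 - Medium": 69}

@dataclass
class VulnerableItem:
    number: str                           # constructed sample numbers below
    state: str                            # e.g. "Open" or "Closed"
    risk_score: int
    original_risk_score: Optional[int] = None
    until_date: Optional[str] = None      # Until date for risk reduction; set => control applied

@dataclass
class RemediationTask:
    items: list = field(default_factory=list)

    def approve_risk_reduction(self, desired: str, until_date: str) -> list:
        """Rolls an approved task-level control down to the task's vulnerable items.
        Returns the numbers of the items whose risk score was reduced."""
        target = DESIRED_SCORE[desired]
        # The Until date is rolled down only if no item already carries a control.
        roll_down_until = not any(vi.until_date for vi in self.items)
        reduced = []
        for vi in self.items:
            if vi.state == "Closed" or vi.risk_score <= target:
                continue                  # Closed, or already at/below the Desired score
            vi.original_risk_score = vi.risk_score
            vi.risk_score = target
            if roll_down_until and vi.until_date is None:
                vi.until_date = until_date
            reduced.append(vi.number)
        return reduced

def demo() -> RemediationTask:
    # Constructed task: one open item above Medium, one Closed, one already below 69.
    task = RemediationTask([VulnerableItem("VIT0001", "Open", 80),
                            VulnerableItem("VIT0002", "Closed", 85),
                            VulnerableItem("VIT0003", "Open", 60)])
    task.approve_risk_reduction("3 - Medium", "2024-03-31")  # first approval rolls down
    task.approve_risk_reduction("3 - Medium", "2024-06-30")  # second: Until date kept
    task.items.append(VulnerableItem("VIT0004", "Open", 90)) # added later: not rolled down
    return task
```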

    Impact of a compensating control on a vulnerable item

    When your request for risk reduction is approved for a vulnerable item:

    • Its new risk score appears in the Risk score field and the old risk score (calculated risk score) moves to the Original risk score field. This change holds until the date specified in the Until date for risk reduction field.
    • When a vulnerable item has compensating controls already applied, during ingestion:
      • If the calculated risk score is greater than the risk score, the risk score remains the same and the original risk score is updated with the calculated risk score.
      • If the calculated risk score is less than the risk score, both the risk score and the original risk score are updated with the calculated risk score.
    • If the Configuration Item (CI) is changed for a vulnerable item on which a compensating control is already applied:
      • By default, because the sn_sec_cmn.update_on_ci_change system property is set to true, the CI is updated on the existing vulnerable item.

        The compensating control still applies to the vulnerable item.

      • If the sn_sec_cmn.update_on_ci_change system property is set to false, the vulnerable item is closed and a new vulnerable item is created.

        The compensating control applied to the old vulnerable item is applied to the new vulnerable item, and the Until date for risk reduction, Original risk score and Risk score remain the same.

    • When a vulnerable item on which a compensating control is already applied is reopened by the scanner, the same compensating control is applied after it is reopened.
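    The per-item behaviour above (approval, ingestion with a control in place, expiry on the Until date) replayed against the sequence of Table 1, as an added example rather than ServiceNow code. Only the Medium-to-69 mapping comes from the page; the Critical/High thresholds in rating_for are assumptions chosen so that 90 and 80 classify as the table shows.

```python
from typing import Optional
from dataclasses import dataclass

# Only "69 is Medium's default highest score" is stated on the page; the rating
# thresholds in rating_for are assumed, chosen to match Table 1 (90 Critical, 80 High).
RATING_MAX_SCORE = {"3 - Medium": 69}

def rating_for(score: int) -> str:
    return "1 - Critical" if score >= 90 else "2 - High" if score >= 70 else "3 - Medium"

@dataclass
class VulnerableItem:
    risk_score: int
    original_risk_score: Optional[int] = None  # Null until a control is applied
    control_rating: Optional[str] = None       # Desired value from the VCA record

    def apply_compensating_control(self, desired: str) -> None:
        # On approval the calculated score moves to Original risk score and
        # Risk score becomes the highest score of the desired rating.
        self.original_risk_score = self.risk_score
        self.risk_score = RATING_MAX_SCORE[desired]
        self.control_rating = desired

    def ingest(self, calculated: int) -> None:
        if self.control_rating is None:
            self.risk_score = calculated           # no control: track the scanner
        elif calculated > self.risk_score:
            self.original_risk_score = calculated  # keep the reduced Risk score
        else:                                      # scanner is now below the reduction
            self.risk_score = self.original_risk_score = calculated

    def expire_control(self) -> None:
        # Until date reached: revert to the calculated score, clear Original risk score.
        if self.control_rating is not None:
            self.risk_score, self.original_risk_score = self.original_risk_score, None
            self.control_rating = None

    def row(self) -> tuple:
        # While a control is active the item shows the Desired rating.
        return (self.control_rating or rating_for(self.risk_score),
                self.risk_score, self.original_risk_score)

def replay_table_1() -> list:
    """Replays Table 1 (constructed input) and returns one (rating, score, original) per step."""
    vi = VulnerableItem(risk_score=80)  # state after upgrading to v20.0
    rows = [vi.row()]
    for action, value in [("ingest", 90), ("apply", "3 - Medium"), ("ingest", 70),
                          ("ingest", 50), ("ingest", 80), ("expire", None)]:
        if action == "ingest":
            vi.ingest(value)
        elif action == "apply":
            vi.apply_compensating_control(value)
        else:
            vi.expire_control()
        rows.append(vi.row())
    return rows
```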