Associate compensating controls with CVEs or TPEs for risk change requests

  • Release version: Xanadu
  • Updated August 1, 2024
As a Vulnerability Manager or Analyst, you can associate relevant compensating controls with a Common Vulnerability Entry (CVE) or Third-party Entry (TPE) in the Vulnerability Manager Workspace so that they can be applied to risk change requests.

    Before you begin

    Role required: sn_vul.vulnerability_analyst, or sn_vul.vulnerability_admin

    About this task

    • If you don’t associate compensating controls with a CVE or TPE, all the active controls appear in the Select Compensating Controls field of the Request Exception form.
    • If you associate a compensating control with a CVE, the control is automatically associated with the TPE that is mapped to the CVE.
    Note:
    The compensating controls feature is available for host vulnerabilities only.

    Procedure

    1. Navigate to Workspaces > Vulnerability Manager Workspace.
    2. On the Lists page, under Libraries, open the record that you want to associate the controls with, which is one of the following:
      • CVE from the CVEs list.
      • TPE from the TPEs list.
    3. Select Associate controls.
      Note:
      The Associate controls button appears only when risk change is enabled for the CVE or TPE, so you can associate compensating controls only in that case. If the Associate controls button isn’t visible, select Enable risk change.
    4. On the Associate controls modal, select the compensating controls that can be applied to vulnerabilities associated with the CVE or TPE for risk change.
    5. Select Submit.
      • The associated compensating controls appear in the Applicable compensating controls tab in the record view of the CVE and TPE.
      • When a remediation owner requests a risk change, these associated compensating controls appear in the Select Compensating Controls field on the Request Exception modal.