
Custom Risk Classification

Use custom risk scores in JSA Vulnerability Manager to classify vulnerabilities that pose the most risk to your organization. Custom risk classification allows you to override a vulnerability's risk with your own risk classification.

Based on your individual requirements, you might want to override a vulnerability's risk with your own risk classification. A vulnerability that JSA Vulnerability Manager classifies with a high CVSS score might not actually pose a serious risk because of numerous mitigating factors. For example, if a CVSS 9.5 IPv6 vulnerability is published and an enterprise does not have any IPv6 infrastructure, then the high CVSS score is not justified.

Configuring Custom Risk Scores for Vulnerabilities

In JSA Vulnerability Manager, you can add an internal custom risk score to vulnerabilities that reflects the real risk to your organization. Assigned vulnerabilities have an associated remediation ticket with a due date that can be changed by adding a custom risk.

A nightly auto update job runs to update all the custom risk fields. For reporting and saved search purposes, your custom risk changes do not come into effect right away. You can run the auto update manually to populate the custom risk information that is entered. Run the auto update by clicking the Auto Update icon on the Admin tab.

  1. Click the Vulnerabilities tab.

  2. In the navigation pane, click Research > Vulnerabilities or Manage > Vulnerabilities.

  3. To assign a custom risk score to a vulnerability, use the following steps:

    1. Select a vulnerability and click Edit/Triage.

    2. Choose a custom risk type from the Custom Risk Assignment window.

      Removing the custom risk for assigned vulnerabilities reverts the vulnerability due date to the PCI severity value.

      Tip:

      If you set the custom risk type to CVSS, the custom risk value is based on the CVSS environmental score.

    3. To reflect the vulnerability assignment, you can add a note by using the RTF text box. For example, you can add a note to explain why you are changing the classification.

    4. Click Save.

    5. When a custom risk is created on any vulnerability, a new column called Custom Risk is displayed in the Research Vulnerabilities or Manage Vulnerabilities screen.

  4. To view the custom risk details and note related to a custom risk assignment, double-click the vulnerability.

  5. To calculate the due date for an assigned vulnerability's remediation ticket, use the Calculate Assigned Vulnerability Due Date setting.

    1. On the Admin tab, click QVM Configuration.

    2. In the QVM Configuration window, set the Calculate Assigned Vulnerability Due Date option to True.

      This setting is enabled by default. When enabled, the assigned vulnerability due date is recalculated when a custom risk is applied, to correspond to the risk value's due days set in Vulnerability Assignment > Remediation Settings.

    The following table outlines sample scenarios where the custom risk might change the due date of a remediation ticket.

    | Scenario | Custom Risk | Existing Due Date | Updated Due Date |
    | --- | --- | --- | --- |
    | Custom risk used to increase ticket priority. | Increased from existing value | Later than the custom risk due date | Vulnerability takes the custom risk due date. |
    | Custom risk used to decrease ticket priority. | Decreased from existing value | Earlier than the custom risk due date | Vulnerability takes the custom risk due date. |
    | Custom risk used to increase ticket priority. | Increased from existing value | Earlier than or equal to the custom risk due date | Vulnerability keeps the existing due date. |

    JSA Vulnerability Manager adds the following note to the vulnerability details if any of these scenarios occur:

    Vulnerability Details Note: Custom risk set to ___. Due date has been changed from xxxxxx to xxxxxx.

    Tip:

    If you disable Calculate Assigned Vulnerability Due Date, the due date is not recalculated.

  6. To search for vulnerabilities that are not triaged yet, use the following steps:

    1. In the navigation pane, click Research > Vulnerabilities.

    2. Click Search > New Search.

    3. In the Custom Risk Level section, select one of the following parameters to search:

      Table 1: Custom Risk Search Parameters

      | Custom Risk Search Type | Description |
      | --- | --- |
      | All Vulnerabilities | Returns all vulnerabilities regardless of whether a custom risk is assigned. |
      | All triaged vulnerabilities | Returns all vulnerabilities with a custom risk assigned. |
      | All not yet triaged vulnerabilities | Returns all vulnerabilities that do not have an assigned custom risk. |
      | All vulnerabilities with the specific custom risk level | Returns vulnerabilities that are filtered on the custom risk type that is selected, for example, critical, high, or medium. |

    4. Click Search.

  7. Export a list of vulnerabilities from the Vulnerability List screen for audit or compliance purposes, by using the following steps:

    1. In the navigation pane, click Research > Vulnerabilities.

    2. Select the CSV or XML export option.
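The due-date recalculation described in step 5 (the three scenarios in the table, the Calculate Assigned Vulnerability Due Date switch, and the note that is written to the vulnerability details), modelled as an added Python example that is not part of the JSA product or of this documentation. The due-day values per risk and the risk ordering are constructed assumptions standing in for the Remediation Settings, and the combination the table does not list is assumed to keep the existing date.

```python
from datetime import date, timedelta

# Constructed sample "due days" per risk value, standing in for whatever is configured
# under Vulnerability Assignment > Remediation Settings (an assumption, not product data).
REMEDIATION_DUE_DAYS = {"low": 90, "medium": 60, "high": 30, "critical": 7}
RISK_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
NOTE_TEMPLATE = "Custom risk set to {risk}. Due date has been changed from {old} to {new}."


def custom_risk_due_date(applied_on: date, custom_risk: str) -> date:
    """Due date implied by the custom risk: assignment date plus that risk's due days."""
    return applied_on + timedelta(days=REMEDIATION_DUE_DAYS[custom_risk])


def recalculate_due_date(existing_risk: str, existing_due: date, custom_risk: str,
                         applied_on: date, calculate_enabled: bool = True):
    """Return (updated_due_date, note); note is None when the date is left unchanged."""
    if not calculate_enabled:  # Calculate Assigned Vulnerability Due Date set to False
        return existing_due, None
    target = custom_risk_due_date(applied_on, custom_risk)
    increased = RISK_RANK[custom_risk] > RISK_RANK[existing_risk]
    decreased = RISK_RANK[custom_risk] < RISK_RANK[existing_risk]
    if increased and existing_due > target:
        new_due = target  # scenario 1: higher priority, ticket pulled forward
    elif decreased and existing_due < target:
        new_due = target  # scenario 2: lower priority, ticket pushed out
    else:
        # scenario 3: priority increased but the existing date is already earlier or
        # equal, so the ticket keeps its date. Combinations the table does not list
        # (priority decreased with an existing date later than the target) are assumed
        # here to keep the existing date as well.
        new_due = existing_due
    note = None
    if new_due != existing_due:
        note = NOTE_TEMPLATE.format(risk=custom_risk, old=existing_due.isoformat(),
                                    new=new_due.isoformat())
    return new_due, note


def apply_custom_risk(existing_risk: str, existing_due_iso: str, custom_risk: str,
                      applied_on_iso: str, calculate_enabled: bool = True):
    """ISO-string wrapper so each table scenario can be checked with plain date strings."""
    new_due, note = recalculate_due_date(existing_risk, date.fromisoformat(existing_due_iso),
                                         custom_risk, date.fromisoformat(applied_on_iso),
                                         calculate_enabled)
    return new_due.isoformat(), note
```

Calling `apply_custom_risk("medium", "2024-03-01", "critical", "2024-01-01")` walks scenario 1 with constructed dates and returns the pulled-forward date together with the note text.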