Solved: GRC Indicator examples for SecOps Vulnerability Re... - ServiceNow Community

GRC Indicator examples for SecOps Vulnerability Response implementation

Neil Rupp
Tera Contributor

While implementing VR we have come across GRC Indicators as an option, but don't have good examples of what to set up or what is normal to set up. Does anyone have good example implementations for GRC Indicators in relation to Vulnerability Response? I'll also mention that FedRAMP Certification is a goal of the project as well. Thanks!

1 ACCEPTED SOLUTION

Lucky10
Kilo Expert

Neil,

You'll first need to understand the client's requirements. Are they looking to validate controls are in place or have the VR data impact risks? Also, you will need to understand how this is mapped in the CMDB. This goes to how the data will be aggregated.

Does the indicator look at the server, the O/S, the application, the Business Service? Also keep in mind how these items will map to the Entities in IRM (GRC).

  1. Control indicators could look to see how long it is taking to remediate the Vulnerability.
  2. Risk indicators could look at Vulnerability counts or severity.

Hope that helps!



Phil Swann
Tera Guru

Possibly focusing on the SLAs associated with remediation.

Having a vulnerability is almost inevitable, but doing something about it in a structured manner should allow you to prove that you are mitigating risks effectively.

Be aware of potential for new Entity Types, Risk Statements and Indicator Templates in a recent update to Risk Management if you already have VR installed. More details to follow separately.

I appreciate all the feedback! We decided to set up a total of 4 indicators:

Vulnerability Scanner #1 / #2 / #3 - Vulnerability Scans have run/completed successfully last month = Indicator Pass

Vulnerable Items created more than 31 days ago / High Priority / State not changed from Open to something else = Indicator Fail

We had only planned on two indicators, but the first one had to be set up individually for each Vulnerability Scanner integrated with ServiceNow, which resulted in 3 indicators for that one objective. We initially liked the SLA suggestion from Phil, but decided that the build was going to be too complicated and went with the focus on High Priority items instead. Thanks again to everyone for the assist!
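The two indicator rules described in the reply above, written out as plain JavaScript over constructed sample data so the pass/fail logic can be checked before it is wired into an instance. This is an added example, not code from the thread or from ServiceNow; the scanner names, vulnerable item numbers, field names and dates are all constructed, and in a real instance the same checks would be run as GlideRecord queries against the vulnerable item table inside a script indicator.

```javascript
// Added example (not from the thread): evaluates the poster's two indicator
// rules against constructed records. Field names are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;

// Rule 1, one indicator per scanner: the scanner completed at least one scan
// during the previous calendar month -> pass, otherwise fail.
function scannerIndicator(scanRuns, scannerName, now) {
  const start = new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth() - 1, 1));
  const end = new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), 1));
  const ok = scanRuns.some(r =>
    r.scanner === scannerName && r.status === 'completed' &&
    r.finished >= start && r.finished < end);
  return { indicator: 'Vulnerability Scanner ' + scannerName, result: ok ? 'pass' : 'fail' };
}

// Rule 2: any high-priority vulnerable item created more than 31 days ago whose
// state is still Open -> fail; the offending items are returned for follow-up.
function staleOpenIndicator(items, now) {
  const cutoff = new Date(now.getTime() - 31 * DAY_MS);
  const stale = items.filter(i =>
    i.priority === 'high' && i.state === 'open' && i.created < cutoff);
  return {
    indicator: 'Stale high-priority vulnerable items',
    result: stale.length === 0 ? 'pass' : 'fail',
    failing: stale.map(i => i.number),
  };
}

// Constructed sample data; "now" is fixed so the month window is deterministic.
const NOW = new Date(Date.UTC(2024, 2, 15)); // 2024-03-15, previous month = Feb 2024
const SCAN_RUNS = [
  { scanner: '#1', status: 'completed', finished: new Date(Date.UTC(2024, 1, 20)) }, // in Feb
  { scanner: '#2', status: 'failed',    finished: new Date(Date.UTC(2024, 1, 25)) }, // not completed
  { scanner: '#3', status: 'completed', finished: new Date(Date.UTC(2024, 0, 5)) },  // January, too old
];
const ITEMS = [
  { number: 'VIT0001', priority: 'high', state: 'open',        created: new Date(Date.UTC(2024, 0, 10)) }, // 65 days, still Open
  { number: 'VIT0002', priority: 'high', state: 'in_progress', created: new Date(Date.UTC(2024, 0, 10)) }, // state moved on
  { number: 'VIT0003', priority: 'low',  state: 'open',        created: new Date(Date.UTC(2024, 0, 10)) }, // not high priority
  { number: 'VIT0004', priority: 'high', state: 'open',        created: new Date(Date.UTC(2024, 2, 1)) },  // only 14 days old
];

// Runs all four indicators and returns their results in order.
function runAll() {
  return [
    ...['#1', '#2', '#3'].map(s => scannerIndicator(SCAN_RUNS, s, NOW)),
    staleOpenIndicator(ITEMS, NOW),
  ];
}
```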