Risk quantification

Risk is quantified at different levels and can be customized and assigned according to your needs.

Risk scores are applied to, or can be assigned to, four different types of risk by customizing policy templates. For more information about risk types, see Types of risk. Risk scores range from 0 to 10, and each score falls into a risk category that is defined by a score range. The following table shows how the categories are defined:

Table 1. Risk levels and categories

Risk score (R)     Risk category
R = 0              None
0 < R < 4          Low
4 ≤ R < 7          Medium
7 ≤ R ≤ 10         High

You can view quantified risk across resources from the Hybrid Governance, Risk, and Compliance (GRC) dashboard. The Policies tab on the dashboard displays risk across your servers. There are two cards in the Risk across servers section of the dashboard:

Important: Each client and cloud provider is responsible for ensuring that their cloud environment meets their enterprise security standards and regulatory compliance requirements. Assigned risk scores are intended for guidance purposes. Individual organizations are responsible for determining VM use and configuration standards.

Types of risk

There are four types of risk that can be quantified within the Governance and risk dashboard:

Policy control risk

The term control refers to the rules that are defined in your policy. The following policy control is an example that is defined in the CIS VMPolicy for Red Hat® Enterprise Linux® 7:

- name: 1.7.1.1 Ensure message of the day is configured properly
  risk: 2.1

In this example, the control is 1.7.1.1 Ensure message of the day is configured properly, and its risk score (2.1) is set by the risk: 2.1 line. By default, policy control risk scores are assigned by using the Common Configuration Scoring System (CCSS) base metrics, which also use a 0-10 scale. You can change these values to suit your needs when you create your policy.

Resource risk

One or more policies can be applied to a resource (such as a VM), and one or more controls in those policies can be noncompliant. The resource's risk score is the highest risk score among its noncompliant policy controls; compliant controls do not contribute. That single highest violation represents the risk level for the entire resource.

If a policy fails to run for a resource, or no policy applies to that resource, the risk score for that resource is Not Found.

For VMResourcePolicy type policies, risk can be assigned only categorically at the policy level (High, Medium, or Low). For risk quantification, a category is converted to a score by using the midrange value of its score range in Table 1. For example, Medium (4 ≤ R < 7) is converted to a score of 5.5.

Resource group risk

Each resource belongs to one or more groups, as determined by the tags that are associated with the resource. Similar to resource risk, a resource group's risk score is the highest noncompliant policy control risk violation among all resources in the group.

If none of the resources within the group has a risk score that is assigned, then the risk score for that resource group is Not Found.

Overall resource type risk

Overall resource type risk (for example, for the VM resource type) is calculated as the average of the risk scores of all resource groups of that type.

If none of the resource groups has a risk score that is assigned, then the risk score for that resource type is Not Found.
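The following Python script is an added worked example, not IBM's code, that rolls up the four levels described in this section (policy control, resource, resource group, overall resource type) over a constructed inventory and classifies each score with Table 1. Three points are assumptions that the page does not state: the midrange rule shown for Medium (5.5) is applied to Low (2.0) and High (8.5) as well; a resource or group whose score is Not Found is skipped, not counted as 0, when the next level is computed; and a resource whose policies all ran and all passed scores 0 (category None). The resource names, group tags and the controls other than 1.7.1.1 are invented for illustration.

```python
"""Roll up risk across the four levels on this page: policy control -> resource
-> resource group -> overall resource type.

Added worked example, not IBM's code. Assumptions the page does not state:
  * the midrange rule shown for Medium (5.5) is applied to Low (2.0) and
    High (8.5) as well;
  * a resource or group whose score is Not Found is skipped, not counted
    as 0, when the next level is computed;
  * a resource whose policies all ran and all passed scores 0 (None).
"""
from typing import Optional, Union

NOT_FOUND = None  # the page's "Not Found" value

# Assumed midrange scores for VMResourcePolicy categories (page gives Medium only).
CATEGORICAL_TO_SCORE = {"Low": 2.0, "Medium": 5.5, "High": 8.5}


def categorize(score: Optional[float]) -> str:
    """Map a 0-10 score to a category using the ranges in Table 1."""
    if score is NOT_FOUND:
        return "Not Found"
    if score == 0:
        return "None"
    if score < 4:
        return "Low"
    if score < 7:
        return "Medium"
    return "High"


def control_score(control: dict) -> float:
    """Normalize a control's 'risk' field to a numeric 0-10 score.

    VMPolicy controls carry a number (CCSS base metrics by default, e.g. 2.1);
    VMResourcePolicy controls carry only a category (Low/Medium/High).
    """
    risk: Union[str, float] = control["risk"]
    if isinstance(risk, str):
        return CATEGORICAL_TO_SCORE[risk]
    if not 0 <= risk <= 10:
        raise ValueError(f"risk score outside 0-10: {risk!r}")
    return float(risk)


def resource_risk(controls: list) -> Optional[float]:
    """Highest score among the resource's *noncompliant* controls.

    An empty control list models 'policy failed to run or no policy
    applies', which the page scores as Not Found.
    """
    if not controls:
        return NOT_FOUND
    violated = [control_score(c) for c in controls if not c["compliant"]]
    return max(violated) if violated else 0.0  # assumption: all compliant -> 0


def group_risk(resource_scores: list) -> Optional[float]:
    """Highest resource score in the group; Not Found if no resource has a score."""
    scored = [s for s in resource_scores if s is not NOT_FOUND]
    return max(scored) if scored else NOT_FOUND


def type_risk(group_scores: list) -> Optional[float]:
    """Average of the group scores; Not Found if no group has a score."""
    scored = [s for s in group_scores if s is not NOT_FOUND]
    return sum(scored) / len(scored) if scored else NOT_FOUND


def roll_up(resources: dict):
    """Return (resource scores, group scores, type score) for an inventory."""
    res_scores = {name: resource_risk(r["controls"]) for name, r in resources.items()}
    groups: dict = {}
    for name, r in resources.items():
        for tag in r["groups"]:  # a resource may belong to several groups
            groups.setdefault(tag, []).append(res_scores[name])
    grp_scores = {g: group_risk(scores) for g, scores in groups.items()}
    return res_scores, grp_scores, type_risk(list(grp_scores.values()))


# Constructed sample inventory (names and scores invented for illustration).
SAMPLE_RESOURCES = {
    "vm-web-1": {"groups": ["web"], "controls": [
        {"name": "1.7.1.1 Ensure message of the day is configured properly", "risk": 2.1, "compliant": False},
        {"name": "constructed-control-A", "risk": 8.0, "compliant": True},  # passing, so ignored
    ]},
    "vm-web-2": {"groups": ["web"], "controls": [
        {"name": "1.7.1.1 Ensure message of the day is configured properly", "risk": 2.1, "compliant": True},
    ]},
    "vm-db-1": {"groups": ["db"], "controls": [
        {"name": "constructed-resource-policy", "risk": "Medium", "compliant": False},  # VMResourcePolicy
        {"name": "constructed-control-B", "risk": 9.0, "compliant": False},
    ]},
    "vm-batch-1": {"groups": ["batch"], "controls": []},  # no policy ran -> Not Found
}

if __name__ == "__main__":
    res, grp, typ = roll_up(SAMPLE_RESOURCES)
    for name, s in res.items():
        print(f"{name:12} {s!s:>9} {categorize(s)}")
    for g, s in grp.items():
        print(f"group {g:6} {s!s:>9} {categorize(s)}")
    print(f"VM type      {typ:9.2f} {categorize(typ)}")
```

On the sample inventory the db group scores 9.0 (High) while the VM type scores 5.55 (Medium), because the type level is an average: a single High group is masked by lower-scoring groups, so treat the type score as a summary and drill down to the group and resource levels to find the actual violation. Note also that the batch group is Not Found and is excluded from the average rather than pulling it toward 0.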