Configuring risk settings

Configure your risk settings by assigning weights to the risk factors that the risk engine uses to compute the risk score of each asset. Customize the weights according to how important each factor is to your organization.

Before you begin

  • In the basic version of Risk Manager, the risk engine uses the system-defined risk profile that contains the default risk configuration settings to calculate the risk score. You must have access to Risk Manager Advanced to configure risk settings according to your business needs.
  • Create a risk profile to suit your business needs. For the steps, see Creating a risk profile.

Procedure

  1. On the home page, click the Menu icon.
  2. In the Application settings section, click Risk Manager > Risk configuration.
  3. On the Risk Configuration page, click your risk profile to edit the configuration settings.
  4. In the configuration window, update the configuration by assigning the appropriate weights to the factors of various vectors.
    Option Description
    General settings

    You can update the profile title and description to suit your needs.

    Set the threshold for how long threat and vulnerability data is retained in the repository. Under Review period, specify the time interval in days over which detected threats and vulnerabilities are evaluated for risk. This review period is the global window that the occurrence thresholds under Open threats and Open vulnerability refer to.

    Asset criticality

    Asset criticality determines the importance of an asset to the business, whether it is a database, application server, or network device. Asset criticality is assessed based on how the data of an organization is classified. The data classification process helps you to categorize the data based on sensitivity levels and the business impact for understanding the risks associated with various types of data.

    The following factors drive the asset criticality. Select an appropriate option from the list to set the overall importance for each factor. If you select the option Not applicable, the weight of that specific factor is not considered for risk score calculation. Expand the section for each factor to assign a relative weight to the factor values on a scale of 1 - 10. You can also define your factor values based on your needs. For more information, see Managing tags.
    Availability
    Maintaining availability of data ensures timely and reliable access to data for authorized users.
    Classification
    Classification of data helps your organization to safeguard the critical data with appropriate level of protection.
    Compliance
    Organizations must follow security compliance standards to ensure security of sensitive data.
    Confidentiality
    Confidentiality refers to protection of critical data from unauthorized access.
    Crown jewel
    Crown jewel is a term that represents the most valuable data asset within an organization and can cause major business impact when compromised. You can set the weight based on whether the asset contains crown jewel information.
    Type of environment
    Set the weight based on the environment type where the assets are hosted and operate.
    Integrity
    Maintaining integrity ensures that the asset data is complete, intact, and undamaged.
    Enforcement risk

    Enforcement of security controls on the assets, such as activity monitoring, data encryption, and vulnerability assessment, helps your organization to mitigate risks. The enforcement risk is assessed based on the weight that is assigned to the following enforcement risk factors. Select an appropriate option from the list to set the overall importance for each factor. If you select the option Not applicable, the weight of that specific factor is not considered for risk score calculation. Expand the section for each factor to assign a relative weight to the factor values on a scale of 1 - 10.
    Encrypted
    Organizations can implement encryption control by using various tools to protect sensitive information.
    Monitored
    Implementing a monitoring control helps to protect critical data by detecting suspicious activities on endpoints.
    Vulnerability runs in (last 6 months)
    Periodic vulnerability scanning helps to detect vulnerabilities that might allow access to sensitive information, for example, missing security fixes.
    Threat distribution risk

    A threat is an event or incident that is detected on an asset over a specific time period. Threats can be of many types depending on the nature of the assets under attack, for example, data access violations, suspicious data access, and data exfiltration. The threat distribution risk is assessed based on the weight that is assigned to the following threat factors.
    Open threats
    Open threats are the threats that are not under any remediation plans. To set the weight, complete the following steps.
    1. Select an appropriate option from the list to set the overall importance. If you select the option Not applicable, the factor weight is not considered for risk score calculation.
    2. Expand the section.
    3. For each severity category, such as Critical, High, Medium, and Low, set the minimum number of threat occurrences that must be detected within the global review period that you specified under General settings.
    4. To exclude a severity category from the risk score calculation, set Active to off for that category.
    5. Assign appropriate threat severity levels from various source products to different categories of severity. For example, from IBM® Security Guardium® or IBM Security QRadar®.
      1. Select a severity category and then click the Edit icon.
      2. Select a threat severity from the Available list. You can select multiple severity levels. You can also assign a severity that is already used in a different category.
      3. Click Assign severity sources.
    Indicators of compromise (IOC)
    Assign appropriate IOC severity levels from source products to different categories of severity. For example, from TruSTAR. To set the weight, use the steps as described for the Open threats factor.
    Vulnerability distribution risk

    Vulnerabilities are weaknesses that allow a threat or threat actor to affect the asset; for example, gaps in the controls that protect or monitor the asset, or the absence of vulnerability scanning. The vulnerability distribution risk is assessed based on the weight that is assigned to the open vulnerability factor.
    Open vulnerability
    Open vulnerabilities are the vulnerabilities that are not under any remediation plans. To set the weight for evaluating the vulnerability distribution risk, complete the following steps.
    1. Select an appropriate option from the list to set the overall importance. If you select the option Not applicable, the factor weight is not considered for risk score calculation.
    2. Expand the section.
    3. For each severity category, such as Critical, High, Medium, and Low, set the minimum number of vulnerability occurrences that must be detected within the global review period that you specified under General settings.
    4. To exclude a severity category from the risk score calculation, set Active to off for that category.
    5. Assign appropriate vulnerability severity levels from various source products for different categories of severity. For example, from IBM Security Guardium or IBM Security QRadar. You can also assign severity levels according to the enrichment threat score for the vulnerabilities that is provided by IBM X-Force® Red Vulnerability Management Services (VMS).
      1. Select a severity category and then click the Edit icon.
      2. Select a vulnerability severity level from the Available list. You can select multiple severity levels. You can also assign a severity that is already used in a different category.
      3. Click Assign severity sources.
  5. Click Save profile.
  6. To run the risk engine for evaluating the asset risk score based on your configuration settings, complete the following steps.
    1. On the Risk Configuration page, click the Activate profile option on your risk profile.
    2. In the Confirmation window, click Continue.
      The risk engine runs to evaluate the score based on your risk configuration settings.
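The following Python model is an added example, not IBM's risk engine and not code from the product documentation. The page documents the inputs to the score (a per-factor overall importance with Not applicable excluding the factor, relative weights of 1 - 10 for factor values, a global review period, per-severity minimum occurrence thresholds with an Active toggle, source-product severities mapped to categories, and a three-level high/medium/low result) but not the formula that combines them. The scoring arithmetic, the ordinal category weights, the level cut points, the source severity labels (srcA, srcB) and the asset and event data below are all assumptions constructed for illustration; they show how the Open threats and Open vulnerability settings interact with the review period, and the same distribution_score function serves both factors.

```python
"""Illustrative model of how the configurable risk settings feed a score.

ASSUMED scoring model (added example, not IBM's risk engine): the formula,
category weights, cut points and all sample data are constructed here.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

NOT_APPLICABLE = None  # importance None == "Not applicable": factor is ignored


@dataclass
class Factor:
    importance: Optional[int]   # overall importance 1-10, or NOT_APPLICABLE
    value_weights: dict         # factor value -> relative weight 1-10


@dataclass
class SeverityCategory:
    sources: set                # source-product severities mapped into this category
    min_occurrences: int        # minimum open occurrences in the review period
    active: bool = True         # Active off -> category excluded from the score


# Assumed ordinal weight per severity category (not documented on the page).
CATEGORY_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def vector_score(factors: dict, asset: dict) -> Optional[float]:
    """Weighted mean in [0, 1] over applicable factors; None if all are Not applicable."""
    num = den = 0.0
    for name, f in factors.items():
        if f.importance is NOT_APPLICABLE:
            continue                       # Not applicable: weight not considered
        num += f.importance * f.value_weights[asset[name]]
        den += f.importance * 10           # 10 = maximum relative weight
    return None if den == 0 else num / den


def distribution_score(events: list, categories: dict, importance: Optional[int],
                       review_period_days: int, today: int) -> Optional[float]:
    """Score open events inside the review window against per-category thresholds."""
    if importance is NOT_APPLICABLE:
        return None
    counts = Counter()
    for day, source_severity, under_remediation in events:
        if under_remediation or today - day > review_period_days:
            continue                       # only open events inside the window count
        for cat, cfg in categories.items():
            if source_severity in cfg.sources:  # one severity may map to several categories
                counts[cat] += 1
    active = {c: cfg for c, cfg in categories.items() if cfg.active}
    if not active:
        return None
    hit = sum(CATEGORY_WEIGHT[c] for c, cfg in active.items()
              if counts[c] >= cfg.min_occurrences)
    return hit / sum(CATEGORY_WEIGHT[c] for c in active)


def to_level(score: float) -> str:
    """Assumed three-level scale; the cut points are not documented on the page."""
    return "high" if score >= 0.67 else "medium" if score >= 0.34 else "low"


def asset_risk(vector_scores: list) -> str:
    """Aggregate the applicable vector scores into a single high/medium/low level."""
    applicable = [s for s in vector_scores if s is not None]
    return to_level(sum(applicable) / len(applicable))


# Constructed profile, asset and events (placeholder labels, not real product data).
CRITICALITY = {
    "crown_jewel": Factor(10, {"yes": 10, "no": 1}),
    "environment": Factor(6, {"production": 10, "staging": 5, "dev": 2}),
    "compliance": Factor(NOT_APPLICABLE, {"pci": 10, "none": 1}),
}
ENFORCEMENT = {
    "encrypted": Factor(8, {"no": 10, "yes": 1}),   # missing control = higher risk
    "monitored": Factor(8, {"no": 10, "yes": 1}),
}
OPEN_THREATS = {
    "Critical": SeverityCategory({"srcA:critical", "srcB:10"}, min_occurrences=1),
    "High":     SeverityCategory({"srcA:high", "srcB:8", "srcB:9"}, min_occurrences=3),
    "Medium":   SeverityCategory({"srcA:medium", "srcB:8"}, min_occurrences=5),
    "Low":      SeverityCategory({"srcA:low"}, min_occurrences=10, active=False),
}
ASSET = {"crown_jewel": "yes", "environment": "production", "compliance": "pci",
         "encrypted": "no", "monitored": "yes"}
# (day detected, source severity label, under a remediation plan?)
EVENTS = [(95, "srcA:critical", False), (60, "srcB:8", False), (80, "srcB:8", False),
          (99, "srcA:high", False), (10, "srcB:10", False), (98, "srcB:10", True)]


def example():
    """Run the model on the constructed data; returns the three vector scores and the level."""
    crit = vector_score(CRITICALITY, ASSET)
    enf = vector_score(ENFORCEMENT, ASSET)
    thr = distribution_score(EVENTS, OPEN_THREATS, 7, review_period_days=30, today=100)
    return crit, enf, thr, asset_risk([crit, enf, thr])


if __name__ == "__main__":
    print(example())
```

In the constructed data only three of the six events count: two are outside the 30-day review period and one is under a remediation plan, so only the Critical threshold is met and the asset lands on medium. The srcB:8 event is counted under both High and Medium because that source severity is assigned to both categories, which is the effect of reusing a severity across categories that the procedure permits.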

Results

Based on your risk configuration settings, a score is calculated for each of the vectors when the risk engine runs. The scores are aggregated into a single view of the risk for an asset on a three-level scale: high, medium, or low.

The risk engine also computes a risk score for each risk area on the same three-level scale of high, medium, or low. A risk area is a logical group of threats of a similar nature from various security products. The aggregated risk area scores are plotted on the dashboard as percentages, with the probability of the risk occurring against the business impact if it does. The dashboard helps you to focus on the most critical risk areas and to implement appropriate remediation to reduce the identified risks. For more information about the dashboard, see Security risk visualization.