Asset Crticality field given in my reports extraction after scan. How this asset crticality is defined do we need to define it or it is calculated
Asset Criticality is a Tag that you can apply, they are predefined tags.
The Criticality Tag will adjust the risk score of the asset.
e.g. a vulnerability on a Domain Controller or Externally facing server will be a higher Risk than the same vulnerability on an internal member server
You can use Tag filtering or Asset Groups to apply these Tags
A couple of things to note.
- Criticality tags can be assigned either via a Site or Asset Group but NOT by another tag (discovered this a painful and hard way).
- One can, set he precise amount that a given rating influences the risk score. Default values take the risk score of a device and then multiply it by the following ratings.
Very High - 2x
High - 1.5x
Medium - 1
Low - .75
Very Low - .5
- Settings are located under Administrations → Risk Score Settings → Risk Score Adjustment. (Note: depending on the size of your environment it may take sometime to recalculate).
- Using Criticality must be optionally enabled by selecting “Adjust asset risk scores based on criticality” on the page listed previously.