Customizing the risk rating formula
The risk rating formula is the most important attribute that you use to describe your applications. This example shows how to customize the built-in risk rating so that the business impact is calculated automatically from other application attributes.
About this task
Note: User role: Product Administrator
Ensure that you understand Built-in Formulas.
If you are a security analyst (or in a similar role), you probably care about key information about your applications, for example:
- Exposure
- PCI requirement
- SOX requirement
- Revenue-generating
- Confidential data
- Number of users
Warning: If you modify the risk rating formula, the Security Risk Rating trend chart changes as of the month in which you change the formula.
Procedure
1. On the Portfolio tab of the Monitor view, click Edit Application Profile Template.
2. Create an attribute that is called "Exposure" and select the Dropdown type.
3. Click Edit to open the list of values for the attribute.
4. Add Internal and set the numeric value to 1.
5. Add External, set the numeric value to 2, and click Save.
6. Repeat steps 2-5 to add any other attributes that you want to use in calculations.
7. Save the application profile template so that the attributes are available for use in formulas.
8. Reopen the Edit Application Profile Template.
9. Create an attribute that is called "Calculated Business Impact" and select Formula as the type.
10. Click Edit and enter the formula:
    IF(exposure=2,5, IF(exposure=1,2,0))
11. Save the formula, and then save the application profile template.
12. Reopen the Edit Application Profile Template.
13. Edit the Risk Rating formula, replace the two occurrences of businessimpact with calculatedbusinessimpact, and click Save.
    Note: You can hide the 'Calculated Business Impact' attribute from the application list but still use it in your formulas by clearing the Enabled check box in the application profile template.
14. Save the application profile template.
15. Set the new Exposure attribute of each application to either Internal or External.
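As an added illustration that is not the product's own formula engine, the following Python evaluator parses the nested IF syntax from step 10 and applies it to constructed application attributes. It assumes that dropdown values are compared by their numeric value, that attribute names are case-insensitive, and that an attribute that has not been set counts as 0.

```python
import re

# Added illustration of the nested IF(cond, then, else) syntax used on this page, not the
# product's engine. Assumed: attribute names are case-insensitive, unset attributes count as 0.
_TOKEN = re.compile(r"\(|\)|,|=|[A-Za-z_]\w*|-?\d+(?:\.\d+)?")

def tokenize(formula):
    tokens = _TOKEN.findall(formula)
    if "".join(tokens) != re.sub(r"\s+", "", formula):   # some text was not a valid token
        raise ValueError("formula contains an unexpected character")
    return tokens

def _expect(tokens, symbol):
    if not tokens or tokens[0] != symbol:
        raise ValueError(f"expected {symbol!r}, got {tokens[:1]}")
    return tokens[1:]

def parse(tokens):
    if not tokens:
        raise ValueError("unexpected end of formula")
    tok, rest = tokens[0], tokens[1:]
    if tok.upper() == "IF":                               # IF(left=right, then, else)
        left, rest = parse(_expect(rest, "("))
        right, rest = parse(_expect(rest, "="))
        then_branch, rest = parse(_expect(rest, ","))
        else_branch, rest = parse(_expect(rest, ","))
        return ("if", ("eq", left, right), then_branch, else_branch), _expect(rest, ")")
    try:
        return float(tok), rest                           # numeric literal
    except ValueError:
        return tok.lower(), rest                          # attribute reference

def evaluate(node, attrs):
    if isinstance(node, float):
        return node
    if isinstance(node, str):                             # attribute lookup; unset counts as 0
        return float(attrs.get(node, 0))
    if node[0] == "eq":
        return evaluate(node[1], attrs) == evaluate(node[2], attrs)
    _, cond, then_branch, else_branch = node
    return evaluate(then_branch if evaluate(cond, attrs) else else_branch, attrs)

# The formula from the procedure: External (2) -> 5, Internal (1) -> 2, otherwise 0.
BUSINESS_IMPACT_FORMULA = "IF(exposure=2,5, IF(exposure=1,2,0))"

def calculated_business_impact(app_attrs, formula=BUSINESS_IMPACT_FORMULA):
    tree, leftover = parse(tokenize(formula))
    if leftover:
        raise ValueError(f"trailing tokens: {leftover}")
    return evaluate(tree, app_attrs)
```

Passing a formula with a missing branch, such as `IF(exposure=2,5)`, raises a ValueError instead of silently returning a business impact of 0.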