Description

Risk Assessment assigns an incorrect risk value to a change request if all questions are answered with the lowest-scoring option. This issue occurs if the threshold on the lowest risk is changed from 0 to a number equal to or greater than the number of questions minus one.

Steps to Reproduce

  1. Activate the Risk Assessment plugin.
  2. Modify the Low Threshold in the Change Risk Assessment from 0 to 4.
  3. Create a new Emergency Change Request and save it.
  4. Complete the Risk Assessment, picking only the following options: "Not critical", "Easy", "Easy", "Yes", "Easy". Observe that only the risk conditions affect the change request.
  5. Navigate to asmt_metric_result.list.
  6. Add the Normalized Value column to the list view.
  7. Filter the Source column by the number of the Change Request created previously. Observe that one of the metrics has a negative normalized value.

Workaround

This problem has been fixed. If you are able to upgrade, review the Fixed In section to determine the latest version with a permanent fix your instance can be upgraded to.

As a workaround, the low risk threshold should always be set to 0. As this is the lowest possible total for the assessment, this ensures the risk is still assigned correctly in case the questions become non-mandatory or are removed.


Related Problem: PRB1375719

Seen In

SR - IRM - Audit Management - New York 2019 Q3
SR - IRM - GRC Profiles - Madrid 2019 Q2
SR - IRM - Policy and Compliance - Madrid 2019 Q2
SR - IRM - Risk Management - New York 2019 Q3
SR - IRM - Vendor Risk Management - Madrid 2019 Q1
SR - Security - Integration Framework - Madrid 2019 Q2
SR - Security - Support Common - Madrid 2019 Q2
SR - Security - Support Orchestration - Madrid 2019 Q2
SR - SIR - PhishTank Kingston r1 - v5.0.9
SR - SIR - RiskIQ Integration - New York 2019 Q3
SR - SIR - Security Incident Response - Madrid 2019 Q2
SR - SIR - Security Incident Response PA Content - New York 2019 Q3
SR - SIR - Security Incident Response UI Patch - London 2019 Q2 v.6.2.3
SR - SIR - Store SecOps Setup Assistant - Madrid 2019 Q2
SR - SIR - Store Threat Core - Madrid 2019 Q2
SR - SIR - Store Trusted Security Circles Client - New York 2019 Q3
SR - SIR - Threat intelligence - New York 2019 Q3
SR - SIR - VirusTotal Integration - New York 2019 Q3
SR - VR - Rapid7 - London 2019 Q2 v.6.2.1
SR - VR - Solution Management Madrid Q2
SR - VR - Vulnerability Response - New York 2019 Q3
SR - VR - Vulnerability Response PA Content - Madrid 2019 Q2

Fixed In

New York Patch 7
Orlando Patch 2
Paris

Article Information

Last Updated: 2020-08-12 02:07:47
Published: 2020-03-07