Use your Residual Risk Numbers as your Scoring Method

Dale Bingham
4 min read · Mar 4, 2025


Using our OpenRMF Professional solution, you track your open vulnerabilities on checklists and compliance scans, patch vulnerability scans, and other technology scans (container, software, IaC, etc.). You can quickly see your scores by status (Open, Closed, Not Reviewed, Not Applicable) and by severity.

There is another way to score your accreditation packages: Residual Risk. We have an organization doing this right now to score their accreditations and network by actual risk, not just the raw severity a scanner gave them.

Take in the context of the machine, firewall, access controls, mitigations, layered security, and see what the actual risk is to your environment.

Invest a couple more minutes to see how, below.

POAM Residual Risk Dashboard to show true scores

Tracking Vulnerabilities and Open Items

When you scan your network, devices, or applications you usually receive warnings about vulnerabilities or problems. Each has a status (open, not applicable, not reviewed) and a severity (critical, high, medium, low). This is true for compliance scans (think SCAP, Evaluate-STIG, Audit Compliance scans), patch vulnerability scans (think Nessus, Rapid7, etc.) and others as well.

A lot of folks take that status and severity and start to order, prioritize, and report on that raw data, then plan their team's actions accordingly.

However, that is not the whole picture. There are a number of other factors within your environment, purpose, business model and team that go into that:

  • is this a high profile exposed device to the public Internet?
  • is this a known vulnerability, zero day, etc.?
  • is this something being actively hacked or exposed by bad actors?
  • is this a problem on your main domain controller or primary server?
  • is this on a one-off machine never connected to any network that sits in a lab?
  • is this a medical or life-saving device?
  • does this device have PII or PHI or other confidential data it holds or transmits?

Raw vulnerability numbers based on severity and status

There are any number of questions you can ask to dig in and see the actual risk of each vulnerability the scans raise for your review.

You really should put them in context of your business model, security model, exposure, and weigh them accordingly.

Using your POAM to Track Your Residual Risk

The way to see your actual risk is to use your plan of action and milestones (POAM) not only to list the issues, but to clarify each item so you can weigh it correctly.

  • what is the actual severity if that vulnerability was exposed or used?
  • what is the relevance of that to us?
  • what is the likelihood of that happening?
  • what is the impact of that?
  • what is the residual risk of that?
  • what is the resulting residual risk, with all this plus mitigations and other information combined?

And in OpenRMF Professional your POAM is live — automatically updated based on your live data and updates.

Residual Risk based on context, usage, mitigations, layered security, and more

You can use the questions above to edit your POAM items. Clarify the attributes to get realistic risk fidelity on your information, with your entire team collaborating around all your data.

Then see the high-level, concentrated numbers in your risk cube (see below), and act on the information according to real risk.

Risk Cube to see total numbers by area based on likelihood and impact
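To make the residual-risk idea concrete, here is an added example (not OpenRMF Professional's own scoring logic) that walks constructed POAM items through the questions above: each item carries the scanner's raw severity plus a 1-5 likelihood and impact set from context, and each effective mitigation lowers the likelihood. The score thresholds, the mitigation rule, and the sample items are all assumptions made for this illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Thresholds are an assumption for this illustration, not OpenRMF's own scale.
LEVELS = ((20, "very high"), (12, "high"), (6, "moderate"), (3, "low"))

@dataclass
class PoamItem:
    title: str
    raw_severity: str     # what the scanner reported: critical/high/medium/low
    status: str           # open / closed / not applicable / not reviewed
    likelihood: int       # 1-5: exposure, known exploit, active abuse, reachability
    impact: int           # 1-5: role of the device, PII/PHI, life-safety
    mitigations: int = 0  # effective compensating controls (firewall, MFA, segmentation)

def adjusted_likelihood(item):
    """Each effective mitigation lowers likelihood one step, never below 1."""
    return max(1, item.likelihood - item.mitigations)

def residual_score(item):
    """Residual risk as adjusted likelihood x impact, range 1..25."""
    return adjusted_likelihood(item) * item.impact

def residual_level(score):
    """Bucket a score into the label used on the POAM."""
    return next((label for floor, label in LEVELS if score >= floor), "very low")

def risk_cube(items):
    """Open items counted per (adjusted likelihood, impact) cell of the cube."""
    return Counter((adjusted_likelihood(i), i.impact) for i in items if i.status == "open")

def raw_severity_counts(items):
    """The scanner's view for contrast: open items by reported severity."""
    return Counter(i.raw_severity for i in items if i.status == "open")

# Constructed sample POAM items, not real scan data.
SAMPLE = [
    PoamItem("Critical CVE on air-gapped lab box", "critical", "open", 1, 2),
    PoamItem("Medium finding on public web server holding PHI", "medium", "open", 5, 5, 1),
    PoamItem("High finding on domain controller behind firewall + MFA", "high", "open", 3, 5, 2),
    PoamItem("Low finding, affected service not installed", "low", "not applicable", 2, 2),
]

if __name__ == "__main__":
    for item in SAMPLE:
        s = residual_score(item)
        print(f"{item.raw_severity:>8} -> residual {s:2d} {residual_level(s):>9}: {item.title}")
    print("scanner view:", dict(raw_severity_counts(SAMPLE)))
    print("risk cube:", dict(risk_cube(SAMPLE)))
```

Note how the "critical" lab-box finding lands in the lowest cell of the cube while the "medium" finding on the exposed server holding PHI lands in the highest, which is exactly the reordering the raw severity counts hide.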

What That Gives You

It gives you true risk information on your network, your devices, and your accreditation. It also does it in an automated fashion. At least it does when you use OpenRMF Professional (unapologetic plug for our solution).

That allows you to get time back to use that information for better cyber hygiene and improved cyber security across your network and across your team.

It also gives you data-driven information to know where to spend your resources.

See where you have true problems with the biggest impact.

See where you are exposed in ways you may or may not have even known.

Even use our cyber readiness scoring to know what devices and what areas are the most vulnerable.

And start there! Fix, remediate, mitigate, work.

Then rescan. And wash / rinse / repeat.

Updated Residual Risk numbers to track actual vulnerability impact

Check it out for Yourself

Want to learn more? Check out our demo site.

Get a live interactive demo with our technical team.

Or download and evaluate for yourself with our software, documentation, and online video training site.

See for yourself how we can help your team automate cyber compliance!


Dale Bingham

Written by Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft
