Include business information for the assets included in this asset group.
Assign a business impact level to the asset group. The business impact level is automatically applied to all hosts in the group and will be used in reporting of business risk.
Business impact levels determine which asset groups are most critical to your organization. The higher the impact level, the higher the potential for business loss if compromised. For example, you may apply a higher impact level to a group of Linux servers running mission-critical applications than to a group of desktop systems.
There are 5 business impact levels to choose from. Initially, impact levels are Low, Minor, Medium, High and Critical. If you do not assign an impact level to the asset group, then a level of High (or its equivalent) is automatically applied.
Managers can customize business impact titles to match the terminology used in your organization. Managers can also make changes to the business risk table, affecting how business risk will be calculated in reports. To customize business impact titles or make changes to the business risk table, see Business Risk.
The following fields are optional. Use these fields to enter notes about the asset group. For example, describe the business function of the assets included in the group and describe where the hosts are physically located. This information will appear in group details.
Division. Enter the division name or organization that these assets belong to.
Function. Enter the business function that the assets in this group pertain to, such as Manufacturing, Sales or Operations.
Location. Describe the location where the hosts reside, such as Sydney office, San Jose data center or Berlin assembly line.
Note: This option is only available if CVSS Scoring has been enabled for the subscription.
CVSS stands for the Common Vulnerability Scoring System and is an industry open standard designed to convey vulnerability severity and risk. When the CVSS Scoring feature is enabled in your account, CVSS Base and Temporal scores appear in vulnerability details shown in reports and online views. Also, a CVSS score is calculated and displayed with vulnerability details in Auto scan reports.
When calculating CVSS scores for Auto scan reports, the service uses various CVSS scoring metrics. The CVSS Environmental metrics are user-defined, and the CVSS Base and Temporal scores are provided by the service.
The CVSS Environmental metrics measure the implementation-specific and environment-specific qualities of a vulnerability. Environmental metrics defined for the asset group apply to all hosts in the asset group. The individual Environmental metrics and their values are described below.
See CVSS Scoring for general information on the CVSS Scoring feature, and how to enable this feature in your account.
Collateral Damage Potential. Collateral Damage Potential represents the possibility for loss in physical equipment and property damage. The possible values that may be assigned are below. Initially this metric is set to Not Defined.
Not Defined. Assigning this value to the metric will not influence the score. It is a signal to the CVSS scoring equation to skip the metric.
None. There is no potential for loss of life, physical assets, productivity or revenue.
Low. A successful exploit of this vulnerability may result in slight physical or property damage. Or, there may be a slight loss of revenue or productivity to the organization.
Low-Medium. A successful exploit of this vulnerability may result in moderate physical or property damage. Or, there may be a moderate loss of revenue or productivity to the organization.
Medium-High. A successful exploit of this vulnerability may result in significant physical or property damage or loss. Or, there may be significant loss of revenue or productivity to the organization.
High. A successful exploit of this vulnerability may result in catastrophic physical or property damage or loss. Or, there may be a catastrophic loss of revenue or productivity to the organization.
Target Distribution. Target Distribution represents the relative size of the field of the target systems susceptible to the vulnerability. The possible values that may be assigned are below. Initially this metric is set to Not Defined.
Not Defined. Assigning this value to the metric will not influence the score. It is a signal to the CVSS scoring equation to skip this metric.
None. No target systems exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk.
Low. Targets exist inside the environment on a small scale. Between 1% and 25% of the total environment is at risk.
Medium. Targets exist inside the environment on a medium scale. Between 26% and 75% of the total environment is at risk.
High. Targets exist inside the environment on a considerable scale. Between 76% and 100% of the total environment is at risk.
The following Security Requirements metrics enable users to customize the final CVSS score, depending on the importance of the affected host to the user's organization.
Confidentiality Requirement. This environmental metric represents the impact that loss of confidentiality has on the organization or individuals associated with the organization (for example employees, customers).
Integrity Requirement. This environmental metric represents the impact that loss of integrity has on the organization or individuals associated with the organization (for example employees, customers).
Availability Requirement. This environmental metric represents the impact that loss of availability has on the organization or individuals associated with the organization (for example employees, customers).
The possible values that may be assigned to the Security Requirements metrics are listed below. Initially each of these metrics is set to Not Defined.
Not Defined. Assigning this value to the metric will not influence the score. It is a signal to the CVSS scoring equation to skip this metric.
Low. Loss of requirement is likely to have only a limited adverse effect on the organization or individuals associated with the organization (for example employees, customers).
Medium. Loss of requirement is likely to have a serious adverse effect on the organization or individuals associated with the organization (for example employees, customers).
High. Loss of requirement is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (for example employees, customers).
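The page does not give the scoring equation. As an added example (not the service's own code), the sketch below applies the environmental equation and weights from the public CVSS v2 specification, which is an assumption about what the service implements, to show how an asset group's Collateral Damage Potential, Target Distribution and Security Requirements shift a score. The function names and the sample vector are constructed for illustration.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# Weights from the public CVSS v2 specification (assumed; the page gives none).
BASE = {"AV": {"L": "0.395", "A": "0.646", "N": "1.0"},
        "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
        "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},
        "C": {"N": "0", "P": "0.275", "C": "0.660"}}
BASE["I"] = BASE["A"] = BASE["C"]
TEMPORAL = {"E": {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"},
            "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"},
            "RC": {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"}}
# Environmental values as named on this page; Not Defined is the neutral weight.
CDP = {"Not Defined": "0", "None": "0", "Low": "0.1", "Low-Medium": "0.3",
       "Medium-High": "0.4", "High": "0.5"}
TD = {"Not Defined": "1.0", "None": "0", "Low": "0.25", "Medium": "0.75", "High": "1.0"}
REQ = {"Not Defined": "1.0", "Low": "0.5", "Medium": "1.0", "High": "1.51"}
SAMPLE = "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C"  # constructed sample vector

def r1(x):
    """Round half up to one decimal, avoiding binary-float rounding surprises."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)

def score(vector, cdp="Not Defined", td="Not Defined",
          cr="Not Defined", ir="Not Defined", ar="Not Defined"):
    """Return (base, temporal, environmental) for a v2 vector and group metrics."""
    m = {"E": "ND", "RL": "ND", "RC": "ND"}  # temporal metrics default to Not Defined
    m.update(p.split(":") for p in vector.split("/"))
    w = {k: D(BASE[k][m[k]]) for k in BASE}
    expl = 20 * w["AV"] * w["AC"] * w["Au"]
    t = D(1)
    for k in TEMPORAL:
        t *= D(TEMPORAL[k][m[k]])

    def base(impact):
        f = D(0) if impact == 0 else D("1.176")
        return r1((D("0.6") * impact + D("0.4") * expl - D("1.5")) * f)

    def impact(c=D(1), i=D(1), a=D(1)):
        return D("10.41") * (1 - (1 - w["C"] * c) * (1 - w["I"] * i) * (1 - w["A"] * a))

    b = base(impact())
    # Security Requirements reweight C/I/A impact; the adjusted impact is capped at 10.
    adj_impact = min(D(10), impact(D(REQ[cr]), D(REQ[ir]), D(REQ[ar])))
    adj_t = r1(base(adj_impact) * t)
    env = r1((adj_t + (10 - adj_t) * D(CDP[cdp])) * D(TD[td]))
    return float(b), float(r1(b * t)), float(env)

if __name__ == "__main__":
    print(score(SAMPLE, cdp="High", td="High", ar="High"))
```

With every environmental metric left at Not Defined the environmental score equals the temporal score, while a Target Distribution of None drives it to zero regardless of the other settings.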