Get Started with Control Criticality
Control Criticality is a policy compliance feature that provides ratings for controls, including the ability to customize ratings at the control level and at the policy level. If you have the PA app, this feature can be enabled for your subscription by Support or your Account Manager.
Check the Criticality
Go to PA > Policies > Controls. The Criticality column shows the criticality level assigned to each control.
Review and Customize Levels
We've defined 5 criticality levels ranging from Minimal to Urgent, and each control is assigned a level. You can rename these levels and change their colors if you want (go to PA > Policies > Setup and select Control Criticality Levels). You can also add and edit the definitions for each criticality level.
Tell me about the approach used for setting the default scores
If the control is for version checking, OS/DB updates, or root/admin account access/credentials - Score is 5 (Urgent)
If the control is in a CIS benchmark as Scored and Level 1 (and is not generic or organization specific, like Services etc.), or if it is related to access controls/credentials for user accounts - Score is 4 (Critical)
If the control is in a CIS benchmark as Scored and Level 2 (or if it is generic, like Services) - Score is 3 (Serious)
If the control is non-CIS and not related to access control/user credentials - Score is 2 (Medium)
Initial scores for Windows are defined by leveraging SCM recommendations, with comparisons against CIS to refine the settings - Score is 1 (Minimal)
If the score was not defined by any of the above, the control is scored as undefined; it will be researched and its criticality defined accordingly - Score is 0 (Undefined)
How to update control criticality
You can change or remove the criticality for any control at the control level or at the policy level.
Your reports
Control criticality is displayed in compliance reports and on the Policy Summary dashboard. Policy reports include 2 pie charts showing the total number of passed and failed controls at each criticality level, and a Criticality column under Control Statistics. If you do not want to see any criticality information in your report, you can choose Do Not Include Criticality in the policy report template.
Any control that does not have a criticality level is counted as Undefined.
Can I filter reports by criticality?
Yes! For policy reports, edit your policy report template and select the criticality levels you want to include in the report or choose Do Not Include Criticality if you do not want to see any criticality information in the report. For the Individual Host Compliance report, edit the report setup options.