Control Criticality is a policy compliance feature that provides ratings for controls, including the ability to customize ratings at the control level and at the policy level. If you have the PC app, this feature can be enabled for your subscription by Support or your Account Manager.
Go to PC > Policies > Controls. You'll see a Criticality column with the criticality level assigned to each control.
We've defined 5 criticality levels ranging from Minimal to Urgent, and each control is assigned a level. You can rename these levels and change their colors if you want (go to PC > Policies > Setup and select Control Criticality Levels). You can also add and edit the definitions for each criticality level.
If the control is for version checking, OS/DB updates, or root/admin account access/credentials - Score is 5 (Urgent)
If the control is in the CIS benchmark as Scored and Level 1 (and is not generic or organization-specific, like Services etc.), or if it is related to access controls/credentials for user accounts - Score is 4 (Critical)
If the control is in the CIS benchmark as Scored and Level 2 (or is generic, like Services) - Score is 3 (Serious)
If the control is non-CIS and not related to access control/user credentials - Score is 2 (Medium)
Initial scores for Windows are defined by leveraging SCM recommendations with comparisons against CIS to refine the settings - Score is 1 (Minimal)
If the score was not defined by any of the above, the control is scored as undefined; it will be researched and its criticality defined accordingly - Score is 0 (Undefined)
You can change or remove the criticality for any control at the control level or at the policy level.
We'll display control criticality in compliance reports and on the Policy Summary dashboard. Policy reports will include 2 pie charts showing the total number of passed and failed controls at each criticality level and a Criticality column under Control Statistics. If you don't want to see any criticality information in your report, you can choose "Do Not Include Criticality" in the policy report template.
Note that any control that does not have a criticality level is counted as "Undefined".
Can I filter reports by criticality?
Yes! For policy reports, edit your policy report template and select the criticality levels you want to include in the report or choose "Do Not Include Criticality" if you don't want to see any criticality information in the report. For the Individual Host Compliance report, edit the report setup options.