Standard measure for "Average asset risk score"

Good day, a client presented the following case:

"I would like your help to know what the best practices or standards are that Rapid7/Nexpose recommends based on the "Average asset risk score", since we are in an audit process and we see that Nexpose gives us a level of risk, but we do not know what is the optimum level, medium or minimum. For example, in a report that was made, "Average asset risk score: 96,585", what would be the optimum level of this score recommended by the Rapid7 engineers? What is the standard that is taken for this type of score, or who defines what is the optimal level and what is not? In one of the previous reports, an objective of 30,000 was defined internally in terms of the "Average asset risk score", but it was an internal agreement, and what we want to know is what this objective would be based on a standard, or what number we should take as a basis for this "Average asset risk score" and that we can check in front of an audit, since we could put instead of 30,000 maybe less or more, but we want to base ourselves better on a standard."

We investigated and found that, to measure the "Average asset risk score", the risk score report provides grades for each of your Nexpose groups, which can be organized by Sites, Tags, or Asset Groups based on how you want to organize your environment. The grading system works on the A through F range and is based on a curved scale system of your environment. In this case, the closer you are to the letter A, the better, and the further you move towards the F, the more critical (information from:

We want to know if you can suggest that "standard measure" to evaluate the "Average asset risk score", or if in this case it does not exist and everything depends on the evaluations carried out by other methods.

First of all, thanks.

Best regards.


Posted by Julio César Sánchez 13 days ago