SerpicoProject / Serpico

SimplE RePort wrIting and COllaboration tool

Request: NIST Naming Changes #555

Closed kmackinley closed 4 years ago

kmackinley commented 5 years ago

Feature Request

Name NIST800 Impact, Likelihood and Overall Risk Ratings according to NIST800-30 publication: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Currently the NIST800 Overall and Impact ratings include "Informational" and "Critical" and should be "Very Low" and "Very High" instead, respectively.

The Likelihood ratings are missing "Very Low" and "Very High".

If there is a particular reason for this that I am unaware of, please let me know as clients viewing the NIST800 ratings are asking about why they deviate from the NIST800-30 publication's ratings.

Example Use Case

Would be great to generate reports with NIST800 scoring that correlate to the NIST800-30 publication above.

MaxNad commented 5 years ago

Hi,

Thanks for reporting this.

The NIST800-30 scoring is the latest type of scoring to have been implemented in Serpico. The severity labels were simply reused from the other scoring methods.

This is something that might not be that hard to change in the platform itself. In the meantime, you can use the solution posted in #501 to rename the problematic labels.

kmackinley commented 5 years ago

Great idea, didn't think of that. That would work for most things, except the Likelihood ratings are missing 2 entries, and there is the calculation in the helpers.rb file that calculates the risk based upon those two (Impact and Likelihood) ratings. Thanks.