jennyd
commented
5 years ago Does it matter if the level of granularity is the same across everything, since we will inevitably have a wide range of kinds and scales of system anyway? Or is it ok if teams know that they can split bigger systems up and score them separately if that makes the data clearer and easier to use/maintain?
When we are identifying services to record the risk on, how do we decide what is a service and what is a component in a service.
For example. If we have an oracle database that is core, and has it's own patching cycle etc, is that a row, or is it bound up with the EBS application that uses it?
If an app has multiple components that can be released independently and users would raise tickets against them for issues, is that a row?
Are the individual pieces in a microservices architecture rows, or are they just the service.
We need to provide guidance in this so that the level of granularity is the same.