Configuration Compliance calculator groups

  • Release version: Yokohama
  • Updated January 30, 2025
  • 4 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Configuration Compliance calculator groups

    Configuration Compliance calculators in ServiceNow are used to update record values when predefined conditions are met, helping to assess and manage risks associated with configuration items (CIs). These calculators are organized into groups based on criteria that determine how records are updated. From version 14.9, terminology was updated to better reflect their roles, such as renaming "Test Result Group" to "Remediation Task Group" and "Rules" to "Remediation Task Rules."

    Show full answer Show less

    Key Features

    • On-demand Application: From the Default Risk Calculator record, calculator rules can be applied on-demand to all affected test results and collections, allowing vulnerability managers to experiment with prioritization schemes and see their impact on import findings.
    • Risk Calculators: The Risk Score calculator group was renamed to Risk Calculators, which includes individual risk score calculators and risk score rollup calculators.
    • Risk Score Rollup Calculators: There are two types:
      • Configuration Test Risk Roll Up Calculators: Aggregate risk scores for all test results associated with the same configuration test, providing an overall risk score for that test.
      • Remediation Task Risk Score Rollup Calculators: Aggregate risk scores for all test results within a remediation task, giving an overall risk score for the task.
    • Test Results and Remediation Tasks: Test results identify compliance states of CIs, and remediation tasks group these test results for bulk analysis and remediation planning, similar to vulnerability groups.
    • Risk Scores: Calculated based on the business criticality of assets and severity of test results, risk scores range from 0 to 100 and are color-coded for immediate severity recognition. These scores are displayed in test results, remediation tasks, and configuration tests, and dynamically update as remediation progresses.
    • Risk Ratings: Numeric risk ratings from 1 (Critical) to 5 (None) correspond to risk score ranges, helping prioritize remediation efforts.
    • Historical Risk Score: Reflects the risk that was remediated in a test group after it is closed and the risk score reaches zero, providing insight into risk reduction over time.

    Practical Implications for ServiceNow Customers

    ServiceNow customers can utilize Configuration Compliance calculator groups to dynamically assess and prioritize risks based on real-time test results and business context. The on-demand application capability enables experimentation with risk prioritization strategies without disrupting ongoing operations.

    By understanding and leveraging risk score rollups at both the configuration test and remediation task levels, customers gain comprehensive visibility into compliance status and risk exposure, facilitating informed decision-making and more efficient remediation planning.

    Note that some advanced features, such as historical risk scoring, require the Service Mapping plugin, which is a separately licensed product and must be activated by ServiceNow personnel.

    Configuration Compliance calculators are used to update record values when pre-defined conditions are met. The calculators are grouped based on the criteria used to determine how the records are updated.

    Note:
    Starting with v14.9 of Configuration Compliance, the following terms have been renamed:
    Table 1. Changes in terminology
    Terminology prior to v14.9 Terminology v14.9 onwards
    Test Result Group Remediation Task
    Group Rules Remediation Task Rules
    Policy Test group

    Configuration Compliance calculator groups

    From the Default Risk Calculator record, calculator rules can be applied to all affected test results and collections on-demand. Vulnerability managers may use this feature adjust their risk calculator configuration. They might experiment with several prioritization schemes early in their deployment and apply those changes on-demand to view how they impact import findings.

    The Risk Score calculator group has been renamed to Risk Calculators.

    Risk Score Rollup Calculators are included with Configuration Compliance. There are two types of individual rollup calculators:
    Configuration Test Risk Roll Up
    Calculators that roll up risk scores for all Test Results with the same Configuration Test to provide an overall risk score for the Configuration Test. The rolled-up value is displayed in the Risk Score fields.
    Remediation Task Risk Score Rollup
    These calculators roll up risk scores for all Test Results in a Remediation Task to provide an overall risk score for that remediation task. The rolled-up value is displayed in the Risk Score fields.

    Both the Risk Score calculator group and Risk Score Rollup Calculators group are enabled by default.

    For more information, review the following key terms for Configuration Compliance calculators:

    Test result
    A test result is the outcome of the configuration test on a configuration item (CI) and the associated technology. Test results in Failed, error, and Unknown states identify hardware, software, and assets that are out of compliance with your policies.
    Remediation task
    Test results are grouped together at the time of data import based on the pre-defined remediation task rules. These remediation tasks are similar to vulnerability groups in Vulnerability Response. Remediation Tasks organize test results into groups for bulk analysis and represent a set of items to remediate.
    Risk score in a test result

    A value calculated by risk score calculators that is based on the business context of an asset and the severity of the associated test. It is the average of the business criticality of the affected asset as defined in the CMDB, and the severity of the test as communicated by the scanner.

    Each asset can have multiple services associated with it. The business criticality of an asset is determined by the service with the highest criticality.

    The calculated value is displayed in the Risk Score fields of test results. The scores display values that range from 0-100. Fields are also color-coded to provide you with the severity at-a-glance.

    Risk score in remediation task
    This score is displayed on the Remediation Task record and is the rolled up value of the risk scores for all the active test results in a Remediation Task. This score changes as test results are remediated in the Remediation Task.
    Risk score in configuration test
    This score is displayed on configuration tests and is the rolled up value of the risk scores for all the active test results with that configuration test. This score changes as the test results associated with this configuration test are remediated.
    Risk rating
    The amount of risk a failed test result poses to your system. It is based on a range of risk scores on a 1-5 numeric scale that rates risks as Critical (1) to None (5). The score is based on a range of risk scores and is displayed in Risk Rating fields.
    Table 2. Risk rating ranges
    Risk rating Risk score
    1- Critical 90 to 100
    2- High 70 to 89
    3- Medium 40 to 69
    4- Low 1 to 39
    5- None 0
    Risk score rollup calculators
    There are two types of rollup calculators:
    • Configuration Test Risk Roll Up: These calculators roll up risk scores for all Test Results with the same Configuration Test to provide an overall risk score for the Configuration Test. The rolled-up value is displayed in the Risk Score fields. You can edit the script values for weight and score for these calculators.
    • Remediation Task Risk Score Rollup: These calculators roll up risk scores for all Test Results in a remediation task to provide an overall risk score for that remediation task. The rolled-up value is displayed in the Risk Score fields. You can edit the script values for weight and score for these calculators. For an example of a Risk score rollup calculator and how it calculates scores, see Risk rollup calculation example for Configuration Compliance (prior to v15.0).
    Historical risk score
    The inherent risk score across all the passed test results in a remediation task. This field displays the amount of risk that was remediated by a test group and is only displayed after a test group is in the ‘Closed’ state and the risk score is zero.

    Scores are calculated whenever the risk score changes or when test results are added or removed from a remediation task.

    Note:
    To work properly, this script requires the Service Mapping plugin. Service Mapping is available as a separate subscription and requires activation by ServiceNow personnel.