jramos/cve-dashboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4c04c9870a181aeff6146402b4579a97540ae5ae
cve-dashboard/frontend/src/data/metricDefinitions.json

1395 lines
57 KiB
JSON
Raw Blame History

[
{
"metric_id": "1.1.1",
"metric_title": "% of identified Red Criticality application(s) with a defined owner",
"asset_types": "Applications",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "PROD",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "Critical",
"exclusions": "",
"special_conditions": "Business owner field cannot be null or empty",
"data_sources_required": "Cherwell CMDB",
"business_justification": "Critical apps need ownership for incident response",
"notes": "Variants: Corp (no exclusions), Cust (exemption 1.1.1-Cust), SpecBus (WIP trend metric)"
},
{
"metric_id": "1.1.1A",
"metric_title": "% of identified risk Tier 1 application(s) with a defined owner",
"asset_types": "Applications",
"asset_types_in_scope": "Tier 1 Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Business owner documented, Tier 1 flag must be True",
"data_sources_required": "Cherwell CMDB",
"business_justification": "Tier 1 apps need ownership for risk management",
"notes": ""
},
{
"metric_id": "1.1.2",
"metric_title": "% of production applications assets that have been classified",
"asset_types": "Assets, Servers",
"asset_types_in_scope": "Production Applications",
"application_types_in_scope": "",
"environment_in_scope": "PROD",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Criticality rating defined (not Undefined or No Criticality)",
"data_sources_required": "Cherwell CMDB",
"business_justification": "Asset classification drives prioritization",
"notes": "Variants: Corp (count assets not applications), Cust (currently not reporting)"
},
{
"metric_id": "1.1.3",
"metric_title": "% of Red Criticality applications compliant with disaster recovery exercise requirements",
"asset_types": "Applications",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "PROD",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "Charter On-Prem/Charter Managed, Charter Private Cloud/Charter Managed, Hybrid/Charter Managed",
"criticality_levels_in_scope": "Critical",
"exclusions": "Admin instances excluded",
"special_conditions": "DR exercise within 365 days",
"data_sources_required": "Cherwell CMDB",
"business_justification": "DR testing ensures business continuity",
"notes": "9box requirements implemented"
},
{
"metric_id": "1.1.3A",
"metric_title": "% of risk Tier 1 applications compliant with disaster recovery exercise requirements",
"asset_types": "Applications",
"asset_types_in_scope": "Tier 1 Applications",
"application_types_in_scope": "",
"environment_in_scope": "PROD",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "Charter On-Prem/Charter Managed, Charter Private Cloud/Charter Managed, Hybrid/Charter Managed",
"criticality_levels_in_scope": "Critical, High, Medium",
"exclusions": "Admin instances excluded",
"special_conditions": "DR exercise based on criticality thresholds",
"data_sources_required": "Cherwell CMDB",
"business_justification": "DR testing for high-risk applications",
"notes": ""
},
{
"metric_id": "1.2.2",
"metric_title": "% of servers associated with Red Criticality applications generating actionable logs",
"asset_types": "Servers",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "Critical",
"exclusions": "Appliances excluded",
"special_conditions": "Logs seen in last 7 days",
"data_sources_required": "Splunk, Cherwell CMDB",
"business_justification": "Log visibility for critical systems",
"notes": "OS or APP logs ingested by SIEM"
},
{
"metric_id": "1.2.2A",
"metric_title": "% of servers associated with risk Tier 1 applications generating actionable logs",
"asset_types": "Servers",
"asset_types_in_scope": "Tier 1 Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Appliances excluded",
"special_conditions": "Logs ingested by SIEM with actionable alerting",
"data_sources_required": "Cherwell CMDB, Splunk",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.2.2All",
"metric_title": "% of servers associated with applications generating actionable security logs",
"asset_types": "Servers",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Appliances excluded",
"special_conditions": "Security logs with actionable alerting",
"data_sources_required": "Cherwell CMDB, Splunk",
"business_justification": "Comprehensive log monitoring",
"notes": ""
},
{
"metric_id": "1.2.2B",
"metric_title": "% of servers associated w/ Red Criticality applications generating actionable OS logs",
"asset_types": "Servers",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "Critical",
"exclusions": "Appliances excluded",
"special_conditions": "OS logs in Splunk indices containing 'nix' or 'win'",
"data_sources_required": "Cherwell CMDB, Splunk",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.2.2C",
"metric_title": "% of servers associated w/ Red Criticality applications generating actionable APP logs",
"asset_types": "Servers",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "Critical",
"exclusions": "Appliances excluded",
"special_conditions": "APP logs in Splunk indices NOT containing 'nix' or 'win'",
"data_sources_required": "Cherwell CMDB, Splunk",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.2.3",
"metric_title": "% of servers associated with Red Criticality applications monitored for compliance with a defined configuration baseline",
"asset_types": "Servers",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "Critical",
"exclusions": "Appliances excluded",
"special_conditions": "Tanium deployed and monitoring",
"data_sources_required": "Cherwell CMDB, Tanium",
"business_justification": "Configuration drift detection",
"notes": ""
},
{
"metric_id": "1.2.3A",
"metric_title": "% of servers passing configuration compliance",
"asset_types": "Servers",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Appliances excluded",
"special_conditions": "Tanium compliance percentage >= 0.9",
"data_sources_required": "Tanium",
"business_justification": "90% compliance threshold",
"notes": ""
},
{
"metric_id": "1.2.3All",
"metric_title": "% of servers monitored for compliance with a defined configuration baseline",
"asset_types": "Servers",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Appliances excluded",
"special_conditions": "Tanium deployed and monitoring",
"data_sources_required": "Cherwell CMDB, Tanium",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.2.4",
"metric_title": "% Red critical servers with confirmed supported operating systems",
"asset_types": "Servers",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "Critical",
"exclusions": "Appliances excluded",
"special_conditions": "OS not past end of life and EOL date known",
"data_sources_required": "Cherwell CMDB, ESD",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.2.4A",
"metric_title": "% of risk Tier 1 applications without end of support operating system",
"asset_types": "Applications",
"asset_types_in_scope": "Tier 1 Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Appliances excluded",
"special_conditions": "Applications not utilizing EOL systems",
"data_sources_required": "Cherwell CMDB, ESD",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.2.5",
"metric_title": "% of servers associated with Red Criticality Applications with installed and functioning endpoint security agents",
"asset_types": "Servers",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "Critical",
"exclusions": "Appliances excluded",
"special_conditions": "CrowdStrike agent active within 7 days",
"data_sources_required": "Cherwell CMDB, CrowdStrike",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.2.5A",
"metric_title": "% of servers associated with risk Tier 1 Applications with installed and functioning endpoint security agents",
"asset_types": "Servers",
"asset_types_in_scope": "Tier 1 Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Appliances excluded",
"special_conditions": "CrowdStrike agent active within 7 days",
"data_sources_required": "Cherwell CMDB, CrowdStrike",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.2.5All",
"metric_title": "% of servers with installed and functioning endpoint security agents",
"asset_types": "Servers",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Appliances excluded",
"special_conditions": "CrowdStrike agent active within 7 days",
"data_sources_required": "Cherwell CMDB, CrowdStrike",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.3.1A",
"metric_title": "% of vulnerabilities (critical and high) associated with Tier 1 Applications detected within SLA / Policy",
"asset_types": "Assets",
"asset_types_in_scope": "Tier 1 Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Critical: 15 days, High: 60 days from first found",
"data_sources_required": "Cherwell CMDB, Kenna",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.4.1",
"metric_title": "% of Red Criticality applications compliant with Business Impact Analysis review requirements",
"asset_types": "Applications",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All except Admin",
"criticality_levels_in_scope": "Critical",
"exclusions": "Admin instances excluded",
"special_conditions": "BIA completed within 365 days",
"data_sources_required": "Cherwell CMDB",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.4.1A",
"metric_title": "% of Tier 1 applications compliant with Business Impact Analysis review requirements",
"asset_types": "Applications",
"asset_types_in_scope": "Tier 1 Applications",
"application_types_in_scope": "",
"environment_in_scope": "PROD",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All except Admin",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Admin instances excluded",
"special_conditions": "BIA based on criticality: Low=731 days, others=366 days",
"data_sources_required": "Cherwell CMDB",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.4.1All",
"metric_title": "% of applications compliant with Business Impact Analysis review requirements",
"asset_types": "Applications",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "PROD",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All except Admin",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Admin instances excluded",
"special_conditions": "BIA based on criticality: Low=731 days, others=366 days",
"data_sources_required": "Cherwell CMDB",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.4.2",
"metric_title": "% of Red Criticality applications with a defined and operational backup process",
"asset_types": "Applications",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All except Public Cloud/3rd Party Managed, Public Cloud/Charter Managed",
"criticality_levels_in_scope": "Critical",
"exclusions": "Appliances, Public cloud managed excluded",
"special_conditions": "NetBackup or application method defined",
"data_sources_required": "Cherwell CMDB, NetBackup",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.4.2A",
"metric_title": "% of Tier 1 application environments with a defined and operational backup process",
"asset_types": "Applications",
"asset_types_in_scope": "Tier 1 Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All except Public Cloud/3rd Party Managed, Public Cloud/Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Appliances, Public cloud managed excluded",
"special_conditions": "NetBackup or specific application IDs",
"data_sources_required": "Cherwell CMDB, NetBackup",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.4.2All",
"metric_title": "% of application environments with a defined and operational backup process",
"asset_types": "Applications",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All except Public Cloud/3rd Party Managed, Public Cloud/Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Appliances, Public cloud managed excluded",
"special_conditions": "NetBackup or specific application IDs",
"data_sources_required": "Cherwell CMDB, NetBackup",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.5.1A",
"metric_title": "% of Red Criticality servers with software components inventoried and cataloged in the system of record",
"asset_types": "Servers",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "Critical",
"exclusions": "Appliances excluded",
"special_conditions": "Flexera deployed",
"data_sources_required": "Flexera, CMDB",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.5.1B",
"metric_title": "% of Red Criticality applications with associated software bill of materials (SBOM) defined maintained and cataloged",
"asset_types": "Applications",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "Critical",
"exclusions": "",
"special_conditions": "SBOM field = Yes",
"data_sources_required": "Cherwell CMDB",
"business_justification": "",
"notes": ""
},
{
"metric_id": "1.5.2",
"metric_title": "% of Red Criticality applications subject to code security testing (e.g. SAST DAST)",
"asset_types": "Applications",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "Critical",
"exclusions": "",
"special_conditions": "Contrast, Veracode, or SpecFlow deployed",
"data_sources_required": "Cherwell CMDB, Contrast",
"business_justification": "",
"notes": ""
},
{
"metric_id": "2.3.3",
"metric_title": "% of vulnerabilities (critical/high) on red critical servers that were closed or risk accepted within due date in the last 30 days",
"asset_types": "Servers",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "Critical",
"exclusions": "",
"special_conditions": "Closed by due date or risk accepted by due date, due date in last 30 days",
"data_sources_required": "Kenna, Cherwell CMDB",
"business_justification": "Risk meter 67-100",
"notes": ""
},
{
"metric_id": "2.3.4",
"metric_title": "% of vulnerabilities (critical/high) on servers that were closed/risk accepted within due date in the last 30 days",
"asset_types": "Servers",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Closed by due date or risk accepted by due date, due date in last 30 days",
"data_sources_required": "Cherwell CMDB, Kenna",
"business_justification": "Risk meter 67-100",
"notes": ""
},
{
"metric_id": "2.3.5",
"metric_title": "% of red critical servers without active critical/high-severity vulnerability that are overdue",
"asset_types": "Servers",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "Critical",
"exclusions": "",
"special_conditions": "No open overdue or risk accepted vulnerabilities",
"data_sources_required": "Cherwell CMDB, Kenna",
"business_justification": "Risk meter 67-100",
"notes": ""
},
{
"metric_id": "2.3.6",
"metric_title": "% of servers without active critical/high-severity vulnerability that are overdue",
"asset_types": "Servers",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "No open overdue or risk accepted vulnerabilities",
"data_sources_required": "Cherwell CMDB, Kenna",
"business_justification": "Risk meter 67-100",
"notes": ""
},
{
"metric_id": "2.3.7",
"metric_title": "% of red critical servers with no open past due vulnerabilities (critical/high)",
"asset_types": "Servers",
"asset_types_in_scope": "Red Critical Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "Critical",
"exclusions": "",
"special_conditions": "No open past due vulnerabilities",
"data_sources_required": "Cherwell CMDB, Kenna",
"business_justification": "Risk meter 67-100, past due only",
"notes": ""
},
{
"metric_id": "2.3.8",
"metric_title": "% of servers with no open past due vulnerabilities (critical/high)",
"asset_types": "Servers",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "No open past due vulnerabilities",
"data_sources_required": "Cherwell CMDB, Kenna",
"business_justification": "Risk meter 67-100, past due only",
"notes": ""
},
{
"metric_id": "2.3.9",
"metric_title": "% of network devices with no open past due vulnerabilities (critical/high)",
"asset_types": "Network Devices",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Qualys exclusion list",
"special_conditions": "No open past due vulnerabilities",
"data_sources_required": "Cherwell CMDB, Kenna",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.2.3",
"metric_title": "% of storage components protected by MFA",
"asset_types": "Storage Components",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "FOS operating systems excluded",
"special_conditions": "MFA method configured",
"data_sources_required": "Cherwell CMDB, ESD",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.2.4",
"metric_title": "% of network components protected by MFA",
"asset_types": "Network Components",
"asset_types_in_scope": "Jump Host Application (APP2394)",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "MFA = 1",
"data_sources_required": "Cherwell CMDB, Centrify",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.2.5",
"metric_title": "% of servers protected by MFA",
"asset_types": "Servers",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Incompatible OS excluded",
"special_conditions": "MFA = 1 or ESD MFA Method defined",
"data_sources_required": "Cherwell CMDB, Centrify",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.2.6",
"metric_title": "% of database servers protected by MFA",
"asset_types": "Database Servers",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "All statuses",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "MFA method configured for database access",
"data_sources_required": "Database security tools",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.2.7",
"metric_title": "% of externally accessible enterprise applications protected by MFA",
"asset_types": "Applications",
"asset_types_in_scope": "Corporate Applications",
"application_types_in_scope": "",
"environment_in_scope": "PROD",
"status_in_scope": "Installed",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Blue Enterprise and Blue Red Network excluded",
"special_conditions": "Network: Corp",
"data_sources_required": "Cherwell CMDB, JIRA (ESSO)",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.2.8",
"metric_title": "% of customer facing applications protected by MFA",
"asset_types": "Applications",
"asset_types_in_scope": "Customer-Facing Applications",
"application_types_in_scope": "",
"environment_in_scope": "PROD",
"status_in_scope": "Installed",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Applications with exemption 5.2.8-Cust excluded",
"special_conditions": "End User Type: Customer",
"data_sources_required": "Cherwell CMDB, CyberArk, Cisco ISE, Centrify",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.3.4",
"metric_title": "% of database servers with data integrity controls and monitoring",
"asset_types": "Servers",
"asset_types_in_scope": "Database Servers",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Legacy Enterprise systems excluded",
"special_conditions": "Server Type: Database",
"data_sources_required": "Cherwell CMDB, Imperva Apex",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.4.2",
"metric_title": "% of workstations with endpoint security agents installed and functioning",
"asset_types": "Workstations",
"asset_types_in_scope": "All Workstations",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Last seen within 30 days",
"data_sources_required": "Cherwell CMDB, CrowdStrike",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.4.3",
"metric_title": "% of workstations with endpoint DLP agents installed and functioning",
"asset_types": "Workstations",
"asset_types_in_scope": "All Workstations",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Last seen within 60 days",
"data_sources_required": "Cherwell CMDB, JAMF, ADDM, MS Defender",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.4.4",
"metric_title": "% of workstations utilizing whole device encryption",
"asset_types": "Workstations",
"asset_types_in_scope": "All Workstations",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Mobile devices excluded",
"special_conditions": "Device encryption enabled",
"data_sources_required": "Cherwell CMDB, MaaS360, JamF",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.4.5",
"metric_title": "% of workstations with internet security agent installed and functioning",
"asset_types": "Workstations",
"asset_types_in_scope": "All Workstations",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "NetSkope client last seen within 30 days",
"data_sources_required": "Cherwell CMDB, JAMF, ADDM, NetSkope",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.4.6",
"metric_title": "% of workstations without overdue critical/high vulnerabilities",
"asset_types": "Workstations",
"asset_types_in_scope": "All Workstations",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Workstations not in Kenna excluded",
"special_conditions": "SCCM or JAMF managed workstations",
"data_sources_required": "Kenna, SCCM, JAMF",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.5.2",
"metric_title": "% of servers with confirmed supported operating systems",
"asset_types": "Servers",
"asset_types_in_scope": "All Servers",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "EOS data available",
"data_sources_required": "Cherwell CMDB, ESD",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.5.4",
"metric_title": "% of infrastructure without overdue critical/high vulnerabilities",
"asset_types": "Servers",
"asset_types_in_scope": "All Infrastructure",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Kenna vulnerability data available",
"data_sources_required": "Kenna",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.5.5",
"metric_title": "% of servers which have been decommissioned and are no longer connected to the network",
"asset_types": "Servers",
"asset_types_in_scope": "All Servers",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Retired",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "No recent activity in security tools",
"data_sources_required": "Cherwell CMDB, CrowdStrike, Kenna, Splunk",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.6.1",
"metric_title": "% of network monitored or scanned for connection of unknown devices",
"asset_types": "Network",
"asset_types_in_scope": "All Devices",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Customer-owned ranges excluded",
"special_conditions": "Charter-known IP ranges",
"data_sources_required": "Forescout, Cherwell CMDB",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.6.2",
"metric_title": "% of IP addresses active on network covered by vulnerability scans",
"asset_types": "Network",
"asset_types_in_scope": "All IP Addresses",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Exception ranges excluded",
"special_conditions": "Charter-known IP ranges",
"data_sources_required": "Cherwell CMDB, ESD, Qualys",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.6.2A",
"metric_title": "% of Active Workstations and Servers covered by vulnerability scans",
"asset_types": "Workstations and Servers",
"asset_types_in_scope": "All",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Qualys scan within 60 days",
"data_sources_required": "Cherwell CMDB, Qualys",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.6.3",
"metric_title": "% of devices identified that are in the centralized asset inventory",
"asset_types": "Network Devices",
"asset_types_in_scope": "All Devices",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Device discovery and inventory correlation",
"data_sources_required": "Forescout, Resolve, Charter Asset Discovery, Cherwell CMDB",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.6.3B",
"metric_title": "% of devices Managed Enforced over all devices permitted on network by NAC",
"asset_types": "Network Devices",
"asset_types_in_scope": "All Devices",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Blocked and Uncategorized devices excluded",
"special_conditions": "NAC policy enforcement",
"data_sources_required": "Forescout",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.6.4",
"metric_title": "% of unique undocumented devices detected and remediated within 30 days",
"asset_types": "Network Devices",
"asset_types_in_scope": "Undocumented Devices",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Unknown",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Device remediation within 30 days",
"data_sources_required": "Forescout, Resolve, Charter Asset Discovery, Cherwell CMDB",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.7.1",
"metric_title": "% of AWS accounts sending logs to SIEM for monitoring",
"asset_types": "Cloud Accounts",
"asset_types_in_scope": "AWS Accounts",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "CloudTrail and GuardDuty enabled",
"data_sources_required": "AWS CloudTrail, AWS GuardDuty",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.7.2",
"metric_title": "% of external data connections encrypted in transit accessible to public cloud services",
"asset_types": "Cloud Connections",
"asset_types_in_scope": "Data Connections",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "External cloud connections",
"data_sources_required": "AWS S3 Bucket",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.7.3",
"metric_title": "% of data encrypted at rest stored in and accessible via public cloud",
"asset_types": "Cloud Data",
"asset_types_in_scope": "Data Objects",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Public cloud storage",
"data_sources_required": "AWS S3 Bucket",
"business_justification": "",
"notes": ""
},
{
"metric_id": "5.8.1",
"metric_title": "% of applications subject to code security testing within the past year",
"asset_types": "Applications",
"asset_types_in_scope": "Charter Developed Applications",
"application_types_in_scope": "",
"environment_in_scope": "PROD",
"status_in_scope": "Installed",
"instance_types_in_scope": "Charter In-house/Third Party Custom",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Development type filtering",
"data_sources_required": "Cherwell CMDB, Veracode, SpecFlow",
"business_justification": "",
"notes": ""
},
{
"metric_id": "7.1.1",
"metric_title": "% of servers generating actionable logs ingested into enterprise monitoring solution",
"asset_types": "Servers",
"asset_types_in_scope": "All Servers",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Appliances excluded",
"special_conditions": "Splunk log ingestion",
"data_sources_required": "Cherwell CMDB, Splunk",
"business_justification": "",
"notes": ""
},
{
"metric_id": "7.1.4",
"metric_title": "% of assets discovered during last quarter that are managed by Charter and documented",
"asset_types": "Assets",
"asset_types_in_scope": "All Assets",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Quarterly discovery tracking",
"data_sources_required": "Cherwell CMDB, Forescout, Resolve, Charter Asset Discovery",
"business_justification": "",
"notes": ""
},
{
"metric_id": "7.2.1",
"metric_title": "% of cases that met Time to Detect objective within the last month",
"asset_types": "Security Cases",
"asset_types_in_scope": "All Cases",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "All Severities",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Manual/Phishing cases excluded",
"special_conditions": "TTD within 10 minutes",
"data_sources_required": "Swimlane",
"business_justification": "",
"notes": ""
},
{
"metric_id": "7.2.2",
"metric_title": "% of cases that met Time to Acknowledge objective within the last month",
"asset_types": "Security Cases",
"asset_types_in_scope": "All Cases",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "All Severities",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "TTA within 15 minutes",
"data_sources_required": "Swimlane",
"business_justification": "",
"notes": ""
},
{
"metric_id": "7.2.3",
"metric_title": "% of cases that met Time to Close objective within the last month",
"asset_types": "Security Cases",
"asset_types_in_scope": "Closed Cases",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "All Severities",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "TTC within 120 hours",
"data_sources_required": "Swimlane",
"business_justification": "",
"notes": ""
},
{
"metric_id": "7.3.1",
"metric_title": "% of incidents that met Time to Detect objective within the last month",
"asset_types": "Security Incidents",
"asset_types_in_scope": "All Incidents",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "All Severities",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "TTD varies by severity",
"data_sources_required": "Swimlane",
"business_justification": "",
"notes": ""
},
{
"metric_id": "7.3.2",
"metric_title": "% of incidents that met Time to Acknowledge objective within the last month",
"asset_types": "Security Incidents",
"asset_types_in_scope": "All Incidents",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "All Severities",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "TTA varies by severity",
"data_sources_required": "Swimlane",
"business_justification": "",
"notes": ""
},
{
"metric_id": "7.3.3",
"metric_title": "% of incidents that met Time to Contain objective within the last month",
"asset_types": "Security Incidents",
"asset_types_in_scope": "All Incidents",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "All Severities",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "TTC varies by severity",
"data_sources_required": "Swimlane",
"business_justification": "",
"notes": ""
},
{
"metric_id": "7.3.4",
"metric_title": "% of incidents that met Time to Close objective within the last month",
"asset_types": "Security Incidents",
"asset_types_in_scope": "Closed Incidents",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "All Severities",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Resolution within target time",
"data_sources_required": "Swimlane",
"business_justification": "",
"notes": ""
},
{
"metric_id": "7.4.6",
"metric_title": "% of incidents closed within defined target resolution time/SLA within last quarter",
"asset_types": "Security Incidents",
"asset_types_in_scope": "All Incidents",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Closed",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Quarterly SLA measurement",
"data_sources_required": "Swimlane",
"business_justification": "",
"notes": ""
},
{
"metric_id": "7.6.13",
"metric_title": "% of applications compliant with disaster recovery exercises requirements",
"asset_types": "Applications",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "PROD",
"status_in_scope": "Installed",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "Critical, High, Medium",
"exclusions": "Admin applications excluded",
"special_conditions": "DR exercise completion tracking",
"data_sources_required": "Cherwell CMDB",
"business_justification": "",
"notes": ""
},
{
"metric_id": "7.6.15",
"metric_title": "% of critical outages not resulting from cyber causes during the past month",
"asset_types": "Outages",
"asset_types_in_scope": "Critical Outages",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "All",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "Critical",
"exclusions": "",
"special_conditions": "Monthly outage tracking",
"data_sources_required": "Swimlane, Remedy Report",
"business_justification": "",
"notes": ""
},
{
"metric_id": "7.6.16",
"metric_title": "% of applications compliant with disaster recovery plan review requirements",
"asset_types": "Applications",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "PROD",
"status_in_scope": "Installed",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "Admin applications excluded",
"special_conditions": "DR plan review tracking",
"data_sources_required": "Cherwell CMDB",
"business_justification": "",
"notes": ""
},
{
"metric_id": "8.0.1",
"metric_title": "% of Resources/Accounts compliant with Cloud Configuration Standards",
"asset_types": "Cloud Resources",
"asset_types_in_scope": "All Cloud Resources",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "All",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Cloud configuration compliance",
"data_sources_required": "CrowdStrike CSPM",
"business_justification": "",
"notes": ""
},
{
"metric_id": "8.0.2",
"metric_title": "% of Accounts using AMIs and ECRs with supported OS",
"asset_types": "Cloud Accounts",
"asset_types_in_scope": "AMI/ECR Images",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "All",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Supported OS validation",
"data_sources_required": "Cloud Image Management",
"business_justification": "",
"notes": ""
},
{
"metric_id": "8.0.3",
"metric_title": "% of cloud accounts configured for MFA requirements",
"asset_types": "Cloud Accounts",
"asset_types_in_scope": "All Cloud Accounts",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "All",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "MFA configuration validation",
"data_sources_required": "Cloud Account Management",
"business_justification": "",
"notes": ""
},
{
"metric_id": "8.0.4",
"metric_title": "% of cloud accounts configured for WAF requirements",
"asset_types": "Cloud Accounts",
"asset_types_in_scope": "All Cloud Accounts",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "All",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "WAF configuration validation",
"data_sources_required": "Cloud Security Management",
"business_justification": "",
"notes": ""
},
{
"metric_id": "8.0.5",
"metric_title": "% of cloud accounts logging",
"asset_types": "Cloud Accounts",
"asset_types_in_scope": "All Cloud Accounts",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "All",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Logging configuration validation",
"data_sources_required": "Cloud Logging Management",
"business_justification": "",
"notes": ""
},
{
"metric_id": "8.0.6",
"metric_title": "% of cloud accounts configured for vulnerability scanning on compute resources",
"asset_types": "Cloud Accounts",
"asset_types_in_scope": "Compute Resources",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "All",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Inspector service enabled",
"data_sources_required": "AWS Inspector",
"business_justification": "",
"notes": ""
},
{
"metric_id": "8.0.7",
"metric_title": "% of cloud compute resources covered by vulnerability scans",
"asset_types": "Cloud Resources",
"asset_types_in_scope": "Compute Resources",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "AWS Account resources excluded",
"special_conditions": "Active scan status",
"data_sources_required": "AWS Inspector",
"business_justification": "",
"notes": ""
},
{
"metric_id": "2.3.4i",
"metric_title": "% of vulnerabilities (critical/high) on servers that were closed/risk accepted within due date in the last 30 days (infrastructure)",
"asset_types": "Servers",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Closed by due date or risk accepted by due date, due date in last 30 days",
"data_sources_required": "Cherwell CMDB, Kenna",
"business_justification": "Vulnerability Management",
"notes": "Infrastructure variant of 2.3.4"
},
{
"metric_id": "2.3.6i",
"metric_title": "% of servers without active critical/high-severity vulnerability that are overdue (infrastructure)",
"asset_types": "Servers",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "No open overdue or risk accepted vulnerabilities",
"data_sources_required": "Cherwell CMDB, Kenna",
"business_justification": "Vulnerability Management",
"notes": "Infrastructure variant of 2.3.6"
},
{
"metric_id": "2.3.8i",
"metric_title": "% of servers with no open past due vulnerabilities (critical/high) (infrastructure)",
"asset_types": "Servers",
"asset_types_in_scope": "All Applications",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "No open past due vulnerabilities",
"data_sources_required": "Cherwell CMDB, Kenna",
"business_justification": "Vulnerability Management",
"notes": "Infrastructure variant of 2.3.8"
},
{
"metric_id": "5.5.4i",
"metric_title": "% of infrastructure without overdue critical/high vulnerabilities (infrastructure)",
"asset_types": "Servers",
"asset_types_in_scope": "All Infrastructure",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "Charter Managed",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Kenna vulnerability data available",
"data_sources_required": "Kenna",
"business_justification": "Vulnerability Management",
"notes": "Infrastructure variant of 5.5.4"
},
{
"metric_id": "Missing_AppID",
"metric_title": "Assets missing Application ID assignment",
"asset_types": "Assets",
"asset_types_in_scope": "All Assets",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Application ID field is empty or null",
"data_sources_required": "Cherwell CMDB",
"business_justification": "Asset Data Quality",
"notes": "Data quality metric for CMDB hygiene"
},
{
"metric_id": "Missing_DF",
"metric_title": "Assets missing Data Function assignment",
"asset_types": "Assets",
"asset_types_in_scope": "All Assets",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Data Function field is empty or null",
"data_sources_required": "Cherwell CMDB",
"business_justification": "Asset Data Quality",
"notes": "Data quality metric for CMDB hygiene"
},
{
"metric_id": "Missing_OS",
"metric_title": "Assets missing Operating System assignment",
"asset_types": "Assets",
"asset_types_in_scope": "All Assets",
"application_types_in_scope": "",
"environment_in_scope": "All environments",
"status_in_scope": "Active, Installed",
"instance_types_in_scope": "All instance types",
"criticality_levels_in_scope": "All criticality levels",
"exclusions": "",
"special_conditions": "Operating System field is empty or null",
"data_sources_required": "Cherwell CMDB",
"business_justification": "Asset Data Quality",
"notes": "Data quality metric for CMDB hygiene"
}
]
Reference in New Issue View Git Blame Copy Permalink