CG
SkillsPerforming Asset Criticality Scoring for Vulns
Start Free
Back to Skills Library
Vulnerability Management🟡 Intermediate

Performing Asset Criticality Scoring for Vulns

Develop and apply a multi-factor asset criticality scoring model to weight vulnerability prioritization based on business impact, data sensitivity, and operational importance.

3 min read2 code examples

Prerequisites

  • Configuration Management Database (CMDB) or asset inventory
  • Business Impact Analysis (BIA) data
  • Data classification policy
  • Network architecture documentation
  • Stakeholder input from business unit owners

Performing Asset Criticality Scoring for Vulns

Overview

Asset criticality scoring assigns a business impact rating to each IT asset so that vulnerability remediation efforts focus on systems with the greatest organizational risk. Without criticality context, a CVSS 9.0 vulnerability on a test server receives the same urgency as the same vulnerability on a payment processing database. This guide covers building a multi-factor scoring model incorporating data sensitivity, business function dependency, regulatory scope, network exposure, and recoverability to create a 1-5 criticality tier that directly modifies vulnerability remediation SLAs.

Prerequisites

  • Configuration Management Database (CMDB) or asset inventory
  • Business Impact Analysis (BIA) data
  • Data classification policy
  • Network architecture documentation
  • Stakeholder input from business unit owners

Core Concepts

Asset Criticality Scoring Model

FactorWeightScore RangeDescription
Business Function Impact25%1-5How critical is the supported business process
Data Sensitivity25%1-5Type and sensitivity of data processed/stored
Regulatory Scope15%1-5Regulatory requirements (PCI, HIPAA, SOX)
Network Exposure15%1-5Internet-facing vs internal-only
Recoverability10%1-5RTO/RPO requirements, DR capability
User Population10%1-5Number of users/customers affected

Criticality Tier Definitions

TierScore RangeLabelSLA ModifierExamples
14.5-5.0Crown Jewels-50% SLADomain controllers, payment systems, ERP
23.5-4.4High Value-25% SLAEmail servers, HR systems, CI/CD
32.5-3.4StandardBaseline SLAInternal apps, file servers
41.5-2.4Low Impact+25% SLATest environments, printers
51.0-1.4Minimal+50% SLADecommissioning, isolated labs

Data Sensitivity Scoring

ScoreClassificationExamples
5Restricted/SecretPII, PHI, payment card data, trade secrets
4ConfidentialFinancial reports, HR records, source code
3InternalInternal documents, policies, project files
2Semi-publicMarketing materials, press releases (draft)
1PublicPublished content, public APIs

Implementation Steps

Step 1: Define Scoring Criteria

class AssetCriticalityScorer:
    """Multi-factor asset criticality scoring engine."""

    WEIGHTS = {
        "business_function": 0.25,
        "data_sensitivity": 0.25,
        "regulatory_scope": 0.15,
        "network_exposure": 0.15,
        "recoverability": 0.10,
        "user_population": 0.10,
    }

    TIER_THRESHOLDS = [
        (4.5, 1, "Crown Jewels", -0.50),
        (3.5, 2, "High Value", -0.25),
        (2.5, 3, "Standard", 0.00),
        (1.5, 4, "Low Impact", 0.25),
        (1.0, 5, "Minimal", 0.50),
    ]

    def score_asset(self, asset):
        """Calculate criticality score for an asset."""
        weighted_score = sum(
            asset.get(factor, 3) * weight
            for factor, weight in self.WEIGHTS.items()
        )
        score = round(weighted_score, 2)

        for threshold, tier, label, sla_mod in self.TIER_THRESHOLDS:
            if score >= threshold:
                return {
                    "score": score,
                    "tier": tier,
                    "label": label,
                    "sla_modifier": sla_mod,
                }
        return {"score": score, "tier": 5, "label": "Minimal", "sla_modifier": 0.50}

    def adjust_vuln_sla(self, base_sla_days, asset_tier_data):
        """Adjust vulnerability SLA based on asset criticality."""
        modifier = asset_tier_data["sla_modifier"]
        adjusted = int(base_sla_days * (1 + modifier))
        return max(1, adjusted)  # Minimum 1 day SLA

Step 2: Integrate with Vulnerability Prioritization

def apply_criticality_to_vulns(vulns_df, asset_scores):
    """Enrich vulnerability data with asset criticality context."""
    for idx, vuln in vulns_df.iterrows():
        asset_id = vuln.get("asset_id", "")
        asset_data = asset_scores.get(asset_id, {"tier": 3, "sla_modifier": 0})

        vulns_df.at[idx, "asset_tier"] = asset_data["tier"]
        vulns_df.at[idx, "asset_label"] = asset_data.get("label", "Standard")

        base_sla = get_base_sla(vuln["severity"])
        adjusted_sla = int(base_sla * (1 + asset_data["sla_modifier"]))
        vulns_df.at[idx, "adjusted_sla_days"] = max(1, adjusted_sla)

    return vulns_df

Best Practices

  1. Involve business stakeholders in criticality scoring; IT alone cannot assess business impact
  2. Review and update criticality scores at least quarterly or when systems change roles
  3. Automate scoring where possible using CMDB tags and data classification labels
  4. Apply criticality tiers to vulnerability SLAs for risk-proportional remediation
  5. Validate scoring against actual incident impact data to calibrate the model
  6. Start with a simple 3-tier model before expanding to 5 tiers

Common Pitfalls

  • Classifying all assets as "critical" which defeats the purpose of tiering
  • Not updating criticality scores when systems are repurposed or decommissioned
  • Using only technical factors without business context
  • Applying uniform SLAs regardless of asset importance
  • Not documenting the scoring methodology for audit and consistency

Related Skills

  • performing-cve-prioritization-with-kev-catalog
  • building-vulnerability-aging-and-sla-tracking
  • performing-business-impact-analysis
  • implementing-asset-management-program

Verification Criteria

Confirm successful execution by validating:

  • [ ] All prerequisite tools and access requirements are satisfied
  • [ ] Each workflow step completed without errors
  • [ ] Output matches expected format and contains expected data
  • [ ] No security warnings or misconfigurations detected
  • [ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

  • SOC 2: CC7.1 (Monitoring), CC8.1 (Change Management)
  • ISO 27001: A.12.6 (Technical Vulnerability Management)
  • NIST 800-53: RA-5 (Vulnerability Scanning), SI-2 (Flaw Remediation), CM-6 (Configuration Settings)
  • NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

Register this skill with your Claw GRC agent for automated execution:

# Install via CLI
npx claw-grc skills add performing-asset-criticality-scoring-for-vulns

# Or load dynamically via MCP
grc.load_skill("performing-asset-criticality-scoring-for-vulns")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

  • SHA-256 chain hashing ensures no step can be modified after execution
  • Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
  • Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Use with Claw GRC Agents

This skill is fully compatible with Claw GRC's autonomous agent system. Deploy it to any registered agent via MCP, and every execution will be logged in the tamper-evident audit trail.

// Load this skill in your agent
npx claw-grc skills add performing-asset-criticality-scoring-for-vulns
// Or via MCP
grc.load_skill("performing-asset-criticality-scoring-for-vulns")

Tags

asset-criticalityvulnerability-prioritizationrisk-managementcmdbbusiness-impactcrown-jewelsasset-classification

Related Skills

Vulnerability Management

Triaging Vulnerabilities with Ssvc Framework

3m·advanced
Vulnerability Management

Building Vulnerability Aging and Sla Tracking

5m·intermediate
Vulnerability Management

Implementing Epss Score for Vulnerability Prioritization

3m·advanced
Vulnerability Management

Performing CVE Prioritization with Kev Catalog

5m·advanced
Vulnerability Management

Building Patch Tuesday Response Process

5m·intermediate
Vulnerability Management

Building Vulnerability Dashboard with DefectDojo

3m·intermediate

Skill Details

Domain
Vulnerability Management
Difficulty
intermediate
Read Time
3 min
Code Examples
2

On This Page

OverviewPrerequisitesCore ConceptsImplementation StepsBest PracticesCommon PitfallsRelated SkillsVerification CriteriaCompliance Framework MappingDeploying This Skill with Claw GRC

Deploy This Skill

Add this skill to your Claw GRC agent and start automating.

Get Started Free →