Entity classification and tags can be inherited from other entities using entity relationships. Any relationship between two entities can be configured to propagate control assignments, control results, risk, tags, or criticality. The system is designed to make circular references impossible. Entities cannot inherit what they propagate.
To specify the propagation associated with an entity relationship, go to Configuration > Entity Configuration > Relationships. Click on a relationship to display the Relationship Type dialog.
Control results and risks are propagated, but only within a particular program. Propagating control results or risks across programs can be performed manually. If a control profile is specified, the system uses the control profile and ignores the control assignment.
When propagating criticality, choose the value to use:
- The "from" entity's criticality
- The highest criticality between the "from" and the "to" entity
- The lowest criticality between the "from" and the "to" entity
Adding entities and then creating a new relationship with an existing entity relationship type requires running the Update Objects job to propagate the scores effectively to the newly added entities. A child entity inherits the security risk score if you configure the parent entity to propagate the risk score.
EXAMPLE |
Your program owner configures each entity with different criticality values. They establish a parent-child relationship between entities such that the parent entity propagates either criticality or tags and control results to the child entities. Run the Update Objects job first before you include entity pairs in an assessment. By doing so, you can ensure that all the child entities inherit the criticality value of the parent entity. When you run the assessment, the control results will propagate effectively. |