Hi Chai CK,
Yes, CCS uses a risk calculation, based on which you can prioritize your non-compliant assets. CCS follows the Common Vulnerability Scoring System (CVSS) version 2 to calculate the risk that is associated with a particular asset. Risk is calculated using attributes of both the asset and the standard/check.
An asset has the following attributes:
- Confidentiality
- Integrity
- Availability
A CCS standard/check has the following attributes:
- Confidentiality
- Integrity
- Availability
- Access vector
- Access complexity
- Authentication
For how the attributes are configured, look at the documentation; links are below.
After you scan your asset and there are findings, the following is calculated based on the above attributes:
- Compliance score
- Risk score
- Risk rating
Sample:
Then in your web console you have dashboards that can display "Top 10 Assets with Highest Risk Score by Standard", "Top 10 Failed Checks by Standard", "Asset Compliance by Asset group", etc.
For more details, please check the following links:
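As an added illustration (not part of the original post and not CCS's own code), the sketch below applies the public CVSS v2 base equation to the check attributes listed above and ranks failing assets by the result. Mapping the asset's Confidentiality/Integrity/Availability values to the CVSS v2 security requirements is an assumption, since the post does not show the CCS formula; the asset names and attribute values are constructed.

```python
# CVSS v2 metric weights, taken from the public CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}    # Access vector: local/adjacent/network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}     # Access complexity: high/medium/low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}    # Authentication: multiple/single/none
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}   # Check impact: none/partial/complete
REQ = {"L": 0.5, "M": 1.0, "H": 1.51}      # Asset requirement: low/medium/high


def risk_score(check, asset=None):
    """CVSS v2 base score with impact adjusted by the asset's C/I/A values.

    Assumption: asset attributes act as CVSS v2 security requirements.
    With no asset (all requirements medium) this is the plain base score.
    """
    asset = asset or {"C": "M", "I": "M", "A": "M"}
    remaining = 1.0
    for k in "CIA":
        remaining *= 1 - CIA[check[k]] * REQ[asset[k]]
    impact = min(10.0, 10.41 * (1 - remaining))
    exploitability = 20 * AV[check["AV"]] * AC[check["AC"]] * AU[check["Au"]]
    f = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f, 1)


def rank(findings):
    """Sort (asset_name, asset_attrs, check_attrs) tuples, highest risk first."""
    return sorted(((risk_score(c, a), name) for name, a, c in findings),
                  reverse=True)


# Constructed sample: one failed check, evaluated on two different assets.
CHECK = {"AV": "N", "AC": "L", "Au": "N", "C": "P", "I": "P", "A": "P"}
FINDINGS = [
    ("kiosk-lab", {"C": "L", "I": "L", "A": "L"}, CHECK),
    ("db-prod", {"C": "H", "I": "H", "A": "H"}, CHECK),
]

if __name__ == "__main__":
    print("check alone:", risk_score(CHECK))
    for score, name in rank(FINDINGS):
        print(f"{name}: {score}")
```

The same failed check scores differently depending on the asset it fails on, which is what makes the score usable for prioritizing remediation.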