Hi, I am looking for some collective wisdom to build a security SLA report/dashboard.
We already have a CVSS score field in our JIRA data ranging from 0-10.
The first step would be to create a criticality field such as follows:
If CVSS >= 9.0 -> Critical
If CVSS between 7.0 - 8.9 -> High
If CVSS between 4.0 - 6.9 -> Medium
If CVSS between 0.1 - 3.9 -> Low
If CVSS = 0 -> None
The next step would be then to compare the criticality field against our SLA
Critical = 14 days
High = 30 days
Medium = 60 days
Low = 90 days
Not sure the best way to do this.
Finally, create a report that shows some sort of traffic light status (meet (green), fail (red)) for all non-released SLA items.
I would think this has been done before, but my search didn't bear any fruit.
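As an added example (not code from the question or the reply), the criticality mapping, SLA comparison and traffic-light status described above, written in Python over constructed issue records; the record field names, the rule that an open item is judged against today's date, and the sample data are assumptions:

```python
from datetime import date, timedelta

# SLA windows in days per criticality band, as stated in the question.
SLA_DAYS = {"Critical": 14, "High": 30, "Medium": 60, "Low": 90}

def criticality(cvss: float) -> str:
    """Map a CVSS base score (0-10) to the criticality bands from the question.

    Lower-bound comparisons are used so that a score like 6.95 cannot fall
    into a gap between the 6.9 and 7.0 band edges.
    """
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss >= 0.1:
        return "Low"
    return "None"

def sla_status(cvss, created, released, today):
    """Return (criticality, due_date, status); status is 'green', 'red' or 'n/a'."""
    crit = criticality(cvss)
    if crit == "None":
        return crit, None, "n/a"          # CVSS 0 carries no SLA
    due = created + timedelta(days=SLA_DAYS[crit])
    # Assumption: a released item is judged on its release date, an open one on today.
    checkpoint = released if released is not None else today
    return crit, due, ("green" if checkpoint <= due else "red")

def sla_report(issues, today):
    """Traffic-light rows for every non-released issue (released ones are excluded)."""
    rows = []
    for issue in issues:
        if issue["released"] is not None:
            continue
        crit, due, status = sla_status(issue["cvss"], issue["created"], None, today)
        rows.append({"key": issue["key"], "criticality": crit, "due": due, "status": status})
    return rows

SAMPLE_ISSUES = [  # constructed sample records, not a real JIRA export
    {"key": "SEC-1", "cvss": 9.8, "created": date(2024, 1, 1), "released": None},
    {"key": "SEC-2", "cvss": 5.3, "created": date(2024, 1, 1), "released": None},
    {"key": "SEC-3", "cvss": 7.5, "created": date(2023, 12, 1), "released": date(2023, 12, 20)},
    {"key": "SEC-4", "cvss": 0.0, "created": date(2024, 1, 1), "released": None},
]

if __name__ == "__main__":
    for row in sla_report(SAMPLE_ISSUES, date(2024, 1, 20)):
        print(row)
```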
@Derek Hill You would just build the SLA so it is based on the CVSS field. So if the CVSS field is >= 9.0 the SLA would be 14 days. You can have a single SLA that evaluates this field and applies the SLA time based on the CVSS value. There are built-in SLA reports that you can then use to see breached vs met, and you could make a custom report to show all breached vs met based on the release.
Setting up SLAs:
Reporting on SLAs: