We are trying to understand how Qualys defines severity. We have two different ratings for an organization, one from the Patch Management team and one from the Vulnerability Assessment team.
Patch Management defines/rates a patch based on the importance of the application/software that is being used across the organization. E.g., Office-related patches are rated as Low on servers when compared to Microsoft's Critical/Important.
As of now we are looking to standardize the patch ratings across MS, QG and our internal teams. So we need some help in understanding Qualys severity (1 to 5) and Microsoft's ratings (Critical, Important, Moderate and Low).
Are all these ratings coming from the Common Vulnerability Scoring System or from some other organizational standards?
Also, in the case of Policy Compliance, can we define a severity for each control based on the operating system? Looking forward to discussing this.
Thanks & Regards,