Phase 4: Policy and Risk Context Configuration

Policy and risk context configuration is the fourth phase of your Tenable One adoption. This phase focuses on tailoring the platform to reflect your organization's specific risk context and business priorities, enabling more meaningful exposure metrics.

Expected Outcomes

During this phase, you apply your business logic and risk appetite to the platform. The expected outcomes include:

• Exposure views are customized for priority areas (for example, Cloud, Identity, Internet-facing).

• Attack path analysis is returning valid paths based on your data.

• Exposure signals are customized for combination and identity risks.

• Visible benchmarking is configured to compare against industry peers or internal baselines.

• The exposure card SLA is set for each criticality level.

• Business context is added to identify critical assets, "crown jewels," and compliance domains.

Why This Is Important

This phase transforms Tenable Exposure Management from a data repository into a tailored risk management solution. By configuring policies and adding business context, you ensure the platform surfaces the most relevant and high-priority exposures, allowing your teams to focus on what matters most.

Verification

You can verify the success of this phase by confirming the following:

• Exposure cards, attack paths, and signals are visible, customized, and populated with data. For more information, see Exposure Card Library, Attack Path Dashboard, and Exposure Signals.

• Benchmarking is configured against the correct industry. For more information, see Configure Exposure View Page Settings.

• Contextual dashboards are created and accessible to each stakeholder group. For more information, see Analytics Dashboard.

• Where possible, the Asset Criticality Rating (ACR) is reviewed and configured for critical systems. For more information, see Edit Asset ACR.

What to do next:

Proceed to Phase 5: Workflow and Integration Enablement.