Impact requirement is inconsistent in the Findings classes: Impact attributes should be included in Incident profile.

[pagbabian-splunk]

The Compliance Finding and the Vulnerability Finding classes omit the impact_id and related attributes.

The Incident Finding Detection Finding and Data Security Finding classes include the impact_id and related attributes.

The Incident profile, extracted from the Incident Finding attributes omits the impact_id and related attributes.

Impact seems to be an incident level attribute, even though it is also a finding level attribute in 3 of the finding classes. The Incident profile should include impact so that when used with any of the non-Incident Finding classes it is brought in. profile=null adjustments should be added to protect the existing attributes in the classes that already include the incident_id and related attributes.

Finally, the descriptions of 'Low 'Medium High Critical are missing; they can be added to reflect the NIST definitions for 3 of the 4 (no Critical defined by NIST). NIST defines impact in context of CIA values which we don't explicitly include (and maybe should). Critical verbage arguably isn't correct: is the impact high? or is the impact critical (e.g. a physical impact can be high, acceleration or velocity based impact, but it can't be critical). We could define Critical impact to be scope-based rather than magnitude-based, e.g. Widespread scope of a High impact incident (or finding).