Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Both

  • Comments and Expiration Date (reasonable length no longer than a year) are always mandatory
  • "No known exploits" is not a valid reason by itself for accepted or recast risk (an exploit could come out tomorrow)
  • No need to accept/recast risk if Low severity (or lower)

Accepted Risk

  • Accepted Risk is accepting you won't/can't fix (intentionally not addressing the issue), at the Tenable reported severity.
  • Put reason why you can't fix in the comments, especially highlighting if due to lack of resources.
  • Should be accepted risk if there is a time period involved (i.e. decommissioning system soon, expiration date as the shutdown date), "low risk server", "no important data", or if unable to fix.

  • If implemented compensating controls, use this to accept the residual risk (explain compensating controls in the comments).

  • If system has already been shut down, re-run scan to verify it is no longer there rather than accept risk.

Recast Risk

  • Recast Risk is when you disagree with the Tenable ranking based on risk of the asset, whether it they think it should be higher or lower.
  • False positives, an inaccurate answer based on incomplete data, should be labeled as recast risks after you've verified it. Mention in the comments you believe it is a "false positive". (Can also run a credentialed scan to be more accurate and less likely occurrence of false positives).
  • No labels