All Vulnerabilities in SecurityCenter
- Should always either remediate, accept, or recast critical and high vulnerabilities.
- If you are going to Accept or Recast Risk, comments and expiration date (reasonable length no longer than a year) are always mandatory.
- "No known exploits" is not a valid reason by itself for accepted or recast risk (an exploit could come out tomorrow).
- No need to accept/recast risk if Low severity (or lower).
Accepted Risk
- Accepted Risk is accepting you won't/can't fix (intentionally not addressing the issue), at the Tenable reported severity.
- Put reason why you can't fix in the comments, especially highlighting if due to lack of resources.
- Should be accepted risk if there is a time period involved (i.e. decommissioning system soon, expiration date as the shutdown date), "low risk server", "no important data", or if unable to fix.
If implemented compensating controls, use this to accept the residual risk (explain compensating controls in the comments).
- If system has already been shut down, re-run scan to verify it is no longer there rather than accept risk.
Recast Risk
- Recast Risk is when you disagree with the Tenable ranking based on risk of the asset, whether it they think it should be higher or lower.
- False positives, an inaccurate answer based on incomplete data, should be labeled as recast risks after you've verified it. Mention in the comments you believe it is a "false positive". (Can also run a credentialed scan to be more accurate and less likely occurrence of false positives).