Does your organization have a documented process for mitigating newly identified vulnerabilities or formally accepting them as risks?
Explanation
Reviewers want to confirm how you dispose of discovered vulnerabilities: specifically, whether you have a documented process for either mitigating newly found vulnerabilities or formally accepting them as risks. Effective vulnerability management requires timely assessment of each new vulnerability, prioritization based on risk, and either implementation of an appropriate mitigation or formal, approved risk acceptance when mitigation isn't feasible.
Evidence could include a vulnerability management policy document, screenshots of your vulnerability tracking system showing remediation workflows, or sample risk acceptance forms with appropriate approvals for vulnerabilities that cannot be immediately remediated. A risk acceptance should record who approved it, why, and when it will be re-reviewed or expires, so that accepted risks are revisited rather than forgotten.
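One way to check that every finding in a tracker actually has a disposition, as an added example that is not part of the original page or of any particular product: each finding is either mitigated, formally accepted (with approver, justification and an unexpired review date), or still open inside its severity-based remediation SLA. The SLA values, the status names, and the sample findings are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed remediation SLAs in days per severity (illustrative values, not from the page).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class RiskAcceptance:
    """Formal acceptance record: who approved, why, and when it must be re-reviewed."""
    approver: str
    approved_on: date
    expires_on: date
    justification: str


@dataclass
class Finding:
    """A tracked vulnerability. status is one of: open, mitigated, accepted (assumed names)."""
    id: str
    severity: str
    discovered: date
    status: str
    acceptance: Optional[RiskAcceptance] = None


def disposition_issues(findings: List[Finding], today: date) -> List[Tuple[str, str]]:
    """Return (finding_id, reason) for every finding that lacks a valid disposition.

    Mitigated findings pass. Accepted findings must carry a complete, unexpired
    acceptance record. Open findings must still be within their severity SLA.
    """
    issues = []
    for f in findings:
        if f.status == "mitigated":
            continue
        if f.status == "accepted":
            a = f.acceptance
            if a is None:
                issues.append((f.id, "accepted without a risk acceptance record"))
            elif not a.approver or not a.justification:
                issues.append((f.id, "risk acceptance missing approver or justification"))
            elif a.expires_on <= today:
                issues.append((f.id, "risk acceptance expired; re-review required"))
            continue
        # Anything else is treated as open and judged against its SLA.
        sla = SLA_DAYS.get(f.severity)
        if sla is None:
            issues.append((f.id, f"unknown severity '{f.severity}'; cannot prioritize"))
            continue
        deadline = f.discovered + timedelta(days=sla)
        if today > deadline:
            overdue = (today - deadline).days
            issues.append((f.id, f"open {overdue} days past the {sla}-day SLA for {f.severity}"))
    return issues


# Constructed sample data for the audit below (not real findings).
TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("VULN-001", "critical", date(2024, 5, 1), "mitigated"),
    Finding("VULN-002", "high", date(2024, 4, 1), "open"),          # 61 days old, SLA 30
    Finding("VULN-003", "medium", date(2024, 5, 20), "open"),       # 12 days old, SLA 90
    Finding("VULN-004", "low", date(2024, 1, 1), "accepted",
            RiskAcceptance("ciso", date(2024, 1, 10), date(2024, 4, 10), "legacy host")),
    Finding("VULN-005", "high", date(2024, 5, 1), "accepted",
            RiskAcceptance("ciso", date(2024, 5, 5), date(2024, 11, 5), "compensating WAF rule")),
    Finding("VULN-006", "critical", date(2024, 5, 28), "accepted"),  # no acceptance record
]


def audit_ids(findings: List[Finding] = SAMPLE_FINDINGS, today: date = TODAY) -> List[str]:
    """IDs of findings that a reviewer would flag as lacking a valid disposition."""
    return [fid for fid, _ in disposition_issues(findings, today)]


if __name__ == "__main__":
    for fid, reason in disposition_issues(SAMPLE_FINDINGS, TODAY):
        print(f"{fid}: {reason}")
```

Run against the constructed sample, the audit flags VULN-002 (open past SLA), VULN-004 (acceptance expired) and VULN-006 (marked accepted with no record); the mitigated, in-SLA and validly accepted findings pass. The same structure maps directly onto the evidence reviewers ask for: the SLA table is the policy, the acceptance record is the signed form, and the list of issues is what a remediation dashboard should show.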
Context
- Function: RS: RESPOND
- Category: RS.MI: Incident Mitigation
- Sub-Category: Newly identified vulnerabilities are mitigated or documented as accepted risks
Related questions
- Do your cybersecurity technologies and security features in other systems automatically perform containment actions when threats are detected?
- Does your incident response process allow responders to manually select and execute containment actions during security incidents?
- Does your organization have formal agreements with third parties (e.g., ISPs, MSSPs) authorizing them to perform containment actions during security incidents?
- Does your organization automatically transfer compromised endpoints to a remediation VLAN for isolation and remediation?
- Does your organization implement automated eradication capabilities within cybersecurity technologies and security features of other technologies?
- Does your incident response system allow authorized responders to manually select and execute eradication actions during security incidents?

