RS.MI-03
Does your organization have a documented process for mitigating newly identified vulnerabilities or formally accepting them as risks?
Explanation
This question assesses whether your organization has a systematic approach to handling vulnerabilities discovered through scanning, penetration testing, or security advisories. Effective vulnerability management requires timely assessment of new vulnerabilities, prioritization based on risk, and either implementation of appropriate mitigations or formal risk acceptance when mitigation isn't feasible. Evidence could include a vulnerability management policy document, screenshots of your vulnerability tracking system showing remediation workflows, or sample risk acceptance forms with appropriate approvals for vulnerabilities that cannot be immediately remediated.
Context
- Function: RS (RESPOND)
- Category: RS.MI (Incident Mitigation)
- Sub-Category: Newly identified vulnerabilities are mitigated or documented as accepted risks