Remediation prioritisation

Definition

The process of ordering vulnerability remediation by risk. Factors include CVSS base score, asset criticality, threat intelligence about active exploitation, and compensating controls already in place. The auditor reviews whether the organisation's prioritisation method is documented and consistently applied.
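The following is an added illustration, not part of this glossary entry, of how the factors above can be combined into one repeatable ordering. The weights (asset criticality scaled 1 to 5, a 1.5x multiplier for active exploitation, a 10% reduction per compensating control floored at 50%) are an assumption chosen for the example, not a published standard; an organisation would substitute its own documented method. The findings are constructed sample data. The `audit_ordering` helper shows the check an auditor can apply: re-run the documented method and compare it with the order the team actually recorded.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Finding:
    """One vulnerability finding with the inputs the text lists."""
    id: str
    cvss_base: float                  # CVSS base score, 0.0 to 10.0
    asset_criticality: int            # 1 (low) to 5 (critical), from the asset inventory
    actively_exploited: bool          # threat intelligence: known exploitation in the wild
    compensating_controls: List[str] = field(default_factory=list)


def priority_score(f: Finding) -> float:
    """Hypothetical risk-based priority, capped at 10.0 (weights are an assumption)."""
    score = f.cvss_base * (f.asset_criticality / 5)       # scale severity by asset value
    if f.actively_exploited:
        score *= 1.5                                      # active exploitation outranks theory
    # each control already in place reduces exposure, but never by more than half
    score *= max(0.5, 1 - 0.1 * len(f.compensating_controls))
    return round(min(score, 10.0), 2)


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Order findings by descending priority; ties broken by id for determinism."""
    return sorted(findings, key=lambda f: (-priority_score(f), f.id))


def audit_ordering(findings: List[Finding], recorded_order: List[str]) -> List[str]:
    """Auditor check: re-apply the documented method and report any position
    where the recorded remediation order differs from it."""
    expected = [f.id for f in prioritise(findings)]
    return [
        f"position {i + 1}: expected {exp}, recorded {rec}"
        for i, (exp, rec) in enumerate(zip(expected, recorded_order))
        if exp != rec
    ]


def sample_findings() -> List[Finding]:
    """Constructed sample data for the example (not real findings)."""
    return [
        Finding("F-1", cvss_base=9.8, asset_criticality=2, actively_exploited=False),
        Finding("F-2", cvss_base=7.5, asset_criticality=5, actively_exploited=True),
        Finding("F-3", cvss_base=7.5, asset_criticality=5, actively_exploited=False,
                compensating_controls=["WAF rule", "network segmentation"]),
        Finding("F-4", cvss_base=5.3, asset_criticality=4, actively_exploited=True,
                compensating_controls=["MFA"]),
    ]


if __name__ == "__main__":
    for f in prioritise(sample_findings()):
        print(f.id, priority_score(f))
    # A CVSS 9.8 on a low-value asset (F-1) lands last; an actively exploited
    # 7.5 on a critical asset (F-2) lands first.
    print(audit_ordering(sample_findings(), ["F-1", "F-2", "F-3", "F-4"]))
```

The point the ordering makes is that CVSS alone would put F-1 first, while the documented method ranks it last; the audit helper flags every position where a team's recorded order departs from the method it claims to follow.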

Related terms

Approved Scanning Vendor (ASV)
An organisation qualified by the PCI Security Standards Council to conduct external vulnerability scans of cardholder data environments. PCI-DSS requirement 11.3.2 mandates...
Audit evidence
Any information the auditor uses to draw conclusions about a control. To be acceptable, audit evidence must be sufficient (enough of it),...
CVSS (Common Vulnerability Scoring System)
An open standard maintained by FIRST (Forum of Incident Response and Security Teams) that assigns a numeric score from 0 to 10...
Risk acceptance
A formal decision by an authorised senior manager to tolerate a finding without full remediation, typically because the cost of remediation exceeds...
Vulnerability assessment
A systematic process of identifying, classifying, and prioritising security weaknesses in systems, software, and infrastructure. Produces a list of findings with severity...
