Risk acceptance
Definition
A formal decision by an authorised senior manager to tolerate a finding without full remediation, typically because the cost of remediation exceeds the risk exposure or the remediation is not technically feasible in the current environment. Risk acceptance requires documentation and a review date.
Related terms
- Approved Scanning Vendor (ASV): An organisation qualified by the PCI Security Standards Council to conduct external vulnerability scans of cardholder data environments. PCI-DSS requirement 11.3.2 mandates...
- Audit evidence: Any information the auditor uses to draw conclusions about a control. To be acceptable, audit evidence must be sufficient (enough of it),...
- Closure evidence: Documentation that demonstrates a finding has been remediated. Acceptable evidence types vary by control: updated policies with effective dates, configuration screenshots, vulnerability...
- CVSS (Common Vulnerability Scoring System): An open standard maintained by FIRST (Forum of Incident Response and Security Teams) that assigns a numeric score from 0 to 10...
- Finding owner: The individual or team accountable for implementing the corrective action specified in a management action plan. The finding owner is typically the...
- Follow-up verification: An independent check, usually by internal audit or the compliance function, that reviews closure evidence and confirms the control gap has been...
- Management action plan (MAP): A formal document issued in response to an audit finding, recording the agreed corrective action, the accountable owner, the target closure date,...
- Recurring finding: An audit finding that has appeared in two or more consecutive audit cycles despite previous remediation commitments. Recurring findings indicate that the...
- Remediation prioritisation: The process of ordering vulnerability remediation by risk. Factors include CVSS base score, asset criticality, threat intelligence about active exploitation, and compensating...
- Vulnerability assessment: A systematic process of identifying, classifying, and prioritising security weaknesses in systems, software, and infrastructure. Produces a list of findings with severity...
Explained in these topics
- Remediation Tracking and Management Action Plans: A formal decision by an authorised senior manager to tolerate a finding without full remediation, typically because the cost of remediation exceeds the risk ex...
- Vulnerability Assessment as Audit Evidence: A formal decision by authorised management to tolerate a known vulnerability without remediation, because the cost or operational impact of fixing it exceeds t...