How to submit a risk acceptance request in the RiskSense platform.
The risk acceptance workflow serves as acknowledgment that after evaluating a vulnerability, the cost to remediate the vulnerability is larger than the risk posed by the vulnerability itself. For cases where an organization accepts a vulnerability’s risk, the RiskSense platform provides an option to mark that finding as a Risk Acceptance (RA).
To submit a risk acceptance, navigate to either the Network > Host Findings or Application > Application Findings pages. For this example, we will show you how to request a risk acceptance using the Application > Application Findings page.
Select the finding(s) you want to mark as a risk acceptance by clicking the check box in the page’s first column. You may select several vulnerabilities at a time for marking risk acceptance.
Click the Workflow button.
In the Workflow drop-down menu, click Request under the Risk Acceptance category. This option can be used for single and multiple vulnerabilities.
You may also select a single vulnerability and right click the line item to select workflow options from the pop-up menu. Note that using the right-click option only works for a single row, as designated in the screenshot below.
Clicking Workflow > Risk Acceptance > Request brings up the Request Risk Acceptance window.
The following list describes the fields that appear in the Request Risk Acceptance window.
- Description: Description of the risk acceptance.
- Reason: Why should the vulnerabilities be risk accepted?
- Expiration Date: Date that the risk acceptance should expire. If the date is blank, the risk acceptance will not expire. You may enter your own expiration date or select one of the presets underneath the expiration date field.
- Compensating Control: If there is a compensating control in place to support the risk acceptance request, enter it here. Click the information bubble next to the title for more information.
- Drag Files Here: Allows users to upload documents or images supporting the risk acceptance request. For a risk acceptance, supporting documentation must be added to complete the risk acceptance request; otherwise, the request cannot be submitted.
Once the form is complete, click Submit. Once a user requests a risk acceptance, the vulnerability state will change to RA Requested, as shown below. The risk acceptance request is then sent to a group manager or manager to either approve or reject the request.