Risk Acceptance: Overview

Summary: High-level overview of the risk acceptance workflow.

The risk acceptance workflow records the acknowledgment that, after evaluating a vulnerability, the cost to remediate it is larger than the risk it poses. For cases where an organization accepts the risk, Ivanti Neurons for RBVM/ASOC provides an option to mark that finding as a risk acceptance (RA).

Once a scanner finding is marked as a risk acceptance, it remains in that state until a user manually removes it or the risk acceptance expires. Users do not have to account for or address risk-accepted findings each time a scanner identifies them.

Findings marked as risk acceptances are removed from the Ivanti RS³ calculation entirely, so they have neither a negative nor a positive impact on the score. You can compare the Ivanti RS³ score with and without the marked findings in the Ivanti RS³ widget on the Executive Dashboard.

[Figure: Executive Dashboard - Overall RiskSense Security Score Widget]

Risk acceptance workflows have 5 states:

  • RA Requested: A requested workflow awaits a manager’s review and approval.
  • RA Approved: A user with the appropriate privileges can approve a workflow. When a risk acceptance workflow moves into an Approved state, the system closes all marked findings.
  • RA Reworked: The approver can move the risk acceptance request into the Reworked state if the requester needs to modify the scope (add or remove marked findings) or provide more documentation.
  • RA Expired: The workflow expires on its designated expiration date. Upon expiration, the system reopens marked findings unless another user or system workflow is keeping them closed.
  • RA Rejected: The organization decides that it should not accept the risk and rejects the workflow.
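The following is an added example, not Ivanti's code, that models the five states above as a small state machine so the effects on findings can be checked: approval closes the marked findings, expiry reopens them only when no other workflow is still holding them closed, and approved findings drop out of the score calculation. The allowed transitions between states, the approver-privilege check, the constructed finding data and the placeholder scoring function (a plain mean of severities, standing in for the RS³ formula this page does not give) are all assumptions of the model.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class RAState(Enum):
    REQUESTED = "RA Requested"
    APPROVED = "RA Approved"
    REWORKED = "RA Reworked"
    EXPIRED = "RA Expired"
    REJECTED = "RA Rejected"


# Allowed state changes. The page names the states and their effects; this
# exact edge set is an assumption of the model.
TRANSITIONS = {
    RAState.REQUESTED: {RAState.APPROVED, RAState.REWORKED, RAState.REJECTED},
    RAState.REWORKED: {RAState.REQUESTED},   # requester resubmits after rework
    RAState.APPROVED: {RAState.EXPIRED},     # only the expiration date moves it on
    RAState.EXPIRED: set(),                  # terminal
    RAState.REJECTED: set(),                 # terminal
}


@dataclass
class Finding:
    id: str
    severity: float                 # constructed 0-10 value, not a scanner field
    is_open: bool = True
    # ids of every workflow (RA or otherwise) currently holding the finding closed
    closed_by: set = field(default_factory=set)


@dataclass
class RiskAcceptance:
    id: str
    findings: list
    expires_on: date
    state: RAState = RAState.REQUESTED


def transition(ra, new_state, actor_can_approve=False):
    """Move an RA to new_state and apply the side effects the page describes."""
    if new_state not in TRANSITIONS[ra.state]:
        raise ValueError(f"{ra.id}: cannot go from {ra.state.value} to {new_state.value}")
    if new_state is RAState.APPROVED and not actor_can_approve:
        raise PermissionError(f"{ra.id}: approval requires the approver privilege")
    ra.state = new_state
    if new_state is RAState.APPROVED:
        for f in ra.findings:               # approval closes all marked findings
            f.closed_by.add(ra.id)
            f.is_open = False
    elif new_state is RAState.EXPIRED:
        for f in ra.findings:               # reopen unless something else holds it closed
            f.closed_by.discard(ra.id)
            if not f.closed_by:
                f.is_open = True
    return ra.state


def expire_due(risk_acceptances, today):
    """Expire every approved RA whose date has passed; return the ids expired."""
    expired = []
    for ra in risk_acceptances:
        if ra.state is RAState.APPROVED and today >= ra.expires_on:
            transition(ra, RAState.EXPIRED)
            expired.append(ra.id)
    return expired


def risk_accepted_ids(risk_acceptances):
    """Ids of findings covered by a currently approved risk acceptance."""
    return {f.id for ra in risk_acceptances if ra.state is RAState.APPROVED for f in ra.findings}


def score(findings, risk_acceptances, exclude_risk_accepted=True):
    """Placeholder score (mean severity of findings in scope), NOT the RS3 formula.

    With exclude_risk_accepted=True, accepted findings are dropped entirely;
    with False, the score is what it would be had they never been marked.
    """
    accepted = risk_accepted_ids(risk_acceptances) if exclude_risk_accepted else set()
    in_scope = [f.severity for f in findings if f.id not in accepted]
    return round(sum(in_scope) / len(in_scope), 2) if in_scope else 0.0


def demo():
    """Constructed scenario: RA-1 covers F-1 and F-3; F-3 is also held closed elsewhere."""
    f1, f2 = Finding("F-1", 9.0), Finding("F-2", 5.0)
    f3 = Finding("F-3", 7.0, is_open=False, closed_by={"other-workflow"})
    ra = RiskAcceptance("RA-1", [f1, f3], expires_on=date(2024, 6, 30))
    transition(ra, RAState.REWORKED)                       # approver asks for more documentation
    transition(ra, RAState.REQUESTED)                      # requester resubmits
    try:
        transition(ra, RAState.APPROVED)                   # no approver privilege
        approval_blocked = False
    except PermissionError:
        approval_blocked = True
    transition(ra, RAState.APPROVED, actor_can_approve=True)
    return {
        "approval_blocked_without_privilege": approval_blocked,
        "score_excluding_ra": score([f1, f2, f3], [ra]),                               # 5.0
        "score_including_ra": score([f1, f2, f3], [ra], exclude_risk_accepted=False),  # 7.0
        "expired": expire_due([ra], date(2024, 7, 1)),                                 # ["RA-1"]
        "f1_open_after_expiry": f1.is_open,    # True: nothing else held it closed
        "f3_open_after_expiry": f3.is_open,    # False: other-workflow still holds it
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point worth keeping from the model is the expiry branch: reopening is conditional on no other workflow holding the finding closed, so an expiry report should be reconciled against other open workflows before findings are treated as newly actionable.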