Risk Acceptance: Overview

Summary: High-level overview of the risk acceptance workflow.

The risk acceptance workflow records that, after a vulnerability has been evaluated, the cost of remediating it is judged to be greater than the risk it poses. For cases where an organization accepts a vulnerability's risk, the RiskSense platform provides an option to mark that finding as a Risk Acceptance (RA).

Once a scanner finding/vulnerability is marked as a risk acceptance, that finding remains in that state until a user manually removes it or the risk acceptance expires. Users do not have to account for or address risk-accepted vulnerabilities each time a scanner identifies them again.

Executive Dashboard - Overall RiskSense Security Score Widget

Vulnerabilities marked as risk acceptance are removed from the RiskSense Security Score (RS³) calculations entirely, so they have neither a negative nor a positive impact on the score. The Overall RiskSense Security Score (RS³) widget on the Executive Dashboard shows, in its upper-left corner, what the RS³ value would be if there were no risk-accepted findings on the account.

There are three states associated with the risk acceptance workflow:

  • RA Requested: The risk acceptance request was submitted and is awaiting manager approval.

  • RA Approved: The risk acceptance request was approved by a manager.

  • RA Reworked: The manager received the risk acceptance request but selected this option because the finding needs more justification for approval.

When the user who receives the risk acceptance request rejects it outright, the finding's state reverts to Assigned.