Creating False Positive and Risk Accepted Workflows in Cisco Vulnerability Management

In Cisco Vulnerability Management, each vulnerability is given one of the following statuses: Open, Closed, Risk Accepted, or False Positive.

lmh.png

Note: In the screenshot above, the vulnerability’s current status is “Open”, which is why “Open” is not an available status.

If your organization does not currently track False Positives or Risk Accepted vulnerabilities, you can create a workflow in Cisco Vulnerability Management. For this workflow, we will leverage several custom fields.

False Positive Workflow

When you are creating a False Positive workflow, Cisco recommends that you create three different custom fields, one for each of the following:

  1. False Positive Approver: The manager or security team member that approved the False Positive status.

  2. False Positive Date: The date the vulnerability was designated as a False Positive.

  3. False Positive Notes/Justification/Link: You can use this field to make any notes regarding the False Positive, explain the status, or link to an additional tool if another tool (such as SharePoint or Jira) is used as a repository for storing this data long term.


Creating these three fields helps the organization with tracking and compliance.

Risk Acceptance Workflow

When you are creating a Risk Acceptance workflow, Cisco recommends that you create three different custom fields, one for each of the following:

  1. Risk Accepted Approver: The manager or security team member that approved the Risk Accepted status.

  2. Risk Accepted Date: The date the vulnerability was designated as Risk Accepted.

  3. Risk Accepted Notes/Justification/Link: You can use this field to make any notes regarding the Risk Acceptance, explain the status, or link to an additional tool if another tool (such as SharePoint or Jira) is used as a repository for storing this data long term.


Establishing these workflows will help the organization with tracking and with any future audits that might touch on these vulnerabilities. Additionally, once vulnerabilities are Risk Accepted, they are removed from the group Risk Meter score. To see what the Risk Meter score would be if you had not Risk Accepted those vulnerabilities, view the True Risk option on the reporting page for that Risk Meter. For more information about True Risk Score, refer to the information here.
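The following audit check is an added example, not part of the original article or of Cisco Vulnerability Management. It flags False Positive or Risk Accepted records whose approver, date, or justification field is empty or malformed. It assumes the records have been exported to CSV with hypothetical `id` and `status` columns, one column per custom field named above, and dates in ISO format; the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Custom field names from the article, keyed by the status they document.
REQUIRED = {
    "False Positive": ("False Positive Approver", "False Positive Date",
                       "False Positive Notes/Justification/Link"),
    "Risk Accepted": ("Risk Accepted Approver", "Risk Accepted Date",
                      "Risk Accepted Notes/Justification/Link"),
}

def audit(rows, today):
    """Return (vulnerability id, problem) pairs for records an auditor would question."""
    findings = []
    for row in rows:
        fields = REQUIRED.get(row["status"])
        if fields is None:
            continue  # Open and Closed need no approval record
        approver, when, notes = ((row.get(f) or "").strip() for f in fields)
        if not approver:
            findings.append((row["id"], "missing approver"))
        if not notes:
            findings.append((row["id"], "missing justification"))
        try:
            if date.fromisoformat(when) > today:
                findings.append((row["id"], "date in the future"))
        except ValueError:
            findings.append((row["id"], "missing or invalid date"))
    return findings

# Constructed sample export; the column layout and the id/status names are assumptions.
SAMPLE = """id,status,False Positive Approver,False Positive Date,False Positive Notes/Justification/Link,Risk Accepted Approver,Risk Accepted Date,Risk Accepted Notes/Justification/Link
101,Open,,,,,,
102,False Positive,a.lee,2024-03-02,Scanner matched banner only,,,
103,False Positive,,2024-03-05,,,,
104,Risk Accepted,,,,j.ortiz,03/10/2024,See Jira ticket
105,Risk Accepted,,,,j.ortiz,2024-03-11,
"""

def audit_sample():
    return audit(csv.DictReader(io.StringIO(SAMPLE)), today=date(2024, 6, 1))

if __name__ == "__main__":
    for vuln_id, problem in audit_sample():
        print(vuln_id, problem)
```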


For more information about creating a custom field, refer to the information here.
