Please do not use this form if you are looking to extend the expiration of a previously accepted risk. You can submit a request for an extension by replying to the risk acceptance review email associated with the original request.

 
Requester (Network or Security Contact)
Requester Name
Please enter 4 letter department code
System Owner - Must be a NOC registered Network Contact
System Information
Please select an option. Multiple values must be comma separated, no spaces.
Please provide additional information about the purpose or use of this system.
Please choose the appropriate IS-3 Protection Level classification of this system.
Please choose the appropriate IS-3 Availability Level classification of this system.
Risk Acceptance Information
Please provide the numeric plugin ID(s) for all vulnerabilities you would like to whitelist for this host, separated by commas (no spaces). This ID is available in the email output generated by the vulnerability scanner. When providing multiple plugin IDs, all IDs must be associated with the same service.
False Positive - A specific plugin/test against a specific host may be whitelisted if the test results in a false-positive AND the test is generally accurate. If the test produces multiple false-positives, the test should be disabled.
Risk Mitigated - A specific plugin/test against a host or network may be whitelisted if the risk is mitigated in a manner that is documented and accepted by the hosting department or CISO as defined by policy (IS-3).
Risk Accepted - The department chooses to accept the risk. This option should be rarely used.
All risk management decisions on critical and high vulnerabilities will go through an approval process with the campus CISO.

Provide more information about why you believe it is a false positive, how you have mitigated the risk, or why you cannot mitigate the risk.
Persistent Risk Acceptance for this Vulnerability?
The nature of the vulnerability will qualify it for a persistent annual extension.
A risk acceptance entry will be valid no longer than 12 months (default is 1 month), after which point it will expire and be reviewed. The requester will be notified via email at 1 month and at 2 weeks before the expiration date, to begin the review process. The requester can submit a request for an extension by replying to the risk acceptance review email.