Critical & High Vulnerability Risk Acceptance Request Form

Requester (Network or Security Contact)
Requester Name
Please enter 4 letter department code

System Owner

System Information
A human-readable "friendly" name for the system
Risk Acceptance Information
Is this a renewal of a previous request?
A risk acceptance entry will be valid for no longer than 12 months, after which point it will expire and be reviewed. The requester will be notified via email one month and two weeks before the expiration date to begin the review process.

Please provide the numeric plugin ID(s) for all vulnerabilities you would like to whitelist for this host, separated by a space. This ID is available in the email output generated by the vulnerability scanner. When providing multiple plugin IDs, all IDs must be associated with the same service.
False Positive - A specific plugin/test against a specific host may be whitelisted if the test results in a false-positive AND the test is generally accurate. If the test produces multiple false-positives, the test should be disabled.
Risk Mitigated - A specific plugin/test against a host or network may be whitelisted if the risk is mitigated in a manner that is documented and accepted by the hosting department or CISO as defined by policy (IS-3).
Risk Accepted - The department chooses to accept the risk. This option should rarely be used.
All risk management decisions on critical and high vulnerabilities will go through an approval process with the campus CISO.
 

Provide more information about why you believe it is a false positive, how you have mitigated the risk, or why you cannot mitigate the risk.