docs/content/triage_findings/findings_workflows/OS__risk_acceptance.md (19 additions & 19 deletions)
@@ -26,13 +26,13 @@ When a Finding is Risk Accepted, the following will occur:
26
26
- The Finding’s status will be changed to “Risk Accepted.”
27
27
- The Finding will no longer be counted toward Metrics, but will still appear within the Test it originated from.
28
28
29
-
Findings can be Risk Accepted in one of two ways: They can either be manually added to a **Linked Risk Acceptance**, or by using the **Simple Risk Acceptance** workflow.
29
+
Findings can be Risk Accepted in one of two ways: They can either be manually added to a **Full Risk Acceptance**, or by using the **Simple Risk Acceptance** workflow.
30
30
31
-
### Linked Risk Acceptances
31
+
### Full Risk Acceptances
32
32
33
-
A Linked Risk Acceptance allows Users to accept the risk of multiple Findings within an Engagement and bundle them into a single unit. If organizational policy requires formal, documented risk acceptances, or Users wish to trigger certain actions once a Risk Acceptance expires, Linked Risk Acceptances are the best choice, as they capture the internal decision-making process and can serve as a source of truth.
33
+
A Full Risk Acceptance allows Users to accept the risk of multiple Findings within an Engagement and bundle them into a single unit. If organizational policy requires formal, documented risk acceptances, or Users wish to trigger certain actions once a Risk Acceptance expires, Full Risk Acceptances are the best choice, as they capture the internal decision-making process and can serve as a source of truth.
34
34
35
-
Each Linked Risk Acceptance adds additional context, such as:
35
+
Each Full Risk Acceptance adds additional context, such as:
36
36
- The name of the Risk Acceptance.
37
37
- The owner of the Risk Acceptance.
38
38
- The security recommendation and decision regarding how to handle the Finding(s).
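Review bot: renaming the heading "### Linked Risk Acceptances" to "### Full Risk Acceptances" changes the generated anchor for this section, so any in-site links or external bookmarks pointing at the old `#linked-risk-acceptances` anchor will silently break. Before merging, grep the docs tree for "Linked Risk Acceptance" and the old anchor slug, and either update every cross-reference in the same change or keep a short "previously called a Linked Risk Acceptance" note under the new heading so readers searching for the old term still land here. Also confirm the new term matches the label actually shown in the product UI, since this page walks users through clicking on it.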
@@ -43,37 +43,37 @@ Each Linked Risk Acceptance adds additional context, such as:
43
43
- Whether the Finding’s status will return to “Active” upon expiration.
44
44
- Whether the SLA will restart upon expiration.
45
45
46
-
Expiration is unique to Linked Risk Acceptances, and allows any Findings that have been Risk Accepted to be re-examined at an appropriate time. Once a Linked Risk Acceptance expires, any Findings will be set to Active again. If you don’t specify a date, the Default Risk Acceptance / Default Risk Acceptance Expiration date will be used from the System Settings page.
46
+
Expiration is unique to Full Risk Acceptances, and allows any Findings that have been Risk Accepted to be re-examined at an appropriate time. Once a Full Risk Acceptance expires, any Findings will be set to Active again. If you don’t specify a date, the Default Risk Acceptance / Default Risk Acceptance Expiration date will be used from the System Settings page.
47
47
48
-
Importantly, as Linked Risk Acceptances are restricted to individual Engagements, there is no single section in which to view all Linked Risk Acceptances. They can only be viewed within the respective Engagement that includes the Findings that the Linked Risk Acceptance contains.
48
+
Importantly, as Full Risk Acceptances are restricted to individual Engagements, there is no single section in which to view all Full Risk Acceptances. They can only be viewed within the respective Engagement that includes the Findings that the Full Risk Acceptance contains.
49
49
50
-
#### How to Create a Linked Risk Acceptance
50
+
#### How to Create a Full Risk Acceptance
51
51
52
-
In order to create a Linked Risk Acceptance, navigate to the Engagement view and click the **+** symbol in the Risk Acceptance box.
52
+
In order to create a Full Risk Acceptance, navigate to the Engagement view and click the **+** symbol in the Risk Acceptance box.
53
53
54
54

55
55
56
-
From there, fill out the details of the Linked Risk Acceptance and select the Findings to be included. **Accepted Findings** contains a dropdown list of all available Findings to be added to the Risk Acceptance. The list of Findings within the Engagement will appear in descending order of severity (Critical Findings at the top, Low Findings at the bottom). If a Finding has been previously Risk Accepted, it will not appear in the dropdown list.
56
+
From there, fill out the details of the Full Risk Acceptance and select the Findings to be included. **Accepted Findings** contains a dropdown list of all available Findings to be added to the Risk Acceptance. The list of Findings within the Engagement will appear in descending order of severity (Critical Findings at the top, Low Findings at the bottom). If a Finding has been previously Risk Accepted, it will not appear in the dropdown list.
57
57
58
-
Once completed, the Linked Risk Acceptance will appear within the Risk Acceptance box in the Engagement view.
58
+
Once completed, the Full Risk Acceptance will appear within the Risk Acceptance box in the Engagement view.
59
59
60
60
A Risk Acceptance can also be created by clicking the **Add Risk Acceptance** button from within an individual Finding's ⋮ kebab menu.
61
61
62
62

63
63
64
-
#### Interacting with Linked Risk Acceptances
64
+
#### Interacting with Full Risk Acceptances
65
65
66
-
Once a Linked Risk Acceptance has been created, it can be opened to view the Findings that were added to it as well as any details that were input when it was created (e.g., the date, owner, decision, expiration, etc.).
66
+
Once a Full Risk Acceptance has been created, it can be opened to view the Findings that were added to it as well as any details that were input when it was created (e.g., the date, owner, decision, expiration, etc.).
67
67
68
-
To remove a Finding from a Linked Risk Acceptance, click the **Remove** button within the Findings Accepted table.
68
+
To remove a Finding from a Full Risk Acceptance, click the **Remove** button within the Findings Accepted table.
69
69
70
70

71
71
72
-
The Linked Risk Acceptance's view also includes a table at the bottom for all other Findings from Tests within that Engagement. From there, you may select additional Findings and add them to that Linked Risk Acceptance.
72
+
The Full Risk Acceptance's view also includes a table at the bottom for all other Findings from Tests within that Engagement. From there, you may select additional Findings and add them to that Full Risk Acceptance.
73
73
74
-
Additionally, there is a Notes function that allows Users to include additional context to the Linked Risk Acceptance. All public notes will appear in any Reports that are generated for the Linked Risk Acceptance, whereas notes that are toggled as **Private** will not appear in reports.
74
+
Additionally, there is a Notes function that allows Users to include additional context to the Full Risk Acceptance. All public notes will appear in any Reports that are generated for the Full Risk Acceptance, whereas notes that are toggled as **Private** will not appear in reports.
75
75
76
-
Importantly, if a Linked Risk Acceptance is deleted entirely, the Findings within will have their status automatically reverted to “Active.”
76
+
Importantly, if a Full Risk Acceptance is deleted entirely, the Findings within will have their status automatically reverted to “Active.”
77
77
78
78
### Simple Risk Acceptances
79
79
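Review bot: the reworded expiration sentence ("Once a Full Risk Acceptance expires, any Findings will be set to Active again") states reactivation as unconditional, but the list a few lines above offers "Whether the Finding's status will return to 'Active' upon expiration" and "Whether the SLA will restart upon expiration" as per-acceptance options, so the two passages contradict each other. While this line is being touched, suggest qualifying it, e.g. "any Findings will be set to Active again if that option was selected when the Risk Acceptance was created", and clarifying the fallback "the Default Risk Acceptance / Default Risk Acceptance Expiration date will be used from the System Settings page" by naming the single setting that applies rather than offering two slash-separated candidates.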
@@ -92,10 +92,10 @@ A Simple Risk Acceptance can be performed in either one of two ways:
92
92
93
93
Once a Finding has been Simple Risk Accepted, it will still appear in the Test's Findings table, but the status will be changed to **Inactive, Risk Accepted.** A complete list of individual risk-accepted Findings is viewable in the **Risk Accepted Findings** submenu of the **Findings** section in the sidebar.
94
94
95
-
If you Simple Risk Accept a Finding and later wish to add it to a Linked Risk Acceptance, the Risk must be unaccepted prior to adding it to a Linked Risk Acceptance.
95
+
If you Simple Risk Accept a Finding and later wish to add it to a Full Risk Acceptance, the Risk must be unaccepted prior to adding it to a Full Risk Acceptance.
96
96
97
97
### Risk Acceptance Best Practices
98
98
99
-
As a standard practice, it is generally preferable to use either Linked Risk Acceptances or Simple Risk Acceptances exclusively, rather than leveraging both.
99
+
As a standard practice, it is generally preferable to use either Full Risk Acceptances or Simple Risk Acceptances exclusively, rather than leveraging both.
100
100
101
-
For example, if Linked Risk Acceptances are the default approach, if a Finding is Simple Risk Accepted, it may cause confusion if there is no associated Linked Risk Acceptance that contains the affected Finding. Similarly, if Findings are typically Simple Risk Accepted, it may also create confusion to then add some Findings to a Linked Risk Acceptance when there are no such objects for most other Findings.
101
+
For example, if Full Risk Acceptances are the default approach, if a Finding is Simple Risk Accepted, it may cause confusion if there is no associated Full Risk Acceptance that contains the affected Finding. Similarly, if Findings are typically Simple Risk Accepted, it may also create confusion to then add some Findings to a Full Risk Acceptance when there are no such objects for most other Findings.