Saner CSRP uses CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree model to prioritize each risk into one of four possible decisions: Act, Attend, Track*, and Track.
Note: In the context of Cloud Security Risk Prioritization, the terms vulnerability and misconfiguration are considered equivalent and are used interchangeably.
Act
The misconfiguration requires attention from the organization’s internal, supervisory-level, and leadership-level individuals. Necessary actions include requesting assistance or information about the misconfiguration and publishing a notification internally and/or externally. Typically, internal groups would meet to determine the overall response and execute agreed-upon actions. The Cybersecurity & Infrastructure Security Agency recommends remediating Act misconfigurations as soon as possible.
Attend
The misconfiguration requires attention from the organization’s internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the misconfiguration and may involve publishing a notification internally and/or externally. The Cybersecurity & Infrastructure Security Agency recommends remediating Attend misconfigurations sooner than standard update timelines.
Track*
The misconfiguration contains specific characteristics that may require closer monitoring for changes. The Cybersecurity & Infrastructure Security Agency recommends remediating Track* misconfigurations within standard update timelines.
Track
The misconfiguration does not require action currently. The organization would continue tracking and reassessing the misconfiguration until new information becomes available. The Cybersecurity & Infrastructure Security Agency recommends remediating Track misconfigurations within standard update timelines.
