Saner CSRP uses CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) decision tree model to prioritize risks into one of four possible decisions: Act, Attend, Track*, and Track.
Note: In the context of Cloud Security Risk Prioritization, the terms vulnerability and misconfiguration are considered equivalent and are used interchangeably.
Act
The misconfiguration requires attention from the organization's internal, supervisory-level, and leadership-level individuals. Necessary actions include requesting assistance or information about the misconfiguration and publishing a notification internally, externally, or both. Typically, internal groups would meet to determine the overall response and execute the agreed-upon actions. The Cybersecurity & Infrastructure Security Agency (CISA) recommends remediating Act misconfigurations as soon as possible.
Attend
The misconfiguration requires attention from the organization's internal, supervisory-level individuals. Necessary actions include requesting assistance or information about the misconfiguration and may involve publishing a notification internally, externally, or both. CISA recommends remediating Attend misconfigurations sooner than standard update timelines.
Track*
The misconfiguration has specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* misconfigurations within standard update timelines.
Track
The misconfiguration does not currently require action. The organization continues tracking and reassessing the misconfiguration until new information becomes available. CISA recommends remediating Track misconfigurations within standard update timelines.
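The following is an added example, not Saner CSRP code, showing how the four SSVC decisions above can be produced and used to order a batch of cloud misconfiguration findings for remediation. The page itself does not describe the decision points that feed the tree; the four inputs (Exploitation, Automatable, Technical Impact, Mission & Well-being) and the leaf table below are taken from CISA's publicly published SSVC guide as the author of this example recalls it, so treat the table as an assumption and verify it against CISA's current guide before relying on it. The sample findings are constructed, not real scan output.

```python
"""SSVC-style prioritization of cloud misconfiguration findings (added example).

Decision points and leaf outcomes are an assumption encoded from CISA's
published SSVC tree; verify against the current CISA guide.
"""
from dataclasses import dataclass

# Vocabulary of each SSVC decision point (assumed from the CISA guide).
EXPLOITATION = ("none", "poc", "active")
AUTOMATABLE = ("no", "yes")
TECHNICAL_IMPACT = ("partial", "total")
MISSION_WELLBEING = ("low", "medium", "high")

# Remediation urgency, highest first, as the page describes the four decisions.
PRIORITY = ("Act", "Attend", "Track*", "Track")

# Leaf table keyed by (exploitation, automatable, technical_impact); each value
# lists the outcome for mission_wellbeing = (low, medium, high).
_TREE = {
    ("none",   "no",  "partial"): ("Track",  "Track",  "Track"),
    ("none",   "no",  "total"):   ("Track",  "Track",  "Track*"),
    ("none",   "yes", "partial"): ("Track",  "Track",  "Attend"),
    ("none",   "yes", "total"):   ("Track",  "Track",  "Attend"),
    ("poc",    "no",  "partial"): ("Track",  "Track",  "Track*"),
    ("poc",    "no",  "total"):   ("Track",  "Track*", "Attend"),
    ("poc",    "yes", "partial"): ("Track",  "Track",  "Attend"),
    ("poc",    "yes", "total"):   ("Track",  "Track*", "Attend"),
    ("active", "no",  "partial"): ("Track",  "Track",  "Attend"),
    ("active", "no",  "total"):   ("Track",  "Attend", "Act"),
    ("active", "yes", "partial"): ("Attend", "Attend", "Act"),
    ("active", "yes", "total"):   ("Attend", "Act",    "Act"),
}


@dataclass(frozen=True)
class Finding:
    """One cloud misconfiguration with its four SSVC decision-point values."""
    resource: str
    exploitation: str
    automatable: str
    technical_impact: str
    mission_wellbeing: str


def tree_is_complete() -> bool:
    """Every combination of the first three decision points must have an
    outcome for each mission/well-being level, and outcomes must be valid."""
    for e in EXPLOITATION:
        for a in AUTOMATABLE:
            for t in TECHNICAL_IMPACT:
                leaf = _TREE.get((e, a, t))
                if leaf is None or len(leaf) != len(MISSION_WELLBEING):
                    return False
                if any(outcome not in PRIORITY for outcome in leaf):
                    return False
    return True


def ssvc_decision(f: Finding) -> str:
    """Walk the tree for one finding. Unknown values raise instead of
    silently falling through to the lowest-urgency decision."""
    for value, vocab, name in (
        (f.exploitation, EXPLOITATION, "exploitation"),
        (f.automatable, AUTOMATABLE, "automatable"),
        (f.technical_impact, TECHNICAL_IMPACT, "technical_impact"),
        (f.mission_wellbeing, MISSION_WELLBEING, "mission_wellbeing"),
    ):
        if value not in vocab:
            raise ValueError(f"{name}={value!r} is not one of {vocab}")
    leaf = _TREE[(f.exploitation, f.automatable, f.technical_impact)]
    return leaf[MISSION_WELLBEING.index(f.mission_wellbeing)]


def prioritize(findings: list) -> list:
    """Order findings Act -> Attend -> Track* -> Track (stable within a decision)."""
    return sorted(findings, key=lambda f: PRIORITY.index(ssvc_decision(f)))


# Constructed sample findings (hypothetical resources, not real scan output).
SAMPLE = [
    Finding("sg/ssh-open-to-world", "poc", "yes", "partial", "medium"),
    Finding("s3://public-backups", "active", "yes", "total", "high"),
    Finding("iam/stale-access-key", "none", "no", "partial", "low"),
    Finding("kms/key-rotation-off", "none", "no", "total", "high"),
    Finding("rds/storage-unencrypted", "poc", "no", "total", "high"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{ssvc_decision(f):7} {f.resource}")
```

The ordering comes only from the decision, so two Track findings keep their original relative order; if a tool wants a finer ranking inside a decision, that is a separate tie-breaker and not part of SSVC itself.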
Follow the link to read more on how to navigate and explore the risk categories in Saner CSRP.