16.6: Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities

CSF v1.1 References:

Incorporates the following control from the previous version of the control set: 3.7: Utilize a Risk-Rating Process.

Control Statement

Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually.

[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]