16.6: Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
CSF v1.1 References:
Incorporates the following control from the previous version: 3.7: Utilize a Risk-Rating Process.
Control Statement
Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]