Prioritized Risks and Response Matrix
Notes on the Risk Response Strategy Cell:
The possible options are:
1. Remediate,
2. Accept and Mitigate, or
3. Transfer
Remember, to remediate is to fix the issue. To mitigate is part of accepting the risk and includes implementing compensating controls, because you are not going to fix the issue. To transfer means to transfer the risk to an outside agency such as an insurance company.
You only need to list a factor along with the risk response for responses other than remediate. The factor should be the one that was most in play in why you were not able to remediate. For example, cost would be the factor if the cost to remediate outweighed the potential damage. Resources could be the factor if you did not have enough employees to implement the remediation. Capability could be the factor if the risk was with vendor software and the vendor had not yet developed a patch.
Your entries in this cell should look like this:
Remediate
Accept/Cost
Transfer/Resource
These are just some examples; you'll need to determine your actual entries for yourself.