Hi,
I started using Nessus about a month ago. The security metric that I use is that the IT server staff must review/correct Nessus security findings that are rated "High" in the Severity column of the report and/or whose risk factor is "Serious" in the Description column. I know this security metric I am using may seem kind of simple-minded, but I have 400 servers on multiple platforms, and the CIO wants all of the findings rated as high or serious to be corrected first before addressing less risky findings.

Question: Should I be concerned about a finding that has a low severity rating but a high risk factor? Why isn't a finding that has a high risk factor rated with a high severity rating? I have seen lots of findings like this that have a low severity rating but a high risk factor. It just does not make sense to me. What is the logic behind Nessus doing this?

Tony
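A worked example added here by the editor, not from Tony's post and not Nessus's own code: it applies the triage rule from the post (severity "High" or risk factor "Serious") to an exported report and separately lists the findings where the numeric severity and the textual risk factor disagree, so those can be reviewed by hand instead of silently slipping past a filter on one column. It assumes the .nessus v2 XML layout, where each ReportItem carries a numeric severity attribute (0 = Info through 4 = Critical) and the risk factor is a child element; the hosts, plugin IDs and plugin names in the sample are made up, and "Serious", "High" and "Critical" are all treated as serious risk factors because older reports used the first wording and newer ones the other two.

```python
import xml.etree.ElementTree as ET

# Constructed sample report in the .nessus v2 XML layout (assumed format).
# Hosts, plugin IDs and plugin names are invented for this example.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="servers">
  <ReportHost name="10.0.0.5">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
               pluginID="90001" pluginName="Example: remote code execution" pluginFamily="Windows">
    <risk_factor>High</risk_factor>
   </ReportItem>
   <ReportItem port="23" svc_name="telnet" protocol="tcp" severity="1"
               pluginID="90002" pluginName="Example: cleartext admin service" pluginFamily="Service detection">
    <risk_factor>Serious</risk_factor>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
               pluginID="90003" pluginName="Example: directory listing" pluginFamily="Web Servers">
    <risk_factor>Medium</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="90004" pluginName="Example: OS fingerprint" pluginFamily="General">
    <risk_factor>None</risk_factor>
   </ReportItem>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3"
               pluginID="90005" pluginName="Example: old SSH banner" pluginFamily="Misc.">
    <risk_factor>Low</risk_factor>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

SEVERITY_LABEL = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
# Risk-factor wordings that count as "serious" under the CIO's rule.
# Older reports said "Serious"; current ones say "High" or "Critical".
HIGH_RISK = {"serious", "high", "critical"}
LOW_RISK = {"none", "low"}


def parse_report(xml_text):
    """Flatten a .nessus v2 document into one dict per finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            # risk_factor is a child element; fall back to "None" if absent.
            rf = item.findtext("risk_factor", default="None").strip()
            sev = int(item.get("severity", "0"))
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "severity": sev,
                "severity_label": SEVERITY_LABEL.get(sev, str(sev)),
                "risk_factor": rf,
            })
    return findings


def must_fix(finding):
    """The triage rule from the post: severity High or above, OR a serious risk factor."""
    return finding["severity"] >= 3 or finding["risk_factor"].lower() in HIGH_RISK


def mismatches(findings):
    """Findings whose numeric severity and textual risk factor strongly disagree."""
    out = []
    for f in findings:
        rf = f["risk_factor"].lower()
        if f["severity"] <= 1 and rf in HIGH_RISK:
            out.append(("low severity / high risk", f))
        elif f["severity"] >= 3 and rf in LOW_RISK:
            out.append(("high severity / low risk", f))
    return out


def triage(xml_text):
    """Return the fix-first plugin IDs and the disagreements that need a human look."""
    findings = parse_report(xml_text)
    return {
        "total": len(findings),
        "must_fix": [f["plugin_id"] for f in findings if must_fix(f)],
        "mismatched": [(why, f["plugin_id"]) for why, f in mismatches(findings)],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_NESSUS)
    print(f"{result['total']} findings, {len(result['must_fix'])} must be fixed first")
    for why, pid in result["mismatched"]:
        print(f"  review by hand: plugin {pid} ({why})")
```

Because the rule is an OR across the two columns, a finding like the constructed telnet item (severity Low, risk factor Serious) still lands on the fix-first list; the mismatch report exists so that nobody has to trust either column alone.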
