Mechanisms exist to identify newly discovered security vulnerabilities and assign each a risk ranking based on industry-recognized practices.
Does the organization identify newly discovered security vulnerabilities and assign each a risk ranking based on industry-recognized practices?