I need to facilitate a process where our scan results are sent to the relevant support teams, and we expect feedback about whether the vulnerabilities will be addressed, or justification as to why they should not be mitigated (such as compliance with legacy systems or other measures which reduce the risk to an acceptable level). If we agree with their recommendations, then we either need to filter that out in the future, or at least mark them as exceptions.
CSV is probably the most useful format in that you can easily manipulate the data. However, if we allow the support teams to comment on individual entries, what happens with the next report? Merging the data from the previous result and taking into account new, re-opened and fixed vulnerabilities gets quite complicated and potentially cumbersome.
I also looked at the Remediation facility, which would allow us to comment on tickets, but the functionality appears limited and does not have the flexibility for reporting like the vulnerability data.
It is important that this process is quick to import new data and easy to use, and ideally does not require the use of other risk management products which I am unlikely to be able to get the support teams to use. Excel is acceptable!
Can anyone out there relate to my challenge and let me know how they handled it?
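One way to handle the merge problem described above, as an added example that is not part of the original post: keep last cycle's annotated CSV as the tracker, reconcile it with the new scanner export on (host, finding id), carry the support teams' comments and accepted exceptions forward, and flag new, reopened and fixed findings automatically. The column names, status values and sample rows are constructed for illustration and are not any particular scanner's export format.

```python
import csv
import io

# Constructed sample data (not from the original post): last cycle's tracker, already
# annotated by the support team, and this cycle's raw scanner export.
PREVIOUS_TRACKER = """host,finding_id,title,status,comment
10.0.0.5,38628,SSL/TLS weak cipher,exception,Legacy appliance; mitigated by network ACL
10.0.0.5,11827,HTTP TRACE enabled,open,
10.0.0.7,86002,Outdated OpenSSH,fixed,Patched in March window
10.0.0.9,11827,HTTP TRACE enabled,open,
"""
LATEST_SCAN = """host,finding_id,title
10.0.0.5,38628,SSL/TLS weak cipher
10.0.0.5,11827,HTTP TRACE enabled
10.0.0.7,86002,Outdated OpenSSH
10.0.0.7,90007,Directory listing enabled
"""

def merge_reports(previous_csv, current_csv):
    """Reconcile last cycle's annotated tracker with a fresh scan export, keyed on
    (host, finding_id): absent before -> new; fixed before but seen again -> reopened;
    exception before -> exception (comment carried forward); open before -> open;
    tracked before but not seen now -> fixed."""
    prev = {(r["host"], r["finding_id"]): r for r in csv.DictReader(io.StringIO(previous_csv))}
    seen, merged = set(), []
    for r in csv.DictReader(io.StringIO(current_csv)):
        key = (r["host"], r["finding_id"])
        seen.add(key)
        old = prev.get(key)
        if old is None:
            status, comment = "new", ""
        elif old["status"] == "fixed":
            status, comment = "reopened", old["comment"]  # keep the history of the earlier fix
        elif old["status"] == "exception":
            status, comment = "exception", old["comment"]  # accepted risk, carried forward
        else:
            status, comment = "open", old["comment"]
        merged.append({**r, "status": status, "comment": comment})
    # Findings the scanner no longer reports count as remediated; rows already marked
    # fixed are retained so that a later reappearance is flagged as reopened.
    merged += [{**old, "status": "fixed"} for key, old in prev.items() if key not in seen]
    return merged

def action_list(rows):
    """What the support teams still have to answer for: accepted exceptions are filtered out."""
    return [r for r in rows if r["status"] in ("new", "open", "reopened")]
```

The merged rows can be written back out with `csv.DictWriter` as next cycle's tracker, so the team only ever annotates one file and exceptions need justifying once.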