Identify the responsible personnel interviewed who confirm:
i. That processes are in place to identify new security vulnerabilities
ii. Whether a risk ranking is assigned to such vulnerabilities
If risk ranking is assigned to new vulnerabilities, briefly describe the observed process for assigning a risk ranking, including how critical, highest risk vulnerabilities are ranked as “High”*
(Note: The ranking of vulnerabilities is considered a best practice until June 30, 2012, after which it becomes a requirement.)