Risk Assessment.

Periodic risk assessments, vulnerability scanning, and remediating what you find.

3.11.1 Assess Your Risks. Formal risk assessments at defined intervals — threats, vulnerabilities, likelihood, impact. 3 pts 3.11.2 Scan for Vulnerabilities. Regular vulnerability scans plus ad-hoc scans when new critical vulnerabilities are disclosed. 1 pts 3.11.3 Fix What You Find. Remediate vulnerabilities prioritized by risk — critical first, tracked to closure. 1 pts