Security finding disposition meeting
batch the queue, decide each finding, and stamp an audit-defensible decision record

The intake cohort produced by the workspace findings query: open and reopened findings created since the last meeting with critical or high CVSS 3.1 severity and an asset criticality multiplier that warrants meeting attention. The chair reads the cohort first because the disposition decision shapes the rest of the cycle.

The acceptance-pending queue: open findings whose named owner has not acknowledged within the workspace policy window. The meeting forces a routing decision (escalate to alternate owner, reassign to a different team, mark as undeliverable pending asset-ownership-mapping refresh) so findings do not silently age on a queue waiting for an absent owner.

The SLA-breach-imminent queue: in_progress findings whose target remediation date falls within the next operating cycle. The meeting confirms the date holds, accepts a documented date shift with rationale, or escalates to the named accountable owner so the breach is decided rather than discovered.

The retest-pending queue: resolved findings awaiting the verification scan or manual retest. The meeting confirms the retest is scheduled, accepts a documented delay with rationale, or moves the finding back to in_progress if the retest evidence will not arrive in the operating cycle. Resolved without verified is an open claim and the meeting refuses to let the claim age silently.

The exception-expiring queue: active overrides (accepted risk, compensating control, deferral, severity downgrade, false positive) whose expiry or review date falls within the operating cycle. The meeting decides renewal with refreshed rationale, revocation back to the open state, or conversion into a closed-with-control disposition. The exception lifecycle never silently lapses.

The reopened queue: findings that returned from verified or closed state because a regression, a refactor, a base-image update, or a third-party assessment caught recurrence. The meeting reads the regression source, restores severity to the original unless a documented downgrade applies, and routes the new remediation cycle to a named owner.

The aged-state queue: findings whose time-in-state exceeds the workspace threshold (a stale open, a hung in_progress, an unverified resolved). The meeting decides whether the disposition is a routing failure, a remediation bottleneck, a deferral the team is avoiding writing down, or a finding that should move to false positive on documented reproduction failure.

A triage channel surfaces a critical finding, three people debate the severity, the AppSec lead writes "lets defer" with a thumbs-up emoji, and the chat message becomes the disposition. Six weeks later the auditor asks for the deferral rationale, the named approver, and the expiry; the team reconstructs from chat history that no longer threads. The fix is the disposition meeting writing every decision onto the workspace finding record at the moment of the call so the activity log carries the named approver, the rationale, the expiry, and the chair as the audit-defensible record.

Each meeting opens with whoever shouts loudest about a finding from the last seven days; the older findings drift to the bottom; the queue length climbs every week. The fix is a published agenda the recorder pulls from the workspace findings record before the meeting: newest highest-severity intake cohort, stale acceptance-pending cohort, SLA-breach-imminent cohort, retest-pending cohort, exception-expiring cohort, reopened cohort. The agenda is a workspace query, not a freeform list.

A high-severity finding inconveniences the sprint, the AppSec lead and the engineering lead agree on the spot to call it medium, the spreadsheet cell flips colour, the SLA clock no longer breaches, and leadership reads a quieter dashboard. The fix is the finding overrides discipline: any severity change at the meeting captures the original CVSS vector and base score, the new CVSS vector and base score, the named calibration approver under workspace RBAC, the documented rationale, and the activity log stamp so the override is auditable rather than silent.

The meeting accepts risk on a finding "for now", the disposition gets recorded with no expiry and no review cadence, and three years later the exception register reads as a permanent shelter for hundreds of unresolved issues. The fix is the workspace exception lifecycle: every accepted-risk and deferral disposition records a named expiry date, a named review cadence, a named approver who can renew, and an explicit closed-loop renewal record refreshing the rationale at expiry. Accepted risk is a state with a clock, not a one-time write.

A finding lands on the meeting, the chair says "engineering will take this", and the disposition stamps in_progress with no named individual and a vague "soon" target. Three weeks later the finding still sits on open queues because no engineer believed it was theirs. The fix is the named-owner field on every in_progress disposition the meeting accepts, the realistic target date, and the engineering RBAC binding so the activity log records who is on the hook and the routing workflow can escalate when the date slips.

The meeting marks a scanner finding false positive, the chair calls the next item, and the next scan cycle produces the same finding because the workspace-wide suppression never updated. The next meeting handles it again, the cycle repeats, and the queue carries scanner noise the team already disposed of. The fix is the false-positive disposition writing both the per-finding dismissal and the workspace suppression update so the intake exception register filters the pattern before it lands as a fresh open ticket.

The team typed a meeting note, attached it to a shared drive, and never linked it to the underlying findings. The next audit asks for the disposition history per finding; the answer is "let me search the drive". The fix is the disposition recorded on each finding record itself with the activity log carrying the chronology and the meeting reference, so the audit reads the disposition history by querying the finding rather than searching documents.

The recorded disposition for the finding at the meeting: accept work and route to a named owner, defer with rationale and expiry, accept risk with rationale and expiry, mark false positive with reproduction failure mode, request retest, downgrade severity with named override approver and original vector, request additional information from the asset owner. The disposition is one of a documented set rather than a freeform note so the workspace can query disposition outcomes across the operating cycle.

The chair who called the decision and the recorder who stamped it on the finding record, each captured under the workspace RBAC so a later role change does not erase the historical attribution. The activity log row pairs the disposition with the named actors so the audit reads who decided and who recorded the decision.

The evidence the disposition rests on: the scan ID that surfaced the finding, the template binding (the platform ships 300+ remediation templates), the asset binding from the asset criticality scoring discipline, the prior closure history if reopened, the CVSS 3.1 vector and base score at decision time, the EPSS and KEV signals at decision time, and the original intake provenance. The decision record cites the evidence rather than restating it.

For accept-work dispositions, the target remediation date and the named owner expected to drive the fix. For deferral and accepted-risk dispositions, the named expiry date and the documented review cadence that brings the exception back to a future meeting. The clock is on the record so neither work nor exception can silently age past the operating policy.

For severity overrides, the original CVSS vector and base score, the new CVSS vector and base score, and the named calibration approver. For accepted risk and compensating control dispositions, the documented rationale and the compliance framework citation grid the GRC partner read against (ISO 27001 Annex A 8.8 and 5.7, SOC 2 CC7.1 and CC8.1, PCI DSS 6.3.1 and 11.3, NIST 800-53 RA-5 and SI-2, NIST CSF 2.0 ID.RA and DE.CM, NIS2 Article 21, DORA Article 8 and 13, CIS Controls v8.1 control 7) so the audit read of the disposition is supported by the same record the meeting produced.

The disposition record carries the meeting identifier so the next audit query can return every disposition stamped in a given cycle from a single index. The activity log stamps the chair, the recorder, the disposition, the prior state, the new state, the timestamp, and the meeting reference so the chronology reads continuous rather than spliced from minutes documents.