Methodology for handling vulnerabilities really come down to:
1) Identify the vulnerability exists (Cisco official announcements, vulnerability scanner reports, 3rd party release)
2) Can the vulnerability be exploited (maybe this vulnerability requires conditions to occur in order to be exploited that will never occur in your environment)
3) What level of risk does this vulnerability pose (if this vulnerability is exploited, what level of harm could that cause to the organization.This might prioritize which vulnerability gets fixed first)
4) Can the vulnerability be resolved (patch, upgrade, turn off vulnerable service, remove attack vector or specific conditions that must occur to be exploited, replace equipment)
If you are getting a report of a vulnerability, you've satisfied #1. Often times I don't see false positives but rather the vulnerability isn't applicable to my environment. For example, let's say there's an FTP vulnerability but my network policy states no FTP is allowed. So long as I ensure that FTP is not configured or turned on and I set technical controls in place to prevent TCP 20 & 21 from reaching the vulnerable device then that vulnerability can be marked off the list because it cannot be exploited.
If you are told that there are vulnerabilities within some Cisco equipment surrounding a particular service or technology, I would first find out if you're even using that service (see my FTP example above). If you are, find out the details of the vulnerability and if there are any special conditions that have to exist to exploit the vulnerability. In many cases, simply upgrading the device to the latest recommended code version will fix a lot of vulnerabilities. If this vulnerability exists in a service you are using that can be exploited at any time and there is not a patch or mitigation technique that you can use, it's up to management to decide whether to accept the risk or find another solution which might mean purchasing new equipment or redesigning how things are done.
Hope this helped
