Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

20) How many internal automated vulnerability scans does your organisation conduct each year?

September 11, 2024
Network and Cloud Security
Internal Vulnerability Scans

Please state the number of automated scans completed every year.

What is the control?

As mentioned in the previous article, it’s important to regularly scan your internal systems in order to catch any vulnerabilities.

However, finding the vulnerabilities isn’t enough; they also have to be found in time, which is to say before they can be exploited. It’s therefore equally important to have a high-frequency of scanning.

Why should I have it?

Traditionally, internal vulnerability scans were often performed on an annual, quarterly, or monthly basis.

However, vulnerabilities tend to be disclosed and exploited on a far tighter timescale. As a result, best practices have evolved in recent years to recommend much more frequent scanning.

While generally being considered at lower risk than public-facing systems, internal systems should not be neglected as they could be easy targets for insider threats or anyone that has pierced or bypassed your outer defences.

How to implement the control

Fortunately, vulnerability scanning is simple to implement and maintain with much of the scanning work and notifications in case of findings easy to automate.

Once you’ve decided on a scanning frequency, make sure to define it in your policies and schedule any work needed to maintain your process accordingly.

Do however ensure that the checks performed include all publicly known vulnerabilities and are updated with checks for new vulnerabilities as soon as they appear.

There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.