1. Overview
This standard supports the Vulnerability Management Policy by defining the mandatory technical requirements for conducting vulnerability scans. The objective is to ensure consistent, comprehensive, and timely identification of vulnerabilities across the organization’s assets.
2. Scope
This standard applies to all vulnerability scanning activities performed on company-owned or managed assets, including servers, workstations, network devices, applications, and cloud infrastructure.
3. Standard Requirements
3.1. Scanning Scope and Frequency
- Asset Inventory: All scanning activities must be based on the official asset inventory to ensure complete coverage.
- External Scans: All internet-facing assets must be subject to external vulnerability scans at least once per month.
- Internal Scans: All assets on the internal corporate network must be subject to internal vulnerability scans at least once per quarter.
- Web Application Scans: All web applications must be subject to dynamic application security testing (DAST) scans at least once per quarter.
- Container Scans: All container images must be scanned for vulnerabilities before being deployed to production and must be re-scanned at least weekly thereafter.
3.2. Scan Configuration
- Authenticated Scans: Authenticated (credentialed) scans must be used wherever technically feasible to provide the most accurate and in-depth vulnerability detection.
- Tooling: All vulnerability scanning must be performed using the vulnerability management platform approved and managed by the Security Engineering team. Unauthorized scanning is prohibited.
- Scan Profiles: Scan profiles must be configured to be comprehensive, covering all relevant vulnerability checks for the target asset type.
3.3. Reporting and Integration
- Centralized Reporting: All scan results must be automatically ingested into the central vulnerability management platform.
- Remediation Assignment: The platform will be used to assign remediation tickets to the appropriate asset owners, each ticket stating the risk rating and the remediation deadline.
4. Enforcement
The Security Engineering team is responsible for enforcing this standard by managing the scanning platform and monitoring for compliance. Systems that are not configured to allow authenticated scanning may be flagged as non-compliant. Any attempt to block or interfere with authorized vulnerability scans will be investigated as a potential security incident.