7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
Asset Type |
Security Function |
Implementation Groups |
---|---|---|
Applications |
Identify |
2, 3 |
Dependencies
Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
Safeguard 2.1: Establish and Maintain a Software Inventory
Safeguard 4.1: Establish and Maintain a Secure Configuration Process
Inputs
GV1
: Enterprise asset inventoryGV25
: Vulnerability scanning softwareGV3
: Configuration standard
Operations
Use the
GV1
enterprise asset inventory to identify and enumerate all external assets (M2)- Use the output of Operation 1 and
GV25
to Identify and enumerate external assets covered by at least one vulnerability scanning software (M3)
Identify and enumerate external assets not covered by at least one vulnerability scanning software (M4)
- Use the output of Operation 1 and
- Use the
GV25
andGV3
Identify and enumerate vulnerability scanners properly configured to scan every 30 days or less (M5)
Identify and enumerate vulnerability scanners not properly configured to scan every 30 days or less (M6)
- Use the
Measures
M1 = Count of authorized
GV25
vulnerability scanning softwareM2 = Count of external enterprise assets
M3 = Count of external assets covered by a vulnerability scanner
M4 = Count of external assets not covered by a vulnerability scanner
M5 = Count of vulnerability scanners properly configured to run every 30 days or less
M6 = Count of vulnerability scanners not properly configured to run every 30 days or less
Metrics
Coverage of Vulnerability Scans
Metric |
The percentage of external assets covered by a vulnerability scanner
|
Calculation |
|