7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
| Asset Type | Security Function | Implementation Groups |
|---|---|---|
| Applications | Identify | 2, 3 |
Dependencies
Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
Safeguard 2.1: Establish and Maintain a Software Inventory
Safeguard 4.1: Establish and Maintain a Secure Configuration Process
Inputs
- GV1: Enterprise asset inventory
- GV5: Authorized software inventory
- GV3: Configuration standard
Operations
1. Use the GV5 authorized software inventory to:
   1.1 Identify and enumerate vulnerability scanning software, GV25 (M1)
   1.2 Identify and enumerate authenticated vulnerability scanning software (M2)
2. Use the GV1 enterprise asset inventory to identify and enumerate all internal assets (M3)
3. Use the output of Operation 2 and Operation 1.1 to:
   3.1 Identify and enumerate internal assets covered by at least one vulnerability scanning software (M4)
   3.2 Identify and enumerate internal assets not covered by any vulnerability scanning software (M5)
4. Use the output of Operation 2 and Operation 1.2 to:
   4.1 Identify and enumerate internal assets covered by at least one authenticated vulnerability scanner (M6)
   4.2 Identify and enumerate internal assets not covered by any authenticated vulnerability scanner (M7)
5. Use the output of Operation 1.1 and the GV3 configuration standard to:
   5.1 Identify and enumerate vulnerability scanners properly configured to scan every 3 months or less (M8)
   5.2 Identify and enumerate vulnerability scanners not properly configured to scan every 3 months or less (M9)
6. Use the output of Operation 1.2 and the GV3 configuration standard to:
   6.1 Identify and enumerate authenticated vulnerability scanners properly configured to scan every 3 months or less (M10)
   6.2 Identify and enumerate authenticated vulnerability scanners not properly configured to scan every 3 months or less (M11)
Measures
M1 = Count of authorized vulnerability scanning software
M2 = Count of authorized authenticated vulnerability scanning software
M3 = Count of internal enterprise assets
M4 = Count of internal assets covered by a vulnerability scanner
M5 = Count of internal assets not covered by a vulnerability scanner
M6 = Count of internal assets covered by an authenticated vulnerability scanner
M7 = Count of internal assets not covered by an authenticated vulnerability scanner
M8 = Count of vulnerability scanners properly configured to run every 3 months or less
M9 = Count of vulnerability scanners not properly configured to run every 3 months or less
M10 = Count of authenticated vulnerability scanners properly configured to run every 3 months or less
M11 = Count of authenticated vulnerability scanners not properly configured to run every 3 months or less
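As an added worked example (not part of the CIS Measures and Metrics document), the following Python derives M1 through M11 and the Coverage of Vulnerability Scans metric (M4 / M3) from inventories. The inventories are constructed sample data, and the record layout is an assumption made for illustration: each GV5 entry carries a `scanner` flag, an `authenticated` flag, its configured `interval_days` from GV3, and the CIDR `targets` it is configured to scan; "every 3 months or less" is read as an interval of at most 90 days. An asset counts as covered when its address falls inside a scanner's configured target range, which is one reasonable way to establish coverage; an agent-based scanner would instead be matched on agent enrolment.

```python
"""Safeguard 7.5 worked example: measures M1..M11 and scan coverage.

All inventories below are constructed sample data, not real enterprise data.
The record layout (Asset/Software fields, CIDR targets, interval_days) is an
assumption for this example, not the CIS document's own schema.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_INTERVAL_DAYS = 90  # assumption: "every 3 months or less" == 90 days (GV3)


@dataclass(frozen=True)
class Asset:
    """One GV1 enterprise asset inventory record (assumed layout)."""
    hostname: str
    ip: str
    internal: bool = True


@dataclass(frozen=True)
class Software:
    """One GV5 authorized software record plus its GV3 scan configuration (assumed layout)."""
    name: str
    scanner: bool = False                # vulnerability scanning software?
    authenticated: bool = False          # performs credentialed scans?
    interval_days: Optional[int] = None  # configured scan frequency from GV3
    targets: tuple = ()                  # CIDR ranges the scanner is configured to scan


# Constructed sample inventories (not real data).
GV1_ENTERPRISE_ASSETS = [
    Asset("app01", "10.0.1.10"),
    Asset("db01", "10.0.1.20"),
    Asset("ws-042", "10.0.2.5"),
    Asset("lab-vm", "10.0.3.7"),
    Asset("edge-fw", "203.0.113.4", internal=False),  # external: out of scope for 7.5
]

GV5_AUTHORIZED_SOFTWARE = [
    Software("netscan-unauth", scanner=True, interval_days=30,
             targets=("10.0.1.0/24", "10.0.2.0/24")),
    Software("credscan", scanner=True, authenticated=True, interval_days=120,
             targets=("10.0.1.0/24",)),
    Software("web-server"),  # not a scanner; ignored by Operation 1
]


def scanning_software(gv5, authenticated=False):
    """Operation 1.1 (all scanners) or, with authenticated=True, Operation 1.2."""
    return [s for s in gv5 if s.scanner and (s.authenticated or not authenticated)]


def internal_assets(gv1):
    """Operation 2: every internal enterprise asset."""
    return [a for a in gv1 if a.internal]


def scanner_covers(scanner, asset):
    """True if the asset's address lies in any of the scanner's configured target ranges."""
    ip = ipaddress.ip_address(asset.ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in scanner.targets)


def split_by_coverage(assets, scanners):
    """Operations 3/4: (assets covered by at least one scanner, assets covered by none)."""
    covered = [a for a in assets if any(scanner_covers(s, a) for s in scanners)]
    uncovered = [a for a in assets if a not in covered]
    return covered, uncovered


def split_by_schedule(scanners, max_days=MAX_INTERVAL_DAYS):
    """Operations 5/6: (scanners whose interval meets GV3, scanners that do not)."""
    ok = [s for s in scanners if s.interval_days is not None and s.interval_days <= max_days]
    not_ok = [s for s in scanners if s not in ok]
    return ok, not_ok


def measures(gv1, gv5):
    """Compute M1..M11 as the Measures section defines them."""
    all_scanners = scanning_software(gv5)
    auth_scanners = scanning_software(gv5, authenticated=True)
    assets = internal_assets(gv1)
    m4, m5 = split_by_coverage(assets, all_scanners)
    m6, m7 = split_by_coverage(assets, auth_scanners)
    m8, m9 = split_by_schedule(all_scanners)
    m10, m11 = split_by_schedule(auth_scanners)
    return {
        "M1": len(all_scanners), "M2": len(auth_scanners), "M3": len(assets),
        "M4": len(m4), "M5": len(m5), "M6": len(m6), "M7": len(m7),
        "M8": len(m8), "M9": len(m9), "M10": len(m10), "M11": len(m11),
    }


def coverage_percent(m):
    """Coverage of Vulnerability Scans: M4 / M3 expressed as a percentage."""
    return 100.0 * m["M4"] / m["M3"] if m["M3"] else 0.0


def coverage_gaps(gv1, gv5):
    """Hostnames behind M5 (no scanner at all) and M7 (no authenticated scanner)."""
    assets = internal_assets(gv1)
    _, no_scan = split_by_coverage(assets, scanning_software(gv5))
    _, no_auth = split_by_coverage(assets, scanning_software(gv5, authenticated=True))
    return sorted(a.hostname for a in no_scan), sorted(a.hostname for a in no_auth)


if __name__ == "__main__":
    m = measures(GV1_ENTERPRISE_ASSETS, GV5_AUTHORIZED_SOFTWARE)
    for key, value in m.items():
        print(f"{key} = {value}")
    print(f"Coverage of vulnerability scans: {coverage_percent(m):.1f}%")
    print("Gaps (M5, M7):", coverage_gaps(GV1_ENTERPRISE_ASSETS, GV5_AUTHORIZED_SOFTWARE))
```

Two points the counts alone hide: an asset can be "covered" (M4) while the only scanner reaching it runs too rarely (M9), so M4 and M8 must be read together; and authenticated coverage (M6) is typically a strict subset of M4, which is why the sample credentialed scanner leaves `ws-042` in M7 even though the unauthenticated scanner reaches it.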
Metrics
| Coverage of Vulnerability Scans | |
|---|---|
| Metric | The percentage of internal assets covered by a vulnerability scanner |
| Calculation | M4 / M3 |