Industry standards advise organizations to scan their internal and external systems at least quarterly; ideally, assessments are performed monthly. Compliance requirements dictate how often assessments must be performed. For instance, below are a few examples of how often scans must be performed to meet compliance:
- Payment Card Industry (PCI DSS) - Quarterly
- Health Insurance Portability and Accountability Act (HIPAA) - Scanning is not explicitly required, but a detailed risk assessment process must be established.
- Cybersecurity Maturity Model Certification (CMMC) - Weekly to quarterly, based on auditor requirements
- National Institute of Standards and Technology (NIST) - Quarterly to monthly depending on governing framework
Additionally, the more frequently scanning is performed, the better your chances of identifying weaknesses sooner. An assessment should also be performed any time changes are made to the network. This ensures that no new vulnerability was introduced during the change process and provides an up-to-date analysis.
We hope you found this helpful. Please contact us if you have additional questions.