Like any other security policy, a policy on ongoing vulnerability scanning needs to be practical, enforceable and enforced. Keep in mind that vulnerability scans are merely snapshot-in-time views of your current vulnerabilities. Information systems are dynamic, and new vulnerabilities and flaws are discovered practically every day. Given this, make sure that vulnerability scanning is performed on an ongoing basis -- weekly, monthly, quarterly, bi-yearly, etc. depending on your number of users and the complexity of your information systems infrastructure.
A good place to start regarding a policy such as this would be the following SANS sample policies:
Also, section two on security policies in the RFC2196 Site Security Handbook provides some excellent guidelines. See the following URL for more info: http://www.ietf.org/rfc/rfc2196.txt?Number=2196
For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Network assessment
Best Web Links: Risk analysis
This was first published in February 2003