We are trying to wordsmith a document that sets out in simple terms what we do and don't scan. I confess I thought this would be relatively easy but this has not been the case!
As you have deduced from the above, we do not scan everything on our network, and it's actually more for this reason that I need to flush out some sort of list. I'm hoping that once I have the list of what we don't scan, I can then clarify the reasons why we don't.
I was wondering if anybody out there in the community has tried to do something similar or even succeeded, and would be willing to share their policy in some form or provide hints as to its structure and the level of detail that it goes to.
Maybe we could even try collaboratively developing a template!
Thanks in advance
Hywel, thanks for your response. Unfortunately PCI compliance is not an issue for us (at the moment). However, your response got me thinking and I have crafted the following as a starter.
As always, I'd be interested in anyone's views, comments or suggestions.
All devices connected to the [organisation's] infrastructure will be liable for automatic vulnerability scanning by QualysGuard unless:
All such exceptions must be submitted in writing to, and approved by, the Information Security Steering Group.