Hywel, thanks for your response. Unfortunately PCI compliance is not an issue for us (at the moment). However, your response got me thinking and I have crafted the following as a starter.
As always I'd be interested in anyone's views, comments or suggestions.
All devices connected to the [organisation's] infrastructure will be liable for automatic vulnerability scanning by QualysGuard unless:
- It does not support the business objectives of [organisation]
- It increases the risk of service disruption
- It is not technically possible or viable
- It exposes [organisation] to unacceptable levels of residual risk
- It is prohibited by Contract, Legislation or Regulation
- It is not cost beneficial to do so
- There are adequate compensating controls
All such exceptions must be submitted in writing to, and approved by, the Information Security Steering Group.