I have a question regarding scheduling a vulnerability scanning and assessment exercise.
I'm in the process of laying out a schedule for vulnerability scans. I'm wondering when and why to initiate the scan in the first place: what conditions should necessitate the requirement?
Should this exercise be initiated whenever there is a change in a system / application design or configuration?
If I go with this approach, I'm compelled to question the correctness of the change. Was this change approved, did it follow guidelines, or was it the best way of implementing / introducing the change?
As the risk resulting from not following change management protocol / procedures is not the direct responsibility of vulnerability scanners, should this risk not be handled by the change control system and other means (audits etc.)?
Why would I waste time assessing the risk / testing for a vulnerability when I know that, if a proper change management process was followed, I wouldn't need to scan?
So should a vulnerability scan exercise be driven by change or demand?