I am wondering what others do in regards to setting up their enterprise scheduled vulnerability scan policies. For example, do you prefer to create a single scan policy and scan all networks regardless of the hosts' platforms (Windows, Linux, SQL Server, Oracle, Apache, IIS, etc.), or do you end up creating multiple scan policies with just the checks enabled for that OS, database, web server, etc.? The latter seems like it would be a better choice for performance and for customizing the settings for the target platform; however, I think it would be difficult to ensure scan coverage and to maintain the policies as hosts are added, changed, or removed. It also adds a step at the end of merging the scan results back together from multiple policies for reporting.
I am using Nessus and currently I have a single policy that is configured to scan multiple /24s with most plugins enabled and credentials for the Windows and Linux hosts to perform authenticated scans. These scans are configured to run monthly, and I generally create one-off scan policies for ad-hoc requests. This works okay, but I am wondering what tips & opinions others may have.
Thanks!
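The two costs the post attributes to per-platform policies are the merge step for reporting and the risk of hosts slipping through the coverage of every policy. Both are mechanical once the per-policy `.nessus` exports are in hand. The script below is an added example, not code from the original post or from Tenable: it merges several Nessus v2 exports into one report (one `ReportHost` per address, a finding identified by pluginID, port and protocol kept once even when two policies both reported it) and lists the addresses in the scheduled target ranges that no policy produced a `ReportHost` for. The two exports and the plugin IDs and names inside them are constructed sample data; the `/29` target is a stand-in for the post's `/24`s.

```python
"""Merge per-policy Nessus v2 exports and report coverage gaps.

Added example, not from the original post. Assumes the standard .nessus v2
layout (NessusClientData_v2 > Report > ReportHost > ReportItem) and that a
ReportHost's 'name' attribute carries the scanned IP address.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# (pluginID, port, protocol) identifies one finding on one host.
Finding = Tuple[str, str, str]

# Constructed sample exports (plugin IDs 9000xx and names are made up).
# Both policies reached 10.0.1.10 and both reported finding 900002 on it;
# 10.0.1.13 was in the target range but appears in neither export.
WINDOWS_SCAN = """<NessusClientData_v2>
<Policy><policyName>windows-monthly</policyName></Policy>
<Report name="windows-monthly">
 <ReportHost name="10.0.1.10"><HostProperties/>
  <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3" pluginID="900001" pluginName="Constructed SMB finding" pluginFamily="Windows"/>
  <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="900002" pluginName="Constructed TLS finding" pluginFamily="General"/>
 </ReportHost>
 <ReportHost name="10.0.1.11"><HostProperties/>
  <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="2" pluginID="900003" pluginName="Constructed RDP finding" pluginFamily="Windows"/>
 </ReportHost>
</Report></NessusClientData_v2>"""

LINUX_SCAN = """<NessusClientData_v2>
<Policy><policyName>linux-monthly</policyName></Policy>
<Report name="linux-monthly">
 <ReportHost name="10.0.1.10"><HostProperties/>
  <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="900002" pluginName="Constructed TLS finding" pluginFamily="General"/>
  <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1" pluginID="900004" pluginName="Constructed SSH finding" pluginFamily="Misc."/>
 </ReportHost>
 <ReportHost name="10.0.1.12"><HostProperties/>
  <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="900005" pluginName="Constructed OS fingerprint" pluginFamily="General"/>
 </ReportHost>
</Report></NessusClientData_v2>"""


def parse_report(xml_text: str) -> Dict[str, Dict[Finding, ET.Element]]:
    """Return {host name: {finding key: ReportItem element}} for one export."""
    hosts: Dict[str, Dict[Finding, ET.Element]] = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        items = hosts.setdefault(rh.get("name"), {})
        for item in rh.findall("ReportItem"):
            key = (item.get("pluginID"), item.get("port"), item.get("protocol"))
            items.setdefault(key, item)  # first occurrence of a finding wins
    return hosts


def _host_key(name: str):
    """Sort IP addresses numerically and put hostname-only entries last."""
    try:
        ip = ipaddress.ip_address(name)
        return (0, ip.version, ip)
    except ValueError:
        return (1, 0, name)


def merge_reports(xml_texts: List[str], report_name: str) -> ET.Element:
    """Merge several exports into one NessusClientData_v2 tree.

    A host seen by several policies becomes a single ReportHost, and a
    finding that two policies both reported is kept once.
    """
    merged: Dict[str, Dict[Finding, ET.Element]] = {}
    for text in xml_texts:
        for host, items in parse_report(text).items():
            bucket = merged.setdefault(host, {})
            for key, item in items.items():
                bucket.setdefault(key, item)
    root = ET.Element("NessusClientData_v2")
    report = ET.SubElement(root, "Report", name=report_name)
    for host in sorted(merged, key=_host_key):
        rh = ET.SubElement(report, "ReportHost", name=host)
        ET.SubElement(rh, "HostProperties")
        for item in merged[host].values():
            rh.append(item)
    return root


def finding_count(root: ET.Element) -> int:
    """Total ReportItems in a (merged) tree."""
    return sum(1 for _ in root.iter("ReportItem"))


def coverage_gaps(xml_texts: List[str], target_cidrs: List[str]) -> List[str]:
    """Addresses in the scheduled ranges that no policy produced a ReportHost for.

    Each one is either a host that was down or a host that none of the
    per-platform policies included: the blind spot to check every cycle.
    """
    seen = set()
    for text in xml_texts:
        for host in parse_report(text):
            try:
                seen.add(ipaddress.ip_address(host))
            except ValueError:
                pass  # hostname-only entries cannot be matched against a CIDR
    return [str(ip) for cidr in target_cidrs
            for ip in ipaddress.ip_network(cidr).hosts() if ip not in seen]


if __name__ == "__main__":
    exports = [WINDOWS_SCAN, LINUX_SCAN]
    tree = merge_reports(exports, "monthly-merged")
    print(ET.tostring(tree, encoding="unicode"))
    print("not covered by any policy:", coverage_gaps(exports, ["10.0.1.8/29"]))
```

Two caveats when running this over real exports: the merge keeps the first copy of a finding, so if one policy scanned a host with credentials and another without, the credentialed export should be listed first so its plugin output is the one retained; and a gap list drawn from `ReportHost` entries cannot tell a host that was down from one no policy targeted, so the targets of each per-platform policy still need to be reconciled against an inventory rather than only against scan output.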