Conduct compliance audit scans effectively and efficiently with Nessus Professional by leveraging these best practices.
Tasks required to maintain compliance don't find themselves on most people's lists of favorite activities. But while such regulatory responsibilities can sometimes be taxing, complex or tedious, that doesn't make them any less necessary. Among the standards and practices pertaining to information security, compliance scanning is one of the most important.
Some in your organization may be uneasy about a compliance scan of your network: Perhaps they assume it's the same thing as a system-wide vulnerability scan and are worried about potential operational delays (though this is something of a misconception). Or maybe they're simply hoping to complete the process as soon as possible. As such, it will be critical to make sure your compliance scanning is as efficient and effective as possible. Following a few best practices can help you maximize the compliance audit functionality available in Nessus Professional.
Determine your scanning priorities
"Standards" and "regulations" are umbrella words that mean a lot of different things to different organizations. The business next door might solely adhere to PCI DSS for their payment processing, whereas you might also have HIPAA and GDPR to contend with. And then there may be "voluntary," but ultimately no less valuable, guidelines to follow like the security standards CIS creates for dozens of applications and operating systems.
You don't have to conduct compliance audit scans for all standards you follow at the same time. Even if your system could handle the traffic that such a broad operation would create, it would slow everything down to a snail's pace and leave a lot of your peers frustrated (particularly everyone in IT). We recommend creating independent scans for each standard against which you're testing compliance to reduce the load and simplify reporting.
In other words, you'll want to schedule compliance scans around both regulatory and operational needs: for example, starting with PCI DSS in one scanning window, and then periodically rotating through the other standards. Prioritize anything that may have a specific recertification time frame, of course. So if it's been almost a year since your last PCI certification (or three months since your last scan),[1] that should probably be at the top of your list for the moment.
Template-based and customized compliance scans
When you run Nessus Professional "straight out of the box," so to speak, it runs all of its compliance scanning operations based on templated policies for specific standards. In more than a few use cases, that may be all that's needed, as the audit templates cover a broad swath of protocols for all of the major operating systems.
But that won't be true for every organization. Maybe your IT team has developed unique configurations for your registry values that a templated scan wouldn't properly analyze, or perhaps the terms of a particular standard changed a few hours ago and you need to change the existing audit policy to reflect that. Doing so is simple with Nessus - you and your infosec team can download the raw text files of the policies and modify them according to your precise scanning requirements.
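As an added illustration (not from Tenable or the original article), here is what such a modified policy can look like in the .audit file syntax Nessus uses for Windows checks. The group policy name, registry key and value name are constructed placeholders standing in for an organization's own baseline, and the minimum password length is an assumed value chosen to show a template item being tightened after a standard changes:

```text
<check_type:"Windows" version:"2">
<group_policy:"ExampleCorp custom hardening checks (constructed example)">

# Assumed: the IT team sets HKLM\SOFTWARE\ExampleCorp\Hardening\DisableLegacyAgent
# to 1 on every workstation. A stock template does not know to look for this value,
# so a custom item is the only way the audit will flag a machine where it is missing.
<custom_item>
 type        : REGISTRY_SETTING
 description : "ExampleCorp: legacy agent is disabled (constructed check)"
 info        : "Internal hardening baseline item; placeholder key and value name."
 solution    : "Set DisableLegacyAgent to 1 through the standard workstation GPO."
 value_type  : POLICY_DWORD
 value_data  : 1
 reg_key     : "HKLM\SOFTWARE\ExampleCorp\Hardening"
 reg_item    : "DisableLegacyAgent"
 reg_option  : CAN_NOT_BE_NULL
</custom_item>

# Assumed: a standard's revised text now demands at least 14 characters where the
# downloaded template still checked a lower value; editing the range keeps the audit
# aligned with the current requirement without waiting for a new template.
<custom_item>
 type            : PASSWORD_POLICY
 description     : "Minimum password length is at least 14 characters (assumed requirement)"
 value_type      : POLICY_DWORD
 value_data      : [14..MAX]
 password_policy : MINIMUM_PASSWORD_LENGTH
</custom_item>

</group_policy>
</check_type>
```

Save the edited file with the .audit extension and attach it to a compliance scan policy as a custom audit; keep the original template untouched so the modified copy can be diffed against it when the next template revision arrives.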
Authenticate with credentials
You'll need credentials to authenticate the execution of your compliance scans. With credentials, you'll be able to track down and resolve flawed code, misconfigurations or other digital assets that deviate, even slightly, from the standards you're obligated to uphold. This minimizes the risk of accruing fines or sanctions from either government agencies or industry regulators.
It's important to remember that credentialed compliance scans should be conducted using a dedicated account: one you create from scratch and grant all appropriate administrator-level permissions. Doing so serves a dual purpose: You avoid exposing the admin-level credentials of an actual executive or staff member to a third-party application, while still allowing the solution to access all necessary areas of the network and paint the most accurate possible picture of your digital compliance. For added security, you can disable the auditing account whenever it isn't actively being used.[2]
Understand the compliance audit limits
To paraphrase Clint Eastwood: "An infosec operation's got to know its limitations."
Lest you misinterpret this, there are few if any limits to a properly credentialed compliance audit conducted with Nessus. But compliance auditing and vulnerability scanning are not the same thing, and the two are sometimes confused with each other.
To achieve both optimal compliance and comprehensive network protection, it's critical that you run compliance audits in close coordination with vulnerability scanning. Stagger these processes appropriately to avoid major operational interruption, but not by too long: You don't want to risk missing a network issue that could either leave you open to a cyberattack or get you in hot water with a regulator.
Nessus Professional can help give you the network visibility you need.
1. Merchant Services, "PCI DSS Frequently Asked Questions."
2. Security Boulevard, "Why You Should Perform Credentialed Scanning," April 2018.