Are your systems and applications regularly scanned externally for vulnerabilities?
Explanation
External vulnerability scanning is the subject of this question, which asks whether your systems and applications are regularly scanned from outside your network. External vulnerability scanning involves using automated tools to examine your internet-facing assets (websites, servers, cloud resources, etc.) from outside your network to identify security weaknesses that could be exploited by attackers.
Why it's being asked:
- External scanning provides visibility into what potential attackers can see and potentially exploit
- Regular scanning helps identify new vulnerabilities as they emerge
- It demonstrates a proactive security posture
- Many compliance frameworks (PCI DSS, SOC 2, ISO 27001, etc.) require regular vulnerability scanning
The assessor wants to know:
- If you conduct external scans at all
- How frequently these scans occur
- What tools you use
- How you manage the findings
A good answer should address the frequency of scans (quarterly is common, monthly is better), mention the scanning tools used, describe the process for reviewing and remediating findings, and note any third-party involvement in the scanning process. If you use a reputable third party for scanning, this can add credibility to your security program.
Example Responses
Example Response 1
Yes, we conduct external vulnerability scans on all internet-facing systems and applications monthly using Qualys Vulnerability Management Our security team reviews all findings within 48 hours of scan completion Critical and high vulnerabilities are remediated within 14 days, medium vulnerabilities within 30 days, and low vulnerabilities within 90 days Additionally, we engage a third-party security firm to perform quarterly penetration tests that include external vulnerability scanning to provide an independent assessment All scanning results and remediation activities are documented in our vulnerability management system and reported to senior management quarterly.
Example Response 2
Yes, our organization performs external vulnerability scans bi-weekly using Tenable.io We have configured automated scanning for all our public-facing assets including our web applications, APIs, and cloud infrastructure The security operations team receives real-time alerts for critical findings and reviews all scan results within 24 hours We follow a risk-based approach to remediation with SLAs of 7 days for critical, 14 days for high, 30 days for medium, and 60 days for low-severity vulnerabilities We also conduct ad-hoc scans after significant infrastructure changes or when new vulnerabilities are publicly disclosed that could affect our systems.
Example Response 3
No, we currently do not perform regular external vulnerability scans on our systems and applications We rely on our firewall's built-in threat detection capabilities and periodic manual security reviews by our IT team We recognize this is a gap in our security program and are in the process of evaluating vulnerability scanning solutions with the goal of implementing quarterly external scans within the next six months In the interim, we have engaged a security consultant to perform a one-time comprehensive external vulnerability assessment to identify any critical issues requiring immediate attention.
Context
- Tab
- Infrastructure
- Category
- Vulnerability Management
Related questions
- Are your systems and applications scanned with an authenticated user account for vulnerabilities (that are remediated) prior to new releases?
- Will you provide results of application and system vulnerability scans to the institution?
- Will you allow the institution to perform its own vulnerability testing and/or scanning of your systems and/or application, provided that testing is performed at a mutually agreed upon time and date?
- Have your systems and applications had a third-party security assessment completed in the last year?
- Do you regularly scan for common web application security vulnerabilities (e.g., SQL injection, XSS, XSRF, etc.)?

