Firewall & Perimeter Security
Review firewall rules, IDS/IPS, DMZ design, public services, VPN exposure, remote access paths, blocked ports, and risky inbound or outbound policies.
Firewall Security Audit
OC Security Audit provides professional network vulnerability assessment, internal and external vulnerability scanning, firewall security review, system security scanning, cloud security audit, patch and misconfiguration analysis, access control review, and compliance-focused remediation reporting for Orange County and Irvine businesses.
A Network Vulnerability Assessment discovers, analyzes, and prioritizes vulnerabilities across your networks, systems, cloud services, applications, databases, endpoints, and security controls. It identifies missing patches, insecure configurations, exposed ports, weak access controls, outdated software, cloud permission issues, and other conditions that could allow ransomware, data theft, downtime, or compliance findings.
OC Security Audit combines scanning, auditor review, security context, business impact analysis, and remediation planning so your team knows what to fix first and why it matters.
A strong assessment evaluates the full technology ecosystem: network architecture, perimeter controls, internal systems, cloud resources, identity, endpoints, applications, databases, remote access, logging, backups, and compliance evidence.
Identify vulnerabilities across internal assets and internet-facing systems, including open ports, exposed services, weak protocols, and attack paths.
Internal Security Audit
Assess servers, operating systems, endpoints, domain controllers, software versions, hardening baselines, services, local security policies, and administrative access.
Endpoint Security
Find missing updates, unsupported software, weak TLS/SSL, default settings, excessive services, firmware gaps, and exceptions that increase exploitability.
Cybersecurity Risk Management
Evaluate Azure, Microsoft 365, AWS, and GCP security controls including IAM, MFA, conditional access, storage exposure, logging, encryption, and API exposure.
Azure Cloud Security Audit
Assess Active Directory, privileged accounts, user roles, MFA, service accounts, provisioning, de-provisioning, password policies, and remote access rights.
Account Control Audit
Attackers continuously search for exposed systems, unpatched software, weak remote access, misconfigured cloud resources, and poor segmentation. Without regular vulnerability assessments, your organization may not know where it is exposed until after ransomware, data theft, downtime, an audit finding, or a cyber insurance issue.
These cybersecurity activities are related, but each serves a different purpose. OC Security Audit helps businesses choose the right level of review and build a program that can stand up to real-world threats and audit expectations.
| Activity | Primary Purpose | Best Use | Typical Output |
|---|---|---|---|
| Vulnerability Scanning | Automated detection of known weaknesses, missing patches, open ports, misconfigurations, and exposed services. | Recurring technical visibility across networks, systems, cloud assets, and applications. | Technical scan results, severity ratings, affected hosts, ports, services, and CVEs where applicable. |
| Vulnerability Assessment | Professional analysis of scan results with validation, prioritization, business context, and remediation planning. | Reducing technical risk, preparing for audits, and giving IT teams a clear remediation roadmap. | Executive summary, technical report, risk-ranked findings, remediation guide, and validation plan. |
| Risk Assessment | Broader review of threats, vulnerabilities, asset value, likelihood, impact, safeguards, and business consequences. | HIPAA risk analysis, cybersecurity governance, board reporting, cyber insurance, and enterprise risk management. | Risk register, likelihood and impact ratings, control gaps, treatment plans, and management priorities. |
| Vulnerability Management | Ongoing lifecycle of asset discovery, scanning, prioritization, remediation, tracking, rescanning, and reporting. | Continuous improvement, compliance operations, security governance, and patch accountability. | Recurring metrics, remediation tracking, exception management, SLA reporting, and continuous validation. |
OC Security Audit uses a repeatable process designed to identify weaknesses, reduce false positives, prioritize business risk, and provide remediation guidance that your technical team can act on.
Identify networks, servers, endpoints, applications, cloud systems, databases, firewalls, VPNs, and critical business assets.
Define internal, external, cloud, web application, endpoint, and compliance-focused testing scope with safe authorization.
Run credentialed and unauthenticated scans to detect missing patches, exposed services, insecure configurations, and known vulnerabilities.
Review findings, reduce false positives, analyze exploitability, and consider compensating controls and asset criticality.
Rank findings by severity, likelihood, exposure, business impact, data sensitivity, and compliance implications.
Deliver actionable reports, remediation steps, executive summary, compliance mapping, and follow-up validation where needed.
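The review, prioritize and report steps above are easier to reason about with a concrete scoring pass. The following is an added example, not OC Security Audit's own tooling: it takes constructed scanner findings, drops the ones auditor validation marked as false positives, combines CVSS with exposure, asset criticality, data sensitivity and compensating controls into a single score, and attaches a remediation SLA due date per severity. The weights, the 1-3 criticality scale and the SLA day counts are illustrative assumptions, not figures from the page.

```python
"""Added example (not OC Security Audit's tooling): rank validated findings for
remediation. Weights, criticality scale and SLA days are illustrative assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

# Assumed remediation SLAs in days per final severity.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


@dataclass
class Finding:
    host: str
    title: str
    cvss: float                 # base score reported by the scanner
    internet_facing: bool       # exposure: reachable from the internet
    asset_criticality: int      # 1 (low) .. 3 (high), taken from the asset inventory
    sensitive_data: bool        # host handles ePHI, cardholder data or similar
    compensating_controls: List[str] = field(default_factory=list)
    false_positive: bool = False  # set during auditor validation
    found_on: date = date(2024, 1, 8)  # constructed scan date


def risk_score(f: Finding) -> float:
    """Combine scanner severity with exposure, asset criticality, data sensitivity
    and compensating controls into one 0-10 remediation score."""
    score = f.cvss
    if f.internet_facing:
        score += 2.0
    score += 0.5 * (f.asset_criticality - 1)
    if f.sensitive_data:
        score += 1.0
    # Each validated compensating control (WAF, segmentation, MFA, ...) lowers
    # exploitability; the discount is capped so it never silences a critical issue.
    score -= min(2.0, 0.75 * len(f.compensating_controls))
    return round(max(0.0, min(10.0, score)), 1)


def severity(score: float) -> str:
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def prioritize(findings, today):
    """Drop validated false positives, score the rest, attach the SLA due date and
    an overdue flag, and return the rows highest risk first."""
    rows = []
    for f in findings:
        if f.false_positive:
            continue
        s = risk_score(f)
        sev = severity(s)
        due = f.found_on + timedelta(days=SLA_DAYS[sev])
        rows.append({"host": f.host, "title": f.title, "score": s,
                     "severity": sev, "due": due, "overdue": today > due})
    rows.sort(key=lambda r: (-r["score"], r["host"]))
    return rows


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("vpn-gw-01", "Outdated SSL VPN firmware", 9.8, True, 3, True),
    Finding("file-srv-02", "SMBv1 enabled", 7.5, False, 2, True),
    Finding("kiosk-07", "Missing browser update", 6.5, False, 1, False),
    Finding("web-dmz-01", "Outdated CMS plugin", 8.1, True, 2, False, ["WAF", "segmented DMZ"]),
    Finding("print-03", "Telnet banner reported", 5.0, False, 1, False, false_positive=True),
]


def prioritize_sample(today_iso="2024-02-01"):
    """Run the sample set as of the given date (ISO format)."""
    return prioritize(SAMPLE, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for r in prioritize_sample():
        print(f'{r["severity"]:8} {r["score"]:4}  {r["host"]:12} {r["title"]:28} '
              f'due {r["due"]}  overdue={r["overdue"]}')
```

The point of the compensating-control discount is the "consider compensating controls and asset criticality" step: the DMZ web server keeps a Critical rating even behind a WAF because it is internet-facing, while the same CVSS on an isolated kiosk lands at Medium with a 90-day SLA.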
A good vulnerability assessment should not leave your team guessing. OC Security Audit provides prioritized reporting that explains what was found, why it matters, what should be fixed, and how to verify remediation.
Vulnerability assessments provide evidence that your organization is actively identifying, prioritizing, and remediating security weaknesses. For regulated or audit-driven organizations, that evidence can be just as important as the technical fixes.
Supports secure configuration, vulnerability management, access control, logging, monitoring, segmentation review, and regular testing of systems and networks.
PCI-DSS Compliance
Helps identify risks and vulnerabilities to systems that create, receive, maintain, or transmit electronic protected health information.
HIPAA Risk Assessment
Supports control validation, risk treatment, audit readiness, governance, and continuous security improvement.
NIST CSF, SOC 2, ISO 27001
OC Security Audit brings the perspective of both technical cybersecurity professionals and experienced auditors. Our work is designed to help your team reduce real risk, strengthen internal controls, improve security governance, and prepare for compliance reviews with confidence.
We provide vulnerability scanning, vulnerability assessment, risk assessment, cloud security audit, firewall review, access control audit, endpoint security review, and ongoing vulnerability management support for Orange County and Irvine organizations.
Schedule a Network Vulnerability Assessment with OC Security Audit to identify exploitable weaknesses, reduce risk, support compliance, and protect your business before attackers find the gaps.
A network vulnerability assessment is a structured cybersecurity review that identifies exploitable weaknesses across internal networks, external-facing systems, cloud environments, endpoints, servers, applications, firewalls, identity systems, and access controls. It goes beyond a raw scan by validating risk, prioritizing remediation, and documenting findings for IT, executive, and compliance audiences.
No. Vulnerability scanning is usually the automated discovery of known weaknesses, missing patches, exposed services, and misconfigurations. A vulnerability assessment includes scanning plus auditor review, validation, business impact analysis, risk prioritization, and remediation planning.
A vulnerability assessment focuses on technical weaknesses. A risk assessment is broader and evaluates threats, asset value, likelihood, impact, business consequences, safeguards, and management decisions. Both work together to reduce cybersecurity risk.
Vulnerability management is the ongoing program that includes asset discovery, recurring scans, remediation ownership, exception tracking, rescanning, reporting, metrics, and continuous improvement. A vulnerability assessment is one important part of that lifecycle.
Yes. PCI DSS requires organizations to maintain secure systems, manage vulnerabilities, control access, monitor activity, and regularly test security of systems and networks. A structured vulnerability assessment provides evidence and remediation tracking that supports PCI DSS audit readiness.
Yes. HIPAA requires covered entities and business associates to evaluate risks and vulnerabilities to electronic protected health information and apply reasonable safeguards. Vulnerability assessment findings can support HIPAA risk analysis, remediation planning, and security documentation.
Unpatched systems, misconfigured firewalls, exposed cloud resources, weak access controls, shadow IT, ransomware exposure, and compliance gaps can remain hidden until an attacker or auditor finds them first.
Deliverables may include a full vulnerability report, executive summary, technical evidence, severity ratings, CVE references where applicable, risk-based remediation plan, compliance mapping, and follow-up validation report.
This network vulnerability assessment checklist helps IT administrators, IT managers, system engineers, cybersecurity engineers, compliance teams, and security auditors review the areas that should be scanned, validated, documented, remediated, and monitored across a modern business network.
The checklist covers policies and procedures, user access, employee security awareness, endpoints, servers, VPN, cloud platforms, infrastructure, routers, switches, firmware, remote access, DMZ systems, applications, databases, antivirus, EDR, monitoring tools, vendors, patch management, compliance evidence, and additional security control areas required for a complete network security assessment.
| Assessment Area | Asset / Control Category | What the Vulnerability Scanner Should Cover | Auditor / Engineer Validation | Common Vulnerabilities or Weaknesses | Evidence to Review | Risk Score | Risk Impact | Remediation Priority | Last Scan Date | Last Remediation Date | Remediation Owner | Current Status | Compliance Mapping | Recommended Frequency | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Security Governance | Policies, standards, procedures | Confirm that vulnerability scanning, patching, access control, incident response, remote access, firewall review, and exception handling policies exist and are current. | Verify policy approval, review dates, ownership, scope, and alignment with actual technical practices. | Outdated policies, undocumented exceptions, weak enforcement, missing accountability, inconsistent remediation timelines. | Security policies, patch policy, vulnerability management standard, exception register, approval records. | High | Weak governance can cause inconsistent security practices and audit failures. | High | To be reviewed | To be documented | IT Manager / CISO | Assessment Needed | NIST, ISO 27001, SOC 2, HIPAA, PCI DSS | Annual and after major changes | Policies should define scanning frequency, severity SLAs, ownership, reporting, and risk acceptance. |
| Asset Inventory | Hardware, software, cloud assets, SaaS, virtual systems | Discover all systems in scope, including servers, endpoints, network devices, cloud resources, applications, databases, wireless devices, IoT, and shadow IT. | Compare scan discovery against CMDB, MDM, EDR, firewall, DHCP, cloud inventory, and procurement records. | Unknown assets, unmanaged devices, duplicate records, missing ownership, unsupported systems. | CMDB, device inventory, EDR inventory, cloud inventory, DHCP leases, network discovery reports. | Critical | Unknown assets cannot be patched, monitored, secured, or audited effectively. | Critical | To be reviewed | To be documented | IT Operations | Assessment Needed | NIST Identify, ISO 27001, CIS Controls, SOC 2 | Continuous or monthly | Asset inventory is the foundation for accurate vulnerability scanning and remediation. |
| Network Architecture | Network diagrams, topology, segmentation | Review network ranges, VLANs, subnets, routing paths, trust zones, critical system placement, guest networks, and segmentation boundaries. | Validate network diagrams against firewall rules, switch configurations, routing tables, scan results, and actual traffic paths. | Flat network, inaccurate diagrams, poor segmentation, unclear trust boundaries, unauthorized routes. | Network diagrams, switch configs, router configs, firewall configs, segmentation test results. | High | Poor architecture can allow lateral movement and increase breach impact. | High | To be reviewed | To be documented | Network Engineer | Assessment Needed | PCI DSS, HIPAA, NIST, ISO 27001 | Annual and after network changes | Segmentation should separate users, servers, cardholder data, ePHI, guest Wi-Fi, and management networks. |
| Firewall Security | Perimeter firewall, internal firewall, cloud firewall | Scan and review open ports, inbound rules, outbound rules, NAT, management interfaces, VPN exposure, geolocation rules, IDS/IPS, and rule cleanup. | Validate rule purpose, business owner, expiration date, least privilege, logging, and blocked unused services. | Any-to-any rules, exposed admin interfaces, unused rules, risky services, weak logging, broad outbound access. | Firewall rule base, change tickets, traffic logs, IDS/IPS events, external scan reports. | Critical | Misconfigured firewalls can expose critical systems directly to attackers. | Critical | To be reviewed | To be documented | Network Security Engineer | Assessment Needed | PCI DSS, NIST, ISO 27001, SOC 2 | Quarterly and after rule changes | Firewall reviews should include both technical scanning and manual rule review. |
| External Network Scanning | Public IPs, internet-facing systems | Scan public IP ranges, web servers, VPN portals, remote access systems, mail services, DNS, exposed APIs, SSL/TLS, and open ports. | Validate exposed services against business need and confirm critical findings with safe verification. | Open RDP, exposed SSH, outdated web services, weak TLS, vulnerable VPN, public database ports. | External vulnerability scan, DNS records, SSL reports, firewall NAT rules, public asset inventory. | Critical | Internet-facing vulnerabilities are often the fastest path to compromise. | Critical | To be reviewed | To be documented | Security Engineer | Assessment Needed | PCI DSS, SOC 2, NIST, ISO 27001 | Monthly or quarterly | External scans should be repeated after major deployments and firewall changes. |
| Internal Network Scanning | LAN systems, internal servers, endpoints, network devices | Scan internal IP ranges for missing patches, weak services, open shares, insecure protocols, unauthorized systems, and lateral movement exposure. | Confirm scan coverage with asset inventory and validate high-risk systems manually when appropriate. | SMB weaknesses, unsupported OS, vulnerable services, open file shares, weak SNMP, unnecessary ports. | Internal scan reports, asset list, AD inventory, EDR inventory, network discovery output. | High | Internal weaknesses can accelerate ransomware spread and privilege escalation. | High | To be reviewed | To be documented | Systems / Security Engineer | Assessment Needed | NIST, CIS Controls, HIPAA, PCI DSS | Monthly or quarterly | Credentialed internal scanning provides better visibility than unauthenticated scanning alone. |
| Routers | Routing devices and WAN edge | Assess router firmware, routing protocols, ACLs, management access, logging, SNMP, NTP, default credentials, and insecure services. | Review configuration backups, firmware level, admin access, secure management protocols, and route control. | Outdated firmware, weak SNMP strings, telnet enabled, exposed management, insecure routing changes. | Router configs, firmware inventory, admin logs, change records, vulnerability scan results. | High | Compromised routers can redirect traffic, disrupt operations, or expose sensitive data. | High | To be reviewed | To be documented | Network Engineer | Assessment Needed | NIST, ISO 27001, SOC 2 | Quarterly | Management access should be restricted to secure admin networks. |
| Switches | Core, distribution, access switches | Review switch firmware, VLAN configuration, trunk ports, unused ports, port security, 802.1X, SNMP, logging, and management access. | Validate VLAN segmentation, disabled unused ports, secure management, and change control. | Open unused ports, weak management, VLAN hopping risk, old firmware, unauthorized devices. | Switch configs, NAC reports, port maps, firmware versions, network diagrams. | High | Switch weaknesses can enable unauthorized access and lateral movement. | High | To be reviewed | To be documented | Network Engineer | Assessment Needed | NIST, CIS Controls, ISO 27001 | Quarterly | Access switch controls should include port security or NAC where appropriate. |
| Network Hardware Firmware | Firewalls, routers, switches, APs, storage, appliances | Identify firmware versions, vendor advisories, unsupported hardware, known CVEs, update history, and patch exceptions. | Compare firmware inventory against vendor security bulletins and approved maintenance windows. | End-of-life hardware, vulnerable firmware, default services, unavailable patches, undocumented exceptions. | Firmware inventory, vendor advisories, maintenance logs, vulnerability reports, lifecycle records. | High | Firmware vulnerabilities can affect critical infrastructure and may be difficult to detect later. | High | To be reviewed | To be documented | Infrastructure Manager | Assessment Needed | NIST, ISO 27001, SOC 2 | Quarterly and after vendor advisories | Firmware patching should be included in formal patch management, not handled informally. |
| DMZ Security | Public-facing segmented systems | Scan DMZ servers, reverse proxies, load balancers, web services, exposed APIs, management ports, and segmentation from internal networks. | Verify DMZ rules, traffic direction, least privilege, logging, and isolation from internal assets. | Weak segmentation, broad internal access, exposed management, outdated public services, insufficient logging. | DMZ diagram, firewall rules, external and internal scans, server configs, WAF logs. | Critical | DMZ compromise can become a bridge into internal networks. | Critical | To be reviewed | To be documented | Network Security Engineer | Assessment Needed | PCI DSS, NIST, ISO 27001 | Quarterly and after deployments | DMZ systems should never have broad unrestricted access into internal networks. |
| VPN Security | Site-to-site VPN, remote user VPN, SSL VPN, IPsec | Assess VPN software versions, exposed portals, encryption settings, MFA, split tunneling, user groups, logs, and access restrictions. | Validate VPN access is limited, logged, monitored, patched, and protected with MFA. | Vulnerable VPN appliances, weak encryption, no MFA, inactive users, excessive network access. | VPN configs, user access lists, logs, MFA reports, firewall rules, vulnerability scans. | Critical | VPN compromise can provide direct access to internal systems. | Critical | To be reviewed | To be documented | Network / Security Engineer | Assessment Needed | NIST, HIPAA, PCI DSS, SOC 2 | Monthly or quarterly | VPN access should be reviewed frequently due to high exploitation value. |
| Remote Access | RDP, SSH, remote support, privileged remote tools | Scan for exposed RDP, SSH, VNC, remote admin tools, remote support software, weak authentication, and internet exposure. | Confirm remote access is approved, MFA-protected, logged, restricted by source, and not directly exposed unless justified. | Open RDP to internet, shared remote accounts, weak passwords, unmanaged support tools, missing logs. | Firewall rules, remote access logs, tool inventory, IAM reports, external scan results. | Critical | Weak remote access is a common ransomware entry point. | Critical | To be reviewed | To be documented | Security Engineer | Assessment Needed | NIST, HIPAA, PCI DSS, SOC 2 | Monthly | Remote access should use MFA, least privilege, strong logging, and restricted network paths. |
| Windows Servers | Domain controllers, file servers, application servers | Perform credentialed scans for missing patches, insecure services, weak local policies, SMB risks, unsupported OS, and configuration gaps. | Validate patch levels, baseline hardening, local admin control, logging, backups, and service exposure. | Missing patches, unsupported Windows versions, SMB weaknesses, weak permissions, exposed admin shares. | Patch reports, server inventory, scan reports, GPO settings, event logs, baseline reports. | Critical | Server compromise can impact identity, applications, files, and business operations. | Critical | To be reviewed | To be documented | Systems Engineer | Assessment Needed | NIST, HIPAA, PCI DSS, SOC 2 | Monthly | Domain controllers require special priority due to identity and privilege impact. |
| Linux / Unix Servers | Linux, Unix, appliances, open-source platforms | Scan packages, kernel versions, SSH configuration, sudoers, services, permissions, logging, and exposed daemons. | Validate patch management, secure SSH, least privilege, hardening baselines, and log monitoring. | Outdated kernel, weak SSH, exposed services, insecure permissions, missing audit logs. | Package inventory, vulnerability scan, SSH config, sudoers file, audit logs, hardening checklist. | High | Linux server vulnerabilities can expose applications, databases, and infrastructure services. | High | To be reviewed | To be documented | Systems Engineer | Assessment Needed | NIST, ISO 27001, SOC 2 | Monthly | Credentialed Linux scans help detect missing package updates and configuration risks. |
| Endpoint Security | Workstations, laptops, user devices | Scan endpoints for missing patches, vulnerable software, local admin rights, encryption status, insecure services, and unmanaged devices. | Compare endpoint scan results with EDR, MDM, asset inventory, encryption reports, and patch dashboards. | Missing patches, local admin users, unmanaged laptops, unencrypted disks, outdated browsers. | EDR console, MDM reports, patch reports, encryption reports, vulnerability scans. | High | Endpoints are common entry points for malware, credential theft, and ransomware. | High | To be reviewed | To be documented | Endpoint / Desktop Team | Assessment Needed | NIST, HIPAA, SOC 2, ISO 27001 | Monthly | Endpoint vulnerability data should be integrated with patch and EDR reporting. |
| Antivirus | Traditional antivirus protection | Review antivirus deployment coverage, signature updates, policy configuration, exclusions, quarantine events, and unmanaged devices. | Validate all active endpoints and servers are protected and reporting current status. | Disabled AV, outdated signatures, broad exclusions, unmanaged systems, alert fatigue. | Antivirus console, policy settings, exclusion list, quarantine logs, coverage reports. | Medium | Weak malware protection increases endpoint compromise and ransomware risk. | Medium | To be reviewed | To be documented | Endpoint Security Team | Assessment Needed | NIST, HIPAA, SOC 2 | Monthly | Antivirus should be reviewed with EDR and endpoint hardening controls. |
| EDR / XDR | Endpoint detection and response | Assess EDR deployment, sensor health, policy enforcement, alert coverage, tamper protection, isolation capabilities, and response workflow. | Confirm critical systems are onboarded and that alerts are reviewed and escalated. | Missing sensors, unhealthy agents, disabled protection, unreviewed alerts, weak response process. | EDR console, alert history, device health reports, response playbooks, incident tickets. | High | Weak EDR coverage reduces detection and response capability during active threats. | High | To be reviewed | To be documented | Security Operations | Assessment Needed | NIST Detect, SOC 2, ISO 27001 | Monthly | EDR health should be monitored continuously for coverage gaps. |
| Patch Management | Operating systems, applications, firmware, third-party software | Scan for missing security patches, unsupported software, vulnerable versions, patch exceptions, and remediation SLA violations. | Verify patch deployment process, testing, rollback, business exceptions, and rescan validation. | Critical patches missing, unsupported software, delayed remediation, undocumented exceptions. | Patch reports, vulnerability reports, exception register, change tickets, rescan results. | Critical | Unpatched systems are one of the most common paths to compromise. | Critical | To be reviewed | To be documented | IT Operations | Assessment Needed | PCI DSS, HIPAA, NIST, ISO 27001, SOC 2 | Monthly and emergency as needed | Critical internet-facing vulnerabilities should be handled with accelerated remediation. |
| Active Directory | Domain services, GPO, identity infrastructure | Review domain controller patching, weak protocols, privileged groups, stale accounts, delegation, GPO security, and password policies. | Validate privileged access, account lifecycle, Kerberos/NTLM exposure, GPO baselines, and audit logging. | Excessive domain admins, stale users, weak passwords, insecure legacy protocols, poor delegation. | AD reports, GPO exports, privileged group membership, identity logs, vulnerability scans. | Critical | Identity compromise can lead to enterprise-wide control by attackers. | Critical | To be reviewed | To be documented | Identity / Systems Engineer | Assessment Needed | NIST, HIPAA, PCI DSS, SOC 2 | Monthly or quarterly | Identity security should be treated as a top-tier vulnerability assessment area. |
| User Accounts | Employees, contractors, service accounts | Assess stale accounts, disabled account handling, password policy, MFA status, access rights, shared accounts, and service account exposure. | Verify joiner-mover-leaver process and compare HR records to active accounts. | Stale users, excessive privileges, shared passwords, weak MFA coverage, orphaned service accounts. | User lists, HR termination reports, IAM reports, MFA reports, access review records. | High | Weak account controls can enable unauthorized access and privilege misuse. | High | To be reviewed | To be documented | IT / HR / Security | Assessment Needed | HIPAA, PCI DSS, SOC 2, ISO 27001 | Monthly or quarterly | User access reviews should include employees, contractors, vendors, and service accounts. |
| Privileged Access | Admins, root, domain admins, cloud admins | Review privileged roles, admin workstations, MFA, PAM controls, emergency access, logging, and separation of duties. | Validate least privilege, approval workflow, session monitoring, and periodic access reviews. | Too many admins, no MFA, shared admin accounts, unmanaged privileged sessions, weak logging. | Privileged group reports, PAM logs, cloud role exports, admin access review records. | Critical | Privileged account misuse can cause full environment compromise. | Critical | To be reviewed | To be documented | CISO / Identity Team | Assessment Needed | PCI DSS, HIPAA, NIST, ISO 27001, SOC 2 | Monthly | Privileged access should be tightly controlled and continuously monitored. |
| MFA | Multi-factor authentication | Review MFA coverage for VPN, cloud, email, privileged accounts, remote access, administrative tools, and sensitive applications. | Validate enforcement policies, exceptions, bypasses, legacy authentication, and conditional access rules. | MFA gaps, bypass rules, legacy authentication, SMS-only reliance, weak enrollment process. | MFA reports, conditional access policies, VPN settings, cloud identity reports, exception list. | Critical | Missing MFA significantly increases account takeover risk. | Critical | To be reviewed | To be documented | Identity Team | Assessment Needed | PCI DSS, HIPAA, NIST, SOC 2 | Monthly | MFA should be enforced for privileged, remote, cloud, and sensitive application access. |
| Employee Security Awareness | Training, phishing awareness, reporting procedures | Review training coverage, phishing simulation results, policy acknowledgment, reporting methods, and targeted training for high-risk users. | Validate completion rates, training frequency, employee onboarding, and incident reporting awareness. | Low training completion, repeated phishing failures, no reporting process, outdated training material. | Training records, phishing reports, policy acknowledgments, onboarding checklist, incident reports. | Medium | Employee mistakes can lead to phishing, malware, credential theft, and data exposure. | Medium | To be reviewed | To be documented | Security / HR | Assessment Needed | HIPAA, SOC 2, ISO 27001, NIST | Annual with periodic refreshers | Security awareness should be included in cybersecurity audit and risk assessment programs. |
| Cloud Security | Azure, AWS, GCP, Microsoft 365, SaaS platforms | Assess IAM, MFA, storage exposure, public access, logging, encryption, security posture, API exposure, workload vulnerabilities, and cloud network controls. | Validate cloud configuration against secure baselines, least privilege, and compliance requirements. | Public storage, overprivileged accounts, missing logs, weak conditional access, exposed workloads. | Cloud security reports, IAM policies, storage settings, activity logs, posture management findings. | Critical | Cloud misconfiguration can expose sensitive data and business systems quickly. | Critical | To be reviewed | To be documented | Cloud Security Engineer | Assessment Needed | HIPAA, PCI DSS, SOC 2, ISO 27001, NIST | Monthly or continuous | Cloud environments change quickly and should be monitored continuously where possible. |
| Microsoft 365 Security | Email, Teams, SharePoint, OneDrive, Entra ID | Review secure score, MFA, conditional access, legacy authentication, mailbox rules, DLP, sharing, admin roles, and audit logging. | Validate configuration against Microsoft 365 security baseline and business data protection needs. | Legacy authentication, risky sharing, overprivileged admins, weak audit logging, mailbox forwarding abuse. | M365 secure score, audit logs, admin roles, sharing reports, DLP reports, conditional access policies. | High | M365 weaknesses can expose email, files, identity, and collaboration data. | High | To be reviewed | To be documented | M365 Administrator | Assessment Needed | HIPAA, SOC 2, ISO 27001, NIST | Monthly | Email and cloud collaboration controls should be reviewed together. |
| Azure Security | Azure subscriptions, Entra ID, resources, storage, networking | Scan Azure workloads, NSGs, storage accounts, public IPs, IAM roles, Defender recommendations, encryption, logging, and key vaults. | Validate subscriptions, management groups, role assignments, conditional access, and workload exposure. | Public storage, overprivileged roles, exposed VMs, weak NSGs, missing Defender coverage. | Azure Defender, Azure Policy, role assignments, activity logs, NSG rules, vulnerability findings. | High | Azure misconfiguration can expose infrastructure, identities, and sensitive data. | High | To be reviewed | To be documented | Azure Administrator | Assessment Needed | NIST, HIPAA, SOC 2, ISO 27001 | Monthly or continuous | Azure security should include both identity and infrastructure configuration review. |
| Web Applications | Public websites, internal web apps, portals | Scan for OWASP Top 10 vulnerabilities, outdated frameworks, authentication flaws, injection, XSS, weak TLS, and insecure headers. | Validate scan findings with safe testing and review authentication, authorization, and session management. | SQL injection, XSS, broken access control, outdated plugins, weak headers, insecure cookies. | Web scan reports, WAF logs, app inventory, code release records, authentication settings. | High | Application vulnerabilities can expose customer data and business workflows. | High | To be reviewed | To be documented | Application / Security Team | Assessment Needed | PCI DSS, HIPAA, SOC 2, OWASP, NIST | Quarterly and after releases | Public applications should be scanned after major code, plugin, or infrastructure changes. |
| APIs | Internal APIs, public APIs, third-party integrations | Assess authentication, authorization, exposed endpoints, rate limiting, input validation, API keys, secrets, logging, and insecure methods. | Validate API inventory, business purpose, data exposure, token handling, and access restrictions. | Broken object-level authorization, exposed tokens, weak rate limiting, excessive data return, insecure APIs. | API inventory, API gateway logs, application scan results, integration documentation, secret scan reports. | High | API weaknesses can expose data and business logic at scale. | High | To be reviewed | To be documented | Application Security Team | Assessment Needed | OWASP API, PCI DSS, HIPAA, SOC 2 | Quarterly and after releases | API scanning should include authentication and authorization validation. |
| Databases | SQL, NoSQL, data warehouses, sensitive data stores | Scan for database vulnerabilities, insecure ports, weak authentication, excessive privileges, missing encryption, insecure backups, and outdated versions. | Validate access control, encryption, backup protection, audit logging, and sensitive data exposure. | Default accounts, exposed database ports, weak permissions, unencrypted data, outdated engines. | Database scan results, access reports, encryption settings, backup logs, audit logs. | Critical | Database compromise can expose high-value sensitive data. | Critical | To be reviewed | To be documented | Database Administrator | Assessment Needed | HIPAA, PCI DSS, SOC 2, ISO 27001 | Monthly or quarterly | Databases should not be directly exposed to the internet unless strictly justified and protected. |
| Email Security | Email gateways, Microsoft 365, Google Workspace, filtering | Review phishing protection, malware filtering, SPF, DKIM, DMARC, encryption, DLP, mailbox forwarding, and suspicious inbox rules. | Validate anti-phishing settings, domain authentication, alert review, and user reporting process. | Weak DMARC, mailbox forwarding abuse, phishing bypass, poor DLP coverage, missing alerts. | Email security console, DNS records, DMARC reports, DLP reports, mailbox audit logs. | High | Email compromise can lead to fraud, credential theft, malware, and data loss. | High | To be reviewed | To be documented | Email Administrator | Assessment Needed | HIPAA, SOC 2, ISO 27001, NIST | Monthly | Email security should be tied to awareness training and incident response. |
| Wireless Security | Corporate Wi-Fi, guest Wi-Fi, access points | Assess WPA2/WPA3, guest isolation, rogue AP detection, SSID configuration, authentication, firmware, and wireless segmentation. | Validate guest separation, AP inventory, access control, and wireless encryption standards. | Weak Wi-Fi passwords, shared keys, rogue APs, guest access to internal systems, outdated AP firmware. | Wireless controller reports, AP inventory, SSID configs, rogue AP logs, network diagrams. | High | Wireless weaknesses can allow unauthorized network access. | High | To be reviewed | To be documented | Network Engineer | Assessment Needed | PCI DSS, HIPAA, NIST, ISO 27001 | Quarterly | Guest wireless must be isolated from internal business systems. |
| Network Monitoring | SIEM, NDR, IDS/IPS, log monitoring, alerting | Review monitoring coverage for firewalls, servers, endpoints, cloud, identity, VPN, applications, and critical security events. | Validate log ingestion, retention, alert tuning, escalation, and incident ticket generation. | Missing logs, short retention, ignored alerts, poor correlation, no escalation process. | SIEM reports, IDS/IPS logs, alert history, log retention policy, incident tickets. | High | Weak monitoring delays detection and response to attacks. | High | To be reviewed | To be documented | Security Operations | Assessment Needed | PCI DSS, HIPAA, SOC 2, NIST, ISO 27001 | Continuous with monthly review | Critical logs should be protected from alteration and retained based on compliance needs. |
| Backup & Disaster Recovery | Backups, recovery systems, replication, immutable storage | Review backup coverage, backup encryption, offsite copies, immutability, restore testing, access control, and ransomware resilience. | Validate recovery tests, RPO/RTO, backup access permissions, and separation from production identity. | Untested backups, exposed backup consoles, no immutable copies, weak backup permissions, failed jobs. | Backup logs, DR plan, test reports, access lists, retention settings, restore evidence. | Critical | Weak backups can make ransomware and outages much more damaging. | Critical | To be reviewed | To be documented | Infrastructure / DR Owner | Assessment Needed | HIPAA, SOC 2, ISO 27001, NIST | Monthly with periodic restore tests | Backup systems should be included in access control and vulnerability reviews. |
| Incident Response | IR plan, playbooks, escalation, forensics readiness | Review incident response documentation, ransomware playbooks, contact lists, escalation paths, evidence handling, and tabletop testing. | Validate that teams know roles, reporting steps, containment options, and communication procedures. | No tested IR plan, unclear ownership, missing contacts, weak evidence handling, slow escalation. | IR plan, playbooks, tabletop results, incident tickets, communication templates, lessons learned. | High | Poor response planning increases downtime, legal exposure, and breach impact. | High | To be reviewed | To be documented | CISO / Security Lead | Assessment Needed | HIPAA, SOC 2, ISO 27001, NIST | Annual with tabletop exercises | Vulnerability findings should feed incident prevention and response playbooks. |
| Third-Party Vendors | MSPs, SaaS providers, contractors, support vendors | Review vendor access, remote tools, contractual security requirements, vendor risk assessments, MFA, logging, and access expiration. | Validate vendor access is approved, least privilege, monitored, and removed when no longer needed. | Persistent vendor access, unmanaged remote tools, weak contracts, no MFA, unmonitored third-party activity. | Vendor list, contracts, risk assessments, access logs, remote support logs, user access reports. | High | Vendor compromise can create indirect access to business systems and data. | High | To be reviewed | To be documented | Vendor Manager / Security | Assessment Needed | HIPAA, PCI DSS, SOC 2, ISO 27001 | Quarterly or annual based on risk | Vendor access should be treated as part of identity and remote access risk. |
| Mobile Devices | Smartphones, tablets, BYOD, corporate mobile | Review MDM enrollment, encryption, screen lock, OS version, app controls, remote wipe, conditional access, and device compliance. | Validate mobile devices accessing email, cloud, and business applications meet security requirements. | Unmanaged BYOD, outdated OS, no encryption, no remote wipe, risky apps, weak mobile access controls. | MDM reports, device inventory, conditional access reports, mobile compliance policies. | Medium | Mobile weaknesses can expose email, cloud data, and authentication tokens. | Medium | To be reviewed | To be documented | Endpoint / MDM Admin | Assessment Needed | HIPAA, SOC 2, NIST, ISO 27001 | Monthly | Mobile access should be linked to identity and conditional access controls. |
| IoT / OT Devices | Cameras, printers, sensors, building systems, specialized devices | Discover and assess IoT/OT devices for default passwords, outdated firmware, open services, weak segmentation, and unmanaged access. | Validate ownership, network isolation, vendor access, patch feasibility, and monitoring coverage. | Default credentials, unsupported firmware, exposed web interfaces, flat network placement, no logs. | Device inventory, network scans, firmware versions, vendor documentation, segmentation rules. | High | IoT and OT devices can create hidden attack paths into business networks. | High | To be reviewed | To be documented | Facilities / IT / Security | Assessment Needed | NIST, ISO 27001, SOC 2 | Quarterly | IoT systems should be segmented and monitored due to limited patch options. |
| Certificates & Encryption | TLS certificates, encryption protocols, key management | Scan for expired certificates, weak ciphers, old TLS versions, self-signed certificates, insecure key lengths, and unencrypted services. | Validate certificate ownership, renewal process, trusted CAs, secure protocols, and encryption standards. | Expired SSL certificates, TLS 1.0/1.1, weak ciphers, unencrypted services, poor key management. | SSL scan reports, certificate inventory, key management records, service configuration reports. | Medium | Weak encryption can expose credentials and sensitive data in transit. | Medium | To be reviewed | To be documented | Security / Systems Engineer | Assessment Needed | PCI DSS, HIPAA, ISO 27001, SOC 2 | Monthly or quarterly | Certificate expiration should be monitored proactively. |
| DNS, DHCP & NTP | Core network services | Review DNS exposure, zone transfers, DHCP scope security, rogue DHCP risk, NTP configuration, logging, and service patching. | Validate authorized DNS/DHCP servers, secure configuration, access restrictions, and monitoring. | Open zone transfer, rogue DHCP, weak DNS security, outdated services, incorrect time sync. | DNS configs, DHCP logs, NTP settings, scan reports, server inventory. | Medium | Core network service weaknesses can disrupt operations and support attacks. | Medium | To be reviewed | To be documented | Network / Systems Engineer | Assessment Needed | NIST, ISO 27001, SOC 2 | Quarterly | Accurate time synchronization is important for logging, investigation, and compliance evidence. |
| Virtualization | VMware, Hyper-V, hypervisors, virtual networks | Scan hypervisors, management consoles, virtual switches, templates, snapshots, patches, admin access, and exposed management interfaces. | Validate hypervisor patching, restricted management, backup coverage, and segmentation of management networks. | Exposed management consoles, old hypervisors, weak admin controls, unmanaged snapshots, poor isolation. | Hypervisor reports, patch logs, admin roles, virtual network configs, backup records. | High | Virtualization compromise can affect many systems at once. | High | To be reviewed | To be documented | Infrastructure Engineer | Assessment Needed | NIST, SOC 2, ISO 27001 | Monthly or quarterly | Virtualization management should be isolated and strongly authenticated. |
| Containers | Docker, Kubernetes, container registries | Scan container images, base images, exposed ports, secrets, Kubernetes API, RBAC, network policies, and registry permissions. | Validate image scanning, deployment controls, least privilege, runtime monitoring, and secrets management. | Vulnerable images, exposed Kubernetes API, hardcoded secrets, privileged containers, weak RBAC. | Image scan reports, cluster configs, RBAC exports, registry logs, deployment manifests. | High | Container weaknesses can expose applications, secrets, and cloud infrastructure. | High | To be reviewed | To be documented | DevOps / Cloud Security | Assessment Needed | NIST, SOC 2, ISO 27001 | Continuous or per release | Container scanning should be integrated into CI/CD pipelines. |
| Secrets Management | Passwords, API keys, tokens, certificates, keys | Scan repositories, configuration files, scripts, endpoints, cloud resources, and applications for exposed secrets and weak key storage. | Validate secrets are stored in approved vaults, rotated, access-controlled, and not hardcoded. | Hardcoded passwords, exposed API keys, unrotated secrets, shared credentials, weak vault access. | Secret scan reports, vault access logs, code repository scans, key rotation records. | Critical | Exposed secrets can allow direct unauthorized access to systems and data. | Critical | To be reviewed | To be documented | Security / DevOps | Assessment Needed | NIST, SOC 2, ISO 27001, PCI DSS | Continuous or monthly | Secrets should never be stored in public repositories, scripts, or shared documents. |
| Data Loss Prevention | DLP, sensitive data handling, classification | Assess DLP coverage for email, endpoints, cloud storage, file sharing, removable media, and sensitive data movement. | Validate data classification, DLP rules, alert review, exception handling, and response workflow. | Sensitive data in public shares, weak DLP policies, ignored alerts, no classification process. | DLP reports, classification policies, cloud sharing reports, endpoint DLP events. | High | Weak DLP can lead to unauthorized disclosure of regulated or confidential data. | High | To be reviewed | To be documented | Compliance / Security | Assessment Needed | HIPAA, PCI DSS, SOC 2, ISO 27001 | Quarterly | DLP should align with data classification and privacy requirements. |
| Physical Security | Server rooms, network closets, devices, environmental controls | Review access controls, visitor logs, camera coverage, server room access, environmental monitoring, and network closet protection. | Validate access logs, authorized personnel, badge controls, and physical safeguards for critical equipment. | Unlocked closets, poor visitor control, exposed network ports, no environmental alerts, weak access logs. | Access logs, visitor logs, CCTV policy, environmental monitoring records, physical security procedures. | Medium | Physical access can bypass many technical controls. | Medium | To be reviewed | To be documented | Facilities / IT | Assessment Needed | HIPAA, PCI DSS, ISO 27001, SOC 2 | Annual or semiannual | Physical safeguards should be included in security audit evidence. |
| Compliance Evidence | PCI DSS, HIPAA, SOC 2, ISO 27001, NIST, CMMC | Map vulnerability scanning, remediation, patching, access reviews, logging, and risk management evidence to compliance requirements. | Validate that evidence is current, complete, repeatable, and tied to actual security controls. | Missing evidence, outdated reports, unsupported exceptions, lack of remediation proof, poor audit trail. | Audit reports, compliance matrices, scan reports, remediation records, access reviews, risk register. | High | Weak evidence can lead to audit findings even when controls exist. | High | To be reviewed | To be documented | Compliance Manager | Assessment Needed | PCI DSS, HIPAA, SOC 2, ISO 27001, NIST, CMMC | Quarterly and before audits | Evidence should show both findings and verified remediation activity. |
| Risk Register | Risk tracking, exceptions, accepted risk | Review whether scan findings are transferred into risk tracking, assigned to owners, prioritized, remediated, or formally accepted. | Validate risk acceptance approvals, expiration dates, compensating controls, and executive visibility. | Untracked findings, expired exceptions, missing owners, accepted risks without controls, poor reporting. | Risk register, exception logs, remediation tickets, management reports, acceptance approvals. | High | Unmanaged vulnerabilities can remain open indefinitely and increase organizational exposure. | High | To be reviewed | To be documented | Risk Manager / CISO | Assessment Needed | NIST, ISO 27001, SOC 2, HIPAA | Monthly | Risk tracking connects vulnerability scanning to management accountability. |
| Remediation Tracking | Tickets, owners, SLAs, verification | Review whether vulnerabilities are assigned, tracked, prioritized, remediated, rescanned, and closed with evidence. | Validate remediation dates, closure evidence, SLA compliance, and recurring vulnerabilities. | No owner, delayed remediation, repeated findings, false closure, lack of rescan validation. | Ticketing system, scan reports, rescan results, patch reports, closure evidence. | Critical | Finding vulnerabilities without remediation does not reduce risk. | Critical | To be reviewed | To be documented | IT Operations / Security | Assessment Needed | PCI DSS, HIPAA, NIST, SOC 2, ISO 27001 | Weekly or monthly | Critical and high-risk findings should have defined remediation SLAs. |
| Continuous Vulnerability Management | Ongoing scanning and security improvement | Assess recurring scan schedules, asset coverage, remediation workflow, dashboards, executive reporting, risk acceptance, and trend analysis. | Validate vulnerability management is continuous, measurable, and tied to business risk reduction. | One-time scans only, no trends, no ownership, no SLA tracking, no executive visibility. | Vulnerability dashboards, scan schedules, trend reports, remediation metrics, risk reports. | High | Without an ongoing program, vulnerabilities return and security posture declines. | High | To be reviewed | To be documented | CISO / Security Program Owner | Assessment Needed | NIST, ISO 27001, SOC 2, PCI DSS | Continuous | Vulnerability management should combine scanning, prioritization, remediation, reporting, and governance. |
OC Security Audit
Get professional cybersecurity guidance from local Orange County experts. We help businesses with security audits, compliance, risk assessments, and practical protection strategies.