Nessus policies

Within the Nessus application, there are many existing policies for various purposes, and new ones are added to the database quite often. Nessus policies are the parameters that control the technical aspects of a scan on a target system. To elaborate further, the technical aspects of a scan may include the number of host devices to scan, the port numbers and services, protocol type (TCP, UDP, and ICMP), the type of port scanner, and so on.

Nessus policies also allow the use of credentials (usernames and passwords) for local scanning on Windows-based operating systems, database applications such as Oracle platforms, and other application-layer protocols such as FTP, POP, and HTTP.

There are preinstalled policies that help security practitioners to perform compliance auditing on systems. An example is checking whether a network that handles payment card transactions is vulnerable, using an internal PCI network scan. This policy would check for any vulnerability according to the Payment Card Industry Data Security Standard (PCI DSS).

Nessus policies also support scanning Windows operating systems for malware infections by comparing the hash checksums of files on a target system against lists of both known-good and known-malicious files. This policy is quite handy when determining the number of hosts infected with a type of malware on the network.
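The hash-comparison idea described above, as an added Python sketch that is not taken from the book and is not Nessus's own implementation. The use of SHA-256, the hash lists, the host addresses, the file paths and the family label are all constructed assumptions.

```python
import hashlib
from collections import defaultdict

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data: byte strings stand in for real binaries.
GOOD_FILE = b"constructed-known-good-binary"
BAD_FILE = b"constructed-malware-sample"
OTHER_FILE = b"constructed-unlisted-binary"

# Hypothetical hash lists; the known-bad list maps hash -> family label.
KNOWN_GOOD = {sha256(GOOD_FILE)}
KNOWN_BAD = {sha256(BAD_FILE): "ExampleFamily"}

# Constructed per-host file inventory: host -> [(path, content), ...]
INVENTORY = {
    "10.0.0.11": [(r"C:\Windows\notepad.exe", GOOD_FILE),
                  (r"C:\Users\a\x.exe", BAD_FILE)],
    "10.0.0.12": [(r"C:\Windows\notepad.exe", GOOD_FILE),
                  (r"C:\Temp\tool.exe", OTHER_FILE)],
    "10.0.0.13": [(r"C:\ProgramData\y.exe", BAD_FILE)],
}

def classify(content: bytes):
    """Return (verdict, family). The known-bad list is checked first so a
    hash present on both lists is still reported as malicious."""
    digest = sha256(content)
    if digest in KNOWN_BAD:
        return "malicious", KNOWN_BAD[digest]
    if digest in KNOWN_GOOD:
        return "known-good", None
    return "unknown", None  # on neither list: not proven clean

def scan(inventory):
    """Classify every file and group infected hosts by malware family."""
    findings = defaultdict(list)
    infected = defaultdict(set)
    for host, files in inventory.items():
        for path, content in files:
            verdict, family = classify(content)
            findings[host].append((path, verdict))
            if family:
                infected[family].add(host)
    return dict(findings), {f: sorted(h) for f, h in infected.items()}

if __name__ == "__main__":
    _, infected = scan(INVENTORY)
    for family, hosts in infected.items():
        print(f"{family}: {len(hosts)} infected host(s): {', '.join(hosts)}")
```

A file whose hash is on neither list comes back as "unknown" rather than clean, and changing a single byte of a known-malicious file changes its hash, so a hash match confirms a known sample but a miss does not rule out infection.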

To get started with policies on Nessus, ensure you are currently logged in to Nessus. On the left pane, click on Policies. The following screenshot shows the currently available policies within the home edition of Nessus. However, if you would like to unlock the other plugins and policies, you'll need to acquire the professional edition:

As mentioned before, a policy contains predefined configurations for scanning a target in search of specific vulnerabilities and to ensure a system meets the compliance standard. However, as a security professional, you will need to customize your own scanning policies to perform vulnerability assessments on various types of systems.
