Suitable time frame and testing hours

Some security compliance standards require periodic vulnerability assessments of the infrastructure in scope. For example, PCI DSS requires a half-yearly vulnerability assessment for business-critical assets and a yearly one for noncritical assets that fall within the scope of the PCI DSS certification.

The tester and customer need to keep such compliance-driven requirements in mind while preparing the assessment schedule. At the same time, it is always worth taking into account ongoing and critical changes in the environment that is part of the assessment scope. If the time frame enforced by the compliance standard permits it, the assessment is best performed after the critical changes are complete, which gives a longer-lasting view of the current security posture.

Another interesting part of scheduling and planning a vulnerability assessment is testing hours. Vulnerability assessments are usually performed with automated scanning profiles, which generate a lot of network traffic (requests and responses per port, per host/asset) and may also consume considerable resources on the assets/hosts being scanned. In rare cases a given asset/host stops responding altogether, effectively entering a denial of service (DoS) state or a fully closed state. This can happen to a business-critical system as well. Now imagine a business-critical system/service not responding to any requests during peak business hours: the outage can spread to other services and a broader user population, leading to loss of data, reputation, and revenue, and recovering and restoring business functions in such a chaotic scenario is a challenge in itself. Hence, performing vulnerability assessments outside business hours is always recommended. The advantages of doing so are:

  • No extra overhead over the network as there is no usual business/legitimate traffic
  • Automated scans finishing in comparatively less time as more network bandwidth is available
  • Implications of vulnerability assessments, if any, can be observed quickly as network traffic is already reduced
  • Impact and side effects can be treated (restoration/recovery) with ease, as the risk of business, revenue, and reputation loss is minimized to acceptable limits

There can be exceptions to this approach where the tester needs to run assessments in business hours as well. One such scenario is assessing user workstations for vulnerabilities: as user workstations are available only during peak business hours, that network segment, and only that segment, should be scanned in business hours.

To sum up, the outcome of this phase is:

  • Business and compliance needs for conducting the vulnerability assessment
  • The time frame for conducting the vulnerability assessment (may be enforced by some security compliance)
  • Business hours and nonbusiness hours
  • Testing hours for critical assets and noncritical assets
  • Testing hours for end-user workstation list with respective IPs
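As an added example (not part of the original text), the following Python script turns the outcomes of this phase into a schedule check: it flags assets whose compliance cadence has elapsed and verifies that each proposed scan slot respects the testing-hours rule (servers outside business hours, workstations inside). The business hours, the cadence values in days, and the asset inventory are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, time, timedelta

# Cadence from the text: half-yearly for critical, yearly for noncritical assets.
CADENCE_DAYS = {"critical": 182, "noncritical": 365}
# Business hours are an assumption for this example; use the customer's real ones.
BUSINESS_START, BUSINESS_END = time(9, 0), time(18, 0)

@dataclass
class Asset:
    ip: str
    criticality: str      # "critical" or "noncritical"
    kind: str             # "server" or "workstation"
    last_assessed: date

def assessment_due(asset: Asset, today: date) -> bool:
    """True once the compliance interval for the asset's criticality has elapsed."""
    return today - asset.last_assessed >= timedelta(days=CADENCE_DAYS[asset.criticality])

def window_allowed(asset: Asset, start: time) -> bool:
    """Workstations are online only in business hours, so they are scanned then;
    everything else is scanned outside business hours to limit DoS impact."""
    in_hours = BUSINESS_START <= start < BUSINESS_END
    return in_hours if asset.kind == "workstation" else not in_hours

def plan(assets, proposed, today):
    """proposed maps ip -> scan start time. Returns (ips to scan, problems)."""
    to_scan, problems = [], []
    for a in assets:
        if not assessment_due(a, today):
            continue                      # still inside its compliance window
        start = proposed.get(a.ip)
        if start is None:
            problems.append(f"{a.ip}: due but not scheduled")
        elif not window_allowed(a, start):
            problems.append(f"{a.ip}: {a.kind} at {start} violates testing-hours rule")
        else:
            to_scan.append(a.ip)
    return to_scan, problems

# Constructed sample inventory and proposed schedule (not real assets).
ASSETS = [
    Asset("10.0.0.10", "critical", "server", date(2024, 1, 15)),
    Asset("10.0.0.20", "critical", "server", date(2024, 1, 1)),
    Asset("10.0.0.30", "noncritical", "server", date(2024, 3, 1)),
    Asset("10.0.1.50", "noncritical", "workstation", date(2023, 6, 1)),
]
PROPOSED = {"10.0.0.10": time(23, 0), "10.0.0.20": time(10, 0),
            "10.0.0.30": time(23, 30), "10.0.1.50": time(11, 0)}
TODAY = date(2024, 8, 1)
```

Running `plan(ASSETS, PROPOSED, TODAY)` approves the two due assets with valid slots, skips the noncritical server that is still within its yearly window, and reports the critical server wrongly scheduled at 10:00.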