thorough report with the following key pieces of information to help your organization quantify overall IT security risk and how to prioritize mitigation steps.

• A written inventory of current externally accessible server and network vulnerabilities
• A validation of the effectiveness of existing external network security infrastructure
• A prioritized list of recommendations for mitigating risks, including cost and effort
• Increased awareness to support security training, hardware, or software expenditure

How often should scans be performed?
While a one-time external scan is a great place to start if your organization has never engaged in this type of audit, many organizations decide to implement a monthly or quarterly scan­ning schedule in order to proactively detect vulnerabilities and promote security awareness in their IT departments.

By scanning regularly, organizations that are required to comply with federal regulations such as HIPAA and Sarbanes-Oxley can keep up with vigilance requirements and mitigate violations before they evolve into costly incidents. While keeping an organization 100% secure is impossible, knowing your organization's security vulnerabilities is the first step toward achieving this goal.

External vulnerability scanning sounds important! How do I do it?
There are freely available tools you can use to perform scans yourself. The most popular tools are nmap (www.nmap.org) and nessus (www.nessus.org). In order to pro-vide an objective view of your network, these tools need to be run from some other location on the Internet, external to your organization. The data they provide can be confus­ing and overwhelming, so make sure that the person inter­preting the data has experience with the tools, can quantify risks in the context of your organization, and make practical mitigation recommendations.

If you'd like expert help with external vulnerability scanning, contact Applied Trust at (303) 245-4545 (or visit us online at www.atrust.com).