Quarterly external-attack-surface review
Demonstrate that the organization systematically identifies, catalogs, and assesses all internet-facing assets on a quarterly basis, and takes timely action to remediate unauthorized or vulnerable exposures.
Description
What this control does
This control requires the organization to conduct a structured review of its external attack surface at least once per quarter. The review identifies all internet-facing assets (web applications, APIs, cloud services, IP ranges, domains, subdomains, certificates, and third-party integrations), maps them to business owners, assesses their exposure and security posture, and compares findings against the previous quarter to detect drift or shadow IT. The output drives remediation of unauthorized exposures, misconfigurations, and expired assets, reducing the organization's exploitable footprint visible to external adversaries.
Control objective
What auditing this proves
Demonstrate that the organization systematically identifies, catalogs, and assesses all internet-facing assets on a quarterly basis, and takes timely action to remediate unauthorized or vulnerable exposures.
Associated risks
Risks this control addresses
- Unmonitored or forgotten internet-facing assets (shadow IT, orphaned cloud instances, forgotten subdomains) provide adversaries with undefended entry points
- Externally accessible services with known vulnerabilities, weak configurations, or expired TLS certificates enable remote exploitation
- Undocumented third-party integrations or APIs with excessive permissions expose sensitive data or business logic to unauthorized access
- Absence of asset ownership or security accountability allows misconfigurations to persist undetected across quarters
- Failure to detect changes in external footprint (new acquisitions, deployments, or decommissioned services) causes gaps in monitoring and patch management
- Publicly exposed administrative interfaces, staging environments, or debug endpoints leak credentials or permit unauthorized administrative access
- Untracked DNS records, expired domains, or subdomain takeovers enable phishing campaigns or man-in-the-middle attacks impersonating the organization
Testing procedure
How an auditor verifies this control
- Obtain the asset inventory reports and attack surface review documentation from the most recent four quarters
- Verify that each quarterly review was completed within the required 90-day interval by examining report timestamps and approval dates
- Review the methodology used for discovery, confirming it includes automated scanning (e.g., attack surface management (ASM) tools, DNS enumeration, certificate transparency logs, cloud inventory APIs) and does not rely solely on self-reported asset lists
- Select a sample of 10-15 internet-facing assets from the most recent review and independently verify their existence and classification using open-source reconnaissance (DNS lookup, port scans, certificate queries, Shodan or similar)
- Cross-reference the current quarter's asset inventory against the prior quarter's inventory to confirm the review identified newly added, modified, or decommissioned assets and flagged discrepancies
- Examine findings from the most recent review for identified vulnerabilities, misconfigurations, or unauthorized exposures, and trace each to a remediation ticket or risk acceptance record with assigned ownership and due dates
- Interview the security team responsible for the review to confirm business unit owners are notified of assets attributed to them and participate in validating asset legitimacy
- Review evidence that senior management or a governance committee receives a summary of quarterly attack surface findings, trends, and remediation status
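The quarter-over-quarter comparison and the findings triage described above can be scripted so the auditor's sample check and the security team's review use the same logic. The following is an added example, not part of this control page or any named tool: it diffs two constructed quarterly inventories (hypothetical hosts under example.com, invented owners, ports and certificate dates), reports added, removed and changed assets, and flags assets with no business owner or an expired or soon-to-expire TLS certificate relative to the review date. Field names (`host`, `owner`, `ports`, `cert_expiry`) are assumptions chosen for the example.

```python
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample inventories for illustration only (hypothetical hosts and owners).
PREVIOUS_QUARTER: List[Dict] = [
    {"host": "www.example.com", "owner": "web-team", "ports": [443], "cert_expiry": "2025-03-01"},
    {"host": "api.example.com", "owner": "platform", "ports": [443], "cert_expiry": "2025-06-15"},
    {"host": "legacy.example.com", "owner": "finance", "ports": [443, 22], "cert_expiry": "2024-11-30"},
]
CURRENT_QUARTER: List[Dict] = [
    {"host": "www.example.com", "owner": "web-team", "ports": [443], "cert_expiry": "2025-03-01"},
    {"host": "api.example.com", "owner": "platform", "ports": [443, 8080], "cert_expiry": "2025-06-15"},
    {"host": "staging.example.com", "owner": "", "ports": [443], "cert_expiry": "2025-01-10"},
]
REVIEW_DATE = date(2025, 1, 15)  # constructed date of the current quarterly review
EXPIRY_WARNING_DAYS = 30         # assumed threshold for "expires soon"


def index_by_host(inventory: List[Dict]) -> Dict[str, Dict]:
    """Key an inventory by hostname so the two quarters can be compared directly."""
    return {asset["host"]: asset for asset in inventory}


def diff_inventories(previous: List[Dict], current: List[Dict]) -> Dict:
    """Return added, removed and changed assets between two quarterly inventories.

    'changed' records, per host, every tracked field whose value moved, as
    (before, after) pairs, so a newly exposed port or an owner change is visible.
    """
    prev, curr = index_by_host(previous), index_by_host(current)
    added = sorted(set(curr) - set(prev))
    removed = sorted(set(prev) - set(curr))
    changed: Dict[str, Dict[str, Tuple]] = {}
    for host in sorted(set(prev) & set(curr)):
        delta = {}
        for field in ("owner", "ports", "cert_expiry"):
            if prev[host][field] != curr[host][field]:
                delta[field] = (prev[host][field], curr[host][field])
        if delta:
            changed[host] = delta
    return {"added": added, "removed": removed, "changed": changed}


def flag_findings(current: List[Dict], review_date: date) -> List[Tuple[str, str]]:
    """Flag assets lacking an owner or carrying an expired / soon-expiring certificate."""
    findings: List[Tuple[str, str]] = []
    for asset in current:
        host = asset["host"]
        if not asset["owner"]:
            findings.append((host, "no business owner assigned"))
        expiry = date.fromisoformat(asset["cert_expiry"])
        days_left = (expiry - review_date).days
        if days_left < 0:
            findings.append((host, f"TLS certificate expired on {expiry.isoformat()}"))
        elif days_left <= EXPIRY_WARNING_DAYS:
            findings.append((host, f"TLS certificate expires in {days_left} days"))
    return findings


def quarterly_report(previous: List[Dict], current: List[Dict], review_date: date) -> str:
    """Render the drift and findings as plain text for the review record."""
    drift = diff_inventories(previous, current)
    lines = [f"External attack surface review as of {review_date.isoformat()}"]
    lines += [f"  added:   {h}" for h in drift["added"]]
    lines += [f"  removed: {h}" for h in drift["removed"]]
    for host, delta in drift["changed"].items():
        for field, (before, after) in delta.items():
            lines.append(f"  changed: {host} {field} {before} -> {after}")
    for host, issue in flag_findings(current, review_date):
        lines.append(f"  finding: {host}: {issue}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(quarterly_report(PREVIOUS_QUARTER, CURRENT_QUARTER, REVIEW_DATE))
```

Every entry in `added`, `removed` and `changed` maps to a line item the reviewer must explain (new deployment, decommission, or unexpected exposure), and every finding should end up in a remediation ticket or a risk acceptance record with an owner and a due date, which is what the auditor traces in the testing procedure.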
Where this control is tested