Contracting experts to perform security scans on your network
is a must and should be done at least annually. However, you
should also maintain the ability to perform your own security
audits on a least a quarterly basis. Any time a change is
made to an operating system, application, server, or part
of your infrastructure, a focused audit should be performed
to insure the configuration change did not introduce any new
security issues. As anyone who has run an audit will tell
you, the value of the tool is in the methodology it utilizes
to create the report. No one has time to sift through a ream
of paper looking for the needle in the proverbial haystack.
Pick your tool carefully.