Voted Best Answer
Jan 04, 2016 - 01:21 AM
Best practice in my mind is to strive for 90% of client devices scanned (s/w installed and in-use) every 30 days. For servers and virtual hosts it should be close to 100% every 30 days, given the financial risk of making a mistake with over-deploying enterprise software.
If you are asked for any information by 3rd parties you'll want to provide the minimum they need to carry out their support of your systems.
If it's an audit, the data requests typically float between 30 and 90 days depending on the vendor in question and the auditor, but this is where your negotiation starts with the auditor.
Where Active Directory (AD) is the source requested, 30-45 days is acceptable. Where greater than 45 days, push back. Ask them to specify the clause in the contract that supports the request, and reject any argument where they say it's implied under license reassignment (typically 90 days).
For Enterprise Software there are many sources they might request (port scans, ILMT report, LAW report, backup logs, etc.) and in most cases they'll want to go back 12-18 months. Again, this is negotiable, especially if it's a significant burden to collect the requested data.