After a significant network change, which statement is true about scanning?

Multiple Choice

After a significant network change, which statement is true about scanning?

Explanation:
After significant network changes, vulnerability scanning must cover both internal and external surfaces and be carried out by qualified personnel. This ensures any new weaknesses introduced by the changes are detected before they can be exploited. External scanning must be performed by an Approved Scanning Vendor (ASV), while internal scanning should be conducted by individuals with the appropriate qualifications and expertise. This combination keeps both external exposure and internal network risk in check after changes.

Options that say scans are optional, that only internal scans are needed, or that rescans aren’t needed miss the requirement to verify security after changes and to confirm remediation, which is why they do not fit.
