My view on the pen testing/vulnerability assessment reports is that the response to them seems to be pretty reactive, i.e. the internal IT team addresses the findings as and when they are made aware of them, aka security firefighting. My personal theory is that for every vulnerability found there is a root cause/lack of security procedure as to why this vulnerability was evident in the network. Rather than have the pen testers come in 12 months later and scan all the new servers and find the exact same types of vulnerability again and again and again, I feel strategically we should look at how these issues came to be, and how we can prevent them from occurring again: preventative measures, or failing that detective measures to find them ourselves on a regular basis.

Are there any useful best practice guides for internal security/IT teams that can prevent 99% of the security issues a 3rd party would find through effective security standards and maintenance/monitoring? Sort of a root cause for each type of vulnerability/security weakness, and some strategic best practices on how to prevent them ever happening again, i.e. the security standards, and the pro-active maintenance and monitoring tasks required to keep your network vulnerability free. I don't really know how to phrase what this kind of checklist would be, so any guidance is most welcome.