External scan reports must be generated through an ASV company. An important distinction is that the person running the scan does not have to be an employee of the ASV company. You can manage your own scans through the ASV's portal. The report will contain a page that has the ASV number associated with the company that performed the scan. If you're ever audited or have to submit your report to your acquiring bank, the auditor/bank will be looking for that number on the report. Basically, you cannot scan your own perimeter with your own copy of Nessus, generate a report, and say you're compliant. It must be done by an ASV company.
Internal scan reports can be done by anyone knowledgeable in Vulnerability Scanning/Management. It should not be managed by a person responsible for maintaining the systems being scanned, though (separation of duties).
Hope that helps.
Last edited by ziggy_567
on Mon Jan 14, 2013 11:52 am, edited 1 time in total.
eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+