Understand the boundaries of your IT digital estate and do not overstep them. Know where your network begins and ends, which devices are yours (or you support) and those that are not. Like any good neighbour, liaise with your neighbouring organisations if you are unsure.
Boundaries can occur at many levels, such as multiple network tenancy in a building, between your local network and HSCN, and between wide area networks on the same estate.
Ultimately, you should know where your responsibilities end and another organisation’s begin. Consequently, you shouldn’t scan or try to update assets that are beyond your boundary.
Under no circumstances should you scan over HSCN without consulting NHS England prior to doing so. Some vulnerability scanners (depending on how aggressively or passively they are being used) can cause a false positive by being indistinguishable from a cyber-attack, with the same tools being used by hackers.
Software cannot exist on its own
Software is installed and used on devices. The devices of interest are end user devices. So that’s PCs laptops, tablets and phones. There should be a list of the end user devices used within your organisation (such as a hardware asset database). This can use the same technology as your software assets, as it makes sense to know what software is on what end user device.
You also need to know what removable media assets (such as USB sticks) your organisation has, though it is recognised these can be more difficult to track and control.