General Approach to Creating the Report
- Analyze the data collected during the security assessment to identify relevant issues.
- Prioritize your risks and observations; formulate remediation steps.
- Document the sections of the report detailing the assessment methodology and scope.
- Document the sections of the report describing your findings and recommendations.
- Attach relevant figures and raw data to support the main body of the report.
- Create the executive summary to highlight the key findings and recommendations.
- Proof-read and edit the document.
- Consider submitting the report's draft to weed out false positives and confirm expectations.
- Submit the final report to the intended recipient using the agreed-upon secure transfer mechanism.
- Discuss the report's contents with the recipient on the phone or in person.
Analysis of the Security Assessment Data
Assessment Methodology Documentation
Scope of the Security Assessment
Prioritize findings related to security risks.
Provide a practical remediation path, accounting for the organization’s strengths and weaknesses.
Qualities of a Good Assessment Report
- Starts with a strong executive summary that a non-technical reader can understand
- Provides meaningful analysis, rather than merely presenting the output of assessment tools
- Includes figures to support the analysis
- Describes assessment methodology and scope
- Looks professional and is without typos
- Offers remediation guidance beyond merely pointing out security problems
- Is structured in logical sections to accommodate the different groups who'll read and act upon it