Good communication is important when it comes to improving information security in your organization or for your clients. Outside of security policies and plans, your information security assessment reports will likely be the most critical documents you'll develop in your security career.
In the overall ethical hacking process, reporting on your results is as important as getting permission before you start and planning your testing properly. A solid security assessment report that outlines what you discovered, along with prioritized recommendations on what to do about your findings, is essential to make sure things get done and security risks are minimized.
The good thing is that you don't have to be an English scholar or top-notch technical writer to make sure your security assessment reports are effective. In fact, the process of sifting through all your test results is arguably the hardest part of performing information security assessments. Being able to differentiate between the vulnerabilities that are urgent and important and all the others that don't really matter in the context of your business is a critical skill that will come with time and training.
It's all in how you present it
Once you pull your results together and determine which security weaknesses need attention, include the following components. They make up a good technical vulnerability assessment report, which will make your work stand out and increase the chances of something being done about the issues at hand.
Here are the six elements of a good report:
Take your reports seriously
If you're at a place where you're formally documenting your vulnerability findings, you're likely taking things seriously and know it's the professional thing to do. First of all, good security assessment reports are good for you: They'll CYA in case something happens in the future to at least show you've been taking security testing seriously. It's also good for your clients' records and your marketing and business development teams when clients and business partners ask to see the latest security assessment report. Finally, it's good for compliance and IT governance because most laws and regulations require ongoing testing and good documentation. Solid security reports are your organization's way to show that ongoing security testing has been taking place when the auditors or regulators ask to see them.
Remember to handle your security assessment reports like the confidential documents they are. If a security assessment report -- or any supporting test data -- were to fall into the wrong hands, it could spell bad news for you and your organization. Think of all the information such a report might contain, like what's hackable and here's how to hack it.
Store the reports and supporting data in a safe place on your server, local hard drive or removable media, and always assume that the worst could happen. This highlights the importance of good physical security (especially for hard copy versions of your reports) and drive encryption to keep prying eyes away. The same goes for when you email your reports. At the very least, zip them with a strong passphrase or create a PGP self-decrypting archive to keep them protected.
About the author: Kevin Beaver is an independent information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. He has more than 19 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He's also the creator of the Security On Wheels audiobook series. Kevin can be reached at kbeaver@principlelogic.com.