This cheat sheet presents recommendations for creating a strong report as part of an information security assessment project. To print, use the one-sheet PDF version; you can also edit the Word version for you own needs.
Your analysis should provide value beyond regurgitating the data already in existence.
Consider what information provided to you is incomplete or might be a lie or half-truth.
Group initial findings based on affected resources, risk, issue category, etc. to look for patterns.
Identify for trends that highlight the existence of underlying problems that affect security.
If examining scanner output, consider exploring the data using spreadsheets and pivot tables.
Fill in the gaps in your understanding with follow-up scans, document requests and/or interviews.
Involve colleagues in your analysis to obtain other peopleís perspectives on the data and conclusions.
Document the methodology used to perform the assessment, analyze data and prioritize findings.
The methodology's description need to demonstrate a systemic and well-reasoned assessment approach.
Clarify the type of the assessment performed: penetration test, vulnerability assessment, etc.
If applicable, explain what security assessment tools were used and how they were configured.
If applicable, describe what approach guided the questions you asked during interviews.
Describe the criteria used to assign severity or criticality levels to the findings of the assessment.
Refer to the relevant frameworks you used to guide the assessment efforts (PCI DSS, ISO 27001, etc.).
Specify what systems, networks and/or applications were reviewed as part of the security assessment.
State what documentation was reviewed if any.
List the people whom you interviewed, if any.
Clarify the primary goals of the assessment project.
Discuss what contractual obligations or regulatory requirements were accounted for in the assessment.
Document any items that were specifically excluded from the assessment's scope and explain why.
Include both negative and positive findings.
Account for organization's industry, business model and compliance requirements where appropriate.
Stay consistent with the methodology and scope.
Prioritize findings related to security risks.
Provide practical remediation path, accounting for the organizationís strengths and weaknesses.
Create templates based on prior reports, so you don't have to write every document from scratch.
Safeguard (encrypt) the report when storing and sending it, since its contents are probably sensitive.
Use concrete statements; avoid passive voice.
Explain the significance of the security findings in the context of current threats and events.
Put effort into making the report as brief as possible without omitting important and relevant contents.
This cheat sheet is distributed according to the Creative Commons v3 "Attribution" License. File version 1.0.
Take a look at my other security cheat sheets.
Authored by Lenny Zeltser. Lenny is a seasoned business and tech leader with extensive experience in information technology and security. His areas of expertise include incident response, cloud services and product management. Lenny focuses on safeguarding customers' IT operations at NCR Corporation. He also teaches digital forensics and anti-malware courses at SANS Institute. Lenny frequently speaks at conferences, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania. You can follow Lenny on Twitter, read his blog and circle him on Google+.
Copyright © 1995-2013 Lenny Zeltser. All rights reserved. RSS Feed.
The information on this site does not necessarily represent positions or opinions of my employer.