Not all information security assessment reports are equal. Many present irrelevant details and are tedious to read. They often miss the opportunity to describe the risks and remediation approaches in a way that the assessment’s beneficiary—be it an external client or an internal group—can understand and act upon.
Even if the execution of the assessment tasks was flawless, the perceived value will be based to a large extent on the quality of the report that represents the project’s deliverable. Here is my list of 6 qualities of a good information security assessment report:
- Starts with a strong executive summary that a non-technical reader can understand. Given people’s short attention span and time limitations, there’s a good chance that most readers won’t get past the executive summary. Moreover, the executive summary is often the part of the report that is distributed internally beyond the group that commissioned the security assessment.
- Provides meaningful analysis, rather than merely presenting the output of assessment tools. The value that an experienced assessor brings is in making sense of and deriving meaning from the collected data. As a result, the report should narrate the assessor’s observations and conclusions.
- Includes supporting details that back up the analysis. Such details should be included to substantiate the findings, so that the reader can confirm that the observations are based on factual data and, in some cases, to allow the reader to replicate the discovered vulnerabilities.
- Describes assessment methodology and scope. Don’t assume that the reader will be aware of the initial discussions regarding what should be tested and how. Moreover, the report should describe the tools, approaches and techniques that the assessor employed, so that the reader can be confident in the professional and systemic approach to the project.
- Looks professional and is without typos. Though the substance of the report isn’t directly affected by the document’s look-and-feel, it’s hard for the reader to take seriously a document that looks sloppy and unprofessional. Moreover, typos distract from absorbing the text’s meaning and can offer an excuse to cast doubt on the assessor’s capabilities.
- Is structured in logical sections to accommodate the different groups who will need to read and act upon the report. Though some readers will be motivated to pay attention to the whole document, many might only care about one aspect of the assessment (e.g., application or infrastructure security). Also, the recipient might wish to distribute the report’s contents on a need-to-know basis.
Of course, there’s more to a good security assessment report than the tips I offered above. My goal was to point out the qualities that I often see missing from the reports that come across my desk. Keep these points in mind when creating a document to describe your findings and recommendations, and when evaluating a group you might engage to perform a security assessment.
This note is part of a 4-post series on creating security assessment reports. For more, see:
- Security Assessment Report as Critique, Not Criticism
- 4 Tips for a Strong Executive Summary of a Security Assessment Report
- 4 Reasons Why Security Assessment Recommendations Get Ignored
For more on the topic, see my Tips for Creating an Information Security Assessment Report Cheat Sheet.