Results Analysis and Documentation



In the last step of your assessment, you will create a final report. You will have collected a large amount of information during your test, and now is the time to analyze it to determine the overall level of security for your network and what changes are necessary to make it completely secure.

Developing your findings can be the hardest part of producing your report. You will need to look at the results of every test you performed to see what they can tell you about the security of your network. Any tests that indicate weakness need to be examined to determine what the true impact of the weakness is to your organization. You will want to use three elements to determine this impact:

  • Severity of the vulnerability

  • Criticality of the affected system(s)

  • Level of threat (how common the exploitation of the vulnerability is)

Once you've developed your individual findings, examine the whole set to see whether they share any common elements. You are looking for the root causes of problems, not the individual facts. For instance, if you discovered systems with vulnerabilities that your organization had previously eliminated, it is possible that your process for provisioning new systems on your network is at fault. If you allow systems to be installed from the original installation CDs without a process to upgrade them to the latest patches before connecting them to your network, you may reintroduce vulnerabilities you have previously fixed. This type of information can be invaluable in identifying the important things that need to change to keep your network secure.
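
The following sketch is an added example, not part of the original chapter. It ranks findings by the three impact elements and flags previously eliminated issues that reappear on systems provisioned after the fix, the provisioning root cause described above. The 1-to-3 ratings, the multiplicative score, and all hosts, issue names and dates are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: hosts, issue names, dates and 1-3 ratings are illustrative.
PREVIOUSLY_ELIMINATED = {"unpatched-web-server": date(2023, 3, 1)}  # issue -> date fixed
FINDINGS = [
    # (host, provisioned, issue, severity, criticality, threat)
    ("web03", date(2023, 9, 12), "unpatched-web-server", 3, 3, 3),
    ("web04", date(2023, 10, 2), "unpatched-web-server", 3, 2, 3),
    ("db01", date(2021, 5, 20), "default-admin-password", 3, 3, 2),
    ("print02", date(2022, 1, 8), "open-snmp-community", 2, 1, 2),
    ("modem01", date(2020, 7, 30), "unauthenticated-dial-in", 3, 2, 1),
]

def impact(finding):
    """Assumed scoring: product of the three elements, each rated 1 (low) to 3 (high)."""
    _, _, _, severity, criticality, threat = finding
    return severity * criticality * threat

def prioritize(findings):
    """Order findings for the 'findings prioritized by risk' section of the report."""
    return sorted(findings, key=lambda f: (-impact(f), f[0]))

def reintroduced(findings, eliminated):
    """Group hosts by issue where a previously eliminated issue appears on a system
    provisioned after the fix date: a hint that provisioning is the root cause."""
    hosts = defaultdict(list)
    for host, provisioned, issue, *_ in findings:
        fixed_on = eliminated.get(issue)
        if fixed_on and provisioned > fixed_on:
            hosts[issue].append(host)
    return dict(hosts)

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{impact(f):>2}  {f[0]:<8} {f[2]}")
    for issue, hosts in reintroduced(FINDINGS, PREVIOUSLY_ELIMINATED).items():
        print(f"root-cause candidate (provisioning): {issue} on {', '.join(hosts)}")
```
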

When you are ready to write your report, you will want to examine what formats will best convey the information you have developed. There are many report formats you can use, but most will include the following elements:

  • Executive summary: This section provides a quick overview of what was done, what the major findings were, and what impact these findings may have to the organization.

  • Introduction: This section includes a description of the tests performed and the scope of the effort.

  • Findings prioritized by risk: This section will often provide specific remediation advice for each finding.

  • Best practices: This section documents areas of the network that were particularly strong.

Keep in mind that even though it comes first in the report, the executive summary should be written after the rest of the report is finished. Doing it any other way may cause you to unintentionally skew your results to keep them consistent with the executive summary you created prior to analyzing all the data.


Summary

In this chapter, we examined techniques for assessing the effectiveness of your security perimeter. You are now armed with the tools and techniques used to perform a security assessment of your environment. You can use this knowledge to find security holes in your defense perimeter and to locate vulnerable or misconfigured systems that are accessible from the Internet. You should also be prepared to test your remote access devices to keep these back channels from allowing attackers past your perimeter. We also talked about the value and danger of exploiting your discovered vulnerabilities, and finally we provided guidance on how to assemble your final report.

If you take nothing else away from this chapter, remember that security assessment requires permission! The difference between a hacker and a security professional, between illegal and legal, is authorization. Make sure you have written approval from the proper authorities before starting any type of security assessment. In addition, make sure this authorization spells out exactly what your scope is so that it is clear to everyone involved what you are and are not allowed to do. This will keep you and your organization safe as you verify the effectiveness of your security perimeter.