Building the Final Report

With the analysis complete, it's now time to document the results in an official report. The final report is designed to be read by senior management. Its purpose is to help them make operational, technical, and managerial changes. The report should describe threats and vulnerabilities and provide recommendations for controls to reduce risk. The finished document should not read like an audit or investigational report, because that is not what it is. An assessment is a systematic, analytical methodology to assessing vulnerabilities. It is not looking for wrongdoing or to hold individuals accountable for specific actions.

To document your findings and propose solutions, make sure to give those who will be reading the report enough information to make a decision and take action. Writers with a traditional, scientific background often write very precisely, whereas those from other backgrounds sometimes have a more fluid style. No matter what your background is, establish a style that is concise in its approach but allows for more descriptive paragraphs when needed. The last thing you want is for your assessment to not be taken seriously because of a problem with the written report. Common documentation problems include the following:

• Information is hard to scan and grasp quickly.
• Organization is poor or cumbersome.
• Logic leading to conclusions is unclear.
• Conclusions and recommendations are not spelled out.
• Document focus is unclear.
• Sentences are poorly constructed.
• Word choice is imprecise.
• Too much jargon is used.
• Document is poorly constructed.
• Documents are too long.

Avoiding these pitfalls will help ensure that your report gets the time and consideration it deserves. You goal is to communicate effectively the knowledge and information that you have gained by performing this assessment. From a technical context, this report has two major goals:

• It clarifies your findings for the reader.
• It conveys critical information.