This is it; this section is where you should clearly state your conclusions. Although this is certainly the place to list what's wrong and what needs to be fixed, you'll also want to discuss what works and what is being done right. What are your findings and what is the organization's overall level of security? You will be making the conclusions; however, it will be up to those responsible for the systems to determine what to implement. Because money is always an issue, you should recommend several options. If the best solution isn't feasible because of the budget, the organization can implement other stop-gap solutions to improve the situation from its current state.
Tip
If necessary, include an appendix that lists the tests that were performed and their results. If that is a large amount of detailed data, you may want to only reference it here and supply the details on a CD that contains the original data files.