Although the hands-on portion of the assessment is complete, you still have a report to write. You also have data to analyze. This chapter discusses one method you can use to accomplish this. This step of the assessment is just as important as the scoping and the hands-on activities. Before you start thinking that you're going to take on this work by yourself, remember that your team can be as big an asset here as they were during the previous assessment activities.
Maybe you're thinking, "Hey, people aren't fired for being poor report writers." Maybe not, but don't expect to be promoted or praised for your technical findings if the report doesn't communicate your findings clearly. The post-assessment report should present the results of the assessment in an easily understandable and fully traceable way. The report should be comprehensive and self-contained. Because this is such an important topic, we'll spend time in this chapter discussing what should be in the final report and how you can format this document. Let's get started!