
Six steps to a great information security risk assessment report

Reporting the results of a risk assessment can be tricky. One wrong step can dilute all your hard work. Here are six steps in the right direction.

Security solution providers perform a valuable service for their customers by assessing their network and system security. But conducting the assessment is often the easy part.

Your work is of little value if your assessment results report does not convince the customer to act on your recommendations. You must write and present your customer with an information security risk assessment report that is understandable and acceptable to both technical staff and management.

This tip offers six steps to help you deliver valuable results to your customer, results that will make them contact you for reassessments in the future.

1.  Provide more than one report: You’ll need to write a detailed technical report for your customer’s technical staff and an overview report for your customer’s management staff. You also need to deliver two corresponding presentations along with the reports.

2.  Deliver your assessment results to the technical staff before the management staff: Give a presentation covering the major points at the same time you deliver the more detailed, written security risk assessment report. To ease acceptance of your message, begin the presentation and the report by focusing on the positive areas where the proper steps are being taken for security. If you begin by listing the problems you have uncovered, you will build up resistance.


Then move on to describe the problems you’ve identified. Emphasize that the problems were discovered because you are dedicated to keeping up to date on the latest security issues, such as the latest hacker techniques or changes to PCI and HIPAA. Explain that you were consulted because of this expertise and you understand the customer’s technical staff does not have the time or resources to find subtle security gaps and follow the latest hacker developments.

3.  In the technical presentation and report, prioritize items by severity and time to repair: Some issues must be dealt with right away; e.g., a failure to follow HIPAA regulations can result in an expensive lawsuit. Other problems can be dealt with quickly, such as a firewall configuration error that can be fixed with a few typed commands. Encourage the technical staff to immediately address both the problems that are quick to fix and those that present the greatest risk.

4.  Schedule a management presentation shortly after your presentation to the technical staff: Don’t present to management first. You will depend on the technical staff to implement the changes; don’t blindside them by going to management first. Just be sure to set the schedule for the management presentation before giving the technical presentation. Management should not hear that the results were given to the technical staff without knowing the time and date when they will receive their own presentation and report.

5.  Offer separate, customized reports for management and technical staff: The management presentation should contain less detail than the technical presentation and report. Again, begin with the positives. Follow with the types of problems you’ve found, but don’t elaborate on the details. Management must understand the key issues, the types of attacks that may occur if no action is taken and the implications. Emphasize the areas where management can assist; e.g., hiring additional staff with specialized skills, providing staff training in specialized areas (such as how to avoid coding practices that open vulnerabilities), implementing new software tools or conducting periodic Web penetration tests.

6.  Place a financial value on the recommendations you are making: In your reports to both the technical staff and management, be sure to stress the costs -- financial and reputational -- that could be incurred as a result of a publicized security breach.

In many cases, your information security risk assessment report will contain bad news; e.g., the customer’s network is extremely vulnerable to attack or has already been attacked. Be ready to change your approach in the unlikely case that the bad news is due to incompetence of the technical management or the staff as a whole.

There is no point in presenting a detailed report to a staff unable to carry out the recommendations. If you plan to recommend replacing the technical department manager, the best approach may be to first approach his/her manager one-on-one rather than standing in front of a group of technical staff or management and recommending an individual be terminated. Similarly, if the problem is understaffing or budget constraints, you may want to go to management first.

Systems and networks change. New equipment and new software can bring new vulnerabilities. A one-time assessment will not catch future problems. Periodic assessments are necessary, and only a dedicated security specialist can provide the level of service required. If you’ve provided a thorough, thoughtful and sensitive report and presentation to your customer’s technical and management staff, it is very likely they will hire you to return for periodic reassessments in the future.

About the author:
David B. Jacobs of The Jacobs Group has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.
