Vulnerability Assessment Report
Maria Sosa is depending on you, the chief information security officer at your organization, to provide her and other executive-level stakeholders with a final vulnerability assessment report. Using this template, present a thorough report with your findings and recommendations.
- Overview (introduction and purpose) (one-page report)
  - Include mission-critical aspects of current organizational processes:
    - personnel
    - physical security
    - network security
    - cybersecurity
- Scope of Work (one-page report)
  - Include identified security threats, risks, and vulnerabilities within the organization from the preliminary classification of mission-critical aspects.
  - Prepare for the assessment by creating a comprehensive list of security needs based on findings from the previous step. This list should identify threats, risks, and vulnerabilities to achieve a holistic view of the risk across the entity.
  - Combine the overview from the previous step with the list of security needs into a one-page SoW report. A Scope of Work (SoW) is a key element of any project and an important skill to learn. It should be filed as supplementary documentation for evaluating execution and for guiding progress against the milestones of a multiphase comprehensive project plan within the vulnerability assessment. The scope of work will be the first section of the final vulnerability assessment report.
- Work Breakdown Structure (spreadsheet of the details below)
  - Include key elements that need to be tested and analyzed:
    - internal threats
    - external threats
    - existing security measures
    - compliance requirements
  - Develop a comprehensive work breakdown structure (WBS). This breakdown provides more detail, so you will need to devise examples of procedures you might recommend to your organization. Some examples include a penetration test, baseline analysis, or system logging.
  - Using a spreadsheet, create the comprehensive work breakdown structure, including key elements that must be tested and analyzed. Organize the spreadsheet using the elements identified in the SoW from the previous steps and the following:
    - internal threats: personnel, policies, procedures
    - external threats: systems, connectivity, databases
    - existing security measures: software, hardware, telecommunications, cloud resources
    - compliance requirements: legal aspects (federal, state, and local), contractual demands up and down the supply chain
  - Note the security threats and vulnerabilities.
- Threats and Vulnerabilities Report (two-page report)
  - Explanation of threats and vulnerabilities
    - Explain the security threats and vulnerabilities included in the plan. In the explanations, consider relevant concepts such as the threat modeling process and third-party outsourcing issues. Include system and application security threats and vulnerabilities. Reference aspects that are not being included. Note that you would need to obtain management agreement with the initial analysis of mission-critical components to be included in the assessment. This phase includes management input into the prioritization process of all risks from internal and external sources. This information will be used in the following steps to develop the threats and vulnerabilities report.
  - Classifications of threats and vulnerabilities
    - Company demands, management input, compliance requirements, and industry probability of exploitation are all considerations when classifying the risk of threats and vulnerabilities. Based on these considerations for the midsize government contracting group, further clarify the vulnerabilities you have itemized. Explain why each is a vulnerability, as well as why that particular vulnerability is relevant to the overall assessment. Consider continuous monitoring issues as you work through the classification. Use the threat and vulnerability explanations from the previous step and risk classifications from this step to develop the threats and vulnerabilities report.
  - Prioritizations of threats and vulnerabilities
    - Now prioritize them using a reasonable approach as explained in the project plan. As you prioritize the identified threats and vulnerabilities, you will need to:
      - include both internal and external sources
      - consider assessment of exposure to outages
      - consider information resource valuation
      - indicate which approach you are using and justify your choice
    - Use this information, along with the threat and vulnerability explanations and risk classifications from the previous steps, to develop the threats and vulnerabilities report.
  - Compose a two-page report regarding specific threats and vulnerabilities of the technical aspects of the environment.
- Lessons Learned Report (two-page report)
  - Record any lessons that you have learned that may be beneficial in the future.
  - Issues that may be addressed include whether nontechnical factors should be considered during the vulnerability assessment, the point at which the assessment is complete, next steps, and any other issues that you noticed throughout.
  - Based on the work done and research accomplished, consider what you have learned so far. Build upon the findings recorded in the previous step to write a lessons learned report.
  - Is a vulnerability assessment a technical undertaking only, or should it consider other factors? When is the assessment complete? What are the “next steps” based on your assessment? These are some examples of issues that should be addressed.
  - Include:
    - reviewed and recorded findings
    - consideration of the report’s approach, including:
      - factors
      - assessment completion
      - next steps
      - other issues to address
- Network Analysis Tools Report (one-page report; include as Appendix A)
  - Analyze how network analysis tools are employed to identify vulnerabilities. Earlier in the project, as you developed the comprehensive project plan, you should have read about tools and techniques available for vulnerability assessment activities. Research the tools relevant to the project plan and provide a cogent analysis of which tool or tools to recommend for this project. Consider threat remediation and make special note of tools used to identify software communications vulnerabilities.
  - Include comprehensive recommendations of all components within each key element that should be tested and analyzed:
    - internal threats
    - external threats
    - existing security measures
    - compliance requirements
- Vulnerability Assessment Matrix (create a one-page matrix using the template below; include as Appendix B)
  - Assess vulnerabilities of your organization
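As an added example (not part of this assignment template) of the prioritization approach asked for in the Threats and Vulnerabilities Report and of the one-page matrix for Appendix B, the following Python scores a set of constructed sample findings and orders them for the report. It uses a weighted approach: likelihood times impact, scaled by the information resource valuation and by exposure to outages, with both internal and external sources in one list. The weights, the priority bands, the column layout, and the findings themselves are assumptions chosen for illustration, not values from the template.

```python
"""Risk prioritization and vulnerability assessment matrix (added example).

Every finding below is constructed sample data; the scoring weights and the
priority thresholds are assumptions that a real report would state and justify.
"""
from dataclasses import dataclass

# Assumed scoring parameters (illustrative, not from the template).
OUTAGE_WEIGHT = 0.5        # up to +50% for findings that threaten availability
OUTAGE_CAP_HOURS = 72.0    # outage exposure beyond three days is treated alike
PRIORITY_BANDS = (         # (minimum score, label), checked highest first
    (15.0, "critical"),
    (7.0, "high"),
    (3.0, "medium"),
    (0.0, "low"),
)


@dataclass(frozen=True)
class Finding:
    """One identified threat or vulnerability with the inputs the approach needs."""
    identifier: str
    description: str
    source: str          # "internal" or "external"
    element: str         # WBS element, e.g. personnel, network, systems, policies
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    asset_value: int     # information resource valuation, 1 (low) .. 5 (mission critical)
    outage_hours: float  # estimated outage exposure if the vulnerability is exploited

    def validate(self) -> None:
        """Reject inputs outside the scales the approach is defined on."""
        if self.source not in ("internal", "external"):
            raise ValueError(f"{self.identifier}: source must be internal or external")
        for name in ("likelihood", "impact", "asset_value"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{self.identifier}: {name} must be between 1 and 5")
        if self.outage_hours < 0:
            raise ValueError(f"{self.identifier}: outage_hours cannot be negative")


def risk_score(finding: Finding) -> float:
    """Weighted approach: likelihood x impact, scaled by asset value and outage exposure."""
    finding.validate()
    base = finding.likelihood * finding.impact                    # 1 .. 25
    valuation = finding.asset_value / 5                           # 0.2 .. 1.0
    exposure = min(finding.outage_hours, OUTAGE_CAP_HOURS) / OUTAGE_CAP_HOURS
    outage_factor = 1 + OUTAGE_WEIGHT * exposure                  # 1.0 .. 1.5
    return round(base * valuation * outage_factor, 2)


def priority(score: float) -> str:
    """Map a score onto the assumed priority bands."""
    for minimum, label in PRIORITY_BANDS:
        if score >= minimum:
            return label
    return "low"


def prioritize(findings):
    """Order findings for the report: highest score first, identifier breaks ties."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.identifier))


def build_matrix(findings):
    """Rows of the assessment matrix (Appendix B), one per finding, in priority order."""
    rows = []
    for rank, f in enumerate(prioritize(findings), start=1):
        score = risk_score(f)
        rows.append({
            "rank": rank, "id": f.identifier, "source": f.source, "element": f.element,
            "likelihood": f.likelihood, "impact": f.impact, "asset_value": f.asset_value,
            "outage_hours": f.outage_hours, "score": score, "priority": priority(score),
            "description": f.description,
        })
    return rows


def render_matrix(rows) -> str:
    """Plain-text table that can be pasted into the one-page matrix."""
    header = (f"{'#':>2} {'ID':<5} {'Source':<8} {'Element':<10} {'L':>1} {'I':>1} "
              f"{'V':>1} {'Score':>6} {'Priority':<8} Description")
    lines = [header, "-" * len(header)]
    for r in rows:
        lines.append(f"{r['rank']:>2} {r['id']:<5} {r['source']:<8} {r['element']:<10} "
                     f"{r['likelihood']:>1} {r['impact']:>1} {r['asset_value']:>1} "
                     f"{r['score']:>6.2f} {r['priority']:<8} {r['description']}")
    return "\n".join(lines)


# Constructed sample findings for a midsize contracting environment (not real results).
SAMPLE_FINDINGS = [
    Finding("F-01", "Internet-facing VPN gateway missing vendor patches", "external",
            "network", likelihood=4, impact=5, asset_value=5, outage_hours=24),
    Finding("F-02", "Contract staff retain access after offboarding", "internal",
            "personnel", likelihood=3, impact=3, asset_value=4, outage_hours=0),
    Finding("F-03", "Supplier portal accepts weak passwords", "external",
            "systems", likelihood=2, impact=4, asset_value=3, outage_hours=48),
    Finding("F-04", "No documented backup restore procedure", "internal",
            "policies", likelihood=5, impact=2, asset_value=2, outage_hours=0),
]

if __name__ == "__main__":
    print(render_matrix(build_matrix(SAMPLE_FINDINGS)))
```

Running the script prints the matrix with the external VPN finding ranked first (score 23.33, critical) and the undocumented restore procedure last (4.0, medium); the report should state these weights and bands as its chosen approach and justify them, which is the "indicate which approach you are using" requirement above.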