Security Risk Assessment Reporting

Clear and effective security risk assessment reporting requires that the contents of the report be perceived as accurate, non-threatening, relevant, and unambiguous. Each of these aspects of a quality report is discussed in this chapter. Security risk assessment reports are especially difficult to create because they are based on technical information that needs to reach both managerial and technical audiences. The main body of the report should provide almost all of the information gathered during the assessment process. The team leader should be careful to ensure that the final report contains only those corrections from the draft that have been discussed with the customer. This point is important and deserves clarification. It is recommended that the final security risk assessment report be presented to the organization’s senior management. The final phase of the security risk assessment is to ensure that the organization creates an action plan that addresses all security risks identified in the final report.