It’s that time of year where we like to do some spring-cleaning of our various reporting formats and structures. This includes our Vulnerability, Penetration and Risk Assessment reports. A brief survey of reports and sample reports available on the Internets reveals a wide range of depth and style of reporting formats. Everything from HTML-based reports using raw data from a Nessus scan, to reports comprised of 90% prose and a couple of pie charts thrown in for the executives.

Over the years we’ve had the privilege of working with several companies and individuals who take a strong proactive stance in using their reports. As a result, we have developed a number of reporting formats tailored to each client, enabling them to streamline their internal operations and deal with findings in an expedited manner and move on to their other tasks. This process also allows us to develop insights into how to present audit data to the customer in a form and format that is concise and comprehensive. This allows them to act without being overwhelmed.

That’s what we love to do! Our goal is to present the end customer with a report that will enable them to do their jobs more accurately and thoroughly without getting bogged down in reporting that is not conducive to their normal work flow.

So we humbly ask, you the reader, what features of security reporting formats have you found that improved your workflow? What are the most useful features you have encountered? What are the least useful? How do you use your reports? How can reports be structured to improve the remediation of specific issues? How do your executives use the reports? Are there recurring questions that are posed by your executives? How do reports build or destroy your trust in your IT or risk auditors?