Useful Security Reports

It’s that time of year when we like to do some spring-cleaning of our various reporting formats and structures. This includes our Vulnerability, Penetration and Risk Assessment reports. A brief survey of reports and sample reports available on the Internets reveals a wide range of depth and style in reporting formats, everything from HTML-based reports built on raw data from a Nessus scan to reports comprised of 90% prose with a couple of pie charts thrown in for the executives.

Over the years we’ve had the privilege of working with several companies and individuals who take a strong proactive stance in using their reports. As a result, we have developed a number of reporting formats tailored to each client, enabling them to streamline their internal operations, deal with findings in an expedited manner and move on to their other tasks. This process also gives us insight into how to present audit data to the customer in a form and format that is both concise and comprehensive, so they can act without being overwhelmed.

That’s what we love to do! Our goal is to present the end customer with a report that will enable them to do their jobs more accurately and thoroughly without getting bogged down in reporting that is not conducive to their normal work flow.

So we humbly ask you, the reader: what features of security reporting formats have you found that improved your workflow? What are the most useful features you have encountered? What are the least useful? How do you use your reports? How can reports be structured to improve the remediation of specific issues? How do your executives use the reports? Are there recurring questions posed by your executives? How do reports build or destroy your trust in your IT or risk auditors?

Security, we’re all in it together.

As we’ve pointed out in a few previous posts, the basics of infosec have not changed, and neither has the primary threat: the users of the network. Building a solid foundation of compliance with your security policies is fundamental. So how do you get your users to invest in and live out your company security policies and procedures? How do you encourage them to be vigilant about security?

The best way to get people motivated is, as Neil pointed out, to model good behavior yourself. But it shouldn’t stop there; you should always look for another person to encourage and teach in the ways of good security practices. And of course you should encourage them to find their own disciple. Ideally this kind of thing should be going on at the managerial and team leader level. I’ve found that people will generally rise to the level of leadership that is presented to them. You should be striving to build a culture where users are invested in security and know that those around them are as well.

Education is, of course, paramount, as users must know about the policies to be able to abide by them. Finding ways to educate users without drudgery can be challenging. Using the mentoring model is an excellent way to spread good security practices; it allows for a level of non-threatening accountability. Another idea is to use contests to reinforce training sessions. I’ve seen some security administrators set aside a few hundred dollars of their security budget to use as prize money throughout the year. They use prizes of five to ten dollars to motivate their people to be on the lookout for, and report, suspicious or unknown people in their buildings. The effort has greatly improved employees’ awareness of their surroundings, and the benefits easily surpass the minimal cash investment by the company.