What are the tangible deliverables of the security assessment?

Learn what standard deliverables are for a security site assessment and how to tailor them to the expected audience.

Published: 19 May 2008

About the author

Joel Scambray has held diverse roles in information security over a dozen years, including co-author of Hacking Exposed: Windows and Hacking Exposed: Web Applications, senior director of security at Microsoft, co-founder of security technology and service company Foundstone, senior security consultant for Ernst & Young and internationally recognized speaker in both public and private forums. Listen to the supplemental podcast with Joel for more information on security site assessments.

The standard deliverable is typically a written report comprised of an executive summary, description of assessment methodology, findings with associated risk rankings, recommendations and supporting appendices. It's always good to discuss the intended audience of any deliverables, to clarify expectations of different constituencies as appropriate (executive, management, technical staff, etc.). If time and materials is specified as the sole deliverable (such as in staff augmentation engagements), then this should be specified along with mechanisms to determine customer satisfaction in the absence of tangible deliverables.

What are the tangible deliverables of the security assessment?

Learn what standard deliverables are for a security site assessment and how to tailor them to the expected audience.

Dig Deeper on MSP business strategy

How to conduct a cyber-war gaming exercise

T-Mobile breach exposes data for more than 40M people

How to harden Docker images to enhance security

SolarWinds fallout has enterprise CISOs on edge