What are the tangible deliverables of the security assessment?

Learn what standard deliverables are for a security site assessment and how to tailor them to the expected audience.

About the author
Joel Scambray has held diverse roles in information security over a dozen years, including co-author of Hacking Exposed: Windows and Hacking Exposed: Web Applications, senior director of security at Microsoft, co-founder of security technology and service company Foundstone, senior security consultant for Ernst & Young and internationally recognized speaker in both public and private forums. Listen to the supplemental podcast with Joel for more information on security site assessments.

The standard deliverable is typically a written report comprised of an executive summary, description of assessment methodology, findings with associated risk rankings, recommendations and supporting appendices. It's always good to discuss the intended audience of any deliverables, to clarify expectations of different constituencies as appropriate (executive, management, technical staff, etc.). If time and materials is specified as the sole deliverable (such as in staff augmentation engagements), then this should be specified along with mechanisms to determine customer satisfaction in the absence of tangible deliverables.

Dig Deeper on MSP business strategy

Cloud Computing
Data Management
Business Analytics