A vulnerability assessment is a comprehensive review of your information system, designed to identify weaknesses causing risk for your organization. Vulnerability assessments are essential in order to proactively prevent attacks and stay in compliance with regulatory requirements. The end result of a vulnerability assessment is a report that you can use as a roadmap for improvement. Additionally, the assessment report can also be used to demonstrate to stakeholders, such as your leadership, regulatory agencies, or a cyber insurance provider, that you’re aware of and are actively addressing the vulnerabilities in your environment.
What is in a Vulnerability Assessment Report?
To answer what goes into a vulnerability assessment report, you first need to understand exactly what a vulnerability assessment is. A vulnerability assessment is different from penetration testing. Pen testing goes further than identifying vulnerabilities: it actually attempts to exploit them. It’s a good idea to conduct penetration testing, as it provides additional context and can find things that scans miss, not to mention that it may be required of you under PCI DSS, but that can be a separate report. A vulnerability assessment focuses more on the automated review of your environment through your scanning tools.
If you have good vulnerability management tools in place, the meat of the report will come from the vulnerability scanner. It should provide you with the name of the vulnerability, date of discovery, CVSS score, a description of the vulnerability and the systems impacted, and a POC (proof of concept) of the vulnerability. If any of those are not provided, you should certainly add them in.
You will then want to augment the vulnerability scanner’s report with some analysis to provide context to the report. Here are some of the key sections your report should have:
- Executive Summary: An executive summary at the beginning of the report should provide the high-level takeaways, such as the total number of vulnerabilities and the number of high-severity vulnerabilities in your system. It should describe the overall risk that these vulnerabilities pose to your organization and indicate the next steps for prioritizing these vulnerabilities.
- Assessment Overview: In this section, you should provide background on the methodology used, including tools, the scope of the testing, and duration, including the timeframe since the last scan.
- Results: This is the most important part of the report, where the vulnerabilities are reviewed and described. You should list them in a logical order, likely by their severity, but it could also be by system, such as application vulnerabilities or network vulnerabilities.
- Remediation Recommendations: Here is where you indicate the actions that should be taken as a result of this report. Which vulnerabilities can be remediated, and how should they be prioritized? Are there other controls that can be put in place to mitigate the impact of these vulnerabilities? Are there some that will not be addressed at this time because of the low risk they pose?
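As an added illustration of how the four sections above are assembled from scanner output (example code written for this article, not an RH-ISAC or scanner-vendor tool): the script takes a constructed list of findings carrying the fields the article says each finding needs, flags any field the scanner left empty, computes the executive summary figures, orders the results by severity or groups them by system, and drafts remediation priorities. The CVSS-to-severity mapping is FIRST's published CVSS v3 qualitative rating scale; the priority tiers, the 4.0 risk-acceptance threshold, the field names and the host names are this example's assumptions.

```python
"""Build the report sections from raw scanner findings.

Example code added for this article; it is not a tool from RH-ISAC or any
scanner vendor. FINDINGS is constructed sample data in the shape the article
asks for (name, date of discovery, CVSS score, description, systems impacted,
proof of concept); the field names and host names are assumptions.
"""
from collections import Counter, defaultdict
from datetime import date

# Every finding in the report must carry these fields (add them if the scanner did not).
REQUIRED_FIELDS = ("name", "discovered", "cvss", "description", "systems", "poc")

# Constructed sample findings; host names are placeholders.
FINDINGS = [
    {"name": "SQL injection in login form", "discovered": date(2024, 3, 4), "cvss": 9.8,
     "description": "Username parameter reaches the database query unsanitised.",
     "systems": ["app-web-01"], "category": "application", "poc": "Scanner request/response pair."},
    {"name": "Outdated OpenSSH package", "discovered": date(2024, 2, 20), "cvss": 7.5,
     "description": "Installed version lacks vendor security patches.",
     "systems": ["bastion-01"], "category": "network", "poc": None},  # no PoC: flagged below
    {"name": "TLS 1.0 enabled", "discovered": date(2024, 3, 4), "cvss": 5.3,
     "description": "Legacy protocol version accepted on port 443.",
     "systems": ["app-web-01", "vpn-gw-01"], "category": "network", "poc": "Handshake transcript."},
    {"name": "Verbose server banner", "discovered": date(2024, 3, 4), "cvss": 2.1,
     "description": "HTTP responses disclose the exact server version.",
     "systems": ["app-web-01"], "category": "application", "poc": "Captured response headers."},
]


def severity(cvss: float) -> str:
    """Qualitative rating for a CVSS v3.x base score (FIRST's published scale)."""
    for limit, label in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if cvss <= limit:
            return label
    return "Critical"


def missing_fields(finding: dict) -> list:
    """Required fields the scanner left out or empty; the report author must fill these."""
    return [f for f in REQUIRED_FIELDS if finding.get(f) in (None, "", [])]


def executive_summary(findings: list) -> dict:
    """Headline figures for the Executive Summary section."""
    by_severity = Counter(severity(f["cvss"]) for f in findings)
    return {
        "total": len(findings),
        "high_or_critical": by_severity["High"] + by_severity["Critical"],
        "by_severity": dict(by_severity),
        "systems_affected": len({h for f in findings for h in f["systems"]}),
    }


def results_by_severity(findings: list) -> list:
    """Results section ordered most severe first."""
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


def results_by_system(findings: list) -> dict:
    """Alternative ordering: grouped by category, severity order kept inside each group."""
    grouped = defaultdict(list)
    for f in results_by_severity(findings):
        grouped[f["category"]].append(f)
    return dict(grouped)


def remediation_plan(findings: list, accept_below: float = 4.0) -> list:
    """Remediation Recommendations: a priority per finding. Tiers/threshold are assumptions."""
    plan = []
    for rank, f in enumerate(results_by_severity(findings), start=1):
        if f["cvss"] < accept_below:
            action = "accept risk (document rationale) or fix opportunistically"
        elif f["cvss"] >= 7.0:
            action = "remediate now"
        else:
            action = "schedule in next patch cycle"
        plan.append({"priority": rank, "name": f["name"], "action": action})
    return plan


def render_report(findings: list) -> str:
    """Plain-text rendering of the sections above."""
    s = executive_summary(findings)
    lines = ["EXECUTIVE SUMMARY",
             f"{s['total']} findings, {s['high_or_critical']} high or critical, "
             f"{s['systems_affected']} systems affected", "", "RESULTS (by severity)"]
    for f in results_by_severity(findings):
        lines.append(f"[{severity(f['cvss'])} {f['cvss']}] {f['name']} on {', '.join(f['systems'])}")
        gaps = missing_fields(f)
        if gaps:
            lines.append(f"    TODO: scanner did not supply {', '.join(gaps)}")
    lines += ["", "REMEDIATION RECOMMENDATIONS"]
    lines += [f"{p['priority']}. {p['name']}: {p['action']}" for p in remediation_plan(findings)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(FINDINGS))
```

Running the script prints the summary, the severity-ordered results with a TODO line under the OpenSSH finding whose PoC the scanner did not supply, and the prioritised remediation list; `results_by_system` gives the alternative per-system view the Results section describes.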
Tailoring Your Report for Your Audience
Vulnerability assessment reports can be used for a number of different purposes, which means you might have a few different audiences for your report. The Board of Directors will not need as detailed a report as your IT team, so you should create versions of your report accordingly, highlighting the information that matters to that particular audience.
- Board/Leadership: Your BOD and CEO are likely not going to know what SQL injection is or what CVE stands for. When reporting vulnerability to your leadership, you should focus on something that they do understand and care about — risk. Develop a quantitative way to measure risk and report on that metric consistently over time. This will be much more meaningful than telling the board your number of open vulnerabilities, as they lack the context to know how that number actually impacts the business. Show them where your risk is right now, where you intend to go, and how you intend to get there. They will want to see that there is a plan in place for lowering the risk that you have presented to them.
- IT Team: The IT team will need the nitty-gritty details because they will be involved in the remediation of these issues. Two of the most important pieces of information to include here are the actions for remediation and the priority of the vulnerabilities so they know when and how these issues should be fixed.
Why is a Vulnerability Assessment Report Essential?
- Roadmap for Remediation: The most important and obvious use for your vulnerability assessment report is to provide your team with a plan for remediation. Without it, the team members responsible for implementation of the remediation actions will not have a clear directive for the prioritization of vulnerabilities.
- Compliance: PCI DSS 11.2 requires organizations that process transactions and/or store credit card information to complete internal and external vulnerability scans every three months, as well as after any significant network changes. The external scans must be conducted by an Approved Scanning Vendor (ASV), a vendor approved by the PCI council. The internal scans can be conducted in-house using scanning tools. How you demonstrate compliance depends on the size of your business. You may be able to complete a self-assessment questionnaire (SAQ), but if your business processes more than 6 million credit card transactions a year, you will need to be audited by a Qualified Security Assessor (QSA) approved by the PCI council. Regardless of which category you fall into, having a vulnerability assessment completed will help you demonstrate that you’re in compliance with this and other regulations.
- Benchmark of Progress: Your leadership team will appreciate the report as it keeps them in the loop on the business’s risk, but the report can also serve as a benchmark for your own security team to measure success. New vulnerabilities are constantly being discovered, which can feel like a game of whack-a-mole, but your vulnerability assessment reports can demonstrate that progress is being made in the time to remediation and overall risk metrics.
- Insurance: Cyber insurance premiums can be extremely pricey these days as insurers take notice of the increasing costs of ransomware attacks and data breaches. One way to secure a lower premium is by demonstrating to your insurer that you are taking the steps necessary to monitor and address risks. A vulnerability assessment report is one such tool that shows prioritization of security concerns in your environment. Learn more about lowering your cyber insurance premium in RH-ISAC’s podcast episode, Cybersecurity Legislation & Lowering Your Cyber Insurance Premium.
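Two of the points above, reporting risk to leadership as a quantitative metric tracked over time (Board/Leadership) and benchmarking time to remediation (Benchmark of Progress), can be computed directly from scan history. The following is an added example, not RH-ISAC's or any vendor's code: it computes a weighted risk score for the findings open on each reporting date and the mean days from discovery to fix. The weighting formula (CVSS base score times an asset-criticality weight) and all findings, dates and weights are this example's assumptions; the constructed data is deliberately shaped so that the count of open findings is the same on all three reporting dates while the risk score moves, which is the reason the article recommends a risk metric over a raw count.

```python
"""Risk metric and time-to-remediation trend for the leadership version of the report.

Example code added for this article; it is not RH-ISAC's or any vendor's tool.
The risk score used here (sum over open findings of CVSS base score times an
asset-criticality weight) is this example's own assumption: the article asks
only for a quantitative metric reported consistently over time. Findings,
dates and weights below are constructed sample data.
"""
from datetime import date
from statistics import mean

HIGH_SEVERITY = 7.0  # CVSS v3.x scores at or above this are High or Critical

# Assumed criticality weights per asset (placeholder values, not a standard).
ASSET_WEIGHT = {"payment-api-01": 3.0, "app-web-01": 2.0, "intranet-wiki-01": 1.0}

# Constructed findings; remediated=None means the finding is still open.
FINDINGS = [
    {"id": "F-1", "asset": "payment-api-01", "cvss": 9.8, "discovered": date(2024, 1, 8), "remediated": date(2024, 1, 15)},
    {"id": "F-2", "asset": "payment-api-01", "cvss": 7.5, "discovered": date(2024, 1, 8), "remediated": date(2024, 2, 20)},
    {"id": "F-3", "asset": "app-web-01", "cvss": 5.3, "discovered": date(2024, 1, 8), "remediated": None},
    {"id": "F-4", "asset": "intranet-wiki-01", "cvss": 4.3, "discovered": date(2024, 2, 1), "remediated": date(2024, 3, 10)},
    {"id": "F-5", "asset": "app-web-01", "cvss": 8.1, "discovered": date(2024, 3, 5), "remediated": None},
]

# Month-end reporting dates for the constructed quarter.
REPORTING_DATES = [date(2024, 1, 31), date(2024, 2, 29), date(2024, 3, 31)]


def open_on(findings: list, day: date) -> list:
    """Findings already discovered on `day` and not yet remediated at that date."""
    return [f for f in findings
            if f["discovered"] <= day and (f["remediated"] is None or f["remediated"] > day)]


def risk_score(findings: list, day: date) -> float:
    """Weighted residual risk carried by the findings open on `day`."""
    return round(sum(f["cvss"] * ASSET_WEIGHT[f["asset"]] for f in open_on(findings, day)), 1)


def time_to_remediate(findings: list, high_only: bool = False):
    """Mean days from discovery to fix over closed findings (optionally High/Critical only)."""
    closed = [f for f in findings if f["remediated"] is not None
              and (not high_only or f["cvss"] >= HIGH_SEVERITY)]
    if not closed:
        return None
    return mean((f["remediated"] - f["discovered"]).days for f in closed)


def trend(findings: list, snapshots: list) -> list:
    """One row per reporting date: open count, risk score and change since the previous row."""
    rows, previous = [], None
    for day in snapshots:
        score = risk_score(findings, day)
        rows.append({"date": day, "open": len(open_on(findings, day)), "risk": score,
                     "delta": None if previous is None else round(score - previous, 1)})
        previous = score
    return rows


if __name__ == "__main__":
    for row in trend(FINDINGS, REPORTING_DATES):
        print(f"{row['date']}  open={row['open']}  risk={row['risk']}  change={row['delta']}")
    print("mean days to remediate (all):", round(time_to_remediate(FINDINGS), 1))
    print("mean days to remediate (High/Critical):", time_to_remediate(FINDINGS, high_only=True))
```

On the constructed data two findings are open at every month end, yet the risk score falls from January to February as the payment API is cleaned up and rises again in March when a High finding lands on the web tier; that movement, plus the separate time-to-remediation figure for High/Critical findings, is what a leadership audience can act on.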
Are you interested in collaborating with other security professionals to improve your vulnerability management program? RH-ISAC members can join RH-ISAC’s vulnerability management working group to participate in vulnerability management discussions and exchange of best practices. Learn more about RH-ISAC membership.