Analyze Test Output and Generate a Report

Security experts must be able to analyze log and test data and report this information in meaningful ways to senior management teams, so that management is aware of possible risks or harm and can make informed security decisions.

Organizations usually have different levels of management. Security professionals need to be able to provide appropriate reports for each of these different levels of management.

For senior executives, vulnerability scan data would be rolled up into meaningful business metrics and key risk indicators to inform senior management of any appreciable changes in risk levels.

The type of auditing being performed can also determine the type of reports that must be used.

In addition to all this, an information security professional must understand the meaning of the data and how to transform it for various purposes and different audiences. A professional who can do this is able to articulate the need for resources in a professional manner. The advantage is that it becomes easier to obtain the necessary funding for tools as well as for additional staff.


SOC Reports

An audit under the American Statement on Standards for Attestation Engagements No. 16 (SSAE 16) requires a Service Organization Control (SOC) report. There are four types of SOC reports:

SOC 1 Type 1: This report outlines the findings of an audit, as well as the completeness and accuracy of the documented controls, systems and facilities.

SOC 1 Type 2: This report includes the Type 1 report, along with information about the effectiveness of the procedures and controls in place for the near future.

SOC 2: This report includes the testing results of an audit. These reports can play an important role in:

  • Vendor management programs
  • Oversight of the organization
  • Regulatory oversight
  • Internal corporate governance and risk management processes

SOC 3: These reports can be distributed or published freely. A SOC 3 report provides general audit results together with a data center certification level. These reports are intended for users or clients who require assurance of the security, integrity and confidentiality of controls and processes, and of availability.
