Slashdot Mirror


Security Analysis Reports for Managers?

chaffed asks: "I've been tasked with translating a security analysis report for our powers that be and ultimately for our auditors. The managers are not technically savvy, but they aren't PHBs, either. To what depth should one descend into Information Security and Technology topics? More generally, how would a technical person relate to a non-technical person? Should all technical terms be defined, or just cryptic ones? What assumptions are reasonable to make about the reader (non-technical managers)? What physical format should an analysis take, bulleted points or in-depth discussion?"


  1. here is what I do.... by cavtroop · Score: 3, Interesting

    I sort the report by severity, and calculate statistics from that. The first few pages are the 10,000' view, i.e.: we have 7 systems with level 5 vulnerabilities, 38 systems with level 4, etc. etc.... Then, on the following pages, I break down the report into the nuts and bolts; that lets the managers that want just the overview stop reading after the first few pages, and provides detail for the managers that want it. Is that what you are looking for? Pretty basic, actually...

    1. Re:here is what I do.... by SatanicPuppy · Score: 2, Interesting

      Absolutely. Put in an executive summary, and you can pretty much fill the rest of the report with hardcore tech jargon. Generally I put in a summary page, then a mid-level summary that is light on the jargon, and then I just append a slimmed-down version of the raw data to the end.

      It generally meets with approval.

      --
      ad logicam: Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.