Lesson 18 - Summarizing Report Components Flashcards
What is the term for people who are not directly involved with the client but who may still be involved, such as providers, investors, regulators and similar entities?
Third Party Stakeholders
What is the process of assigning values to the identified risks referred to as?
Also, what is the scoring system published by NIST called?
Risk Rating
Common Vulnerability Scoring System (CVSS)
What is the process of adjusting the final ratings of vulnerabilities to the client's needs called?
Risk Prioritization
What is the post-engagement activity that identifies organizational risks and determines their effect on ongoing, mission-critical operations?
Business Impact Analysis (BIA)
Describe the difference between metrics and measures.
Metrics are quantifiable measurements of results or processes and can be expressed on a scale, say from 1 to 10.
Measures are specific data points that contribute to a metric.
Outline a typical and recommended format for the delivery of the PenTest report.
Executive summary
Scope details
Methodology
Attack narrative
Findings
Risk rating
Risk prioritization
Metrics and measures
Remediation
Conclusion
Appendix or supporting evidence