Statement of Work

This section of the report should address the "what" and "how" of the assessment. You will want to review the final scope of the assessment. No matter how it started, there is always the possibility that during the assessment some project creep occurred.

Describe what systems or networks were examined, what they are used for, and how they were examined. Was only a level I assessment performed in which documentation was reviewed? Was a level II assessment performed, with some scanning and hands-on testing? Or was a level III assessment performed with in-depth penetration testing? You will want to list all these details here. Include such things as the types of policies that were reviewed, the number of servers and workstations examined, and the hardware platform, software, firewalls, and other items that help list and specify what exactly was tested and how. Any of these systems or devices that connect externally should be described, as should the security levels related to this connection.

Discuss which individuals performed which tests. What equipment and methods were used to perform these tests? Most likely there were system demonstrations and interviews. This information should also be mentioned. Stick to numbers and systems here. An assessment is not an audit, so individuals shouldn't be mentioned.