
This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Created by Keith A. Watson, CISSP on March 1, 2005

{CLIENT ORGANIZATION}
Security Assessment Report

January 18, 2024

Report Prepared by:

{YOUR NAME}, {YOUR CREDENTIALS}
{YOUR EMAIL ADDRESS}
{YOUR PHONE NUMBER}

{YOUR ORGANIZATION}
{YOUR MAILING ADDRESS}

The information contained within this report is considered proprietary and confidential to the {CLIENT ORGANIZATION}. Inappropriate and unauthorized disclosure of this report or portions of it could result in significant damage or loss to the {CLIENT ORGANIZATION}. This report should be distributed to individuals on a Need-to-Know basis only. Paper copies should be locked up when not in use. Electronic copies should be stored offline and protected appropriately.

Confidential and Proprietary Information: Need to Know



EXECUTIVE SUMMARY 5
Top-Ten List 5
1. Information Security Policy 5
2. {Security Issue #2} 5
3. {Security Issue #3} 5
4. {Security Issue #4} 5
5. {Security Issue #5} 5
6. {Security Issue #6} 6
7. {Security Issue #7} 6
8. {Security Issue #8} 6
9. {Security Issue #9} 6
10. {Security Issue #10} 6

INTRODUCTION 7
Scope 7
Project Scope 7
In Scope 7
Out of Scope 7

Site Activities Schedule 7


First Day 7
Second Day 7
Third Day 7

BACKGROUND INFORMATION 8
{CLIENT ORGANIZATION} 8

ASSET IDENTIFICATION 9
Assets of the {CLIENT ORGANIZATION} 9

THREAT ASSESSMENT 9
Threats to the {CLIENT ORGANIZATION} 9

LAWS, REGULATIONS AND POLICY 10


Federal Law and Regulation 10

{CLIENT ORGANIZATION} Policy 10

Vulnerabilities 10
The {CLIENT ORGANIZATION} has no information security policy 10
{State the Vulnerability} 10


PERSONNEL 11
Management 11

Operations 11

Development 11

Vulnerabilities 11
There is no information security officer 11
{State the Vulnerability} 11

NETWORK SECURITY 12
Vulnerabilities 12
The {CLIENT ORGANIZATION} systems are not protected by a network firewall 12
{State the Vulnerability} 13

SYSTEM SECURITY 13
Vulnerabilities 13
Users can install unsafe software 13
{State the Vulnerability} 14

APPLICATION SECURITY 14
Vulnerabilities 14
Sensitive information within the database is not encrypted 14
{State the Vulnerability} 14

OPERATIONAL SECURITY 15
Vulnerabilities 15
There is no standard for security management 15
{State the Vulnerability} 15

PHYSICAL SECURITY 15
Vulnerabilities 15
Building Vulnerabilities 16
Several key doors within the building are unlocked or can be forced open 16
{State the Vulnerability} 16
Security Perimeter Vulnerabilities 16
There is no entryway access control system 16
{State the Vulnerability} 17
Server Area Vulnerabilities 17
The backup media are not protected from fire, theft, or damage 17
{State the Vulnerability} 17

SUMMARY 18

Action Plan 18

References 18


Executive Summary
Briefly describe the activities of the assessment.
Talk about the importance of information security at the client organization.
Discuss security efforts that the organization has undertaken.
Highlight three major security issues discovered that could significantly impact the operations of
the organization.

Top-Ten List
A top-ten list is used to highlight the ten most urgent issues discovered during an assessment.
Clients unfamiliar with security may be overwhelmed by a long list of problems. Putting the
major issues together may allow the client to easily focus efforts on these problems first.

The list below contains the “top ten” findings, weaknesses, or vulnerabilities discovered during
the site security assessment. Some of the issues listed here are coalesced from more than one
section of the assessment report findings. Additional information about each is provided
elsewhere in the report.
It is recommended that these be evaluated and addressed as soon as possible. These should be
considered significant and may impact the operations of the {CLIENT ORGANIZATION}.

1. Information Security Policy


An information security policy is the primary guide for the implementation of all security
measures. There is no formal policy specific to the {CLIENT ORGANIZATION}.
Recommendation: Develop an information security policy that specifically addresses the needs
of the {CLIENT ORGANIZATION} and its mission. Use that policy as a basis for an effective
security program.

2. {Security Issue #2}


{Brief description of Security Issue #2}
Recommendation: {Brief list of recommendations for Security Issue #2}

3. {Security Issue #3}


{Brief description of Security Issue #3}
Recommendation: {Brief list of recommendations for Security Issue #3}

4. {Security Issue #4}


{Brief description of Security Issue #4}
Recommendation: {Brief list of recommendations for Security Issue #4}


5. {Security Issue #5}


{Brief description of Security Issue #5}
Recommendation: {Brief list of recommendations for Security Issue #5}

6. {Security Issue #6}


{Brief description of Security Issue #6}
Recommendation: {Brief list of recommendations for Security Issue #6}

7. {Security Issue #7}


{Brief description of Security Issue #7}
Recommendation: {Brief list of recommendations for Security Issue #7}

8. {Security Issue #8}


{Brief description of Security Issue #8}
Recommendation: {Brief list of recommendations for Security Issue #8}

9. {Security Issue #9}


{Brief description of Security Issue #9}
Recommendation: {Brief list of recommendations for Security Issue #9}

10. {Security Issue #10}


{Brief description of Security Issue #10}
Recommendation: {Brief list of recommendations for Security Issue #10}


Introduction
Provide an overview of the report.

Scope
The scope is the boundaries of the project. It is used to describe the on-site activities.

Project Scope

In Scope
The following activities are within the scope of this project:
- Interviews with key staff members in charge of policy, administration, day-to-day operations, system administration, network management, and facilities management.
- A visual walk-through of the facilities with administrative and facilities personnel to assess physical security.
- A series of network scans to enumerate addressable devices and to assess each system's available network services. (These scans will be conducted from within each center's network and from the outside.)
- A configuration and security assessment of at most ten key systems at each center.

Out of Scope
The following activities are NOT part of this security assessment:
- Penetration Testing of systems, networks, buildings, laboratories, or facilities.
- Social Engineering to acquire sensitive information from staff members.
- Testing Disaster Recovery Plans, Business Continuity Plans, or Emergency Response Plans.

Site Activities Schedule


List the site activities.

First Day

Second Day

Third Day


Background Information
Use this section to talk about any relevant background information.

{CLIENT ORGANIZATION}
Describe the client organization.


Asset Identification
Describe the process of asset identification.

Assets of the {CLIENT ORGANIZATION}


The following lists document some of the tangible and intangible assets of the {CLIENT ORGANIZATION}. They should not be considered a complete and detailed inventory but should be used as a basis for further thought and discussion to identify assets.

Tangible Assets
- {List tangible assets.}

Intangible Assets
- {List intangible assets.}

Each item on these lists also has value associated with it. Each item’s relative value changes over
time. In order to determine the current value, it is often best to think in terms of recovery costs.
What would it cost to restore or replace this asset in terms of time, effort, and money?

Threat Assessment
Describe the process of threat assessment.

Threats to the {CLIENT ORGANIZATION}


The following lists document some of the known threats to the {CLIENT ORGANIZATION}. They should not be considered a complete and detailed list but should be used as a basis for further thought and discussion to identify threats.

Natural Threats
- {List Natural Threats.}

Intentional Threats
- {List Intentional Threats.}

Unintentional Threats
- {List Unintentional Threats.}


Laws, Regulations and Policy


Talk about the role of laws, regulation, and policy on the client organization.

Federal Law and Regulation


Outline federal laws and regulation that impact the client organization.

{CLIENT ORGANIZATION} Policy


Talk about the current policy at the client organization. Describe what policy they currently have.

Vulnerabilities
Listed below are the vulnerabilities discovered during the assessment relating to law, regulation,
and policy. These are considered significant and steps should be taken to address them.

The {CLIENT ORGANIZATION} has no information security policy


Explanation
The {CLIENT ORGANIZATION} has no information security policy that is specific to
its needs and goals.
Risk
There are several risks in not having an information security policy.
- Mistakes can be made in strategic planning without a guideline for security.
- Resources may be wasted in protecting low-value assets while high-value assets go unprotected.
- Without a policy, all security measures are merely ad hoc in nature and may be misguided.
Recommendations
- Create a policy that is in compliance with the {CLIENT ORGANIZATION} security goals.
- Periodically review and update the policy.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks associated with {this vulnerability}.
- {Provide a list of risks.}
Recommendations


- {Provide a list of recommendations.}

Personnel
Describe the personnel at the client organization. Organize them into related groups.
In this example, we have Management, Operations, and Development.

Management
Describe the management group.

Operations
Describe the operations team.

Development
Describe the development team.

Vulnerabilities
Listed below are the staff vulnerabilities discovered during the interviews with the {CLIENT
ORGANIZATION} staff. These are considered significant and steps should be taken to address
them.

There is no information security officer


Explanation
An information security officer is responsible for the overall security for an organization.
He or she must help create security policy, enforce it, and act as the primary security
contact.
Risk
Without an information security officer, important security issues may not receive the
proper attention. The overall security of the {CLIENT ORGANIZATION} may suffer.
Recommendations
- Designate an existing employee to fill the role of information security officer, or hire a qualified candidate for the position.
- Provide training opportunities to the information security officer.
- Encourage and support the acquisition of security certification(s).

{State the Vulnerability}


Explanation
{Explain the vulnerability.}


Risk
There are several risks associated with {this vulnerability}.
- {Provide a list of risks.}
Recommendations
- {Provide a list of recommendations.}

Network Security
Describe the state of network security at the client organization.
List public network resources and sites.
List partner connections and extranets.

Vulnerabilities
Listed below are the network security vulnerabilities discovered during the assessment. These are
considered significant and steps should be taken to address them.

The {CLIENT ORGANIZATION} systems are not protected by a network firewall

Explanation
A firewall is a network gatekeeper. Based on a configurable set of rules, the firewall
determines which network connections to allow or deny. There are generally three types
of attacks that can be prevented (or at least slowed) using properly configured firewalls:
intrusion, denial-of-service, and information theft.
There are two types of firewalls. One type is incorporated into operating systems
(software-based). The other type consists of a networking hardware platform that protects
a group of networked systems (hardware-based).
The {CLIENT ORGANIZATION} systems are inconsistently protected by software-based firewalls. Most of the workstations have firewall software installed and configured. Some do not.
Risk
There are several risks in running network services without a firewall.
- Incoming network-based scans and attacks are not easily detected or prevented.
- Attackers target vulnerable network services.
- Attacks are not isolated and damage cannot be contained.
- Network probing for vulnerabilities slows system and network performance.
Recommendations
- Enable operating system firewalls where available.
- Install a hardware-based firewall.


- Configure firewall rule sets to be very restrictive.
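As an added illustration that is not part of the template and not the author's code: the rule-based decision described above, modelled as a small first-match filter in Python (a hypothetical simulator, not any real firewall product). It evaluates the same constructed connection attempts under a permissive rule set (default allow) and under the restrictive one the recommendation calls for (default deny, only needed services listed); every address and port is sample data.

```python
# Added example (not from the report): a first-match packet filter that shows
# how "a configurable set of rules" decides each connection and why a
# default-deny (restrictive) rule set is the recommended configuration.
# All addresses and ports below are constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches every destination port
    src_net: str              # CIDR block the source address must fall in
    comment: str = ""

    def matches(self, proto: str, src_ip: str, dst_port: int) -> bool:
        return (self.proto in ("any", proto)
                and self.dst_port in (None, dst_port)
                and ip_address(src_ip) in ip_network(self.src_net))


class Firewall:
    """Ordered rules; the first matching rule wins, otherwise the default policy applies."""

    def __init__(self, rules: List[Rule], default_policy: str = "deny"):
        self.rules = list(rules)
        self.default_policy = default_policy

    def decide(self, proto: str, src_ip: str, dst_port: int) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.matches(proto, src_ip, dst_port):
                return rule.action, rule.comment
        return self.default_policy, "default policy"


# Constructed connection attempts: (protocol, source address, destination port).
ATTEMPTS = [
    ("tcp", "192.168.1.20", 443),   # office workstation reaching the web server
    ("tcp", "203.0.113.9", 443),    # Internet user reaching the web server
    ("tcp", "203.0.113.9", 22),     # Internet host trying SSH
    ("tcp", "203.0.113.9", 3306),   # Internet host probing the database port
    ("udp", "192.168.1.20", 53),    # office workstation doing a DNS lookup
]

# Weak configuration: one blocked port, everything else falls through to "allow".
PERMISSIVE = Firewall([Rule("deny", "tcp", 23, "0.0.0.0/0", "block telnet")],
                      default_policy="allow")

# Restrictive configuration: list only the services the organization needs, deny the rest.
RESTRICTIVE = Firewall([
    Rule("allow", "tcp", 443, "0.0.0.0/0", "public web server"),
    Rule("allow", "tcp", 22, "192.168.1.0/24", "admin SSH from the office LAN only"),
    Rule("allow", "udp", 53, "192.168.1.0/24", "internal DNS"),
], default_policy="deny")


def allowed_attempts(fw: Firewall) -> List[Tuple[str, str, int]]:
    """Return the sample attempts that the given rule set lets through."""
    return [a for a in ATTEMPTS if fw.decide(*a)[0] == "allow"]


if __name__ == "__main__":
    for name, fw in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE)):
        print(f"--- {name} rule set ---")
        for proto, src, port in ATTEMPTS:
            action, why = fw.decide(proto, src, port)
            print(f"{proto} {src} -> port {port}: {action} ({why})")
```

The permissive set lets all five attempts through, including the SSH and database probes from the Internet, because anything the one deny rule does not name is allowed. The restrictive set admits only the three connections that correspond to services the organization actually offers; the probes fall through to the default policy and are denied. Real firewalls add state tracking, logging, and egress rules, but the ordering and default-policy semantics shown here are what "very restrictive" means in practice.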

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks associated with {this vulnerability}.
- {Provide a list of risks.}
Recommendations
- {Provide a list of recommendations.}

System Security
Describe the state of system security at the client organization.

Vulnerabilities
Listed below are the system security vulnerabilities discovered during the assessment. These are
considered significant and steps should be taken to address them.

Users can install unsafe software


Explanation
Since users have privileged access to their workstations, they are free to install software
that can impact the operations at the {CLIENT ORGANIZATION}. Most of this
software is freely available from the Internet. Unsafe software is any software that
impedes the productivity of the staff, collects information on the user or the {CLIENT
ORGANIZATION} network environment, launches attacks or probes internal systems.
Risk
There are several risks in allowing users to install unsafe software.
- The software may contain a virus, worm, or some other dangerous electronic threat.
- The software may be a "Trojan Horse" to fool users.
- The software may capture, disclose, delete, or modify sensitive data.
- The software may impact system performance and user productivity.
- Significant time may be wasted attempting to remove software.
Recommendations
The operations team should:
- Remove user privileges to install software.
- Remove unsafe software from workstations. Reinstall systems as needed.


- Establish a process for the evaluation and installation of new software.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks associated with {this vulnerability}.
- {Provide a list of risks.}
Recommendations
- {Provide a list of recommendations.}

Application Security
Describe the state of application security at the client organization.

Vulnerabilities
Listed below are the application security vulnerabilities discovered during the assessment. These
are considered significant and steps should be taken to address them.

Sensitive information within the database is not encrypted


Explanation
Sensitive information in databases can be encrypted to protect confidentiality. If an
attacker gets unauthorized access to the database, sensitive information still cannot be
read.
Risk
If an attacker gains access to the database, sensitive information stored in the database
can be viewed and modified.
Recommendations
- Examine changes required to support encrypted database tables.
- Modify web and database software to work with encrypted data.
- Safely store and protect the encryption keys.
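As an added example, not part of the template and not the author's code: application-layer encryption of one sensitive column in a SQLite table, showing what a copy of the database reveals (ciphertext only), how the application reads the data back with a key it holds outside the database, and how a wrong key or a modified row is rejected. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the block runs with the Python standard library; a real deployment should use a vetted AEAD such as AES-GCM from a maintained library and load the key from a secret store, which is what the third recommendation above refers to. The customer names and numbers are constructed.

```python
# Added example (not from the report): application-layer encryption of one
# sensitive column so that a raw copy of the database shows only ciphertext,
# with the key held by the application and never stored in the database.
# The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC
# tag, chosen only so this runs with the standard library; a real deployment
# should use a vetted AEAD (e.g. AES-GCM from a maintained library) and load
# the key from a secret store. All names and SSNs below are constructed.
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Separate keys for the keystream and the tag, derived from one master key.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with the tag covering nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag fails (wrong key or tampering)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


# Constructed sample records: (customer name, social security number).
SAMPLE = [("Alice Example", "123-45-6789"), ("Bob Example", "987-65-4321")]


def build_db(key: bytes, records: List[Tuple[str, str]]) -> sqlite3.Connection:
    """Create an in-memory customers table whose SSN column is encrypted; the
    name column stays in clear so it can still be used for lookups."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn_enc BLOB)")
    for name, ssn in records:
        db.execute("INSERT INTO customers (name, ssn_enc) VALUES (?, ?)",
                   (name, encrypt(key, ssn.encode())))
    db.commit()
    return db


def raw_dump(db: sqlite3.Connection) -> List[Tuple[str, str]]:
    """What someone holding a copy of the database file sees: name and hex ciphertext."""
    return [(name, blob.hex()) for name, blob in db.execute("SELECT name, ssn_enc FROM customers")]


def lookup_ssn(db: sqlite3.Connection, key: bytes, name: str) -> Optional[str]:
    """Decrypt one customer's SSN; None if the customer is unknown or the key is wrong."""
    row = db.execute("SELECT ssn_enc FROM customers WHERE name = ?", (name,)).fetchone()
    if row is None:
        return None
    plaintext = decrypt(key, row[0])
    return None if plaintext is None else plaintext.decode()


if __name__ == "__main__":
    key = os.urandom(32)   # in practice loaded from a KMS or secret store, never from the DB
    db = build_db(key, SAMPLE)
    print(raw_dump(db))                                     # ciphertext only
    print(lookup_ssn(db, key, "Alice Example"))             # 123-45-6789
    print(lookup_ssn(db, os.urandom(32), "Alice Example"))  # None: wrong key
```

Two design points carry over to any real implementation: the key lives with the application (or a key service), so a stolen database file or a SQL injection that reads the table yields ciphertext, and the authentication tag means a modified row is detected rather than silently decrypted to garbage. Columns that must be searched or joined (here, the name) stay in clear or need a separate indexing strategy, which is the kind of schema and application change the first two recommendations ask the client to examine.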

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks associated with {this vulnerability}.
- {Provide a list of risks.}


Recommendations
- {Provide a list of recommendations.}

Operational Security
Describe the state of operational security at the client organization.

Vulnerabilities
Listed below are the operational security vulnerabilities discovered during the assessment. These are considered significant and steps should be taken to address them.

There is no standard for security management


Explanation
A security standard is a document that defines and describes the process of security
management for an organization.
Risk
Without a guideline for security practices, those responsible for security may not apply
adequate controls consistently throughout the {CLIENT ORGANIZATION}.
Recommendations
- Evaluate existing security standards such as ISO 17799.
- Modify an existing standard for use within the {CLIENT ORGANIZATION}.
- Inform and train personnel on use of the standard.
- Audit information systems and procedures to ensure compliance.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks associated with {this vulnerability}.
- {Provide a list of risks.}
Recommendations
- {Provide a list of recommendations.}

Physical Security
Describe the state of physical security at the client organization.
Specifically, list the building, security perimeter, and server room vulnerabilities.


Vulnerabilities
Listed below are the physical security vulnerabilities discovered during the assessment. These are considered significant and steps should be taken to address them. The list is divided into vulnerabilities that relate to the building, the security perimeter, and the server rooms. The building group contains vulnerabilities within the {CLIENT ORGANIZATION} office. The security perimeter group includes the exterior office windows, doors, alarm system, and the surrounding area. The server room group is specific to rooms containing server equipment.

Building Vulnerabilities

Several key doors within the building are unlocked or can be forced open
Explanation
There are several important doors in the interior {CLIENT ORGANIZATION} office
area that are normally unlocked or can be forced open even when locked. The door to the
utility room is a hollow core wooden door with no lock. The utility room contains the
wiring panel for the telephones, a junction for the fiber optic cable, and the alarm system
box. The room containing the modem pool is normally open and unlocked. The system
administrator’s office containing the office file and web server is usually unlocked and
open.
Risk
These doors protect valuable assets of the {CLIENT ORGANIZATION}. A determined
attacker, thief, or disgruntled employee could get through these important doors with
minimal effort to steal and/or destroy.
Recommendations
- Replace current doors with stronger fire doors.
- Replace existing door hardware with high security locks.
- Weld exterior hinge pins in place.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks associated with {this vulnerability}.
- {Provide a list of risks.}
Recommendations
- {Provide a list of recommendations.}


Security Perimeter Vulnerabilities

There is no entryway access control system


Explanation
An entryway access control system limits physical access to a secure area to authorized personnel holding the correct PIN or access card. These systems have either a control panel where a correct PIN must be entered before entry is allowed or a unique access card (contact or contactless) for each person entering. Advanced systems log each time personnel enter the secure area.
Risk
There are several risks in not having an entryway access control system.
- Unauthorized people can enter secure areas unescorted.
- There is no record of personnel entries into secure areas.
- It is not possible to disable access for a specific person.
Recommendations
- Evaluate available and suitable entryway access systems.
- Develop appropriate procedures for assigning and removing access.
- Install an appropriate system and assign access rights.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks associated with {this vulnerability}.
- {Provide a list of risks.}
Recommendations
- {Provide a list of recommendations.}

Server Area Vulnerabilities

The backup media are not protected from fire, theft, or damage
Explanation
The backup media are stored near the backup system on an open shelf in the server area.
The media could be stolen, misplaced, accidentally erased, dropped, or destroyed in a
fire. If a system or data must be recovered, the media may not be available or functional
when needed.
Risk


The operation of the {CLIENT ORGANIZATION} can be impacted if the backup media
are not available due to theft, damage, or fire.
Recommendations
- Purchase and install a lockable, fireproof media safe. Secure it to the floor and/or wall.

{State the Vulnerability}


Explanation
{Explain the vulnerability.}
Risk
There are several risks associated with {this vulnerability}.
- {Provide a list of risks.}
Recommendations
- {Provide a list of recommendations.}

Summary
Summarize the report findings.

Action Plan
Provide an action plan that lists steps to be taken to improve security at the client organization.

References
Anderson, Ross. Security Engineering: A Guide to Building Dependable Distributed Systems. Indianapolis: John Wiley & Sons, 2001.
Archer, Tom and Whitechapel, Andrew. Inside C#. Redmond: Microsoft Press, 2002.
Deraison, Renaud. The Nessus Security Scanner. http://www.nessus.com/
Garfinkel, Simson, Spafford, Eugene H., and Schwartz, Alan. Practical Unix & Internet Security, 3rd Edition. Sebastopol: O'Reilly, 2003.
Gordon, Lawrence, Loeb, Martin, Lucyshyn, William and Richardson, Robert. "2004 CSI/FBI Computer Crime and Security Survey." San Francisco: Computer Security Institute, 2004.
International Standards Organization, International Electrotechnical Commission. Information technology - Code of practice for information security management. ISO/IEC 17799:2000(E). Switzerland: ISO/IEC, 2001.
Open Web Application Security Project. "The Ten Most Critical Web Application Security Vulnerabilities - 2004 Update." OWASP, 2004. http://www.wasp.org/documentation/topten.html
Peltier, Thomas R. Information Security Risk Analysis. Boca Raton: CRC Press, 2001.
Public Law No. 100-235. The Computer Security Act of 1987.


Stoneburner, Gary, Goguen, Alice, and Feringa, Alexis. "Risk Management Guide for Information Technology Systems." NIST Special Publication 800-30. National Institute of Standards and Technology, 2001.
Stoneburner, Gary, Hayden, Clark, and Feringa, Alexis. "Engineering Principles for Information Technology Security (A Baseline for Achieving Security)." NIST Special Publication 800-27 Rev A. National Institute of Standards and Technology, 2004.
Swiderski, Frank and Snyder, Window. Threat Modeling. Redmond: Microsoft Press, 2004.
United States Department of Agriculture. "USDA Information Systems Security Policy." USDA 3140-001. Washington: USDA, 1996.
Viega, John and McGraw, Gary. Building Secure Software. Indianapolis: Addison-Wesley, 2002.
Wood, Charles C., Banks, William W., Guarro, Sergio B., Garcia, Abel A., Hampel, Victor E., and Sartorio, Henry P. Computer Security. New York: Wiley, 1987.
Zwicky, Elizabeth D., Cooper, Simon, and Chapman, D. Brent. Building Internet Firewalls, 2nd Edition. Sebastopol: O'Reilly, 2000.
