[38] Reporting
By:
Your Name
|
๐ Topic: Topic Name
Domain: Dx โ Domain Name
Tags: #cissp
๐งพ Definition
Reporting is done by only ethical hackers, others can do exploit, recon and other things.
title: “[03] CISSP Cheatsheet - Security Reporting and Communication” date: 2026-07-05 authors:
- Your Name
By:
Your Name
|
๐ Topic: Security Reporting and Communication
Domain: D1 โ Security and Risk Management
Tags: #cissp #reporting #governance
๐งพ Definition
Security reporting encompasses incident reports, executive dashboards, compliance reporting, and communications to stakeholders that summarize security posture, incidents, and risk metrics.
๐ Key Points
- Tailor reports to the audience: executives need KPI summaries; technical teams need actionable details.
- Timeliness and accuracy are critical during incident communication; designate a spokesperson and follow communication plans.
- Maintain evidence and timelines for legal and compliance purposes.
โ ๏ธ CISSP Insight
- CISSP focuses on the governance role: reporting supports decision-making, accountability, and regulatory requirements.
โ๏ธ Key Difference / Trap
- Operational vs Executive reporting
- Operational = technical detail for remediation
- Executive = concise risk and impact summaries
- Trap: Sharing sensitive forensic details externally without legal review.
๐๏ธ Example
During an incident, the incident lead produces a technical incident report for the IR team and an executive summary for leadership that includes impact, actions taken, and next steps.
๐ References
- NIST SP 800-61 โ Computer Security Incident Handling Guide
- ISO/IEC 27001:2022 reporting and audit controls
- Internal reporting policies and regulatory guidance
๐ Quick Recall
- Reports must be accurate, audience-specific, and legally vetted