1 vote
When creating your written report of findings after completing a penetration test, you should report your recommendations, including when you think the client should conduct follow-up penetration tests.

a) Security policy
b) Risk assessment
c) Security plan
d) Audit report

by User Mannaggia (8.8k points)

1 Answer

4 votes

Final answer:

In writing a report of findings post-penetration test, one should include detailed recommendations and advice on when follow-up penetration tests should be conducted, which is covered by a risk assessment. This includes suggestions for remedial actions and scheduling future tests to ensure continuous security.

Step-by-step explanation:

When creating a written report of findings after completing a penetration test, it's crucial to include detailed recommendations for the client. This includes not only the immediate next steps they should take to remedy any vulnerabilities you've discovered but also your professional advice regarding the timing of future tests. The correct answer to the question is b) Risk assessment. The report should cover all aspects found in a thorough risk assessment - the potential threats to the system, their possible impact, and how frequently the organization should perform new penetration tests to ensure sustained security.

Recommendations in the Written Report

Recommendations are a key element of the report because they empower the client with knowledge and an action plan. Typically, these would include improvements to the security policy, implementation of new security controls, or any necessary changes to their existing security plan. Adding when to conduct follow-up tests is part of ensuring that the security measures remain effective over time and that new vulnerabilities are not exploited.

Frequency of Follow-up Penetration Tests

While the exact frequency can vary depending on the client's industry, size, and specific risk profile, general guidance could range anywhere from annually to after any significant changes to the IT infrastructure. This is a vital part of the overall security plan and should be carefully considered based on the risk assessment conducted.

by User Rectalogic (7.5k points)