One of the primary reasons many organizations are looking to have a penetration test performed is because someone they want to do business with wants some assurance that they are secure. So in the interest of forming this new business relationship, they’ll go out to try and get a penetration test performed as soon as possible. The next logical question is how do you prove to that third party that you’ve had this done? How do you avoid sharing some of your security-related “dirty laundry” in the process? Or maybe you just aren’t comfortable sharing any sensitive information related to your security posture because this is only a prospective client. Well our answer to all of those questions is a Certification Memo.
We’ve covered our standard deliverables here, which include an Executive Summary Report and a Technical Findings Report. If the Executive Summary Report is a 10,000 ft. view of your organization’s security, a certification memo is the 50,000 ft. view. This one page memo-style document is intended to:
- Prove that you’ve had penetration testing performed,
- Detail the scope of the penetration testing, and
- Provide a high-level summary of how you performed.
This is all accomplished without disclosing any sensitive information regarding your organizations assets or specific vulnerabilities associated with them. You should be able to provide this to any third-party (or even post it on your public website) and have no fear that you are disclosing anything sensitive in nature. We also include our contact information in the document so we can be contacted directly, in case a third-party should have any questions about the scope of the assessment, the activities we performed, or our methodologies for testing.
We can provide this additional deliverable with any type of penetration testing, so let us know if it’s something you need. Additionally, many times organizations will want to complete a retest after they’ve had a chance to remediate discovered vulnerabilities, prior to receiving a Certification Memo. That’s not a problem at all and is something we actually recommend. Not only to increase your security posture but also to show that you take security seriously, and are making efforts to improve over time.