Page 102 - CISSO_Prep_ Guide
The results of the penetration test will be provided to management for follow-up and review.
There are many useful tools that a risk manager can use when monitoring risk. These include free reports from anti-virus and security companies, including (but not limited to) Microsoft, SANS, Symantec, F-Secure, McAfee, and Trend Micro. Other data, such as the Verizon Data Breach Investigations Report, are issued annually. They provide a review of risk and exposure factors and may assist in developing and presenting a risk management solution to management. Other information on incidents and risks comes from government bodies such as local or national CIRTs (Computer Incident Response Teams) and from not-for-profit organizations.
Reporting on Risk
There are several ways that risk should be reported to the organization. Senior management should receive scheduled reports on the current risk levels of the organization and the status of risk mitigation efforts. These reports are often non-technical and may indicate whether the organization is compliant with international standards or best practices. Quite often, such statements are more of a summary with key points than a detailed description of the risk program and assessments.
Penetration tests and vulnerability assessments are usually more technical and detailed. These reports are provided to IT staff and management with details of the findings so that necessary changes to control configuration and placement can be made.
Audit reports are a standard method of communicating risk and control effectiveness to management. Audit reports usually contain two sections - an executive summary that provides a