11. Develop an appropriate communication to mitigate future vulnerabilities (AC 2.4)

Most organisations follow a set process for reporting vulnerabilities. After a vulnerability is found, a report is written outlining what issues were found and how they were addressed. This process helps IT teams choose the best and simplest fixes in the future, keep track of patterns in the vulnerabilities that keep appearing, and meet legal or regulatory requirements. In smaller organisations, or where the issue is minor, updating the log file and sending an email to senior management will be enough. Every organisation has its own way of reporting, but most reports include these four sections:

Executive Summary: This is a brief overview of the vulnerability and how dangerous it was to the organisation. It should also include the name of the vulnerability, its severity, the names of the servers or hosts scanned, and the dates and times of the scan. This part must be understandable by managers and non-technical staff, so it gets the point across quickly without technical detail.

Assessment Overview: This section should outline what tests were done and how. It should state which tools and methods were used, which parts of the system or network were checked, and whether any limitations were encountered (for example hosts that were out of scope, unreachable, or only scanned without credentials). This section is where you show that the scans were thorough and reliable, and it lets the next person repeat them.

Results: This section lists the details of each issue. Every vulnerability listed should include a description of the problem, where it was found, why it matters to the organisation and how it could be exploited to cause harm, and a rating of how severe the issue is. Use one consistent rating scale across the whole report (a scheme such as CVSS is common) so that issues can be compared. This section should give the IT team a clear understanding of what the vulnerabilities are and which one is the most pressing.

Mitigation Recommendations: This final section should give clear recommendations on how to fix each problem, and should restate the potential impact on the organisation if the problem is left unfixed. It should help turn the report into an action plan, with the fixes prioritised by severity, addressing the current vulnerabilities as well as preventing similar ones in the future.
