Which of the following is a PRIMARY benefit of using a formalized security testing report format and structure?
A. Executive audiences will understand the outcomes of testing and most appropriate next steps for corrective actions to be taken
B. Technical teams will understand the testing objectives, testing strategies applied, and business risk associated with each vulnerability
C. Management teams will understand the testing objectives and reputational risk to the organization
D. Technical and management teams will better understand the testing objectives, results of each test phase, and potential impact levels
I think “A” is the executive summary.
Senior management does not need to understand detailed skills.
They need information about their business risks and need to understand the issues they need to make decisions about.
The Executive Summary is a concise, clear report to be produced after testing is complete.
I am a penetration tester, and I have prepared an executive summary for senior management and a detailed report for management engineers as results reporting materials.
A detailed report for administrative technicians is long enough to be omitted, but the main purpose is to be described in “D”.
I can’t find the source of this answer… Why A is not incorrect, or Why D is best answer.
I would appreciate if someone give the explanation.