Interpreting results from security assessments
When we're looking at the results from security assessments, they fall into two types, mirroring the split we applied to the third-party assessments in the previous section: technical assessments and Risk Management and Governance assessments.
Both types of report will generally try to quantify the level of risk posed by each vulnerability found by assigning it a score (on a 1-5, 1-10, or some other scale). It's important that you weigh those scores against the value of your assets, as established in your risk assessment process: a vulnerability may be highly exploitable yet not worth mitigating, because fixing it would protect nothing of value. In other words, the level of risk it presents is below your risk acceptance level.
Often, the technical reports will include a narrative of how the penetration test was undertaken on a step-by-step basis, with screenshots,...