Domain 6 of 8 · Chapter 4 of 5

Test Output & Reporting

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • From raw output to a validated, risk-ranked finding
  • The remediation lifecycle: report, track, retest, or accept
  • Ethical and responsible disclosure
  • Exam-pattern recognition

Reading a test result: the four outcomes

OutcomeTool saysRealityRisk of trusting it
True positiveVulnerability presentVulnerability is presentNone, a real finding to remediate
False positiveVulnerability presentNo vulnerabilityWasted remediation effort; erodes trust in the report
False negativeNothing wrongVulnerability is presentHighest, a real exposure ships unreported and unfixed
True negativeNothing wrongNo vulnerabilityNone, correctly clean

Cheat sheet

  • Every test alert is one of four outcomes; the false negative is the dangerous one
  • Validate an alert into a true positive before it becomes a reported finding
  • No single tool gives the complete picture, so correlate multiple techniques
  • Rank findings by business risk, not by the tool's raw severity score
  • Report at two altitudes: an executive risk summary and a technical detail section
  • The security assessment report (SAR) records each finding, its evidence, and a recommendation
  • Track every open finding to closure on a POA&M
  • Retest after remediation to confirm the fix actually closed the finding
  • The risk owner accepts residual risk, not the assessor or administrator
  • An exception must be documented, time-bounded, and revisited at expiry
  • Use a compensating control when the primary fix is not feasible
  • Coordinated disclosure: notify the vendor first, allow an embargo, then go public
  • Full disclosure is the risky extreme; the embargo is reasonable, not unlimited
  • A published vulnerability disclosure policy operationalizes the ethical duty
  • Reporting silence about a third-party flaw is as wrong as a reckless public dump
  • Use CVSS Environmental metrics to tailor severity to your environment

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-115, Technical Guide to Information Security Testing and Assessment Whitepaper
  2. NIST Computer Security Resource Center, Glossary: CVSS (Common Vulnerability Scoring System) Whitepaper
  3. NIST SP 800-53A Rev 5, Assessing Security and Privacy Controls in Information Systems and Organizations Whitepaper
  4. NIST SP 800-37 Rev 2, Risk Management Framework for Information Systems and Organizations Whitepaper
  5. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems Whitepaper
  6. NIST SP 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines Whitepaper