Because pen test reports contain highly detailed information about the areas that are vulnerable to attack, you and the client will both need to take precautions to prevent the reports from falling into the wrong hands. If possible, store the reports on a secure server and don't pass the report via external drives. Within the client organization, the file system should be secured so that only the appropriate personnel are able to view the details of the full report. There are likely some parts of the report that need to be made available to additional personnel. For this reason, consider storing reports in repositories where pieces and parts of the report can be secured with varying levels of access.

In addition to access control, encrypting the reports in storage will go a long way toward making sure unauthorized parties cannot read them and glean sensitive data. You also need to determine how long to store the report for in order to minimize the risk it poses. Discuss with the client the expected storage time for the report.

To help maintain document control of stored reports, you should consider implementing the following components in the reports.

Component

Description

Cover page

The cover page typically includes the name of the report, the version and date, the author (either the name of the person or the organization that is conducting the testing), and target organization name.

Document properties

This might be just in the electronic version of the document, or it might be printed as a table in the document. In either case, it typically includes the document title, version number, author of the report, and date of the last revision. It might also include other fields such as the names of the pen test team members, names of those who have accessed and viewed the report, approver name if stored in a system that allows documents to be approved or rejected (such as SharePoint), and document classification information (as determined by the testers or target organization as defined in the SOW).

Version control

This is typically implemented as a table to track changes made to the report. The tracked information includes a description of any changes that are made, who made the changes, the date of the change, and the updated version number (it might be a full version increment or a "point" version, again based on the terms defined in the SOW).