The management report

The management report is generally designed to cover the issues, including regulatory and compliance measurement, in terms of the target security posture. Practically, it should extend the executive report with a number of sections that may interest Human Resources (HR) and other management staff, and assist them in any legal proceedings. The following are key parts that may provide you with a valuable foundation for the creation of such a report:

  • Compliance achievement: This contains a list of known standards, and maps each of their sections or subsections to the current security disposition. It should highlight any regulatory violations that occurred, which might inadvertently expose the target infrastructure and pose serious threats.
  • Testing methodology: This should be described briefly, but should contain sufficient detail to help management understand the penetration testing life cycle.
  • Assumptions and limitations: This highlights the known factors that may have prevented the penetration tester from reaching a particular objective.
  • Change management: This is sometimes considered a part of the remediation process; however, it is mainly targeted toward the strategic methods and procedures that handle all changes in a controlled IT environment. The suggestions and recommendations that emerge from the security assessment should remain consistent with any change in the procedures, in order to minimize the impact of an unexpected event upon the service.
  • Configuration management: This focuses on the consistency of the functional operation and performance of a system. In the context of system security, it tracks any change that may have been introduced to the target environment (hardware, software, physical attributes, and others). These configuration changes should be monitored and controlled to maintain the system configuration state.

As a responsible and knowledgeable penetration tester, it is your duty to clarify any management terms before you proceed with the penetration testing life cycle. This exercise necessarily involves one-to-one conversations and agreements on target-specific assessment criteria, such as which compliance or standard frameworks have to be evaluated, any restrictions in place while following a particular test path, whether or not the suggested changes are sustainable in the target environment, and whether or not the current system state will be affected if any configuration changes are introduced. Together, these factors establish a management view of the current security state of the target environment, and frame the suggestions and recommendations that follow the technical security assessment.
