Step 1: Compile the final assessment report
Bring everything together into a single report. The report has five sections, each serving a specific audience:
- Executive summary -- for Fatima and the board. Two pages maximum. The insurance finding, what the assessment discovered, what was done about it, and what remains. No technical jargon. Costs and timeline front and center.
- Compliance evidence -- for the insurance company. The original finding ("insufficient segmentation"), the assessment methodology, the specific segmentation controls implemented, and the verification evidence (lateral movement test results proving the controls work).
- Technical findings -- for Ahmed and the IT team. Every finding from the assessment with evidence: connectivity matrix, segmentation architecture, firewall rules, detection rules, lateral movement test logs. Implementation-ready detail.
- Remediation plan -- the prioritised plan from Unit 8 with costs and timeline, including the compliance minimum and the full recommendation.
- Network architecture documentation -- the reference documentation from Unit 8, included as an appendix so the report is self-contained.
Step 2: Deliver the report to Fatima
Send the report through the living client interface.
Fatima will read the executive summary first. She is looking for three things: Does this satisfy the insurance company? What does it cost? What is the timeline?
She will ask follow-up questions. Some will be about the technical findings, translated into her terms. Some will be about the physical safety implications -- can someone unlock doors? Can someone turn off the air conditioning? She needs to understand the risk in terms of her buildings and her tenants.
Answer in her language. "The segmentation prevents someone on the tenant Wi-Fi from reaching the system that controls your HVAC and fire suppression" is more useful to her than "network zones implement default-deny with iptables FORWARD chain DROP policy."
Step 3: Address follow-up questions
Fatima may press on specific areas:
- The Al Wakra building: Is it safe right now? The compensating control provides monitoring, but the underlying authentication gap remains. The risk is documented and the upgrade is recommended.
- The vendor access question: She asked about this in Unit 6 and will ask again. She wants to know whether a follow-up engagement for vendor access policy development makes sense. It does -- and it is a separate scope.
- Board presentation: She wants to walk into the board meeting with options. The compliance minimum satisfies the insurance company. The full recommendation addresses all findings. Both have costs attached.
She will thank you for distinguishing the compliance minimum from the full recommendation. "That gives me two options for the board."
Step 4: Write the project README
Document the project in a README at the root of the repository. Include:
- Project scope: Network segmentation assessment for Maskan Properties, 12 buildings across Doha and Al Wakra
- Client: Fatima Al-Sulaiti, COO
- Assessment type: Network segmentation and defense-in-depth
- Key findings: Connectivity matrix results, segmentation architecture, legacy system exception, third-party VPN risk, shared fiber infrastructure
- Key deliverables: Segmentation design, firewall rules, detection rules, remediation plan, architecture documentation
- Status: Assessment complete. Remediation plan delivered with compliance minimum and full recommendation.
Step 5: Push to GitHub
Review your commit history. The progression should tell the story of the assessment:
git log --oneline
The commits should show logical progression from setup through assessment, segmentation, hardening, testing, and reporting. If the history is messy, consider organizing it.
Push the completed project:
git push origin main
The project is complete. You assessed network segmentation across a multi-building property management network, designed and implemented defense-in-depth architecture, verified it by attempting the same attacks you executed in previous projects, handled a legacy system exception, assessed third-party access risk, and delivered a remediation plan for three audiences with costs and timeline.
Check: Final report includes executive summary, compliance evidence, technical findings, and remediation plan. README documents the project scope, findings, and recommendations. Git log shows logical commit progression.