HR as asset and risk owner of SA
Could you elaborate a little bit more on this one?
How is HR the asset and risk owner of SA, and why is the threat social engineering?
Please note that the System Administrator role is performed by a person, so it is logical that this “asset” should be owned by the head of an area that is responsible for managing human resources, the HR manager.
Regarding risk ownership, please note that since the identified vulnerability is related to knowledge and/or awareness, the HR area is the one that can properly treat this vulnerability (by means of training and awareness activities) and reduce the risk.
As for social engineering, this hacking technique aims at people who can be easily deceived into giving information or executing insecure activities, like those with an inadequate level of knowledge and/or awareness of information security practices.
For further information about asset and risk ownership, please read:
- Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
Sep 19, 2022