First at all, thank you very much for your help. It is helping me to understand how to do things in a better and simpler way.
Q1 – HR department has most of systems they use externalized with 3rd parties. These covers our official web site, personnel information, Payroll and other tools. The 3rd parties do the technical management, and our HR use the systems maintaining the information. My guess is that these systems aren’t assets we need to protect, because are out of our control, but the information belong to us.
How should treat this case in terms of assets, risk assessments and controls?