Expert Advice Community
Risk Register question

Guest user. Created: May 30, 2022. Last commented: May 30, 2022

On the other hand, and still in reference to the Risk Register, we question whether it is reasonable to consider the vulnerability "weak password" under the asset Human Resources (top management, employees, etc.), rather than under the more obvious asset IT and communication equipment (desktop computers, mobile devices, etc.). This is in the sense that our people set their passwords and are expected to comply with the password construction guidelines/Password Policy; and in the end, it is through their following of the rules that this can be assessed. We are not certain whether this approach makes sense or is viable.

Expert: Rhand Leal, May 30, 2022

Since you are considering the weak password vulnerability to be related to people's behavior, it makes sense to consider it for Human-related assets in this case, but please note that there are also situations where this vulnerability can be defined for IT equipment.

For example, some equipment only allows PIN numbers as passwords, or it is not possible to enforce password rules on it; in such cases you can also define weak passwords as a vulnerability for IT equipment. You can use only one of these two vulnerabilities, or you can use both if both are applicable.
