June 13, 2013 - 2:51pm
#1
We are debating who should "own" social engineering risk. As is true of many things, if a risk owner is not identified, the risk, the tracking of controls, and any action plan for mitigation falls through the cracks. Some folks I have talked to have it in the IT area, however it is much more of a "people" risk. I would love to hear if your credit union has assigned the risk to IT or to another area and, if so, what that area is. Thanks!
