
GRC Access Request is going to mitigation owner for existing mitigated/approved risks

Jul 14, 2017 at 11:08 AM

Former Member

Hi all,

We have an issue where GRC access request is going to mitigation owner for already mitigated risks.

Our workflow design: BASIS raises access request (auto risk analysis) -> Role Owner -> Mitigation Owner -> User Manager -> Auto Provisioning

GRC Access Request was raised for a user for additional roles. It was observed that the request went to mitigation owner for the risk which was already mitigated.

We expect that if the risks are already mitigated and within the validity period, then the access request should not seek approval for the same risk. Mitigation approval should only be requested for unmitigated risks.

Looking for help here. Thanks!

Regards,

Piyush.


5 Answers

Former Member Jul 14, 2017 at 07:25 PM

Just to provide more description to the issue:

I raised an access request for additional roles for user 'A', who already has a mitigated SOD conflict 'R1'.

Now the additional role is popping up new SOD risk 'R2'. When the request comes to admin, he applies mitigation for the new risk 'R2'.

After that, when the request is routed to the mitigation owner stage, it goes to both the mitigation owners (R1 & R2) for approval.

Is this standard? My assumption is if the risk is already mitigated, request should not go to mitigation owner for that particular risk for approval.

Ideally in my case, request should have only gone to mitigation owner corresponding to unmitigated risk 'R2'.

I don't have access to the system now, will submit screenshots and details in next post.

Regards,

Piyush.


Hi Piyush,

Do not show already mitigated risks in the risk analysis report so that when admin receives the request they will see only unmitigated risks and can take action on them accordingly.

Usually it is advised that mitigated risks are also shown so that the approver (admin or compliance approver) is aware of the violations which are already mitigated. In this case you need to train your admin to select only those line items in the risk analysis report without controls and then submit for mitigating control owners' approval.

Regards,

Madhu

Former Member Jul 17, 2017 at 05:18 AM

Looking for help. Thanks!

Yashasvi Sanvaliya Jul 17, 2017 at 06:48 AM

Hello Piyush,

As stated by Madhu, you can uncheck "include mitigated risks" so that already mitigated risks would not come up. If you require the mitigated risks to be displayed as well, Administrators have to make right selections while submitting mitigation control assignment request.

The control assignment request might be getting triggered for a validity change. Also, please check if the Rule IDs are different for the risk in question.

Kind regards,

Yashasvi

Former Member

Hi Yashasvi, Hi Madhu,

Thanks for the input!

I tried the option as stated by you, and even deactivated the SPRO config (1030 = NO) to include mitigated risks. But still the request goes to the mitigation owner for the already mitigated risk.

Regards,

Piyush.

Former Member

One more observation - When an additional access request is raised which doesn't lead to any new SOD conflict, the request doesn't route to the SOD path and no approval for the previously mitigated risk is required. This is working as expected.

Only when the additional access request has a new risk does the workflow route to the SOD path, and then it seeks approval from the mitigation owner for both the new unmitigated and the existing mitigated risks.

Former Member
Observation on checking further: Our SOD path: BASIS raises access request (auto risk analysis) -> Role Owner -> BASIS applies mitigation -> Mitigation Owner -> User Manager -> Auto Provisioning

  1. At the security stage for BASIS to apply mitigation, the option 'Include mitigated risks' needs to be always selected, else the request doesn't recognize the mitigation owner for the controls.
  2. If BASIS chooses 'Include mitigated risks' while mitigating, then the request routes to the mitigation owner for both existing mitigated risks and new unmitigated risks.

Hello Piyush,

It's up to BASIS on what risks are to be mitigated. When you try to mitigate risks, select only the new risks.

PS: there is a possibility that the new access also has the existing risk, so it is showing up in the analysis. Also, please check whether the control assignment request might be triggering for validity changes.

Kind regards,

Yashasvi

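The routing expectation the thread converges on (only controls for risks that are not already covered by a valid assignment go to a mitigation owner, with an expired validity period or a different Rule ID making a risk "open" again) is easier to reason about as a small model. This is an added illustration, not SAP GRC code; the dataclass names, the sample risks R1/R2, the owners and the dates are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Violation:          # one line item of the access-request risk analysis
    risk_id: str
    rule_id: str


@dataclass(frozen=True)
class ControlAssignment:  # a mitigating control assigned to the user for one risk/rule
    control_id: str
    owner: str            # mitigation (control) owner who must approve
    risk_id: str
    rule_id: str
    valid_from: date
    valid_to: date


def covers(ctrl, v, today):
    """An existing assignment covers a violation only for the same risk AND rule,
    and only inside its validity period (the two causes raised in the thread)."""
    return (ctrl.risk_id == v.risk_id and ctrl.rule_id == v.rule_id
            and ctrl.valid_from <= today <= ctrl.valid_to)


def classify(violations, existing, today):
    """Split risk-analysis line items into already-mitigated and open ones."""
    mitigated = [v for v in violations if any(covers(c, v, today) for c in existing)]
    open_ = [v for v in violations if v not in mitigated]
    return mitigated, open_


def route_to_owners(violations, existing, proposed, today):
    """Expected routing: only assignments proposed for OPEN violations are sent to
    their owners. A proposed assignment for a line item that is still covered is
    dropped here rather than producing a second approval for its owner."""
    _, open_ = classify(violations, existing, today)
    open_keys = {(v.risk_id, v.rule_id) for v in open_}
    routing = {}
    for c in proposed:
        if (c.risk_id, c.rule_id) in open_keys:
            routing.setdefault(c.owner, []).append(c.risk_id)
    return routing


# Constructed sample: R1 already mitigated by C1 (valid all of 2017), R2 is new.
TODAY = date(2017, 7, 14)
EXISTING = [ControlAssignment("C1", "owner_r1", "R1", "RULE1", date(2017, 1, 1), date(2017, 12, 31))]
ANALYSIS = [Violation("R1", "RULE1"), Violation("R2", "RULE2")]
PROPOSED = [ControlAssignment("C1", "owner_r1", "R1", "RULE1", TODAY, date(2017, 12, 31)),
            ControlAssignment("C2", "owner_r2", "R2", "RULE2", TODAY, date(2017, 12, 31))]
```

Running `route_to_owners` with the sample on 2018-01-15 instead of TODAY routes R1 to its owner again, which is the symptom to expect when an existing control's validity has lapsed.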
Yashasvi Sanvaliya Jul 14, 2017 at 12:55 PM

Hello Piyush,

Please share details of the routing rule and the audit log. Screenshots will help in analysing the issue.

Kind regards,

Yashasvi

Ramesh Vithanala Sep 18, 2017 at 07:15 PM

Hi Piyush,

Do you have any Cross System SODs that are not mitigated?

Thanks

Ramesh
