on 05-13-2009 7:58 AM
Hi,
We are working on GRC CC 5.3. Could you please refer some step-by-step procedure documents for creating new RULES and MITIGATION CONTROLS?
Thanks & Regards,
KKRao.
Hi rao,
As far as my knowledge goes, we create mitigation controls for risks and rules;
we do not create rules for mitigation controls.
Regards,
Sudip.
Edited by: Sudip Saha on May 13, 2009 1:49 PM
Hi KK,
Frank is right; it is not just technical steps but a clear understanding of what you want to mitigate.
I assume that:
1. You have a defined rulebook.
2. You have created all risks and the rules are generated.
3. You have run a risk analysis in your system.
4. You now have a list of risk exposures in your system, and your business people have to look at it and decide what is to be removed and what they must retain to run the business.
5. You have remediated all authorizations which are not necessary at all.
Now you have a list of mitigations.
You may do it at two levels:
First, you need to clean all roles. Mitigate them.
Second, user level: if a user is getting violations via two roles, you need to decide whether you want to keep them or not.
If not, then you will have to remove one or more roles.
If you want to keep them, then you have to mitigate them.
Regards-Sabita
Mitigation procedure:
1. Create a naming convention which clearly states the nature of the mitigation, e.g. which module it belongs to, the role and the risks.
2. Create the mitigation control and associate an approver, a monitor and risks with it.
3. Mitigate roles using the controls, specifying which risks you want to mitigate.
Same procedure for user mitigation.
Hi KK,
1. To mitigate a user, create a mitigation control (the naming convention should convey the nature of the risk, the module of the user, etc.).
2. Go to RAR - Mitigation - Mitigating Controls - Create.
3. Go to RAR - Mitigation - Mitigated Users - search for the created mitigation control - Add - enter the Control ID, search the user name by system, the Risk ID and the Monitor ID, and save.
Regards,
Sabita
Regarding #1 in Sabita's reply
"Create a mitigation control(naming convention should convey the nature of risk, module of user etc.)"
Does anyone have any recommendations or best practices about naming conventions for Mitigation Controls (MCs)? We are trying to use the SAP ruleset with as few changes as possible. Previously, with our simplistic custom ruleset, we tied MCs to risks one-to-one and named our MCs ZMC01 (for risk Z001), ZMC02 (for Z002), etc. With the SAP ruleset, I don't know that there's a reason to use the Z* namespace. And there may be one-to-many relationships, e.g. the same MC for risk P033 as for P037. So maybe we should just use the "odometer" approach as used for functions and risks, e.g. P001 is the 1st MC defined in "Procure to Pay", applied to risks P033 and P037; S001 is the first MC defined in "Order to Cash", applied to risks S015 and S028. Anyone have any experiences to share on this topic?
TIA,
hb
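As an added example (not code from the original thread, and not an SAP GRC API), the following Python script models the two things the thread discusses: Sabita's procedure of creating a mitigation control with an approver, monitor and covered risks and then assigning it to users per risk, and hb's proposed "odometer" naming convention (P001, S001, ...) where the first letter is the process area prefix shared with the risk IDs. It runs offline over constructed sample data and performs the check a practitioner wants after mitigating: which user/risk violations from the risk analysis are actually covered by a valid assignment, which remain unmitigated, and which assignments are invalid because the control does not cover the risk it was assigned for. The control and risk IDs, user names, approver and monitor IDs, and the ID format are all assumptions chosen to match the thread; RAR itself stores this data in its own tables, and this script is only a model of the logic.

```python
"""Model of GRC AC 5.3 mitigation-control assignment and a coverage check.

Hypothetical example: the data structures and ID convention are assumptions
following the thread (odometer-style MC IDs such as P001 / S001, risk IDs such
as P033 / S015), not the RAR data model.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Assumed naming convention from the thread: one uppercase process-area letter
# (P = Procure to Pay, S = Order to Cash) followed by a three-digit counter.
MC_ID_PATTERN = re.compile(r"^[A-Z]\d{3}$")


@dataclass(frozen=True)
class MitigationControl:
    control_id: str
    approver: str           # who approved the control
    monitor: str            # who is responsible for monitoring it
    risks: FrozenSet[str]   # risk IDs this control is allowed to mitigate


@dataclass(frozen=True)
class Violation:
    user: str
    risk_id: str            # one row of the user-level risk analysis


@dataclass(frozen=True)
class UserMitigation:
    user: str
    control_id: str
    risk_id: str            # the "Mitigated Users" entry: control applied to user for risk


def validate_control(mc: MitigationControl) -> List[str]:
    """Return a list of problems with a control definition (empty list = OK)."""
    errors = []
    if not MC_ID_PATTERN.match(mc.control_id):
        errors.append(f"{mc.control_id}: ID does not follow the <area letter><nnn> convention")
    if not mc.approver or not mc.monitor:
        errors.append(f"{mc.control_id}: approver and monitor are both required")
    if not mc.risks:
        errors.append(f"{mc.control_id}: control must be associated with at least one risk")
    # Under the odometer convention the control's area letter should match the
    # area letter of every risk it covers (P001 -> P033, P037; S001 -> S015, S028).
    for risk in sorted(mc.risks):
        if risk[:1] != mc.control_id[:1]:
            errors.append(f"{mc.control_id}: covers risk {risk} from a different process area")
    return errors


def check_mitigations(
    controls: List[MitigationControl],
    violations: List[Violation],
    mitigations: List[UserMitigation],
) -> Tuple[List[Violation], List[Tuple[UserMitigation, str]]]:
    """Return (unmitigated violations, invalid assignments with a reason)."""
    by_id: Dict[str, MitigationControl] = {c.control_id: c for c in controls}
    covered = set()
    invalid: List[Tuple[UserMitigation, str]] = []
    for m in mitigations:
        control = by_id.get(m.control_id)
        if control is None:
            invalid.append((m, "unknown control"))
        elif m.risk_id not in control.risks:
            # Assigning a control for a risk it was never associated with
            # gives no real coverage; RAR only lets you pick risks the control
            # is linked to, but a data-load or a stale association can cause this.
            invalid.append((m, "control is not associated with this risk"))
        else:
            covered.add((m.user, m.risk_id))
    unmitigated = [v for v in violations if (v.user, v.risk_id) not in covered]
    return unmitigated, invalid


# --- constructed sample data (not from any real system) ---------------------
CONTROLS = [
    MitigationControl("P001", approver="APPR_P2P", monitor="MON_AP", risks=frozenset({"P033", "P037"})),
    MitigationControl("S001", approver="APPR_O2C", monitor="MON_AR", risks=frozenset({"S015", "S028"})),
]
VIOLATIONS = [  # output of the user-level risk analysis, as the thread describes
    Violation("JSMITH", "P033"), Violation("JSMITH", "P037"),
    Violation("MJONES", "S015"), Violation("MJONES", "P033"),
]
MITIGATIONS = [  # "Mitigated Users" entries: control ID, user, risk ID
    UserMitigation("JSMITH", "P001", "P033"), UserMitigation("JSMITH", "P001", "P037"),
    UserMitigation("MJONES", "S001", "S015"), UserMitigation("MJONES", "S001", "P033"),
]


def run_report() -> Tuple[List[Violation], List[Tuple[UserMitigation, str]]]:
    """Validate controls, then report what is still unmitigated or wrongly assigned."""
    for mc in CONTROLS:
        for problem in validate_control(mc):
            print("control definition problem:", problem)
    unmitigated, invalid = check_mitigations(CONTROLS, VIOLATIONS, MITIGATIONS)
    for v in unmitigated:
        print(f"UNMITIGATED: user {v.user} still has risk {v.risk_id}")
    for m, reason in invalid:
        print(f"INVALID: {m.user}/{m.control_id}/{m.risk_id}: {reason}")
    return unmitigated, invalid


if __name__ == "__main__":
    run_report()
```

In the sample data MJONES was given control S001 for risk P033, which S001 does not cover, so that assignment is reported as invalid and the P033 exposure for MJONES remains unmitigated; the same check, run against an export of the risk analysis and the mitigated-users list, is a quick way to confirm that every retained violation has a control that actually applies to it.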