
How to create RULES and MITIGATION CONTROLS in GRC 5.3

Former Member
0 Kudos

Hi,

We are working on GRC CC 5.3. Could you please refer us to some step-by-step procedure documents for creating new RULES and MITIGATION CONTROLS.

Thanks & Regards,

KKRao.

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi rao,

As far as my knowledge goes, we create mitigation controls for risks and rules.

We do not create rules for mitigation controls.

Regards,

Sudip.

Edited by: Sudip Saha on May 13, 2009 1:49 PM

Former Member
0 Kudos

Hi Sudip,

Yes, we need the procedures for creating mitigation controls for risks and rules, and the procedure for creating mitigations.

Regards,

KKRao.

koehntopp
Product and Topic Expert
0 Kudos

There is really more to this than just the technical process.

I would suggest attending an SAP training course (GRC300) to get the full picture; otherwise you might not be able to make full use of your system.

Former Member
0 Kudos

Hi KK,

Frank is right, it is not just technical steps but a clear understanding of what you want to mitigate.

I assume that:

1. You have a defined rulebook.

2. You have created all risks and the rules have been generated.

3. You have run risk analysis in your system.

4. You now have a list of risk exposures in your system, and your business people have to take a look at that and decide what is to be removed and what they must retain to run the business.

5. You have remediated all authorizations which are not necessary at all.

Now you have a list of mitigations.

You may do it at two levels:

First, you need to clean all roles. Mitigate them.

Second, user level: if a user is getting violations via two roles, you need to decide whether you want to keep them or not.

If not, then you will have to remove one or more roles.

If you want to keep them, then you have to mitigate them.

Regards-Sabita

Mitigation procedure:

1. Create a naming convention which clearly states the nature of the mitigation, e.g. which module it belongs to, the role and the risks.

2. Create the mitigation control and associate the approver, monitor and risks with it.

3. Mitigate roles using the controls, specifying which risks you want to mitigate.

Same procedure for user mitigation.

Former Member
0 Kudos

Hi Sabita,

Thanks for your information.

Regards,

KKRao.

Former Member
0 Kudos

Hi Sabita,

Can you please send the same procedure or links for user mitigation.

Regards,

KKRao.

Former Member
0 Kudos

Hi KK,

1. To mitigate a user, create a mitigation control (the naming convention should convey the nature of the risk, the module of the user, etc.).

2. Go to RAR - Mitigation - Mitigating Controls - Create.

3. Go to RAR - Mitigation - Mitigated Users - search for the created mitigating control - Add - enter the Control ID, search the user name by system, enter the Risk ID and Monitor ID, and save.

Regards,

Sabita

Former Member
0 Kudos

Thanks for your reply.

Regards,

KKRao.

Former Member
0 Kudos

Regarding #1 in Sabita's reply

"Create a mitigation control(naming convention should convey the nature of risk, module of user etc.)"

Does anyone have any recommendations or best practices about naming conventions for Mitigation Controls (MCs)? We are trying to use the SAP ruleset with as few changes as possible. Previously, with our simplistic custom ruleset, we tied MCs to risks one-to-one and named our MCs ZMC01 (for risk Z001), ZMC02 (for Z002), etc. With the SAP ruleset, I don't know that there's a reason to use the Z* namespace. And there may be one-to-many relationships, e.g. the same MC for risk P033 as for P037. So maybe we should just use the "odometer" approach as used for functions and risks, e.g. P001 is the 1st MC defined in "Procure to Pay", applied to risks P033 and P037; S001 is the first MC defined in "Order to Cash", applied to risks S015 and S028. Anyone have any experiences to share on this topic?

TIA,

hb
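As an added example, not part of the original thread and not SAP's own code or any GRC upload format, the script below models offline what Sabita's procedure (control with associated risks, approver and monitor; user/role assignment per risk with validity dates) and hb's "odometer" naming question amount to as data checks. It shows why a control-to-risk association is what makes an assignment valid, and what a bulk assignment file would have to be checked for before anyone loaded it. The control IDs, risk IDs, monitor IDs, user IDs, role name and the CSV column layout are all constructed here as assumptions; the risk IDs P033, P037, S015 and S028 are the ones quoted in the thread.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import date

# Assumed naming convention (hypothetical, modelled on the "odometer" scheme
# discussed in the thread): one business-process letter plus a three-digit
# sequence, e.g. P001 for the first control in Procure to Pay.
CONTROL_ID_RE = re.compile(r"^[A-Z]\d{3}$")


@dataclass(frozen=True)
class MitigationControl:
    control_id: str
    approver: str
    monitors: frozenset   # user IDs allowed to act as monitor for this control
    risks: frozenset      # risk IDs the control is associated with


@dataclass(frozen=True)
class Mitigation:
    control_id: str
    object_type: str      # "USER" or "ROLE"
    object_id: str
    risk_id: str
    monitor: str
    valid_from: date
    valid_to: date


def validate_control_id(control_id: str) -> bool:
    """True if the ID follows the assumed <process letter><3 digits> convention."""
    return CONTROL_ID_RE.match(control_id) is not None


def validate_mitigation(m: Mitigation, controls: dict) -> list:
    """Return the reasons an assignment would be rejected (empty list means OK)."""
    ctl = controls.get(m.control_id)
    if ctl is None:
        return [f"{m.control_id}: unknown control"]
    errors = []
    if m.risk_id not in ctl.risks:
        errors.append(f"{m.control_id}: risk {m.risk_id} is not associated with this control")
    if m.monitor not in ctl.monitors:
        errors.append(f"{m.control_id}: {m.monitor} is not a monitor of this control")
    if m.object_type not in ("USER", "ROLE"):
        errors.append(f"{m.object_id}: object type must be USER or ROLE")
    if m.valid_from > m.valid_to:
        errors.append(f"{m.object_id}: valid_from is after valid_to")
    return errors


def load_mitigations(csv_text: str) -> list:
    """Parse a bulk assignment file (hypothetical column layout, not a GRC format)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [Mitigation(r["control_id"].strip(), r["object_type"].strip().upper(),
                       r["object_id"].strip(), r["risk_id"].strip(), r["monitor"].strip(),
                       date.fromisoformat(r["valid_from"].strip()),
                       date.fromisoformat(r["valid_to"].strip())) for r in rows]


def residual_violations(violations, mitigations, controls, on: date) -> list:
    """Violations still open on a given day: only valid, in-window assignments count."""
    covered = set()
    for m in mitigations:
        if validate_mitigation(m, controls):
            continue                      # a rejected assignment mitigates nothing
        if m.valid_from <= on <= m.valid_to:
            covered.add((m.object_type, m.object_id, m.risk_id))
    return [v for v in violations if v not in covered]


# Constructed controls: one per process, each associated with two risks.
CONTROLS = {
    "P001": MitigationControl("P001", "AP_MANAGER", frozenset({"MON_P2P"}), frozenset({"P033", "P037"})),
    "S001": MitigationControl("S001", "SD_MANAGER", frozenset({"MON_O2C"}), frozenset({"S015", "S028"})),
}

# Constructed risk-analysis output: (object type, object ID, risk ID).
VIOLATIONS = [
    ("USER", "JSMITH", "P033"),
    ("USER", "JSMITH", "P037"),
    ("USER", "ADOE", "S015"),
    ("ROLE", "Z_AP_CLERK", "P033"),
]

# Constructed bulk file: ADOE's assignment expired in 2008; BKING's names a risk
# that P001 does not cover and must be rejected.
BULK_CSV = """control_id,object_type,object_id,risk_id,monitor,valid_from,valid_to
P001,USER,JSMITH,P033,MON_P2P,2009-01-01,2009-12-31
P001,USER,JSMITH,P037,MON_P2P,2009-01-01,2009-12-31
S001,USER,ADOE,S015,MON_O2C,2008-01-01,2008-12-31
P001,ROLE,Z_AP_CLERK,P033,MON_P2P,2009-01-01,2009-12-31
P001,USER,BKING,S015,MON_P2P,2009-01-01,2009-12-31
"""


def demo(on: date = date(2009, 5, 13)):
    """Return (rejected assignments by object ID, residual violations on the given day)."""
    mits = load_mitigations(BULK_CSV)
    rejected = {m.object_id: errs for m in mits if (errs := validate_mitigation(m, CONTROLS))}
    return rejected, residual_violations(VIOLATIONS, mits, CONTROLS, on)


if __name__ == "__main__":
    rej, res = demo()
    print("rejected:", rej)
    print("residual:", res)
```

Run as a script it reports BKING's row as rejected (risk S015 is not associated with P001) and ADOE's S015 violation as still open, because the only assignment covering it ran out in 2008. The two points worth carrying back to a real RAR bulk load are the same two checks: an assignment is only meaningful for a risk the control is actually associated with, and an expired validity window silently reopens the violation.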

Former Member
0 Kudos

Hello Sabita;

Would you know how to mitigate many different users by uploading a file or via some script? We have a lot of users to be mitigated on a daily basis; we cannot do it one by one.

Regards

Ayaz