AE: Multiple Mitigation controls per risk

Hi,
I am currently setting up mitigation controls in CC and am wondering if it is possible to have 2 mitigation controls for a risk?
It does not look possible, because when assigning access in AE and mitigating the risks, it is only possible to choose 1 mitigation control per risk. Has anybody managed to set up AE so that you can assign more than 1 mitigation control per risk?
Thanks

Hi Ankur,
we have multiple activities to be conducted as part of the mitigation control. We wanted to create a separate control reference for each as they have different monitors. However this does not look possible so we have grouped the activities into one mitigation control.
Regards,
Gary

Similar Messages

  • Multiple mitigating controls assigned to one risk

    Hello experts. We are using GRC compliance calibrator 5.3. We are just starting to implement mitigating controls. The problem we have is we have multiple mitigating controls per risk. Some risks have one control and some have two or three. When we run our risk analysis the resulting report only shows the first mitigating control it finds.
    Just wondering if anyone else has this situation. I wanted to check here before I created a message with SAP.
    Thanks
    Dave

    Dave,
    I think this is how the functionality is. You will have to open a CSS message with SAP.
    Regards,
    Alpesh

  • Multiple mitigation controls assignment through CUP

    Dear All,
    We have implemented CUP 5.3 and under SP9.
    We have multiple controls addressing the same risk, where we are supposed to assign multiple controls to the users. When the manager is assigning multiple controls, the old one is getting replaced with the new one for the same risk.
    Is there any configuration change to be made to assign multiple mitigation controls to the same user for the same risk using CUP?
    Thanks and Best Regards,
    Srihari.K

    Ben,
    This is how CUP works. There is no configuration which allows you to ignore an SOD violation even if there is mitigation. You will have to live with this for now.
    Regards,
    Alpesh

  • Implementing Mitigation Control IDs

    Hi,
    We are planning to implement mitigation control ids in GRC. Currently we are only having 1 mitigation control id and all the users are mitigated into this id.
    Now, the plan is to include the mitigation control advise/comments by the SOD approvers into the GRC and thus by introducing multiple mitigation control id we could achieve this.
    In our system users are mapped as per the Business Unit and we have around 25-30 business units, so each BU has a separate mitigation control approval (SOD Approver).
    We have around 150 Risk IDs.
    We are not able to understand how to design mitigation control IDs in such case? Is it a best practice to create mitigation control ID for each Risk ID in the system (May be we can group similar Risk IDs)? Your help is appreciated.
    Thanks,
    Umesh

    Hi Umesh,
    No, for 1 Mitigation Control there are several Monitors, and users who are mitigated are added to only 1 mitigation control id.
    Which means you have multiple people monitoring every risk in your system. Do all of the monitors belong to the same functional group? If yes, what happens if there is a risk in other functional groups? How can they identify and monitor it?
    If no, why does an FI functional group monitor need to monitor the risk related to other groups?
    Can you pls explain more on primary and secondary functions?
    If the risk is related to one functional area only, the respective functional area will own it. If it is a cross functional risk, then it will be owned by both the functional area managers, which is often referred to as primary and secondary functions.
    And what are the disadvantages of creating 1 mitigation control id for each risk (maybe grouping some risks), considering the fact that we have 25 business units?
    It is just like giving 1 coke with 100 straws while you still have a stock in your refrigerator
    Regards,
    Raghu

  • Validity period mitigating control

    Hi,
    I checked this forum but didn't find any helpful thread for my question. We are using GRC version 5.3. Is there any SAP report or tables available that would show the history of mitigating controls per user? In running the Compliance Calibrator for a user, SOD issues were present that we didn't expect because we thought existing mitigating controls were applied and that we were regularly monitoring this user for the associated risks. We thought that the problem might be that the validity period had expired, but our corporate security group currently doesn't even show the mitigating control for the user. I wanted to look at the history of the mitigating control for the user to see if I could validate their claim.
    Thanks,
    John

    Hi,
    First of all, there's a special forum for GRC: "Governance, Risk and Compliance".
    Check under RAR-> configuration tab:
    Default expiration time for mitigating controls (in days)
    When assigning a mitigating control to a risk, you must specify the validity period of the control. If the End Date is left blank, the value in this option is used to calculate the end date of the validity period; the default value is 365 (days).
    Check also under CUP->configuration->mitigation.
    You'll be able to find the documentation for these configuration parameters in the corresponding Config Guide.
    Regarding Mitigation controls per user, I guess you can just check RAR -> Mitigation tab.
    Cheers,
    Diego.

  • Mitigation Control Owner instead of Risk Owner.

    Hi All,
    In a Provisioning request, after Risk analysis, if any SOD is found then the request needs to be forwarded to the Mitigation Control Owner instead of the Risk owner.
    Please advise whether standard functionality in GRC 10.1 addresses this requirement or it needs development.
    Thanks in Advance

    Hi Babu,
    There is no standard functionality to forward this to the mitigation control owner.
    Even for forwarding to the risk owner, you may need some customization as per SAP Note 1670504.
    Thanks,
    Mamoon

  • Risk Analysis and Remediation Mitigating Control Monitoring Alerts

    Hello,
    We have configured an alert for a Mitigating Control. The Monitor must execute the report every day (report frequency = 1) or an alert email is sent to the Risk Owner.
    The Risk Owner receives the Alert email and the Alert is logged on the Alerts tab only for the first two days after the report is not executed by the Monitor. Is there a setting somewhere that controls why the alert is not generated after two days?
    thanks
    Tammi

    Correction.
    The email is only sent for 2 days. The alert is logged on the Alert Monitor tab every day.

  • Risks has been removed but Mitigating Control still stays with the users?

    Hi all,
    I have a situation where, after a risk has been removed from a user by removing the violating roles, the Mitigating Control still remains tagged to the same user. Is there any efficient way of removing Mitigating Controls from users where the risks no longer exist?

    Hi Joseph, thanks for the info. My problem comes in when the user requests to have the violating role removed via CUP and it so happens that the Mitigating Control assigned for the old risk still has 6 more months of validity left. It seems like there is no mechanism to auto-remove this MC when the role has been removed after the request in CUP has been approved and auto-provisioned.
    My problem is that there might be many more such users with redundant MCs assigned to them in RAR. I can't find a way to search for such redundant MCs for cleanup. There is a possibility that when the same roles are assigned back to the users via a request in CUP, these redundant MCs, if applicable, will cause the Risk Analysis via CUP to not flag any SoD issue.

  • Mitigation control workflow for AC10

    We are configuring the Mitigation control workflow during the implementation of AC 10.
    I would like to know whether it's mandatory to have the workflow for Mitigation approver and monitor. As per the implementation team there is no requirement for them as this is not covered during the ramp-up. But I think it should be mandatory to have the mitigation approval workflow so all the mitigation risks are approved before mitigating. Otherwise, a security admin can mitigate any risk and complete the request.
    Please advise.

    Hi,
    Yes. It will be a manual process. In some organizations, risk identification and mitigation will be performed manually by the Business process owners, which means in reality there will not be any risks that pop up in CUP or RAR since they are already mitigated for the user.
    If you don't want to enable the mitigation process in the workflow, you have to do it and record the evidence manually.
    Hope this answers.
    Regards,
    Raghu

  • CC: Entering Mitigation Controls

    Hi ,
    I am entering mitigation controls in CC and am noticing 2 issues:
    1) I cannot blanket mitigate a selection of users. Blanket mitigation only seems to apply if I want to mitigate all users. Is there any way to add 10 select users to a mitigation control by selecting the 10 users, rather than having to specify risk, validity dates etc. for all 10?
    2) I have noticed in SAP documentation that * should be entered after the risk ID, e.g. P005*. Why should this be entered? This does not default when setting up the mitigation control and if I forget to do it, I have to delete the mitigation entry for the user and recreate it. Can anybody advise why * must be entered and if there is a way to default *?
    Thanks,
    Gary

    Gary,
    1) No, there is no way to select 10 individual users without creating a line item for each one. Unless they all get the access from the same Role. If that was the case you could just create the mitigating control for that role and anyone that would have the conflict via that Role would not appear in your risk reports.
    2) The reason you have to enter * in the mitigating controls is so that all risk IDs are mitigated by your rule. For example, short risk ID P033 is made up of multiple long risk IDs based on each transactional combination, i.e. P03300101 for ME21,ME51, P03300201 for ME21N,ME51, P03300301 for ME22,ME51, P03300401 for ME22N,ME51.
    So to cover all possible transaction combinations with a mitigating control you need to enter it for P033*. This would also allow you to enter a mitigating control for only long risk id P03300101 if your mitigating control only covered users with access to ME21 and ME51.
    Hope that helps.
    Matt.

  • Uploading mitigating controls - UAT to production system

    Dear gurus
    Before I place the issue I would like to give some background: In the Production system of Compliance Calibrator we have 3 systems assigned: Production, UAT and Development. We are the implementation team and are not authorised to assign the mitigating controls for users in the production system, therefore before going live we have assigned the mitigating controls to the same set of users in the UAT system in the production system of Compliance Calibrator. Now the region has gone live and the same set of mitigating controls needs to be assigned to the same set of users with the same risks to production system users.
    Issue: Now there are over 100 users and it's not feasible for us to manually assign the same mitigating controls to the users once again. Is there a possibility to automate this assignment or will we have to do it manually? In case we can automate, then how? In case we have to do it manually, what is the best way to cover the users faster?
    Thanks in advance
    Vani

    Thanks Frank. Would you advise which would be the better editor?
    Hi Alpesh,
    If I understand correctly, you mean to say that it's the same table, since it's the same RAR production system, but currently while adding the mitigations I would have chosen the users as mentioned in the UAT system that is attached to RAR production, but how do I make it the production system? If I go by what you say, I should add the user ids as per the production backend system in the same table and then it will automatically pick it while running reports for production users, is that correct?

  • Detect obsolete mitigating control assignments?

    Hello,
    What report/s would you use to detect obsolete mitigating control assignments?
    The scenario is: A user has been assigned a mitigating control, let's say during the CUP workflow, to mitigate a certain risk that came with a certain role. Later, that role is removed from the user. Now the user is still in the scope of a mitigating control. However, the user is not even subject to the risk in question anymore.
    In which way (periodically?) could you detect these cases and clean up the mitigating control assignments?
    Thanks and regards
    Patrick

    Hey,
    My experience of cleaning up controls has not been very straightforward.
    I have had to perform various risk analysis reports and look up a list of user accounts that have been marked as "Expired" etc.
    It can be slightly more difficult if, like many organisations, you decide to assign a control with an infinite validity period (i.e. 12.12.9999).
    The Business and Internal Control team need to be very proactive about regularly monitoring the controls and reviewing the assignments. This is one reason why I strongly recommend that controls are only assigned for a set period (i.e. 365 days/1 year), so a compulsory review takes place by the control owners/business on a regular basis. This makes the controls much more effective, robust and fit for purpose.
    Happy to hear other's opinions and ideas.
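Two of the threads above come down to the same check: Matt's explanation that a control entered as P033* covers every long risk ID built on short risk P033 (P03300101, P03300201, ...) while P033 alone covers none of them, and Patrick's question of how to detect controls still assigned to users who no longer carry the risk. The script below is an added example, not code from any of the posters or from SAP GRC; the violation list, control IDs (MC_PUR_01, MC_PUR_02) and dates are constructed, and the wildcard matching is an assumption modelled on the thread, not the RAR implementation.

```python
from datetime import date
from fnmatch import fnmatchcase

# Constructed sample data, not an export from any RAR system:
# long risk IDs found per user by a risk-analysis run ...
VIOLATIONS = {
    "USER1": {"P03300101", "P03300301"},   # ME21/ME51 and ME22/ME51 conflicts
    "USER2": set(),                        # conflicting role has since been removed
    "USER3": {"P03300201"},                # ME21N/ME51 conflict
}
# ... and mitigating-control assignments: (user, risk id as entered, control id, valid-to)
ASSIGNMENTS = [
    ("USER1", "P033*", "MC_PUR_01", date(2013, 12, 31)),
    ("USER2", "P033*", "MC_PUR_01", date(9999, 12, 12)),  # the "infinite" validity case
    ("USER3", "P033",  "MC_PUR_02", date(2013, 12, 31)),  # trailing * forgotten
    ("USER1", "P033*", "MC_PUR_03", date(2012, 1, 31)),   # expired a year ago
]
TODAY = date(2013, 6, 1)  # constructed reporting date

def matches(pattern, long_risk_id):
    """Assumed matching rule from the thread: 'P033*' covers every long risk ID
    built on short risk P033; 'P033' without the star matches no long ID."""
    return fnmatchcase(long_risk_id, pattern)

def is_active(valid_to, today):
    return today <= valid_to

def unmitigated(violations, assignments, today):
    """Long risk IDs per user that no active, matching control covers."""
    out = {}
    for user, risks in violations.items():
        active = [a for a in assignments if a[0] == user and is_active(a[3], today)]
        open_risks = {r for r in risks if not any(matches(a[1], r) for a in active)}
        if open_risks:
            out[user] = sorted(open_risks)
    return out

def obsolete(violations, assignments, today):
    """Still-active assignments whose pattern matches none of the user's current
    violations: the risk is gone (role removed) or the pattern never matched."""
    out = []
    for user, pattern, control, valid_to in assignments:
        if not is_active(valid_to, today):
            continue  # expired controls drop out of reports on their own
        if not any(matches(pattern, r) for r in violations.get(user, ())):
            out.append((user, control, pattern))
    return out

if __name__ == "__main__":
    print("unmitigated:", unmitigated(VIOLATIONS, ASSIGNMENTS, TODAY))
    print("obsolete:", obsolete(VIOLATIONS, ASSIGNMENTS, TODAY))
```

Run against a real export, the first function lists what the risk report should still be flagging and the second gives the cleanup list for the periodic review Patrick asks about.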

  • Workaround for non-SAP mitigating control reminders

    Dear all,
    Our business users would like to document mitigating controls in RAR 5.3 regardless of whether they are connected with an SAP report. They would also like to receive email reminders for those controls.
    Unfortunately, the frequency of the control can only be defined per connected SAP report and reminders will only be sent for controls if the SAP report has not been executed.
    Have you been exposed to a similar requirement? It seems like a natural thing to ask from a business perspective. RAR 5.3, however, is not designed in that way.
    Have you come up with any feasible workarounds for this?
    My current approach would be to create a dummy Z-report per SAP system (such as Z_MANUAL_MITCTRL) that control monitors have to call once to confirm the execution of their control.
    Cheers and best regards
    Patrick

    Hello,
    Regarding your question, in fact this is dependent on how your UME (User Management Engine) is configured on your WAS (Web Application Server). If the UME is connected to your R/3 back-end then the user needs to have an R/3 account to connect to CC; otherwise, if your UME is "independent" then you just need to create an account in the UME.
    Regards,
    Jérôme.

  • How to include multiple attachment control's in single info-path form

    Hello Everyone,
    I am using SharePoint Online with InfoPath form 2013. For one SharePoint list form I would like to include multiple attachment controls. Please suggest a possible solution.

    Hi Venkat,
    Per my knowledge, when we edit the list form in InfoPath, the attachment control cannot be accessed.
    And InfoPath form templates of types (compatibility) "SharePoint List Form" and "Workflow Form" are by Microsoft design (or under-mis-design) locked, non-modifiable and do not permit client custom code (from InfoPath Designer in VSTA, Visual Studio for Applications).
    So we cannot add more attachment controls in an InfoPath form for a SharePoint list.
    As a workaround, I recommend using a Multiple lines of text field to store the attachments instead.
    Best regards,
    Victoria
    TechNet Community Support

  • CUP-5.3-SP13-Mitigation Controls by rol/users

    Hi all!
    Since RAR considers mitigation controls both by role and by user, if I have the role ZROL1 mitigated for the risk ID P001*, would CUP be able to consider this mitigation control even when CUP is managing users?
    I mean, if ZROL1 has a mitigation control, would the risk ID appear in the request whenever I add this role to a user?
    Many thanks in advance! Any help would be welcomed.
    Margarita.

    Hi Margarita,
    If you want, it will consider the role level mitigation controls. So in the request the risk violation will not be shown.
    For this you need to check the option "consider mitigation control" in CUP: Configuration-> Risk analysis.
    Also in RAR the following things need to be done:
    RAR Configuration->Risk analysis-> Default values:
    Exclude mitigated Risk as Yes.
    RAR Configuration-> Risk Analysis ->Additional options:
    Include Role/Profile Mitigating Controls in User Analysis as Yes.
    If the above values are defined as No, then the Risk Violation will be shown in the request.
    Kind Regards,
    Srinivasan
