Implementing Mitigation Control IDs

Hi,
We are planning to implement mitigation control ids in GRC. Currently we are only having 1 mitigation control id and all the users are mitigated into this id.
Now, the plan is to include the mitigation control advise/comments by the SOD approvers into the GRC and thus by introducing multiple mitigation control id we could achieve this.
In our system users are mapped as per the Business Unit and we have around 25-30 business units. so each BU is have a seprate mitigation control approval (SOD Approver).
We have around 150 Risk IDs.
We are not able to understand how to design mitigation control IDs in such case? Is it a best practice to create mitigation control ID for each Risk ID in the system (May be we can group similar Risk IDs)? Your help is appreciated.
Thanks,
Umesh

Hi Umesh,
No, for 1 Mitigation COntrol there are serveral Monitors and users who are mitigated are added to only 1 mitigation control id.
Which means you have multiple people monitoring every risk in your system. Does all of the monitors belong to the same functional group?? If yes, what happens if there is a risk in other functional groups? How they can identify and monitor it??
If no, why a FI functional group monitor, needs to monitor the risk related to other groups?
Can you pls explain more on primary and secondary functions?
If the risk is related to one functional area only, the respective functional area will own it. If it is a cross functional risk, then it will be owned by both the functional area managers, which is often referred as primary and secondary functions.
  and what are the disadvantage of creating 1 mitigation control id for each risk (may be grouping some risks) considering the fact that we have 25 business units.
It is just like giving 1 coke with 100 straws while you still have a stock in your refrigerator
Regards,
Raghu

Similar Messages

  • GRC 5.3 mitigation control

    Dear Guys,
    Please help me to understand the concept of mitigation control in GRC 5.3 and when it is useful and at what time we need to implement mitigation control.
    How could we mitigate user and on what criteria....????
    Also some brief about control monitor.
    Thanks in Advance......

    Hi Arpit,
    Steps for remediation and mitigation strategy is as below,
    Once you do risk analysis, you have the list of risk available in your system, after this you have the option to remove (Remediate) risk by removing conflicting permission or action from role.
    OR
    there is scenario where you have to accept the risk in this case you have to opt for mitigation control, just consider one example given below,
    Function A: Create PO
    Function B: Release PO
    Above two functions are conflicting and create risk in standard process, so as a standard practice, in reference to compliance SAP recommends to have two people doing it separately, but customer might not be having 2 postions in org to separate this, so customer has to accept the risk and create mitigation control to document this and put the monitoring control so one person can perform this function.
    This way it is helful to follow the compliance and when audit happens customer can show that they have identified the risk and documented it and put alternate monitoring control, so the risk cannot be misused.
    Hope this helps you understand it.
    BR,
    Mangesh

  • GRC CUP 5.3 SP16.3 Mitigation Controls automation removal

    Does anyone know that if you create any user requests to remove roles from a user, that if any mitigation controls were assigned to the users for those roles, the mitigating control ids can also be automatically removed from RAR during auto provisioning of the request?
    Right now, GRC CUP, if configured properly, during auto provisioning, will assign the mitigation controls automatically to the userid in RAR to mitigate the risks when the request is processed if the new access will give any SOD violations.  But if you remove the roles from a user and he/she had any mitigation ids assigned in RAR, can the request also automatically remove the mitigated control id associated with it if the user will no longer have that risk?  I have not seen the request automatically remove the mitigated id from RAR when the role was removed from the user id during auto provisioning. But I'm not sure if this requires additional workflow configuration or not.
    Will greatly appreciate if any1 is aware of this issue and how to resolve it. Or is the only solution to manually remove it from RAR..but this can be tiresome..bc then you have to run the report every week or month in RAR to remove the excessive controls assigned if the users do not have the risks anymore..comparing reports from current to previous month, etc.
    Thanks,
    A.

    Hi Alley,
    It is not possible to automate the removal of mitigation controls through a workflow in CUP. The only solution is to review on a regular basis and remove them manually from RAR
    We also has the same issue and performing manual review at regular intervals of the user & role assigned mitigation controls
    Best Regards,
    Srihari.K

  • Mitigation control ID validity extension -easy way

    I work in GRC AC 5.3. All Mitigation control IDs have a validity expiration on same date in near future. Our GRC has many mitigation control IDs with mitigated users. How can I change the valid to date in convenient way?
    It may be extended for all mitigated users separately/individually, but it will take huge time.

    You can download all of them in a text file, make changes and upload it back via the import/export utility under mitigation tab,
    Alpesh

  • Multiple mitigating controls assigned to one risk

    Hello experts. We are using GRC compliance calibrator 5.3. We are just starting to implement mitigating controls. The problem we have is we have multiple mitigating controls per risk. Some risks have one control and some have two or three. When we run our risk analysis the resulting report only shows the first mitigating control it finds.
    Just wondering if anyone else has this situation. I wanted to check here before I created a message with SAP.
    Thanks
    Dave

    Dave,
       I think this is how the functionality is. You will have to open a CSS message with SAP.
    Regards,
    Alpesh

  • Uploading mitigating controls - UAT to production system

    Dear gurus
    Before i place the issue i would like to give some background: In the Production system of Complaince calibrator we have 3 systems assigned Production, UAT and Develeopment. We are the implementation team and are not authorised to assign the mitigating controls for users in production system , therefore before going live we have assigned the mitigating controls to same set of users in UAT system in the production system of compliance calibrator. Now the region has gone live and the same set of mitigating controls needs to be assigned to same set of users with same risks to production system users.
    Issue: Now there are over 100 users and its not feasible for us to manually once again assign the same mitigating controls to the users. is there a posiibility to automate this assignment or will we have to do it manually. In case we can automate then how? in case we have to manually do it what is the best way to cover the users faster.
    Thanks in advance
    Vani

    Thanks Frank, Would you advise which would be the better editor?
    Hi Alpesh,
    If i understand correct, you mean to say that its the same table, since its the same RAR production system, but currently while adding the mitigations I would have chosen the users as mentioned in UAT system that is attached to RAR production, but how do I make it as production system? If i go by what you say, I should add the user ids as per the production backend system in the same tabel and then it will automatically pick it while running reports for production users, is that correct?

  • Query on Mitigation Control

    Hi all,
    We have configured Mitigation Controls and mitigated some of the users. We have the following queries in this regard:
    a) When we run the SoD anlaysis for that particular user we could able to see only half description of the Mitigation Control.
    Is there any limitation for the space or the parameters for the Mitigation Control Description.We are unable to see the entire description of the Mitigation Control (If the mitigation control is more than 7-8 lines) in the Detailed Report screen as well. Even after downloading into a spreadsheet also we are getting only the part of the mitigation control and not the entire description of the mitigation control
    b) A risk ID can be addressed by 2 or 3 mitigation controls. In this scenario,we have assigned 2-3 mitigation controls to one Mitigated user for mitigation. When we run SoD analysis we could able to see only the latest mitigation control assigned to the user in the report format (say out of 3 assigned only the 3rd one assigned is being shown).
    But when we did a search for Mitigation controls with  the Risk ID & User ID combination then it is throwing all the 3 mitigation controls. But the same is not shown in SoD violations reports
    Is there anything to do with the parameters set up or at the configuration side to resolve this.
    Please provide the procedure also in case of any changes to be made at configuration level.
    Thanks and Best Regards,
    Sri

    Hi Vit,
    Thanks for your reply. We crosschecked and you are correct that the space limitation is only for 132 characters in this table.
    Is there a way to get the mitigation control whole description or do we need to stick to this limitation itself.
    Also, when we did a search for Mitigation Control it gives only Mit.ID, Mit Control Desc, BU and Management approver. Whether there are any tables (from SAP Backend) or reports where we can get the Risk Ids including the above addressed by the mitigation controls.
    Thanks and Best Regards,
    Sri

  • Creating Mitigation Control from CUP

    Hi Guys,
    Is this feature implemented in Access Control???? Or Stills as enhancement

    Hi Alpesh
    In order to your answer... Can you help me to identify what I doing wrong when I want to approve a mitigate control in CUP.
    Path 1 : Approve request
    Stage 1: Request
    Stage 2: Security
    Stage 3: Role Owner
    Detour Path:
    Type: CUP
    Stage: Role Owner
    Condition: SoD Review
    Detour Path: Path 2
    Path 2:
    Stage 1: Approval -- > CAD : Mitigation Monitor
    The request is send to the Mitigation Monitor but when we try to approve request show the next error:
    2010-03-30 14:10:26,390 [SAPEngine_Application_Thread[impl:3]_25] ERROR  Mitigation control TEST_5.1 could not be saved for user PRUEBAGRC_6
    com.virsa.ae.core.BOException: Exception from the service : Mitigation record doesn't exist
         at com.virsa.ae.accessrequests.bo.MitigationControlBO.insertMitigationControl(MitigationControlBO.java:207)
         at com.virsa.ae.accessrequests.bo.MitigationControlBO.saveMitigationControls(MitigationControlBO.java:321)
         at com.virsa.ae.accessrequests.bo.RequestBO.callAEExitService(RequestBO.java:6993)
         at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:6748)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:6600)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:6393)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:949)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:104)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:295)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:461)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    Caused by: com.virsa.ae.service.ServiceException: Exception from the service : Mitigation record doesn't exist
         at com.virsa.ae.service.sap.MitigationControlWS52DAO.checkForSuccess(MitigationControlWS52DAO.java:832)
         at com.virsa.ae.service.sap.MitigationControlWS52DAO.executeUpdateUserMitigation(MitigationControlWS52DAO.java:287)
         at com.virsa.ae.service.sap.MitigationControlWS52DAO.insertUserMitigation(MitigationControlWS52DAO.java:309)
         at com.virsa.ae.accessrequests.bo.MitigationControlBO.insertMitigationControl(MitigationControlBO.java:195)
    Can you help me please?? All URI are OK.
    Thanks !!!!
    Edited by: Karen_sans on Mar 31, 2010 7:45 PM

  • SAP GRC AC10 Common Practices on Mitigation Control

    Hi all,
    Currently, our company is implementing the GRC tool globally and we are required to set up mitigation control. I would like to get some ideas about what structures are used in various companies. And are those mitigation control align with the internal audit practices?
    We are having some initial idea that setting up template for those mitigation control, but should these be applied to all companies? And if we set up in this way, do we still need to identify any approver and monitor in local organization?
    And the mitigation controls should be owned by global organization or compliance department or local organization?
    Please help.
    Thx!

    Hi "GRC_SAP_AUDIT"
    I presume that you have a single Global Ruleset used within the company to define the risks across the company, but some risks may not be applicable or realistically avoidable in certain parts of the organisation in different countries due to the possible nature of a "Small office" structure (i.e. a small team doing various types of job tasks which are bound to cause SOD conflicts etc). So you may want to create a control for a risk in one area/region, but not for another. This is all possible with GRC AC.
    You can have a Specific Risk assigned to as many Mitigating Control definitions; therefore if you had different controls in different countries for that risk, e.g. UK Risk F001 is to have control X applied, whilst USA Risk F001 is to have control Y applied, it is good practice to define it that way.
    With the example above, you can then assign regional Control Owners and Monitors. Usually, I recommend giving the ownership of controls to the regional/company/departmental leads (depending on your org structure) who would manage the control, as I strongly feel that this has to be business driven. The decision of what approach to take is yours, as you have to see what will be the best solution to implement within your organisation.
    Hope this helps. If you wish to add any further detail, im sure the forum members are happy to help.

  • Report Tab in Mitigation Control

    Dear Experts,
    Can anyone explain me the purpose/usage of Report Tab in Mitigration Control. I have browsed the forum but could not understand the actual need of this tab as I found different answers.
    Thanks,
    Raj

    HI Raj,
    Access Controls is used as a documental tool for Mitigating Controls, rather than a implementing tool, i.e. you apply the control against the role/user, but the actual application of the control is performed outside of Access Control. This may be realized by running a custom SAP report to monitor the usage of the risky functions within the ECC system etc.
    Access Control allows you to document such reports against the Mitigation Control, so this is the purpose of the tab. Given that GRC 10.0 integrates AC and PC, Mitigating Controls is master data that is shared amongst the different GRC modules, so I get the feeling Process Controls might utilize the "Report" data and check if the reports are being monitored by the control monitor/s at the scheduled frequency etc.

  • Business unit in mitigation control and business process in rule architect

    Dear Friends
    Can any one please tell me the difference between business unit configuration in mitigation control and business process in rule architect.
    If they are same, why we are configuring the same two times.
    full points awarded for good answer.
    Thanks and Regards
    A.Rama Krishna.
    Edited by: Ramakrishna Ailanani on Nov 25, 2008 10:02 AM

    Hello Ailanani,
    The use for these entities solely depends on the business and has to be decided between the implementors and the BPOs. This can vary a lot from organization to organization and thus cant be generally stated.
    Also, as this would be an integral part of the implementation, would advice you to be sure and clear once you define them or take help from some GRC AC consultants who can guide you on the same. Without a clear definition of the BPs and the BU's you may end up putting a lot of time, money and resource for a thing which probably you might have to reverse later.
    Regards,
    Hersh.

  • Mitigation control workflow for AC10

    We are configuring the Mitigation control workflow during the implementation of AC 10.
    I would like to know whether its mandatory to have the workflow for Mitigation approver and monitor. As per the implementation team there is no requirement for them as this is not covered during the rampup.  But I think this should be mandatory to have the mitigation approval worflow so all the mitigation risk should be approved before mitigating. Otherwise, security admin can mitigate any risk and complete the request.
    Please advice.

    Hi,
    Yes. It will be a manual process. In some of the organizations, risks identification and mitigation will be performed manually by the Business process owners, which means in reality there will not be any risks that pop-up in CUP or RAR since they are already mitigated for the user.
    If you don't want to enable the mitigation process in the workflow, you have to do it and record the evidences manually.
    Hope this answers.
    Regards,
    Raghu

  • Multiple mitigation controls assignment through CUP

    Dear All,
    We have implemented CUP 5.3 and under SP9.
    We have multiple controls addressing same risk where in we are supposed to assign multiple controls to the users. When the manager is assigning multple controls, the old one is getting replaced with the new one for the same risk.
    Is there any configuration change to be made to assign multiple mitigation controls to the same user for the same risk using CUP.
    Thanks and Best Regards,
    Srihari.K

    Ben,
       This is how CUP works. There is no configuration which allows you to ignore SOD violaton even if there is mitigation. You will have to live with this for now.
    Regards,
    Alpesh

  • Mitigating controls

    Good day all,
    I have been tasked with creating "generic" mitigating controls for all risks in our 5.3 GRC installation. This means I must develop about 280 general mitigating controls. This is so that when we do an install at a client, we can assist them quickly to populate the mitigating risks. Has anyone done this? If so would you be able to share the information with me.
    Thank you
    Regards
    Jill

    Dear Jill,
    The controls should address the risks associated with the processes represented by sub processes,activities.This -control - is scenario specific.A control that could be effective for a scenario may be ineffective for the other.For example a depot - tiny retail outlet having a low volume of Turnover-manager can handle issue of goods,invoicing and the receipt of money.But this scenario will be a serious SOD issue for scenarios other than for tiny retail outlets.controls are complex in nature and work differently for different scenarios..
    The control environment,Firm's maturity,management's risk appetitte-all these have a telling effect on the risks and controls.
    While a general understanding of the risks and the relevant controls is certainly a good idea;adapting generic controls to the business situations without analysing the risks,its impact will be dangerous.Any control before being implemented should be simulated and approved by the risk/control/process owners.
    My 2 cents.
    Regards
    Ramesh

  • Error while uploading mitigation controls

    Dear All,
    While uploading the mitigation controls i am facing with the below error. Can you please help me in resolving this error.
    Error in table dataVIRSA_CC_MITUSER
    SQL:=>Insert into  VIRSA_CC_MITMON(MITREFNO,MONITORID) Values(?,?)
    Record::Line Number :21 : D VIRSA_CC_MITMON TESTC1 TEST1
    Below is the text file which i am uploading into the RAR for test purposes
    M     VIRSA_CC_ADMIN     USERID     NAME     EMAILID     ROLEID               
    D     VIRSA_CC_ADMIN     TEST1     TEST1     test     M          
    M     VIRSA_CC_BUSUNIT     BUSID                              
    D     VIRSA_CC_BUSUNIT     TH                              
    M     VIRSA_CC_BUSUNITT     BUSID     LANG     DESCN                    
    D     VIRSA_CC_BUSUNITT     TH     EN     Thailand                    
    M     VIRSA_CC_BUAPPVR     BUSID     APPROVERID                    
    D     VIRSA_CC_BUAPPVR     TH     TEST1                         
    M     VIRSA_CC_BUMONITOR     BUSID     MONITORID                         
    D     VIRSA_CC_BUMONITOR     TH     TEST1                         
    M     VIRSA_CC_MITREF     MITREFNO     BUSID     APPROVERID               
    D     VIRSA_CC_MITREF     TESTC1     TH     TEST1                    
    M     VIRSA_CC_MITREFT     MITREFNO     LANG     DESCN                    
    D     VIRSA_CC_MITREFT     TESTC1     EN     Test mitigation control               
    M     VIRSA_CC_MITRISK     MITREFNO     RISKID                         
    D     VIRSA_CC_MITRISK     TESTC1     F006*                         
    M     VIRSA_CC_MITMON     MITREFNO     MONITORID                         
    D     VIRSA_CC_MITMON     TESTC1     TEST1                         
    M     VIRSA_CC_MITRPT     MITREFNO     ACTIONS     VSYSKEY     MONITORID     FREQUENCY          
    M     VIRSA_CC_MITUSER     MITREFNO     RISKID     USERID     VALIDFROM     VALIDTO     MONITORID     STATUS
    M     VIRSA_CC_MITROLE     MITREFNO     RISKID     ROLEID     VALIDFROM     VALIDTO     MONITORID     STATUS
    D     VIRSA_CC_MITROLE     TESTC1     F006*     Z1.*.ASST-SC-FINC-MGR     6/9/2010     7/25/2010     TEST1     0     
    M     VIRSA_CC_MITHROBJ     MITREFNO     RISKID     HROBJ     HROBJTYP     VALIDFROM     VALIDTO     MONITORID     STATUS
    M     VIRSA_CC_MITPROF     MITREFNO     RISKID     PROFILE     VALIDFROM     VALIDTO     MONITORID     STATUS
    M     VIRSA_CC_MITUSRORG     MITREFNO     RISKID     USERID     ORGRULEID     VALIDFROM     VALIDTO     MONITORID     STATUS
    M     VIRSA_CC_DETDESC     OBJECT_TYPE     OBJECT_ID     LANG     DETAIL_DESCN     
    D     VIRSA_CC_DETDESC     MIT     TESTC1     EN     Test Mitigation control                    
    We are not mitigating users now. Only roles are getting mitigated and hence we have not provided any values to the MIT USER table.
    Thanks and Best Regard,
    Srihari.K

    Dear Varun,
    Thanks for your reply. It helped me a lot. But however i am facing the following issue while uploading the mitigation controls
    After exporting the mitigation file from RAR, we opened the text file in a spreadsheet format and added few lines to the file and saved in the same text format or in UTF-8 format also
    After uploading the same into RAR again after changes we are facing similar errors mentioned in above query.
    But when we add lines  directly in the wordpad and upload the file then it is successful.
    We have to add so many mitigation controls and roles to be assigned for which excel would be easy way to dump.
    Is there anything wrong we  are doing here in editing and converting the files.
    Thanks and Best Regards,
    Srihari.K

Maybe you are looking for

  • How Do U Do This?

    Hi Today at work we were using apple laptops running tiger. My friend said do you want to see something cool I said yeah he presses like 2 buttons and everything changes color like everything the look the icons and when u open photo-booth your face l

  • Maximum attachement file size?

    One of the requirements of a job I am applying for states: "We often send large files so it is important that your account be able to hold large files. Choose an Internet account that allows up to 10MB of email and attachments." Does .me mail qualify

  • Easier backup of large iPhoto libraries in version 6?

    If I upgrade from v5 to v6 will backup be easier? My library is >12 GB. An easily restorable backup requires using eg Backup 3 for a set of >=3 DVDs (hard to do this to backup frequently- and possibly flaky), or breaking it up into libraries <4.3GB u

  • Default JNDI server question.

    Does Java standard/ee from Sun come with a default JDNI server program, upon which to perform naming.rebind ?

  • My emac safari launches with no search screen and when i open a new tab it shuts down wit an error message???

    Hi, and thanks in advance. I have an emac thats working fine except for safari. Click safari the top bar comes up but no page and when i open a new tab it shuts down with a error and message saying it unexpectedly quit and send to apple or relaunch.