on 12-17-2009 1:36 PM
Hi All,
I have a specific question surrounding the setup of Mitigating Controls within RAR5.3.
Our business does not use the SAP standard ruleset (more a bespoke version); the business have defined Mitigating Controls based at user level.
The problem I have is that the Mitigating Controls I need to create are against specific Rule IDs rather than Mitigating the whole Risk ID.
For example, within Risk ID GD01 we have 1200 Rule IDs; the business wish to Mitigate 250 of these Rules against 20 users. Whilst attempting to build this Control I realised that in order to do so I need to add these 250 rules separately within the Control and then again with the "Mitigated Users" section.
My question is "How can I add a user to an existing Mitigating Control (which has all Rule IDs built within) and, rather than having to add the user to the Rule IDs separately, Mitigate against all Rules currently under this Control?"
When I put in GD01*, GD01 or * it states "Risk :GD01* is not assigned to the Mitigation : CSF03"
Any thoughts are welcome.
Regards
Andy
Hi Simon,
Thank you for the prompt response. Because our MCs are very specific about certain elements of the Risks, it makes them difficult to maintain.
I would just assume that once you had built the IDs into the control, any users or roles you want to add could be assigned against all IDs without having to re-enter them.
Regards
Andy
Andy,
If you want to go down the route of assigning Mitigations to specific rules, you need to be clear about exactly which rules you want to mitigate.
You will also need to be aware that there is potential for the rules to be updated if they are re-generated.
I would try wherever possible to separate the mitigation controls so that they are not re-used to cover different elements of the risks as far as the system is concerned.
Therefore, I would have one mitigation with GD01* assigned and a different mitigation with GD01001* (or whichever rules apply) assigned.
You can then assign the users to whichever control is most applicable.
I hope this helps.
Simon