Dear All,
I have a small question regarding Access Control (RAR and CUP).
We have customised our ruleset and developing new rules all the time. Many business areas ask us to include transactions where they would like to monitor who has access to it, however, it is not a "super-"critical transaction so that a violation leads to a mitigation or remediation.
The mitigating control for those reported violations would just be something like "is part of my team"... however, as far as I know, just to say "is part of my team" is not the end of story.
First of all, the mitigating controls have to be documented, then they have a limited validity so they have to be renewed as well. Also, the number of violations (or mitigated violations) is misleading, since it is not really a violation. So each violation causes quite some effort to manage it...
Therefore the question: Since it is possible to classify the risks for the rules as "low", is it also possible to configure the system in way, that for these risks no remediation or mitigation is necessary? So that in RAR they are not picked up by reports and in CUP provisioning is possible for those "low" violiations.
The perfect solution would be something like that those violations are generally ignored from the system, however if desired, you can check manually who is violating in order to see who has access to the transactions.
Hopefully I made the scenario clear.. but I guess that other companies as well have a similar scenario....
Thanks
Muhammad
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.