
Mitigating risks during new user account creation

Former Member

I have a requirement for AC 10.

Is it possible to send a message from the security admin stage to the role owner stage to find out whether to mitigate the risk or not, without approving the request at the security stage? I am unable to understand which stages need to be configured so that risk mitigation can be done during the new/change account request type.

I would like to know who should be responsible for mitigating the risks while creating the request for a new or changed user account, if we assume that the risk is not already mitigated. Will the security admin or the role owner mitigate it?

Accepted Solutions (1)

Former Member

Is it possible to send a message from the security admin stage to the role owner stage to know whether to mitigate the risk or not, without approving the request at the security stage?

It is not possible to send a notification. However, the mitigation options can be used to identify the same in the request.

I would like to know who should be responsible for mitigating the risks while creating the request for a new or changed user account.

This is purely based on the process that you follow in your organization/project. Here are some instances:

1. If the role framework is properly maintained (risks are mitigated at the role level, and only composites are assigned to users) - neither the business owner nor the security person needs to mitigate the risks at the user level, since all the risks are already mitigated at the role level.

2. If the role framework is not properly maintained and single roles are assigned to users - mitigation is required. However, in a few instances, the BPOs or the functional owners will perform a risk analysis, mitigate if necessary and then raise the request. This can be done manually in RAR or also in CUP.

3. The mitigation tasks are completely owned by the Security team, and BPOs or functional owners will only approve/review.

Hope this answers your question.

Regards,

Raghu

Former Member

Thanks Raghu for your detailed answer.

Let's take the 2nd point you have mentioned. Roles and risks are not mitigated, and the end user raises the request for new user creation. During the second stage the security admin finds there are risks; what should he be doing then? He can't approve it as there are risks, and he cannot mitigate, as the decision on whether to mitigate or not should come from the role owners.

We have three stages - manager, security admin and, last, role owner. Do we need to change it to manager, role owner and then security admin, so the role owner can run the risk analysis and suggest to the security admin whether to mitigate the risk or not? But as there is no mail/notification system, how can he suggest the action to the security admin?

Former Member

Hi,

The Security admin should be the last stage. This way, you can make sure that the risks are verified and mitigated before they come to the Security team.

If you keep the current setup, you will have to go back to the manager/role owner/risk owner/mitigation owner to get approvals to mitigate and assign them, which is not a recommended way of handling it.

Hope this answers.

Regards,

Raghu

Former Member

Raghu, whatever you have mentioned seems to be correct. But we have to put the security stage before the role owner because the BPOs are not very technically sound at running the risk analysis or mitigating the risks if the mitigation control doesn't exist.

This is why we put the security stage earlier, so they run the risk analysis and, after approval from the BPO, mitigate the risk; but the problem is how the security team can contact the BPO to get the approval.

Otherwise, we can mitigate all the existing risks, and every time there is a risk the security team just uses the existing mitigating control and approves; it will then go to the next stage, the BPO, who will just approve or reject the risk.

Former Member

Hi,

As per my knowledge, the workflow that you are currently following is incorrect. If you wish to have the BPO approval after the Security manager approval, you are making the process harder. Please note that, as per audit terms, the Security manager or team is not the right party to decide a Go/No-Go on risks and mitigations. It should always go to the BPO, who can further discuss with the risk owners/mitigation owners and decide on the mitigation.

Hope this clarifies.

Regards,

Raghu

Former Member

Thanks again. You are correct.

Let's suppose we use the BPO stage before the security admin. The BPO runs the risk analysis and finds some risks, and he wants to mitigate a risk but no mitigation control exists for it. How can he ask the security admin to create the mitigation control for this risk? Will this activity be done outside AC via emails?

Former Member

Hi,

Well, the actual mitigation control is a physical document that comes after due discussions. The BPOs will have to provide all the information regarding why a mitigation is required, and if the audit team, the business cycle owner and the sub-cycle owner are satisfied, a mitigation control will be created with a unique identifier. The same will be created in RAR using the information from the actual mitigation control document. The BPO, Risk owner and Risk monitor are responsible for maintaining the mitigation controls from there on.

Hope this clarifies your question.

Regards,

Raghu
