
AC10 - Auto risk analysis and auto mitigation

Former Member

Hi,

I was wondering if it is possible to

- run an automatic risk analysis at the end of an approval stage of the workflow, the same way it is possible to configure at the time of request sending?

- automatically put a mitigating control in the request for the risks found?

In our case, there is only one mitigating control for each risk and the assignment of the control is an unnecessary manual task to perform. The mitigation assignment will be approved in a separate WF by the mitigation owner.

It seems there is no out of the box solution to this, so any alternative suggestions are welcome.

Thanks,

Daniela

Accepted Solutions (1)

Former Member

Hi Daniela,

If I may give my opinion, I would probably break your question down into 2 parts.

1) Auto Risk analysis at the end of a stage - Making "Risk Analysis Mandatory" at that stage is probably the method. Unfortunately this does mean clicking one or two buttons (so not fully automated). Think AC uses this method to ensure the reviewer is aware of the conflicts caused etc.

2) Auto Mitigation - For a business access workflow in a 'Live' situation, this is probably not a good idea, as analysing and making the decision on whether to proceed with the request should really be performed by an actual person responsible for that stage in the workflow, e.g. Role Owner or Security Lead etc. You would not want to mitigate all risks automatically (if I have understood correctly that you have a mitigation per risk ID). In theory, an automated mitigation process would mitigate all risks without discrimination.

On a side note, there is a configuration setting under SPRO for Access Control as follows:

"Risk Analysis- Access Request : Param ID 1072 - Mitigation of critical risk required before approving the request". By enabling this configuration, you could force a mitigating control to be applied to any user requesting Critical Access.

Hope this helps.

Former Member

Hi Kaushal,

Thanks for this.

Unfortunately, I am aware of all these options.

1) Risk analysis: We wanted to avoid approvers clicking the risk analysis button, especially as they are not handling these risks. Also, it is the role owner stage, and this way risk analysis will be conducted several times, which is useless.

2) Auto mitigation: It would be merely a manual mapping of risk <-> mitigating control. This mapping needs an additional stage/manual clicks, as the real approval will be triggered once the assignment is done (RAR workflow).

But I assume no. 2) will not be feasible in the system.

Anyone any ideas for automatic risk analysis in an approval stage?

Thanks,

Daniela

Former Member

Hi Daniela,

Thanks for the reply. It would make sense to have certain aspects automated, I agree with that vision.

I was testing assignment of Mass Mitigations on 10.0 and I was just trying to "Mitigate Risks" from a Risk Analysis report. I had already created the Controls for specific risks and upon application, it seemed to have identified the mitigation to apply automatically.

I think this is as good as it gets, but it is obvious that compliance tools will always require a few manual decisions to be made to ensure a "human" decision is made for approval/disapproval etc.
