
Best practice for ruleset development & maintenance - GRC10

Former Member
0 Kudos

Hi there,

We have a 2-tier landscape of GRC10 with DEV & PRD. We are considering the following approach when making changes to rules and I'm wondering if this would be considered best practice / viable / or not a good idea:

  • Use the DEV environment (linked to our R/3 QAS system) as a test system to change conditions, functions, risks, mitigating controls and organizational rules and verify the results against test users in the R/3 QAS system - until we are satisfied that we understand what needs to change and how in order to produce the correct results in the RAR analysis
  • Modify functions, risks, mitigating controls and organizational rules directly in PRD (once the above understanding was obtained)
  • Export / import the ruleset info from PRD to DEV periodically so that in the DEV environment we would be working with relatively up-to-date info
  • This export functionality should also give us a "backup" of the PRD ruleset in case of need

It was mentioned to us that in terms of change history we would be able to keep a more meaningful change history this way (without all the trial and error changes reflected), and in addition it gives us the opportunity to test what works first (because we are all relatively new to GRC).

Hoping for guidance!

Many thanks,

Lisa

Accepted Solutions (1)


kevin_tucholke1
Contributor
0 Kudos

Lisa:

This was one of the complaints that most customers had with the AC5.3 version: that changes could not be transported. AC10 gives you the ability to allow the transport of the rule set. While this is technically possible, I would not call it a best practice. As I understand it, the transport would also transport the change history from the GRC Configuration client through the landscape.

If you choose to go down the route of making changes in Production, you may want to think about implementing the Workflow for Risk / Function changes so that approvals can be captured.

Thanks,

Kevin Tucholke

Former Member
0 Kudos

Hi Kevin,

I was reading through your response and could not get the statement "AC10 gives you the ability to allow the transport of the rule set. While this is technically possible, I would not call it a best practice".

If I am reading it correctly, are you suggesting that transporting rule sets is not a good practice?

Thanks for your additional 2 cents on the transport route for GRC rule sets.

As of now, in our present landscape, we would like to transport GRC AC 10 rule sets from DEV --> QAS --> PRD, and since they are transportable, we plan to follow the change management process and normal testing in QAS.

Rgds,

Sri

kevin_tucholke1
Contributor
0 Kudos

Sri,

No, just the opposite.  It is recommended to TRANSPORT the rules through the GRC landscape.  It was meant to say that doing the Upload/Download is technically possible, but not recommended as you have the transport capability now.

Sorry for any confusion.

Kevin Tucholke

Former Member
0 Kudos

Thanks for the reply. I understand the transport route is better, then, and we will have to make it so - I guess ideally we need a "Sandbox" client to try out the theory behind the logic! Much obliged, Lisa
