on 10-22-2012 4:35 PM
Hi Experts,
We're trying to start using the mitigating controls for those users who have conflicts that have been already mitigated.
I've created a test user in our Sandbox environment (the profile of this user includes some transactions that are already included in one or more conflicts)
for creating a mitigating control. These are the steps I followed (I don't know if it helps or not, but we usually work in NWBC):
1. We run a "User Level" only for this test user.
2. I've selected the user, then I pushed the button "Mitigate Risk".
3. I've pushed "Create control" (there are no controls created yet)
4. When I tried to create the control Id, I was able to fill the fields "Mitigation Control Id" and "Name" (mandatory fields). The problem is that when I tried to complete the field "Organization", I looked for all the options available for that field, but it was empty: (below, the screenshot)
I had assumed that the info was uploaded from the environment where the test user had been created.
(The test user was created in a Finance sandbox environment, which is connected to our GRC Sandbox env)
Could you please help me with this issue?
Thank you very much in advance!!
Regards,
Sebastian.
Sebastian,
In order to use mitigation controls, you need to follow the procedure below.
To select the Owner/Monitor, you first need to assign these roles to the user ID.
There is also some setup required on the SPRO side, not sure if you have done it - within the IMG, select whether an organization view is used for AC, PC, RM, or shared between all components.
To check it, go to the View the Organization Hierarchy
Hope this helps,
Filip
Hi Filip,
First of all, I'd like to say thanks for your help.
On the other hand, I think we have some kind of issue in our configuration. I executed SPRO and found the whole path you mentioned. I chose "Maintain Org Views" and I saw that there were some lines created, so I went back to the "Organizations" work set, just to check if they were there, but it was empty.
I'm assuming that those "Org Views ID" should be shown in the "Organizations" work set, right?
In case they shouldn't, when I click on "new entries" (back at the "Maintain Organizations Views"), all the info shown disappears. My question is: Does this action overwrite the data uploaded before?
Last question... The terms "GRC - AC" / "GRC - PC" / "GRC - RM" are not familiar to me, could you please tell me what they mean?
Thank you very much for all your help!
Regards,
Seba.
Below, the screenshots. (They will help me to make my explanation clearer).
Please be aware that in GRC 10, Access Control (AC), Process Control (PC), and Risk Management (RM) are all loaded with the same software package and share certain master data, such as organization, process, control, risk, and others. I wouldn't worry a great deal about the "views". In most cases you will be using the Standard View, 002. You can create alternate views, if necessary, to look at organization hierarchies from a particular viewpoint, e.g. a Risk Management-only view of organizations. You can load organizations with the MDUG or CLM tools. Alternatively you can create them in the NWBC or portal. If you are creating organizations manually, you usually have to set up the root (top node) organization and one level below that in the IMG. There is an IMG step for that. Once the top/parent node and one child node are set up, you can add the rest of the hierarchy.
Because Process Control and Access Control are integrated, the mitigating controls that are set up for Access Control can be linked to the controls set up in Process Control (at the local level). If you have set up an access mitigating control and linked it to a control assigned to an organization, the testing or continuous monitoring available in Process Control provides assurance that the mitigating control is effective.