GRC 10 - Risk Mitigation Best Practices


Hi guys,

Our business partner is requesting to know what the best practices are for mitigating risks (single and mass mitigation) in GRC 10. I've been scouting all over the net, but I am unable to find any. I did find white papers from SAP on how to perform mitigation, but they don't really give us an idea of best practice.

If anyone can point me in the right direction, that would be highly appreciated.

Our Setup

3-tier landscape - GRC DEV, QA and PRD

Version - GRC 10 SP11 on NW7.02. Soon to be upgraded to SP12 due to a UAR problem.

Component working - AC, ERM, EAM. BRM is in progress.

Thanks in advance!

aNuar

Accepted Solutions (1)

alessandr0
Active Contributor

Dear aNuar,

I will share my experience of how I perform mitigations.

Single mitigations I enter directly in the business client. There you have several screens where you can mitigate (e.g. directly after running a user risk analysis, in Mitigated Users, etc.).

Multiple mitigations I upload via an Excel file. I use program GRAC_UPLOAD_MIT_ASSIGNMENTS for uploading mitigations and GRAC_DOWNLOAD_MIT_ASSIGNMENTS for downloading existing mitigations.

If you need further information please let me know.

Best regards,

Alessandro


Dear Alessandro,

Thank you very much for sharing your practices with me. I tried downloading the existing mitigations we have, and for some reason the headers are missing.

I have to work out what each column is by referring to the Mitigated Users screen in NWBC.

Anyway, does that mean you use SE38 in your production environment as well when uploading the file? The transaction is considered critical. Or did you assign that program to a Z transaction code?

Your response is very informative and helpful. I hope you don't mind me keeping the thread open a bit longer to see any other methods that people may use.

Thanks and have a nice day.

aNuar

alessandr0
Active Contributor

Hi aNuar,

Yes, the header is missing, but after using it once you will know which column is for what. 🙂

Yes, I am using SE38 in the productive GRC system as well. I am also using those two programs to extend the validity date of mitigations after the yearly review. We checked with audit and there were no complaints from them, as we have a documented sign-off for each mitigation when we upload.

Let me know if you need further information.

Best regards,

Alessandro


Hello again Alessandro,

Yes, as a matter of fact I do have follow-up questions. I hope you don't mind.

Do you use the SAP-delivered rulesets? If yes, did you customize them based on your needs, or do you just use them as delivered?

Apart from best practice, our business partner also has concerns about the rulesets. They think that in 10 the rulesets are too different, which causes additional risks to appear. Do you know of any best practice related to rulesets? If customized, what will the impact be if we upgrade the SP, or perhaps apply an enhancement in the near future (GRC 10.1)? Will the customized rulesets cause issues?

Thanks again bud! Appreciate it.

aNuar

alessandr0
Active Contributor

Dear aNuar,

We have our own customized rule set, which was defined together with the external auditor. I do not see any concerns with upgrading to a higher SP. If you change the rule set and you have mitigations assigned at rule level, then you might get into trouble, as the rule level will change (during generation of rules).

But so far I do not see any issues caused by a customized rule set.

Regards

Alessandro


Hi Alessandro,

Thank you very much for your input. Seems like I have the answer I've been looking for.

The practice of risk mitigation in 10 is that you either mitigate individually or perform mass mitigation.

Can you explain to me what rule-level mitigation is? We use user-level mitigation: for any risk found for a user, the risk is then assigned to a mitigating control.

Thanks

aNuar

alessandr0
Active Contributor

Hi aNuar,

One access risk has more than one rule ID, and you can also mitigate a risk at rule ID level.

For example, if you want to mitigate RISK1, you can mitigate the risk for all rule IDs with a star (*). It is also possible to mitigate just one single rule ID.

Full mitigation of an access risk: [screenshot not included]

Rule ID mitigation of an access risk: [screenshot not included]

Hope this makes it clear.

Regards,

Alessandro

former_member193066
Active Contributor

Hello,

If you are referring to the SoD remediation process: when you run a risk analysis, check whether the role can be remediated before applying mitigation.

If it is a false positive, go with an org rule to remove the false positive.

Again, mass mitigations can be uploaded or downloaded.

You can do mass mitigation in NWBC itself.

For uploading:

You can upload in GRC 10; the minimum SP level should be SP10.

Mass mitigation is available via

GRAC_UPLOAD_MIT_ASSIGNMENTS, and the format is:

Name | System | Risk ID | Rule ID | Control ID | Valid from | Valid To | Monitor | Active

In the Active column, put X.

SAP Note #1749804: Download & Upload reports for mitigation assignments.

I think this will resolve your issue, as this note provides reports to download and upload mitigation assignments.

Regards,

Prasant


Hi Alessandro,

I missed out one important detail. After modifying the mitigations in the Excel file, do you upload as overwrite or append? If append, should we empty the Excel file first?

Which method (append or overwrite) is the better practice based on your experience?

Thanks again bud!

aNuar

alessandr0
Active Contributor

Dear aNuar,

It depends on the situation. For example, if I am going to add new mitigations (e.g. we are going to mitigate many users because of a go-live), then I append them to the existing ones. If I change the validity date for all, then it's an overwrite. I use append only to add new mitigations to the existing ones. Generally I have all mitigations in Excel; even if I do an append, I add them to Excel and upload, overwriting all. By doing that I can always check the mitigations in the system and also in Excel.

Regards,

Alessandro

former_member193066
Active Contributor

It all depends on what you are trying to do to achieve your requirement.

For example: I have mitigations assigned manually which are perfect, and I want to upload mass mitigations, but the manually created ones are not in the file; then I will go ahead with append.

If I do not wish to keep them, I will overwrite.

Regards,

Prasant
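The thread describes the upload column order for GRAC_UPLOAD_MIT_ASSIGNMENTS, the header-less download file, full-risk (*) versus rule-ID mitigation, and the append-or-overwrite decision. The script below is an added example that is not code from the thread or from SAP: a pre-flight check that parses a downloaded assignment file and a prepared upload file, validates the upload rows, tells you what an append would add, what an overwrite would silently drop, and whether a given risk hit is already covered by a full-risk or rule-level assignment. The tab delimiter, ISO date format, and all user, system, risk, rule and control IDs in the sample data are assumptions constructed for the example; the real files use whatever format the SAP Note specifies.

```python
"""Pre-flight check for a GRAC_UPLOAD_MIT_ASSIGNMENTS file (added example).

Assumptions of this example (not taken from the thread or the SAP Note):
tab-delimited rows, ISO dates, no header row (as the download has none),
and the column order Name, System, Risk ID, Rule ID, Control ID,
Valid from, Valid To, Monitor, Active.
"""
import csv
import io
from dataclasses import dataclass, replace
from datetime import date

COLUMNS = ["Name", "System", "Risk ID", "Rule ID", "Control ID",
           "Valid from", "Valid To", "Monitor", "Active"]


@dataclass(frozen=True)
class Assignment:
    user: str
    system: str
    risk_id: str
    rule_id: str        # "*" mitigates the whole risk, otherwise one rule ID
    control_id: str
    valid_from: date
    valid_to: date
    monitor: str
    active: bool

    def key(self):
        """Identity of an assignment: what append/overwrite are compared on."""
        return (self.user, self.system, self.risk_id, self.rule_id, self.control_id)


def parse_assignments(text):
    """Parse a header-less, tab-delimited file into Assignment objects."""
    rows = []
    for raw in csv.reader(io.StringIO(text), delimiter="\t"):
        if not any(raw):
            continue                                   # skip blank lines
        raw = raw + [""] * (len(COLUMNS) - len(raw))   # tolerate a short last row
        name, system, risk, rule, ctrl, vfrom, vto, monitor, active = (
            c.strip() for c in raw[:len(COLUMNS)])
        rows.append(Assignment(name, system, risk, rule, ctrl,
                               date.fromisoformat(vfrom), date.fromisoformat(vto),
                               monitor, active.upper() == "X"))
    return rows


def validate(rows):
    """Return {key: [problems]} for rows that should not be uploaded."""
    problems, seen = {}, set()
    for a in rows:
        issues = []
        if not a.active:
            issues.append("Active column must contain X")
        if a.valid_to < a.valid_from:
            issues.append("Valid To is earlier than Valid From")
        if a.key() in seen:
            issues.append("duplicate assignment in file")
        seen.add(a.key())
        if issues:
            problems[a.key()] = issues
    return problems


def plan_upload(existing, upload, problems):
    """Classify valid upload rows against what is already in the system."""
    ex = {a.key(): a for a in existing}
    up = {a.key(): a for a in upload if a.key() not in problems}
    return {
        "added": sorted(k for k in up if k not in ex),
        "changed": sorted(k for k in up if k in ex and up[k] != ex[k]),
        "unchanged": sorted(k for k in up if k in ex and up[k] == ex[k]),
        # In the system but not in the file: kept by append, lost by overwrite.
        "dropped_if_overwrite": sorted(k for k in ex if k not in up),
    }


def is_mitigated(assignments, user, system, risk_id, rule_id, on):
    """True if an active full-risk ('*') or matching rule-level assignment covers the hit."""
    return any(a.user == user and a.system == system and a.risk_id == risk_id
               and a.rule_id in ("*", rule_id) and a.active
               and a.valid_from <= on <= a.valid_to
               for a in assignments)


def extend_validity(assignments, new_valid_to):
    """Yearly-review case: same keys, new Valid To (meant for an overwrite upload)."""
    return [replace(a, valid_to=new_valid_to) for a in assignments]


# Constructed sample data: a download of current assignments and a prepared upload.
EXISTING_DOWNLOAD = """\
JDOE\tERPCLNT100\tP001\t*\tMC-001\t2013-01-01\t2013-12-31\tAUDITOR1\tX
ASMITH\tERPCLNT100\tF002\tF00201\tMC-007\t2013-03-01\t2013-12-31\tAUDITOR1\tX
"""
UPLOAD_FILE = """\
JDOE\tERPCLNT100\tP001\t*\tMC-001\t2013-01-01\t2014-12-31\tAUDITOR1\tX
BLEE\tERPCLNT100\tP001\tP00103\tMC-001\t2013-06-01\t2014-05-31\tAUDITOR1\tX
CWONG\tERPCLNT100\tF002\tF00201\tMC-007\t2013-06-01\t2013-05-31\tAUDITOR1\t
"""


def demo():
    """Run the check on the sample data and return the findings."""
    existing = parse_assignments(EXISTING_DOWNLOAD)
    upload = parse_assignments(UPLOAD_FILE)
    problems = validate(upload)
    plan = plan_upload(existing, upload, problems)
    return existing, problems, plan


if __name__ == "__main__":
    _, problems, plan = demo()
    for key, issues in problems.items():
        print("REJECT", key, "; ".join(issues))
    for kind, keys in plan.items():
        print(kind, keys)
```

Run it before choosing the upload mode: a non-empty `dropped_if_overwrite` list is exactly the manually created assignment Prasant describes, which survives an append but not an overwrite; `changed` is the yearly validity extension, which only takes effect with overwrite.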
