on 01-22-2014 4:41 PM
Dear GRC Team,
I am looking for help!
I am creating a Mitigation Control ID for Risk ID F001.
In the Report tab, I need to maintain System, Action, Monitor ID and Frequency.
Here my query is: under the Action tab, what actions have to be maintained?
I am asking because F001 contains the GL01 & GL02 Function IDs.
Each function has more than 50 T-codes. In this case, do I need to maintain a total of 100 T-codes?
Could you please help me to create the Mitigation Control ID.
System Details: GRC AC 10.0 & SP-12
Regards,
Rupesh.
Hi Rupesh,
Access Control is used as a documentation tool for Mitigating Controls rather than an implementing tool, i.e. you apply the control against the role/user, but the actual application of the control is performed outside of Access Control. This may be realized by running a custom SAP report to monitor the usage of the risky functions within the ECC system, etc.
Action is for the t-code of the SAP report. A brief explanation below will help in understanding:
If you have a mitigation control under which Mr. Z will run report X using t-code Y on a monthly or quarterly basis and review the report, then you need to give that report name (X), in Action the t-code (Y), and the frequency as Monthly/Quarterly. This helps the system to check whether the t-code has been executed or not by the Monitor within that frequency, and it generates an alert [based on alert generation configuration]. If the monitor doesn't execute the action in the backend within the set frequency, we will find an alert in Alert Monitor - Control Monitoring, but if the monitor executes the action we will NOT get an alert.
The role of the Monitor is to see whether everything that was risky from the access being mitigated is fine or not. That is, he/she would see to it that the user who has been given extra access or conflicting access has not misused it. Every Mitigation control, for this purpose, has a Monitor attached to it who does this job.
Action - This is some t-code a monitor has to execute in the backend to see those reports.
Frequency is simply the period you want to set within which a monitor must perform this activity - say one week or one month.
If a monitor doesn't execute that action/t-code within that time, an alert will be generated and a mail will be triggered to the mitigation approver (indicating that the supposed task is not being performed).
For creating Mitigation controls in GRC 10.0, please check the blog post below.
Regards,
Madhu.
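Madhu's description of Monitor, Action and Frequency amounts to a simple check over action-usage records: for each control, did the assigned monitor execute the assigned t-code within the configured period as of the review date? The Python below is an added illustration of that check and is not part of this thread or of SAP GRC; the control IDs, user IDs, t-codes and dates are constructed, and the real product collects action usage from the backend system rather than from an inline list.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class MitigatingControl:
    """One mitigating control as maintained in the Report tab (constructed model)."""
    control_id: str
    risk_id: str
    monitor: str        # Monitor ID: the user expected to run the report
    action: str         # Action: t-code of the report the monitor must execute
    frequency_days: int  # Frequency: maximum allowed gap between executions


@dataclass(frozen=True)
class ActionExecution:
    """One record of a t-code execution in the backend (constructed sample)."""
    user: str
    tcode: str
    executed_on: date


def last_monitor_execution(control: MitigatingControl,
                           executions: List[ActionExecution]) -> Optional[date]:
    """Most recent execution of the control's action BY ITS MONITOR.

    Executions of the same t-code by other users do not count: the control is
    only evidenced when the assigned monitor performed the review.
    """
    dates = [e.executed_on for e in executions
             if e.user == control.monitor and e.tcode == control.action]
    return max(dates) if dates else None


def control_alert(control: MitigatingControl,
                  executions: List[ActionExecution],
                  as_of: date) -> Optional[str]:
    """Return an alert message if the control is overdue as of `as_of`, else None."""
    last = last_monitor_execution(control, executions)
    if last is None:
        return (f"{control.control_id} ({control.risk_id}): monitor {control.monitor} "
                f"has never executed {control.action}")
    gap = (as_of - last).days
    if gap > control.frequency_days:
        return (f"{control.control_id} ({control.risk_id}): {control.action} last run by "
                f"{control.monitor} on {last.isoformat()}, {gap} days ago "
                f"(frequency {control.frequency_days} days)")
    return None


def control_monitoring_alerts(controls: List[MitigatingControl],
                              executions: List[ActionExecution],
                              as_of: date) -> List[str]:
    """Alerts for every overdue control; this is what a monitor dashboard would list."""
    alerts = []
    for control in controls:
        msg = control_alert(control, executions, as_of)
        if msg is not None:
            alerts.append(msg)
    return alerts


# Constructed sample data: names, t-codes and dates are placeholders, not real GRC values.
CONTROLS = [
    MitigatingControl("MC_F001", "F001", "MONITOR1", "ZGL_REVIEW", frequency_days=30),
    MitigatingControl("MC_F002", "F002", "MONITOR2", "ZAP_REVIEW", frequency_days=7),
    MitigatingControl("MC_F003", "F003", "MONITOR3", "ZPAY_REVIEW", frequency_days=30),
]
EXECUTIONS = [
    ActionExecution("MONITOR1", "ZGL_REVIEW", date(2014, 1, 5)),   # within 30 days: fine
    ActionExecution("MONITOR2", "ZAP_REVIEW", date(2014, 1, 10)),  # 12 days ago: overdue
    ActionExecution("USER_X", "ZAP_REVIEW", date(2014, 1, 21)),    # not the monitor: ignored
]
AS_OF = date(2014, 1, 22)

if __name__ == "__main__":
    for alert in control_monitoring_alerts(CONTROLS, EXECUTIONS, AS_OF):
        print("ALERT:", alert)
```

Run as a script, it reports MC_F002 (the monitor's last run exceeds the 7-day frequency even though another user ran the same t-code yesterday) and MC_F003 (never executed), while MC_F001 stays quiet. The point the example isolates is that only the assigned monitor's execution of the assigned action resets the clock, which is why the Monitor ID, Action and Frequency fields belong together.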
Hi Madhu,
Thanks a lot. It is a great help to me. I appreciate your effort.
Here I have two doubts, as below:
1. Do we need to create the Organization Hierarchy in each environment (DEV, QAS, PRD), or is it transportable? I ask because when I created the Organization Hierarchy in SPRO, it did not ask for any TR.
2. How can we get these reports to maintain under the ACTION field? Do we have any standard reports for each Risk ID? If yes, could you please provide them to me.
Regards,
Rupesh.