on 04-18-2014 7:21 AM
Dear Guys,
Please help me to understand the concept of mitigation control in GRC 5.3, when it is useful, and at what time we need to implement a mitigation control.
How could we mitigate a user, and on what criteria?
Also some brief about control monitor.
Thanks in advance.
Hi Arpit,
The steps for a remediation and mitigation strategy are as below.
Once you do risk analysis, you have the list of risks available in your system. After this you have the option to remove (remediate) the risk by removing the conflicting permission or action from the role.
OR
There is a scenario where you have to accept the risk; in this case you have to opt for a mitigation control. Just consider the example given below:
Function A: Create PO
Function B: Release PO
The above two functions are conflicting and create a risk in the standard process, so as a standard practice, in reference to compliance, SAP recommends having two people do them separately. But the customer might not have 2 positions in the org to separate this, so the customer has to accept the risk and create a mitigation control to document this, and put a monitoring control in place so one person can perform both functions.
This way it is helpful to follow compliance, and when an audit happens the customer can show that they have identified the risk, documented it and put an alternate monitoring control in place, so the risk cannot be misused.
Hope this helps you understand it.
BR,
Mangesh
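The workflow Mangesh describes (risk analysis over a user's roles, then either remediation by removing the conflicting role or mitigation by attaching a documented, monitored control) can be shown end to end in a few dozen lines. The block below is an added example written for this thread; it is not SAP GRC code and does not use the GRC 5.3 API. Every rule ID (P001, P002), role name (Z_PUR_BUYER, ...), function name, user name (ARPIT) and control ID (MC-PO-01) is constructed for illustration. It goes one step beyond the post by handling the validity dates a mitigation control carries: an expired control leaves the risk open again, which is exactly what an auditor checks.

```python
"""Segregation-of-duties (SoD) risk analysis: remediation vs. mitigation.

Added example, not SAP GRC code. All rule IDs, role names, function names,
user names, dates and control IDs are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed SoD rule set: each risk is a pair of functions that one user
# must not hold together (the Create PO / Release PO conflict from the post).
SOD_RULES = {
    "P001": frozenset({"CREATE_PO", "RELEASE_PO"}),
    "P002": frozenset({"MAINTAIN_VENDOR", "PROCESS_PAYMENT"}),
}

# Constructed role -> functions mapping (what each role lets a user do).
ROLE_FUNCTIONS = {
    "Z_PUR_BUYER": {"CREATE_PO"},
    "Z_PUR_APPROVER": {"RELEASE_PO"},
    "Z_AP_CLERK": {"MAINTAIN_VENDOR"},
    "Z_AP_PAYMENTS": {"PROCESS_PAYMENT"},
}


@dataclass(frozen=True)
class MitigationControl:
    """A documented, time-bound compensating control for one user and one risk."""
    control_id: str
    user: str
    risk_id: str
    monitor: str          # the person who reviews the compensating report
    valid_from: date
    valid_to: date

    def covers(self, user: str, risk_id: str, on: date) -> bool:
        # Outside the validity window the control no longer covers the risk.
        return (self.user == user and self.risk_id == risk_id
                and self.valid_from <= on <= self.valid_to)


def user_functions(roles):
    """Union of the functions granted by a user's roles; unknown roles grant nothing."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def find_risks(roles):
    """Risk analysis: the sorted IDs of every SoD rule whose function pair the user holds."""
    funcs = user_functions(roles)
    return sorted(risk_id for risk_id, pair in SOD_RULES.items() if pair <= funcs)


def remediate(roles, role_to_remove):
    """Remediation: drop the conflicting role so the risk no longer exists at all."""
    return {r for r in roles if r != role_to_remove}


def risk_report(user, roles, controls, on):
    """Status of each risk after applying the mitigation controls valid on a date.

    Returns {risk_id: ("MITIGATED", control_id)} or {risk_id: ("OPEN", reason)}.
    """
    report = {}
    for risk_id in find_risks(roles):
        valid = [c for c in controls if c.covers(user, risk_id, on)]
        if valid:
            report[risk_id] = ("MITIGATED", valid[0].control_id)
            continue
        # Either no control was ever assigned or it has lapsed; both are open findings.
        assigned = [c for c in controls if c.user == user and c.risk_id == risk_id]
        reason = ("control %s expired" % assigned[0].control_id
                  if assigned else "no mitigation control")
        report[risk_id] = ("OPEN", reason)
    return report


# Constructed sample data: one user holding both sides of the PO conflict.
SAMPLE_ROLES = {"Z_PUR_BUYER", "Z_PUR_APPROVER"}
SAMPLE_CONTROL = MitigationControl("MC-PO-01", "ARPIT", "P001", "PUR_MANAGER",
                                   date(2014, 1, 1), date(2014, 12, 31))
REVIEW_DATE = date(2014, 4, 18)    # inside the control's validity window
AFTER_EXPIRY = date(2015, 4, 18)   # after the control has lapsed

if __name__ == "__main__":
    print("risks:", find_risks(SAMPLE_ROLES))
    print("mitigated:", risk_report("ARPIT", SAMPLE_ROLES, [SAMPLE_CONTROL], REVIEW_DATE))
    print("expired:", risk_report("ARPIT", SAMPLE_ROLES, [SAMPLE_CONTROL], AFTER_EXPIRY))
    print("remediated:", find_risks(remediate(SAMPLE_ROLES, "Z_PUR_APPROVER")))
```

Two points the code makes explicit that the prose only implies: a mitigation control is bound to a specific user and risk (a control assigned to ARPIT does not cover another user holding the same roles), and it is time-bound, so the same report that shows P001 as mitigated in April 2014 shows it as an open finding a year later unless the control is renewed.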