on 11-24-2014 5:20 AM
After mitigation, rerun risk analysis.
Regards,
Prasant
Hi Alessandro,
I have a concern over MC showing 'Risk not yet Mitigated' (as in my 1st screenshot). So, let me clarify my understanding.
- MC definition requires Risk to be included, which I have mentioned during MC creation.
- I have not mitigated the user, which I want to do through Access request. But the Risk Analysis result should show that MC is available for the risk. Therefore, I have included the option 'Include Mitigated Risk' in my Risk Analysis (or while doing re-run risk analysis). But no MC appears.
So, Mitigation of user is the second step, which I am not expecting now. Because there is an option 'Mitigate Risk', which lets me assign the MC to the user. This is no problem.
But MC does not appear for already Mitigated risk.
Plaban,
that's a misunderstanding. "Include mitigated risks" means that risk analysis shows already mitigated risks. E.g. in your case, if the risk is already mitigated for that particular user, this would show up (risk analysis then has the mitigating control and assigned controller included).
In your case you have to mitigate the risk and then re-run the risk analysis. If you include mitigated risks it will show up (the red light will change to green for "mitigation control").
Select the line with the risk and push the button "Mitigate risk". The control will be available and you can proceed with the mitigation.
The "mitigated risk" will only show when this particular scenario is mitigated (user, system, risk, and rule). Please be aware that you can use wildcards for system and rule.
Please share the screenshot of your mitigation for that user and risk and I will check if all settings are correct.
Regards,
Alessandro
Dear Plaban,
as Prasant has mentioned, if you mitigate during the approval in the access request, you have to re-run the risk analysis to have the information updated. Also please be aware that if you mitigate risks only in your productive environment, but you have test/dev systems assigned in the access requests which have risks too, those are not mitigated, and in case you have defined your workflow so that access requests cannot be approved when risks exist, then the user might not be able to approve.
And as your system is greyed out, I assume that it might be possible to have other systems in the access request, as usually a user gets the same authorization in the quality system, and hence this might be another issue too.
Hope this helps.
Regards,
Alessandro