Risk is Mitigated, but Risk Analysis shows 'Risk not yet Mitigated'

Former Member
0 Kudos

Hi All,

On Risk Analysis (on Access request form submission), Risk is found, but Mit. Control shows 'Risk not yet mitigated'.

Access request shows no MC assigned (with option 'Include Mitigated Risk').

I have assigned these risks to Mit. Controls, as shown below. What can be the reason?

Accepted Solutions (1)

former_member193066
Active Contributor
0 Kudos

After mitigation, rerun risk analysis.

Regards,

Prasant

Former Member
0 Kudos

I did, but no change.

alessandr0
Active Contributor
0 Kudos

Have you really mitigated the risks for the user? Your printscreen shows only the risks added to a mitigating control, which doesn't mean that you have mitigated the risks for the user.

Please show us the mitigation for the user.

Regards,

Alessandro

Former Member
0 Kudos

Hi Alessandro,

I have a concern over MC showing 'Risk not yet Mitigated' (as in my 1st screenshot). So, let me clarify my understanding.

- MC definition requires Risk to be included, which I have mentioned during MC creation.

- I have not mitigated the user, which I want to do through the Access request. But the Risk Analysis result should show that an MC is available for the risk. Therefore, I have included the option 'Include Mitigated Risk' in my Risk Analysis (or while doing re-run risk analysis). But no MC appears.

So, Mitigation of the user is the second step, which I am not expecting now, because there is an option 'Mitigate Risk', which lets me assign the MC to the user. This is no problem.

But MC does not appear for already Mitigated risk.

alessandr0
Active Contributor
0 Kudos

Plaban,

that's a misunderstanding. Include mitigated risks means that risk analysis shows already mitigated risks. E.g. in your case, if the risk is already mitigated for that particular user, this would show up (risk analysis then has the mitigating control and assigned controller included).

In your case you have to mitigate the risk and then re-run the risk analysis. If you include mitigated risks it will show up (the red light will change to green for "mitigation control").

Select the line with the risk and push the button "Mitigate risk". The control will be available and you can proceed with the mitigation.

The "mitigated risk" will only show when this particular scenario is mitigated (user, system, risk, and rule). Please be aware that you can use wildcards for system and rule.

Please share the screenshot of your mitigation for that user and risk and I will check if all settings are correct.

Regards,

Alessandro

alessandr0
Active Contributor
0 Kudos

Plaban,

any feedback here? Is the issue resolved now? If yes, please close the thread.

Thanks and regards,

Alessandro

Answers (1)

alessandr0
Active Contributor
0 Kudos

Dear Plaban,

as Prasant has mentioned, if you mitigate during the approval in the access request, you have to re-run the risk analysis to have the information updated. Also, please be aware that if you mitigate risks only in your productive environment, but you have test/dev systems assigned in the access requests which have risks too, those are not mitigated, and in case you have defined your workflow that access requests cannot be approved when risks then the user might not be able to approve.

And as your system is greyed-out I assume that it might be possible to have other systems in the access request as usually a user gets the same authorization in quality system and hence this might be another issue too.

Hope this helps.

Regards,

Alessandro

Former Member
0 Kudos

Hi Alessandro,

I have re-run risk analysis, but still no MC appears. I have only 1 system as connector. So, there are no roles of any other systems.


Regards

plaban

former_member193066
Active Contributor
0 Kudos

Hello,

You have mitigation assignment workflow approval configured.

You need to approve it first before you rerun risk analysis.

Regards,

Prasant
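The distinction the replies above draw, as an added example that is not part of the original thread and is not SAP GRC code: a simplified Python model in which a risk listed on a mitigating control is not enough, and a violation only counts as mitigated once an approved assignment exists for that user, system, risk and rule. All class names, the `*` wildcard token and the sample IDs are constructed for illustration.

```python
from dataclasses import dataclass

WILDCARD = "*"  # assumed wildcard token for this model

@dataclass(frozen=True)
class Violation:
    user: str
    system: str
    risk: str
    rule: str

@dataclass(frozen=True)
class Assignment:
    control: str
    user: str
    system: str     # may be WILDCARD
    risk: str
    rule: str       # may be WILDCARD
    approved: bool  # False while the assignment approval workflow is pending

def _match(pattern, value):
    return pattern == WILDCARD or pattern == value

def mitigating_control(v, control_risks, assignments):
    """Return the control that mitigates violation v, or None."""
    for a in assignments:
        if (a.approved
                and a.user == v.user and a.risk == v.risk
                and _match(a.system, v.system) and _match(a.rule, v.rule)
                and v.risk in control_risks.get(a.control, set())):
            return a.control
    return None

def report(v, control_risks, assignments):
    mc = mitigating_control(v, control_risks, assignments)
    return f"{v.user}/{v.system}/{v.risk}: " + (mc or "Risk not yet mitigated")

# Constructed sample data: the control definition already lists the risk.
CONTROL_RISKS = {"MC_0001": {"F001"}}
V = Violation("JDOE", "ECCCLNT100", "F001", "0001")
PENDING = Assignment("MC_0001", "JDOE", "*", "F001", "*", approved=False)
APPROVED = Assignment("MC_0001", "JDOE", "*", "F001", "*", approved=True)

if __name__ == "__main__":
    print(report(V, CONTROL_RISKS, []))          # control defined, user not mitigated
    print(report(V, CONTROL_RISKS, [PENDING]))   # assignment awaiting approval
    print(report(V, CONTROL_RISKS, [APPROVED]))  # approved, then analysis re-run
```
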