
Mitigation Functionality in GRC 10

JaneLa
Participant
0 Kudos

We have GRC 10 installed (SP13) and have deployed ARA and EAM. I am having problems with the mitigating control functionality. Our mitigation procedure is to assign the Risk ID, Rule ID and role to the Mitigating Control. However, I've found that when the rules are regenerated (after making Function or Risk updates), the Rule ID (previously assigned to the control) often changes. This requires an update of each affected Mitigating Control: I have to assign the current Rule ID and role to each control. I would appreciate feedback from others; are you aware of any ways to avoid this issue?

    

  Thank you, Jane Landreth 

Accepted Solutions (1)


alessandr0
Active Contributor
0 Kudos

Hi Jane,

Mitigation on rule level is very tricky as the rule ID might change when rules are regenerated. It is not possible to avoid such behaviour as the creation of the rules follows the next available sequence for the ID. That means if 0001 is already used, 0002 will be the next generated rule ID.

Try to avoid regeneration of the rules for all risk IDs. Rather, regenerate the rules for dedicated risks only.

You can also transport rules from DEV to PROD so that the same mitigation control can be used and tested (export in DEV and import in PROD).

Rather than mitigating each risk on rule level, consider if mitigation can be done on risk level (wherever possible) so that only a few risks are mitigated on rule ID level.

Hope this helps. Let us know if you have further questions.

Regards,

Alessandro
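
One way to find the mitigating-control assignments that a regeneration has left stale, as an added example that is not part of the original thread or of SAP GRC: it compares a rule snapshot taken before regeneration with one taken after, matching rules by risk ID and conflicting action combination instead of by the sequence-assigned rule ID. The snapshot layout, risk IDs, control names and roles are assumptions constructed for illustration.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    risk_id: str
    rule_id: str          # sequence number assigned at generation time
    actions: frozenset    # conflicting action combination the rule represents

# Constructed sample data (hypothetical risk IDs, controls and roles).
BEFORE = [
    Rule("P001", "0001", frozenset({"FB60", "F110"})),
    Rule("P001", "0002", frozenset({"FB65", "F110"})),
    Rule("P002", "0001", frozenset({"ME21N", "MIGO"})),
]
# After a function update and regeneration the sequence is handed out afresh.
AFTER = [
    Rule("P001", "0001", frozenset({"FB60", "F110"})),
    Rule("P001", "0002", frozenset({"MIRO", "F110"})),
    Rule("P001", "0003", frozenset({"FB65", "F110"})),
]
# (control, role, risk_id, rule_id) as recorded on each mitigating control.
ASSIGNMENTS = [
    ("MC_AP_01", "Z_AP_CLERK", "P001", "0001"),
    ("MC_AP_02", "Z_AP_CLERK", "P001", "0002"),
    ("MC_PU_01", "Z_BUYER", "P002", "0001"),
]

def reconcile(before, after, assignments):
    """Classify each assignment and propose the rule ID it should now carry."""
    old_by_id = {(r.risk_id, r.rule_id): r.actions for r in before}
    new_by_actions = {(r.risk_id, r.actions): r.rule_id for r in after}
    report = []
    for control, role, risk, rule_id in assignments:
        actions = old_by_id.get((risk, rule_id))
        new_id = None if actions is None else new_by_actions.get((risk, actions))
        if actions is None:
            status = "UNKNOWN_RULE"      # ID was never in the old snapshot
        elif new_id is None:
            status = "RULE_REMOVED"      # combination is no longer generated
        elif new_id == rule_id:
            status = "OK"
        else:
            status = "RENUMBERED"        # same conflict, different rule ID
        report.append((control, role, risk, rule_id, new_id, status))
    return report

if __name__ == "__main__":
    for row in reconcile(BEFORE, AFTER, ASSIGNMENTS):
        print(*row, sep="\t")
```

In the constructed data, the second assignment still names rule 0002, which after regeneration stands for a different action combination, so the control would sit on a conflict it was never reviewed against until it is moved to 0003.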

JaneLa
Participant
0 Kudos

Thank you, Alessandro. I appreciate your response.

My best,

Jane

Answers (1)


Former Member
0 Kudos

This message was moderated.