We've been running Virsa/Compliance Callibrator/SAP GRC for quite a while now. When we first started the project and ran the first analysis it turned out that we were in much better shape than many people expected, certainly our external consultants. Apparently, many organisations end up with a 7-digit violation count first time around, if viewed at permission level. We had a little over 50,000. That's been reducing slowly over the course of a couple of years now, until eventually, today, we got this:
Celebrations all round :smile:
Making big reductions in that number is always easy at first, and gets progressively harder as time goes on. We've been below 1,000 violations for the last 12 months, below 500 for 6 months, and below 100 for 4 months.
We've used a few mitigations, and in a handful of places had to use Firefighter where there just aren't enough people, but mostly this is proper segregation of duties. If you are embarking on the same process and can't see the light at the end of the tunnel, take heart - it is hard work, but zero violations
is possible!
Next step - an upgrade to GRC 10.0...