on 2021 Sep 30 8:41 PM
New to GRC and stuck with a task of changing the current Monitor Owner and Monitor Approver.
I have created access for the new owner and approver and have assigned them the access in Access control Owners.
I have added the new people in Organizations.
At this moment if I run a User Level Risk Analysis the old monitor still appears.
If I try to remove the old owners from the Organization upon saving I obtain the following error:
Can anyone tell me why this error occurs and how to properly make the change? I did not come across similar error messages in the community, hence why I am asking.
Alexei,
Some basics - you can only have one approver/owner of a mitigation control, but you can have multiple monitors defined for the control. You can only assign one monitor per mitigated user. There is Setup --> Mass Maintenance of Mitigation Control Owners where you can make mass changes to the Owner--Mitigation Control association. This should be done first. (I have not used this as most changes I do only involve 1-4 mitigating controls that need to be reassigned so I do it one by one)
There is also the Mitigation Control--Mitigated User--Risk situation, which you can manage with the two programs I mentioned earlier to download/upload. When you run that you will get one line for each user/mitigating control/risk combination. Here is where you change the mitigation monitor for that user/risk combination. The owner/approver does not apply here.
So to answer your question, you can have multiple monitors assigned to a mitigating control. When you mitigate a user's risk you will get to choose which monitor to use. It will not pop up automatically, you have to choose. What I do however is once ALL the user/risk/monitor line items are changed over to the new monitor, you can remove the old monitor from the mitigation, then the Organization. Then you will only get the new monitor.
I hope that helps.
James
Alexei,
Once you have added the new monitor to the mitigation(s) itself, you will have to update the currently mitigated end users by running GRAC_DOWNLOAD_MIT_ASSIGNMENTS, editing the file by replacing the old monitor with the new monitor, and uploading it back with GRAC_UPLOAD_MIT_ASSIGNMENTS. See note 1940906. Just remember if you are using Excel to edit the file that you import the Date fields as Text, not General. If you use a text editor, you will be fine. Once the old monitor is no longer monitoring any risks you can remove them from the Risk/Organization/System.
I would suggest that you practice this in your sandbox system.
Best Regards,
James
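The edit step described in the answer above, sketched as an added example (not code from the thread or from SAP): it changes the monitor only in the monitor column and treats every field as text, so date values are written back unchanged. The tab-separated layout, the column names and the user IDs are assumptions constructed for illustration; check them against the file that GRAC_DOWNLOAD_MIT_ASSIGNMENTS actually produces.

```python
# Constructed sample: layout, column names and IDs are assumptions, not SAP's format.
SAMPLE = (
    "USER_ID\tRISK_ID\tCONTROL_ID\tMONITOR_ID\tVALID_FROM\tVALID_TO\n"
    "JDOE\tF001\tMC_FI_01\tOLDMON\t20210101\t20211231\n"
    "ASMITH\tP004\tMC_FI_01\tOTHERMON\t20210301\t20220228\n"
    # The old monitor is also a mitigated user here; USER_ID must not change.
    "OLDMON\tF001\tMC_FI_02\tOLDMON\t20210615\t20220614\n"
)


def _column_index(header_line, column, sep):
    """Return the position of `column` in the header, or fail loudly."""
    header = header_line.rstrip("\r\n").split(sep)
    if column not in header:
        raise ValueError(f"column {column!r} not found in header {header}")
    return header.index(column), len(header)


def reassign_monitor(text, old, new, monitor_col="MONITOR_ID", sep="\t"):
    """Swap old -> new in the monitor column only; all other cells stay as-is."""
    lines = text.splitlines(keepends=True)
    if not lines:
        raise ValueError("empty file")
    idx, width = _column_index(lines[0], monitor_col, sep)
    out, changed = [lines[0]], 0
    for line in lines[1:]:
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # keep the original line ending
        cells = body.split(sep)         # plain strings: dates are never parsed
        if len(cells) == width and cells[idx] == old:
            cells[idx] = new
            changed += 1
        out.append(sep.join(cells) + eol)
    return "".join(out), changed


def rows_monitored_by(text, monitor, monitor_col="MONITOR_ID", sep="\t"):
    """Count assignment rows that still name `monitor` as the monitor."""
    lines = text.splitlines()
    if not lines:
        return 0
    idx, width = _column_index(lines[0], monitor_col, sep)
    rows = (line.split(sep) for line in lines[1:])
    return sum(1 for c in rows if len(c) == width and c[idx] == monitor)


if __name__ == "__main__":
    updated, n = reassign_monitor(SAMPLE, "OLDMON", "NEWMON")
    print(f"{n} rows reassigned, {rows_monitored_by(updated, 'OLDMON')} left")
```

Running the count against a fresh download after the upload is a quick check that the old monitor is no longer monitoring any risks before removing them from the mitigation and the Organization.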
Thank you for your answer; I will test this change first. Another doubt comes to mind: any mitigation already applied to mitigation control "X" won't reflect the new monitor, but does this apply to new mitigations? Example: I change the control owner and a new mitigation needs to be applied right now with the same control to a new risk. Will this reflect the previous control monitor or the new one?