GRC Access Request is going to mitigation owner for existing mitigated/approved risks

pnandan
Explorer

Hi all,

We have an issue where GRC access request is going to mitigation owner for already mitigated risks.

Our workflow design: BASIS raises access request (auto risk analysis) -> Role Owner -> Mitigation Owner -> User Manager -> Auto Provisioning

GRC Access Request was raised for a user for additional roles. It was observed that the request went to mitigation owner for the risk which was already mitigated.

We expect that if the risks are already mitigated and within their validity period, the access request should not seek approval for the same risk again. Mitigation approval should only be requested for unmitigated risks.

Looking for help here. Thanks!

Regards,

Piyush.

Answers (5)

Former Member

Hi Piyush,

Do you have any cross-system SODs that are not mitigated?

Thanks

Ramesh

former_member226273
Active Participant

Hello Piyush,

As stated by Madhu, you can uncheck "Include mitigated risks" so that already mitigated risks do not come up. If you require the mitigated risks to be displayed as well, administrators have to make the right selections while submitting the mitigation control assignment request.

The control assignment request might be getting triggered for a validity change. Also, please check whether the Rule IDs are different for the risk in question.

Kind regards,

Yashasvi

pnandan
Explorer

Hi Yashasvi, Hi Madhu,

Thanks for the input!

I tried the option as stated by you, and even deactivated the SPRO config (1030 = NO) to include mitigated risks. But the request still goes to the mitigation owner for the already mitigated risk.

Regards,

Piyush.

pnandan
Explorer

One more observation - when an additional access request is raised which doesn't lead to any new SOD conflict, the request doesn't route to the SOD path and no approval for the previously mitigated risk is required. This is working as expected.

Only when the additional access request has a new risk does the workflow route to the SOD path, and then it seeks approval from the mitigation owner for both the new unmitigated and the existing mitigated risks.

pnandan
Explorer

Observation on checking further:

Our SOD path: BASIS raises access request (auto risk analysis) -> Role Owner -> BASIS applies mitigation -> Mitigation Owner -> User Manager -> Auto Provisioning

  1. At the security stage for BASIS to apply mitigation, the option 'Include mitigated risks' needs to be always selected, else the request doesn't recognize the mitigation owner for the controls.
  2. If BASIS chooses 'Include mitigated risks' while mitigating, then the request routes to the mitigation owner for both existing mitigated risks and new unmitigated risks.

former_member226273
Active Participant

Hello Piyush,

It's up to BASIS which risks are to be mitigated. When you try to mitigate risks, select only the new risks.

PS: there is a possibility that the new access also has the existing risk, so it is showing up in the analysis. Also, please check whether the control assignment request might be triggering for validity changes.

Kind regards,

Yashasvi

pnandan
Explorer

Looking for help. Thanks!

pnandan
Explorer

Just to provide more description to the issue:

I raised an access request for additional roles for user 'A', who already has a mitigated SOD conflict 'R1'.

Now the additional role is popping up a new SOD risk 'R2'. When the request comes to the admin, he applies mitigation for the new risk 'R2'.

After that the request is routed to the mitigation owner stage, and the request goes to both mitigation owners (R1 & R2) for approval.

Is this standard? My assumption is that if the risk is already mitigated, the request should not go to the mitigation owner of that particular risk for approval.

Ideally, in my case the request should have only gone to the mitigation owner corresponding to the unmitigated risk 'R2'.

I don't have access to the system now, will submit screenshots and details in next post.

Regards,

Piyush.
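
The routing rule the thread is arguing about, written out as a small model so the R1/R2 case can be checked against a concrete definition. This is an added example, not SAP GRC code and not anything the posters ran; the data model (a violation keyed by risk ID plus rule ID, a control assignment with owner, validity window and an approved/pending flag) and the rule that a control covers a violation only when both risk ID and rule ID match and today falls inside the validity window are assumptions chosen to reflect the checks suggested in the replies (validity changes, differing Rule IDs, "Include mitigated risks").

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Violation:
    """One SOD violation found by risk analysis (assumed key: risk ID + rule ID)."""
    risk_id: str
    rule_id: str


@dataclass(frozen=True)
class ControlAssignment:
    """A mitigating control assigned to a risk for a user (constructed model)."""
    risk_id: str
    rule_id: str
    control_id: str
    owner: str          # mitigation owner who approves this assignment
    valid_from: date
    valid_to: date
    approved: bool      # True = already approved in an earlier request

    def covers(self, v: Violation, on: date) -> bool:
        # Assumption: the control only counts if risk AND rule match and
        # the request date lies inside the validity window.
        return (self.risk_id == v.risk_id and self.rule_id == v.rule_id
                and self.valid_from <= on <= self.valid_to)


def classify(violations, assignments, on):
    """Split violations into (mitigated, unmitigated) as of date `on`.

    Mitigated = covered by an approved, currently valid assignment.
    An expired control or a different rule ID makes the risk unmitigated again.
    """
    mitigated, unmitigated = [], []
    for v in violations:
        if any(a.approved and a.covers(v, on) for a in assignments):
            mitigated.append(v)
        else:
            unmitigated.append(v)
    return mitigated, unmitigated


def owners_to_route(violations, assignments, on, include_mitigated=False):
    """Mitigation owners who should receive an approval step for this request.

    Expected behaviour from the thread: only owners of *pending* (newly applied)
    controls are asked. With include_mitigated=True the owners of already
    approved, still valid controls are asked again, which is the behaviour
    the original poster observed and wants to avoid.
    """
    owners = set()
    for v in violations:
        covering = [a for a in assignments if a.covers(v, on)]
        pending = [a for a in covering if not a.approved]
        approved = [a for a in covering if a.approved]
        if pending:
            owners.update(a.owner for a in pending)
        elif approved and include_mitigated:
            owners.update(a.owner for a in approved)
        # else: risk still has no control at all -> admin must assign one first
    return sorted(owners)


# Constructed sample data reproducing the R1/R2 scenario from the post.
TODAY = date(2024, 6, 1)
VIOLATIONS = [Violation("R1", "0001"), Violation("R2", "0002")]
ASSIGNMENTS = [
    # R1 was mitigated in an earlier request and is still within validity.
    ControlAssignment("R1", "0001", "MC_R1", "owner.r1",
                      date(2023, 1, 1), date(2024, 12, 31), approved=True),
    # R2 is new; BASIS applied this control in the current request (pending).
    ControlAssignment("R2", "0002", "MC_R2", "owner.r2",
                      TODAY, date(2025, 5, 31), approved=False),
]


def scenario():
    """Return the routing decisions for the sample data (used by the checks)."""
    mitigated, unmitigated = classify(VIOLATIONS, ASSIGNMENTS, TODAY)
    return {
        "mitigated": [v.risk_id for v in mitigated],
        "unmitigated": [v.risk_id for v in unmitigated],
        "expected_route": owners_to_route(VIOLATIONS, ASSIGNMENTS, TODAY),
        "observed_route": owners_to_route(VIOLATIONS, ASSIGNMENTS, TODAY,
                                          include_mitigated=True),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Two edge cases worth running against this model before blaming the workflow: move the request date past R1's `valid_to` (R1 then comes back as unmitigated, so a new control assignment is genuinely required), and change the new role's violation to `Violation("R1", "0003")` (same risk, different rule ID, which this model does not treat as covered by MC_R1). Both produce a legitimate trip to the mitigation owner that looks like a duplicate approval of an already mitigated risk.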

madhusap
Active Contributor

Hi Piyush,

Do not show already mitigated risks in the risk analysis report, so that when the admin receives the request they will see only unmitigated risks and can take action on them accordingly.

Usually it is advised that mitigated risks are also shown, so that the approver (admin or compliance approver) is aware of the violations which are already mitigated. In this case you need to train your admin to select only those line items in the risk analysis report without controls and then submit for the mitigating control owners' approval.

Regards,

Madhu

former_member226273
Active Participant

Hello Piyush,

Please share details of the routing rule and the audit log. Screenshots will help in analysing the issue.

Kind regards,

Yashasvi