Let’s talk about risks baby, let’s talk about you and me. (SALT N’ PEPA PEOPLE, C’MON! Live a little!).
If you’re like me, lonely and depressed because you’re missing SAPPHIRE/ASUG 2014, well let’s pull ourselves up by our bootstraps and start talking GRC, together (forever!). #postgradsap: Turning frowns upside down since 1989.
Today I will be discussing the steps to take to mitigate risks (both SoD risks and critical action risks) with the help of GRC. So we’ve implemented GRC Access Control (10.0 or 10.1) and we have run batch risk analysis against all relevant systems. Now we are left with a slew of information. What to do next? Well my friends, it’s time to clean house.
Steps to Clean Up Your Segregation of Duties (SoD) Risks:
- Run batch risk analysis by users and roles at permission level for SoD Access Risks.
- Determine the roles that are assigned to users that have inherent SoD violations (both sides of the conflict inside a single role). Make role changes as necessary to remove one side of the conflict from roles with inherent violations (a task-based approach to your role design will work best when trying to do such remediation tasks).
- Re-run batch risk analysis by user at permission level for SoD Access Risks.
- Determine roles that are assigned to users that have one side (or part) of the SoD conflict. Should these roles actually have this access and are the roles properly defined to indicate as such? Make any role changes as necessary.
- Determine users that have SoD violations and remove one or more roles from their user master record if the access is not required.
- Create and assign mitigating controls as necessary for the remaining and unavoidable SoD violations.
Steps to Clean Up Your Critical Action Risks:
- Validate the critical action rule-set: ensure that risks are appropriately defined and that actions/permissions correspond to the risk definition. Make changes to the rule-set as necessary.
- Run batch risk analysis at role level and user level for Critical Actions.
- Determine roles that have critical actions. Should these roles actually have this access and are the roles properly defined to indicate as such? Make any role changes as necessary.
- Look at users who still have critical actions. Should these users have this access? Make user master record changes as necessary.
- Create and assign mitigating controls as necessary for remaining critical actions.
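To make the two checklists above concrete, here is an added toy risk analysis that walks both procedures (it is an example written for this post, not SAP or GRC code): a constructed rule set of functions, SoD risks and one critical-action risk, constructed roles and users, role-level analysis to find inherent violations, a helper showing which assigned roles supply each side of a user's conflict, and user-level analysis net of assigned mitigating controls. All risk ids, role names, users and the control assignment are made up; the transaction codes are standard SAP ones used only as illustrative actions.

```python
# Constructed rule set: a function is a set of actions (transaction codes); an SoD risk is a
# pair of conflicting functions; a critical-action risk names a single sensitive function.
FUNCTIONS = {"PR": {"ME51N", "ME52N"}, "PO": {"ME21N", "ME22N"},  # maintain requisitions / orders
             "AP": {"FB60", "MIRO"}, "SU": {"SU01", "PFCG"}}       # post invoices / maintain users+roles
SOD_RISKS = {"P001": ("PR", "PO"), "P002": ("PO", "AP")}
CRITICAL_RISKS = {"B001": "SU"}

# Constructed roles, user assignments and one assigned mitigating control (user, risk id).
ROLES = {"Z_BUYER": {"ME51N", "ME21N"},  # inherent SoD violation: PR and PO in one role
         "Z_PO_CLERK": {"ME21N"}, "Z_AP_CLERK": {"FB60"}, "Z_BASIS": {"SU01"}}
USERS = {"ALICE": {"Z_BUYER"}, "BOB": {"Z_PO_CLERK", "Z_AP_CLERK"}, "CAROL": {"Z_BASIS"}}
MITIGATIONS = {("BOB", "P002")}

def functions_enabled(actions):
    """Functions an action set enables (any one action of the function is enough)."""
    return {f for f, acts in FUNCTIONS.items() if acts & actions}

def analyze(actions):
    """Permission-level check: (SoD risk ids, critical-action risk ids) for an action set."""
    enabled = functions_enabled(actions)
    sod = {rid for rid, (a, b) in SOD_RISKS.items() if a in enabled and b in enabled}
    crit = {rid for rid, f in CRITICAL_RISKS.items() if f in enabled}
    return sod, crit

def role_level(roles=ROLES):
    """Role-level analysis: violations inherent to a single role (remediate these first)."""
    return {r: analyze(acts) for r, acts in roles.items()}

def conflict_sources(assigned, roles=ROLES):
    """For each SoD conflict a user has, which assigned roles supply each side."""
    out = {}
    for rid, (a, b) in SOD_RISKS.items():
        side_a = {r for r in assigned if a in functions_enabled(roles[r])}
        side_b = {r for r in assigned if b in functions_enabled(roles[r])}
        if side_a and side_b:
            out[rid] = (side_a, side_b)
    return out

def user_level(users=USERS, roles=ROLES, mitigations=MITIGATIONS):
    """User-level analysis across all assigned roles: (all risks, risks still unmitigated)."""
    report = {}
    for user, assigned in users.items():
        sod, crit = analyze(set().union(*(roles[r] for r in assigned)))
        risks = sod | crit
        report[user] = (risks, risks - {rid for rid in risks if (user, rid) in mitigations})
    return report
```

Running `role_level()` flags Z_BUYER as inherently conflicting and Z_BASIS as carrying a critical action, while `user_level()` shows BOB's cross-role P002 conflict covered by its mitigating control and ALICE's and CAROL's risks still open.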
If you are at SAPPHIRE, don’t forget to stop by booth #339 and visit @itelligence_US!