Remediation vs. Mitigation 2.0

The aim of Remediation is not to suppress all the conflicts but to have them all under control.

For each identified risk, there are 4 possible solutions for remediation/mitigation.

REMEDIATION:

Modify user authorizations/roles to remove risk.
Change the organization’s job roles and responsibilities matrix so that the user no longer requires the access.

MITIGATION:

Remove user authorizations/roles and give user periodic access to risk by provisioning a firefighter ID that will be appropriately monitored.
Create and apply the appropriate mitigating or compensating control to the risk.

Remediation vs. Mitigation 1.0

Remediation: Actions taken to eliminate an identified risk. Typical SAP remediation activities include, but not limited to:

Simple Security Roles Modifications
Functional Activity Groups Modifications
Updating SoD Risk
Creating New SoD Risks
Updates to Functions
Creation of New Functions
Updates to Actions
Restricting Users Access

Mitigation: Actions taken to monitor risks which cannot be remediated. Mitigation is a less desirable action due the costs associated with the maintenance, execution and traceability requirements of the mitigating control.

Tracy Juran (Levine)

A practical guide to IT Risk Management, Project Management and Methodologies & Life's Little Pleasures.

Daily Archives: January 25, 2016

Remediation vs. Mitigation 2.0

Remediation vs. Mitigation 1.0