Remediation vs. Mitigation 2.0

The aim of Remediation is not to suppress all the conflicts but to have them all under control.

For each identified risk, there are 4 possible solutions for remediation/mitigation.

REMEDIATION:

Modify user authorizations/roles to remove risk.
Change the organization’s job roles and responsibilities matrix so that the user no longer requires the access.

MITIGATION:

Remove user authorizations/roles and give user periodic access to risk by provisioning a firefighter ID that will be appropriately monitored.
Create and apply the appropriate mitigating or compensating control to the risk.

Posted by

tracymlevine

Posted on

January 25, 2016

Posted under

Uncategorized

Comments

Remediation vs. Mitigation 1.0

Remediation: Actions taken to eliminate an identified risk. Typical SAP remediation activities include, but not limited to:

Simple Security Roles Modifications
Functional Activity Groups Modifications
Updating SoD Risk
Creating New SoD Risks
Updates to Functions
Creation of New Functions
Updates to Actions
Restricting Users Access

Mitigation: Actions taken to monitor risks which cannot be remediated. Mitigation is a less desirable action due the costs associated with the maintenance, execution and traceability requirements of the mitigating control.

Tracy Juran (Levine)

A practical guide to IT Risk Management, Project Management and Methodologies & Life's Little Pleasures.

Daily Archives: January 25, 2016

Remediation vs. Mitigation 2.0

Remediation vs. Mitigation 1.0