If you can’t remediate an access risk, you must apply mitigating controls. It is recommended to use mitigation as a last resort. Mitigation is about determining and implementing alternative controls for situations when a violation can't be corrected or eliminated (remediated). That is, it isn't possible to segregate duties within the business process. For example, in a small office, one person must take over two roles in the business process, which, depending on roles can cause an SoD conflict.
Business process owners are responsible for designing controls for risks. Senior officers take part in approval of mitigating controls for risks on a business level.
There are typically two types of mitigating controls:
- Preventative: controls designed to minimize the likelihood and potential impact of a risk before it occurs.
- Detective: controls designed to alert the responsible person when a risk takes place, so corrective measures may be taken.
Mitigation is integrated in Access Risk Analysis, Access Request Management, and the Business Role Management components of SAP Access Control.
During Risk Recognition, it is important to identify any existing controls currently in place for each access risk deemed relevant for analysis. Mitigating controls, once applied, require regular periodic assessment, testing, and review to determine if they are an effective mitigation of the associated risks. Mitigating control assignment at the user level also requires periodic review to determine which users still need access to activities that constitute a risk covered by each control.
Mitigating Control Creation
Mitigating control can be created in the Mitigating Control app or from risk analysis results in Access Risk Analysis, Access Request Management, Business Role Management components of SAP Access Control. To learn how to create mitigation controls, watch the following video.
Summary
You can create a Mitigating Control in the Mitigating Control app or from risk analysis results in SAP Access Control modules. These controls can be detailed with access risks, owners, reports, attachments, and links. Each control is associated with one or more access risks. When addressing an access risk, all mitigating controls associated with the risk are available for selection. The Owner tab shows the assigned Mitigating Approver and Mitigating Monitor for each control, who are responsible for its maintenance, approval, and consistent monitoring. Further actions and information about the control can be added in the Reports, Attachments, and Links tab.
Mitigating Control Assignment
Once you've defined a mitigating control in the catalog, it's available to be assigned during risk analysis in the following components of SAP Access Control:
- Access Risk Analysis
- Access Request Management
- Business Role Management
Also, you can mitigate access risks for users, roles, profiles and HR objects in the Mitigated Users, Mitigated Roles, Mitigated Profiles, and HR Mitigation apps. You can assign a mitigating control to users, roles, profiles, and HR objects. Access risk specialist and risk owners are responsible for assignments of mitigating controls. The preceding example shows how you can assign mitigating controls in the ad-hoc User Level Risk Analysis report by choosing the Mitigate Risk, in the technical view of the report.
Mitigation is also possible using the remediation view of the ad-hoc User Level Risk Analysis report and can be applied at the risk or rule level. You can see above an example of the remediation view.
To mitigate multiple risks at once while viewing an access risks analysis report, you can use the Mass Mitigation option. This option speeds up the mitigation process by assigning multiple mitigations in a single step. To send mitigating control assignments for approval to a mitigation approver of this control, you can configure an appropriate workflow.