05-05-2025 08:00 PM
Dear experts,
I would like to remove the restraint of only adding the control with the same entity and open up to select all controls regarding the entities when performing a control assessment. Currently when performing control assessment, when we try to add controls, the list will show the controls that have the same entity. How do we open up or clear the filter on this part?
05-06-2025 01:31 AM
Hi @ChuanYanF
I do not oppose technical solutions. I do, however, have to ask if you are using the functionality provided in the platform. So before we explore altering the way OOTB operates, let's look at the business process.
Using an example:
Entity: Accounting would like to do a risk assessment on Risk: Unauthorised Access.
In the absence of controls owned by the entity, there is nothing that they can relate where they are in charge of the control. This is the scenario you face. They can however inherit Common Controls.
Notice in your control how it is a standard control.
You would need to, as a Compliance Manager or a control owner, convert this control into a common control from your compliance workspace (cannot be done from UI16). When doing so, you are able to add reliant entities or entity types (other entities that may inherit the control as a measure to mitigate risk).
In this example Accounting do not own any controls and therefore they cannot add their own controls to mitigate their risk. IT however have some controls in place, and one of these controls is a common control, and they have shared it with all departments.
Therefore
To reduce the Risk of Unauthorised Access, the Accounting department may inherit a common control made available to them.
Accounting therefore mitigate their risk of unauthorised access through the MFA control that IT has implemented on their SAP financial business system, and they can see the compliance state of this control while assessing the control effectiveness.
IT, owning both controls, are free to add both controls to a risk assessment for mitigating the Risk: unauthorised access to Business Applications.
I hope this helps.
05-05-2025 09:06 PM
Did you check the UI action or the UI page how it's rendered?
If my response helped please mark it correct and close the thread so that it benefits future readers.
Ankur
✨ Certified Technical Architect || ✨ 9x ServiceNow MVP || ✨ ServiceNow Community Leader