Can CUP be configured to ignore Critical Action risks during SOD analysis?

anand_ogirala
Explorer

Hi All,

We have configured our CUP workflow to take a detour path if SOD violations are found at a stage. RAR has Critical actions defined in the rule set. When CUP performs the SOD analysis, is there any way we can skip critical action risks and consider only SOD risks?

We are on 5.3 SP 11.1.

Accepted Solutions (1)

martin_trachsel
Participant

Hi,

If the critical action is activated in the same rule set, then you have to define a mitigation control as well, because CUP is going to show these risks after a risk analysis and you have to mitigate them. There is no possibility to skip that.

Possible solutions:

If you want these risks (critical actions) just for reporting aspects in RAR, then you should maybe create a new ruleset only for these risks, and deactivate it, on the Global ruleset... I wouldn't recommend that, because, if you are going to define critical actions, you have to define mitigation control, from the security aspects as well.

Cheers,

Martin

Former Member

Anand,

I totally agree with Martin. The easiest solution is to create a separate ruleset for Critical Action. That's what I have been doing at most of my clients. Also, I do not recommend applying mitigating controls to critical actions as it defeats the purpose of having critical actions in the ruleset.

Alpesh
