on 12-22-2014 3:16 PM
Hello GRC Mates,
Let's say I have three functions in a Risk namely Fn1, Fn2 and Fn3.
In the functions, Fn1 and Fn2 have some conflicts, and Fn2 and Fn3 have conflicts. Can we build a risk, or is it mandatory that there should be conflicts between Fn1 and Fn3 also?
Regards
Deepak M
Hi Deepak,
There is no mandatory / one recommended approach here. The decision should be based on risk analysis/assessment, as between Fn1 and Fn3 there may be a risk with lower impact on your client organization. Namely, F1&F2&F3 may be a high risk and should never be accepted in user authorization, but F1&F3 can be accepted in some user / role cases, taking into account that there is a compensating control in place. So from a conflict resolution perspective, the organization's response may be different in the case of F1&F3 and different in F1&F2&F3.
Therefore I would create a new risk here for F1&F3.
Filip
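A small model of the approach in the answer above, as an added example that is not part of the original thread and not SAP GRC code. It assumes a risk is triggered only when a user holds every function in its definition; the risk IDs, levels, users and control ID are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    risk_id: str
    functions: frozenset
    level: str

# Constructed rule set: the three-function risk plus the separate F1&F3 risk.
RISKS = [
    Risk("R_F1_F2_F3", frozenset({"F1", "F2", "F3"}), "High"),
    Risk("R_F1_F3", frozenset({"F1", "F3"}), "Medium"),
]

# Constructed assignments: user -> functions held, (user, risk) -> control.
USER_FUNCTIONS = {
    "ALICE": {"F1", "F2", "F3"},
    "BOB": {"F1", "F3"},
    "CAROL": {"F1", "F2"},
}
MITIGATIONS = {("BOB", "R_F1_F3"): "MC_REVIEW_01"}

def analyze(user_functions, risks, mitigations):
    """Return {user: [(risk_id, level, status)]} for every triggered risk."""
    report = {}
    for user, held in sorted(user_functions.items()):
        hits = []
        for risk in risks:
            # Assumed semantics: all functions of the risk must be held.
            if risk.functions <= held:
                control = mitigations.get((user, risk.risk_id))
                status = f"mitigated by {control}" if control else "open"
                hits.append((risk.risk_id, risk.level, status))
        report[user] = hits
    return report

if __name__ == "__main__":
    for user, hits in analyze(USER_FUNCTIONS, RISKS, MITIGATIONS).items():
        print(user, hits or "no risk triggered")
```

Under that assumption, BOB is reported only because the separate F1&F3 risk exists; with the three-function risk alone, BOB would not appear at all.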