01-28-2015 7:21 PM
Hi,
I've found that the mitigating control IDs can be modified and this updates the local control as well. I've also found that this is due to the SAP Note
"1675082 - Mitigating Control ID Can not be changed after Creation".
I would like to know why this SAP Note was created and the effect on the GRC system if the mitigating control ID is changed when the system allows it. I would like to know if there are any adverse effects in doing this.
Thank you.
Best Regards,
Raphael
02-02-2015 6:05 PM
Hi,
I've opened an OSS note to explore this further and SAP has indicated that they've found no issue with changing the mitigating control ID through the SAP note.
I'll review this further, but I believe this is looking good.
Thank you.
Best Regards,
Raphael.
01-29-2015 4:47 PM
Hi Raphael,
as it is mentiioned in the note it is not possible to change the control ID when risks are already mitigated. I am on a higher service pack level and it is not anymore possible to change the control ID after the control is created eventhough there is no active mitigation. Also I don't see a valuable reason in changing the control ID itself. The ID must be unique and is the key for all references (like mitigations).
Based on a specific business requirement it might make sense to change control ID after it is created.
What exactly are you looking for? Are you thinking of implementing this note? I suggest to rethink your requirement and based on that take the decision of implementing.
Let us know.
Regards,
Alessandro
01-29-2015 6:17 PM
Hi Alessandro,
Thank you for the reply. May I know what SP pack you are currently in?
Thank you.
Best Regards,
Raphael
01-29-2015 6:25 PM
01-29-2015 6:51 PM
Hi Alessandro,
I've found that the mitigating control ID is modifiable in V1000 SP10 and above.
There were some mitigating controls that were used for testing and were no longer in use. Instead of just leaving them, I'm reusing them. These controls haven't been mitigated yet so the system is allowing changes to them. I've found that the system warns if it is mitigating an AC risk.
I've been testing changing the mitigating control ID in other systems and haven't found any impact as of yet. But I'm trying to determine if there is anything that I may have overlooked.
Thank you for the advice and I'm looking into it. Also thank you for VCard of Madhu.
Additional details:
Best Regards,
Raphael
Message was edited by: Raphael Ramos
02-02-2015 6:05 PM
Hi,
I've opened an OSS note to explore this further and SAP has indicated that they've found no issue with changing the mitigating control ID through the SAP note.
I'll review this further, but I believe this is looking good.
Thank you.
Best Regards,
Raphael.