Access risks are the core objects that identify the potential access problems your enterprise may encounter. The elements that make up a risk are its attributes, and the attribute values are what the rule generation process turns into rules.
Access risks are object definitions: when you create an access risk, you define its attributes; when you modify an access risk, you change its attributes.
The attributes of an access risk are:

| Attribute | Description |
|---|---|
| Risk ID | The identification code of the risk. |
| Description | A short, plain-text description of the risk and its purpose. |
| Risk Type | The nature of the risk: Segregation of Duties (SoD), Critical Action, or Critical Permission. The three types are described in the next table. |
| Risk Level | The severity of the access risk: Low, Medium, High, or Critical. These levels are customizable; each enterprise forms its own severity requirements for risks. You use the Risk Level attribute to categorize risks, and the rules they generate, by severity. |
| Business Process | A user-defined attribute that associates a risk (or a function) with a specific business process of your enterprise. |
| Status | The setting that determines whether or not the risk is enabled. |
| Conflicting Functions | The functions that constitute the risk. The risk can be defined on the actions included in the functions, or on the permissions associated with those actions. Note: for a critical action or critical permission risk, the risk definition includes a single function. End of the note. |
| Detailed Description | A full-length text description of the risk. |
| Control Objective | A full-length text description of the mitigating control associated with the risk, written for auditing purposes. |
| Risk Owners | The employee or employees who have oversight responsibility and final approval authority for any steps taken to mitigate or maintain the risk. If Workflow is enabled, the risk owners receive the workflow tasks for the risk. |
| Rule Sets | User-defined attributes that associate a risk, and the rules it generates, with collections of risk analysis rules. For example, one rule set might contain all rules of interest to Human Resources, and another might be solely for use by auditors. |

Risk types:

| Risk Type | Description | Functions in the risk |
|---|---|---|
| Segregation of Duties (SoD) Risk | A combination of two or more actions or permissions that, when assigned to a single employee, creates a vulnerability. In the case of two conflicting actions, an employee may have permission to perform one of the actions, but not both. | Two or more |
| Critical Action Risk | Certain actions are risky in themselves: any employee who has permission to perform one of them automatically poses a risk. Defining a critical action risk ensures that the risk analysis process identifies every employee assigned that action. A critical action can be defined to include both the action and the corresponding permissions that allow the user to perform it. | Exactly one |
| Critical Permission Risk | Defining a critical permission risk ensures that risk analysis identifies any employee who has been assigned a potentially risky permission. Use this type when the permission is enabled but has no actions. | Exactly one |

When you create or modify a risk, most attributes are mandatory; Description and Control Objective are not mandatory.
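As an added illustration (not SAP's own code or algorithm), the following Python models the attributes above and the function-count constraints of the three risk types, expands each enabled risk into rules, and runs those rules over a constructed set of user assignments. The function IDs, transaction codes, authorization strings, and the cross-product rule expansion (one action from each conflicting function per rule) are assumptions made for the example.

```python
"""Toy access-risk definition and risk analysis. Added illustration, not
SAP code; the rule-expansion scheme and all identifiers are assumptions."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Tuple

# Risk types from the attribute table.
SOD = "Segregation of Duties"
CRITICAL_ACTION = "Critical Action"
CRITICAL_PERMISSION = "Critical Permission"


@dataclass(frozen=True)
class Function:
    """A function: a set of actions (e.g. transaction codes) and, optionally,
    the permissions (authorization values) that sit behind them."""
    function_id: str
    actions: FrozenSet[str] = frozenset()
    permissions: FrozenSet[str] = frozenset()


@dataclass
class Risk:
    """An access risk with the table's attributes. Description and Control
    Objective are the optional ones; the others are required."""
    risk_id: str
    risk_type: str
    risk_level: str
    functions: Tuple[Function, ...]
    enabled: bool = True
    description: str = ""
    control_objective: str = ""


def validation_errors(risk: Risk) -> List[str]:
    """Function-count rules: SoD needs two or more functions; critical action
    and critical permission risks take exactly one."""
    errors = []
    n = len(risk.functions)
    if risk.risk_type == SOD and n < 2:
        errors.append(f"{risk.risk_id}: SoD risk needs at least two functions, has {n}")
    elif risk.risk_type in (CRITICAL_ACTION, CRITICAL_PERMISSION) and n != 1:
        errors.append(f"{risk.risk_id}: {risk.risk_type} risk takes exactly one function, has {n}")
    elif risk.risk_type not in (SOD, CRITICAL_ACTION, CRITICAL_PERMISSION):
        errors.append(f"{risk.risk_id}: unknown risk type {risk.risk_type!r}")
    return errors


def generate_rules(risk: Risk) -> List[Tuple[str, FrozenSet[str]]]:
    """Expand a risk into rules (assumed scheme): an SoD rule is one action
    from each conflicting function (cross product), a critical action rule is
    a single action, and a critical permission rule is a single permission."""
    problems = validation_errors(risk)
    if problems:
        raise ValueError("; ".join(problems))
    if risk.risk_type == CRITICAL_PERMISSION:
        pools = [sorted(risk.functions[0].permissions)]
    else:
        pools = [sorted(f.actions) for f in risk.functions]
    return [(f"{risk.risk_id}-{i:02d}", frozenset(combo))
            for i, combo in enumerate(product(*pools), start=1)]


def analyze(users: Dict[str, FrozenSet[str]],
            risks: List[Risk]) -> List[Tuple[str, str, str, str]]:
    """Risk analysis: report (user, risk_id, risk_level, rule_id) for every
    enabled risk whose rule objects are all held by the user."""
    hits = []
    for risk in risks:
        if not risk.enabled:  # Status attribute: disabled risks are skipped
            continue
        for rule_id, needed in generate_rules(risk):
            for user, held in sorted(users.items()):
                if needed <= held:
                    hits.append((user, risk.risk_id, risk.risk_level, rule_id))
    return hits


# Constructed sample data; function IDs, codes and users are illustrative only.
CREATE_PO = Function("PR01", actions=frozenset({"ME21N", "ME22N"}))
POST_INVOICE = Function("AP01", actions=frozenset({"MIRO"}))
CLIENT_SETTINGS = Function("BS01", actions=frozenset({"SCC4"}))
DEBUG_CHANGE = Function("BS02", permissions=frozenset({"S_DEVELOP ACTVT=02"}))

RISKS = [
    Risk("P001", SOD, "High", (CREATE_PO, POST_INVOICE),
         description="Create purchase order and post vendor invoice"),
    Risk("B001", CRITICAL_ACTION, "Critical", (CLIENT_SETTINGS,)),
    Risk("B002", CRITICAL_PERMISSION, "High", (DEBUG_CHANGE,)),
    Risk("P002", SOD, "Low", (CREATE_PO, POST_INVOICE), enabled=False),
]

USERS = {
    "alice": frozenset({"ME21N", "MIRO"}),
    "bob": frozenset({"ME23N", "MIRO"}),
    "carol": frozenset({"SCC4", "S_DEVELOP ACTVT=02"}),
}


def run_sample() -> List[Tuple[str, str, str, str]]:
    return analyze(USERS, RISKS)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Running the sample reports alice against the SoD rule P001-01 (she holds ME21N and MIRO), and carol against the critical action rule B001-01 and the critical permission rule B002-01; bob is clean because he holds only one side of P001, and the disabled risk P002 produces nothing.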
Note
When you create or maintain a risk and save it, you see either a Save or a Submit push button.
If you see Save, Workflow is not enabled and the risk is saved directly. If you see Submit, Workflow is enabled: a workflow task notifies the risk owner of the new risk request.
Once the task has been approved, the risk changes are saved and you can then generate the rules.
End of the note.
The tasks associated with managing risks include creating, modifying, and deleting risks.