|
Installed modules: |
Compliance Rules Module
Attestation Module |
Table 4: Configuration parameters for calculating risk indexes of rule violations
| QER | CalculateRiskIndex | MitigatingControlsPerViolation |
This configuration parameter controls calculation of risk indexes for rule violations. If the parameter is set, exception approvers can assign mitigating controls to rule violations. The risk index calculation only takes these mitigating controls into account. If the parameter is disabled, risk index calculation take mitigating control assigned to compliance rules into account. |
Risk indexes can be applied to compliance rules to evaluate the risk of rule violations. Each rule can be assigned mitigating controls that are implemented the moment the rule is violated. If a rule violation is approved, the rule violation's exception approver can assign a specified mitigating control. Mitigating control reduce the compliance rule's risk index.
Use the "QER | CalculateRiskIndex | MitigatingControlsPerViolation" configuration parameter to control whether mitigating controls are assigned to rule violations in the case of exception approval. If this configuration parameter is set, only mitigating controls assigned to rule violations are taken into account when calculating risk indexes. The configuration parameters is disabled by default.
The risk index of violated rules is taken into account when employee risk indexes are being calculated.
Table 5: Calculating compliance rule and rule violation risk indexes
| Compliance rules (ComplianceRule. RiskIndexReduced) |
The reduced risk index is calculated from the compliance rule risk index and the significance reductions of all assigned mitigating controls. |
The risk index is not reduced. The reduced risk index corresponds, therefore, to the stored compliance rule's risk index. |
| Violated rules (BaseTree. RiskIndexCalculated) |
The risk index corresponds to the reduced risk index of the violated rule. |
| Employees with rule violations (PersonInBaseTree. RiskIndexCalculated) |
The risk index corresponds to the calculated risk index of the violated rule. |
| Employees with approved rule violations (PersonInBaseTree. RiskIndexCalculated) |
The risk index is reduced by a fixed amount if the rule violation was granted approval. |
| Employees with attested rule violations (PersonInBaseTree. RiskIndexCalculated) |
The risk index is reduced by a fixed amount if the rule violation was attested and granted approval. |
| Employees with approved rule violations and assigned mitigating controls (PersonInBaseTree. RiskIndexReduced) |
The risk index is not reduced further. Therefore, the reduced risk index corresponds to the risk index of the rule violation (PersonInBaseTree. RiskIndexCalculated). |
The reduced risk index is calculated from the risk index of the rule violation (PersonInBaseTree. RiskIndexCalculated) and the significance reduction of the mitigating controls assigned on exception approval.
If no mitigating controls are assigned, the reduced risk index corresponds to the calculated risk index of the rule violation (PersonInBaseTree. RiskIndexCalculated). |
| Employees (Person. RiskIndexCalculated) |
The highest risk index of all the employee's rule violations is established. The calculation takes the reduced risk index of the rule violations in to account (PersonInBaseTree.RiskIndexReduced). |
|
Installed modules: |
Attestation Module |
To calculate employee risk indexes, the risk indexes are found for all assigned company resources. To do this, there are functions stored with the assignment tables to do this (for example, "Resource assignments"). The values also reduced by another factor.
- The assignment is attested and approved
The risk indexes for all employee memberships in application roles and for rule violations are found (table "Employees: membership in roles and organizations"). The membership risk index is reduced by another factor.
- The membership is attested and approved
One Identity Manager determines the highest risk index per object type from assignment, rule violations, and connected user account risk indexes (calculation type: "Maximum (weighted)") for each employee.
An employee risk index results from the highest risk index of the calculated single values. This value is reduced or increased by other factors.
- The employee is attested and approved
- The employee is a manager or other employee
- The employee is disabled and linked to an enabled user account
NOTE: Employees can obtain a calculated index even if there are no risk indexes stored with the company resources. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of an employee increases if:
- The employee is a manager or other employee
- The employee is disabled and linked to an enabled user account
TIP:"Business roles and organizations" in the "Employees: memberships in roles and organizations" table finds the risk indexes for all secondary employee memberships in hierarchical roles and IT Shop structures. In the process, the risk indexes are determined for secondary membership in business roles, departments, locations, cost centers, and IT Shop structures. You can use risk indexes from these memberships for custom calculation or evaluation. Implement your own functions or processes to do this.
You can define company-specific functions and edit certain properties of the default function.
To edit risk index functions
-
Select the Risk Index Functions category.
-
In the navigation view, expand the Risk index functions node.
All tables with functions defined in them are shown in the navigation view. These are tables with a RiskIndexCalculated column.
-
Select the table whose risk index functions you want to edit and expand the node.
This displays the Assignments and Properties filters.
The Assignments filter groups all the risk index functions with assignments to the selected table (for example Active Directory user account membership in Active Directory groups).
The Properties filter groups all risk index functions that further increase or decrease the calculated risk indexes.
-
Select a filter.
-
Select the password policy in the result list then select the Change master data task.
- OR -
To create a new risk index function, click 
in the result list.
-
Fill out the function data.
You can customize the following properties for default functions:
-
Deactivated
-
Calculation type
-
Weighting/change value
-
Calculate immediately
- Save the changes.
Related topics
Enter the following information for a risk index function.
Table 6: Risk index function master data
|
Name |
Name of the function as displayed in the One Identity Manager tools. |
|
Description |
Text field for additional explanation. |
|
Deactivated |
Specifies whether risk index functions are taken into account in the total calculation of risk indexes. |
|
Calculation type |
Method with which to calculate the risk index. Permitted values are:
| Maximum (weighted) |
The highest value from all relevant risk indexes is calculated, weighted, and taken as basis for the next calculation. |
| Maximum (normalized) |
The highest value from all relevant risk indexes is calculated, weighted with the normalized weighting factor, and taken as basis for the next calculation. |
| Increment |
The risk index of Table column (target) is incremented by a fixed value. This value is specified in Weighting/Change value. |
| Decrement |
The risk index of Table column (target) is decremented by a fixed value. This value is specified in Weighting/Change value. |
| Average(weighted) |
The average of all relevant risk indexes is calculated, weighted, and taken as basis for the next calculation. |
| Average(normalized) |
The average of all relevant risk indexes is calculated with the normalized weighting factor and taken as basis for the next calculation. |
| Reduction |
Used when calculating the reduced risk index for rules, SAP functions, company policies, and attestation policies. You cannot add custom functions with this calculation type! |
NOTE: If calculation types for both weighting and normalization are implemented in risk index functions for one and the same target column, the risk index calculation does not determine a reasonable value.
The following applies for all risk index functions of one target column: Only combine functions with the calculation type "Maximum (weighted)" and "Average (weighted)" or the functions with calculation types "Maximum (normalized)" and "Average (normalized)". |
|
Weighting/change value |
The value by which to modify the risk index. There are three possible cases:
| Maximum (weighted) and average (weighted) |
Value by which the risk index is weighted in the total calculation. |
| Maximum (normalized) and average (normalized) |
Value by which the risk index is weighted in the total calculation. The value for this calculation is normalized to 1 beforehand. |
| Increment and decrement |
Value by which the risk index is incremented or decremented in the total calculation. | |
Detailed information about this topic
