Chat now with support
Chat with Support

Identity Manager 8.2.1 - Risk Assessment Administration Guide

Risk index for compliance rules and rule violations

Installed modules:

Compliance Rules Module

Attestation Module

Table 4: Configuration parameters for calculating risk indexes of rule violations
Configuration parameter Effect when set
QER | CalculateRiskIndex | MitigatingControlsPerViolation

This configuration parameter controls calculation of risk indexes for rule violations. If the parameter is set, exception approvers can assign mitigating controls to rule violations. The risk index calculation only takes these mitigating controls into account. If the parameter is disabled, risk index calculation take mitigating control assigned to compliance rules into account.

Risk indexes can be applied to compliance rules to evaluate the risk of rule violations. Each rule can be assigned mitigating controls that are implemented the moment the rule is violated. If a rule violation is approved, the rule violation's exception approver can assign a specified mitigating control. Mitigating control reduce the compliance rule's risk index.

Use the "QER | CalculateRiskIndex | MitigatingControlsPerViolation" configuration parameter to control whether mitigating controls are assigned to rule violations in the case of exception approval. If this configuration parameter is set, only mitigating controls assigned to rule violations are taken into account when calculating risk indexes. The configuration parameters is disabled by default.

The risk index of violated rules is taken into account when employee risk indexes are being calculated.

Table 5: Calculating compliance rule and rule violation risk indexes
Risk Index Function for Configuration Parameter is
Not set Enabled
Compliance rules (ComplianceRule. RiskIndexReduced) The reduced risk index is calculated from the compliance rule risk index and the significance reductions of all assigned mitigating controls. The risk index is not reduced. The reduced risk index corresponds, therefore, to the stored compliance rule's risk index.
Violated rules (BaseTree. RiskIndexCalculated) The risk index corresponds to the reduced risk index of the violated rule.
Employees with rule violations (PersonInBaseTree. RiskIndexCalculated) The risk index corresponds to the calculated risk index of the violated rule.
Employees with approved rule violations (PersonInBaseTree. RiskIndexCalculated) The risk index is reduced by a fixed amount if the rule violation was granted approval.
Employees with attested rule violations (PersonInBaseTree. RiskIndexCalculated) The risk index is reduced by a fixed amount if the rule violation was attested and granted approval.
Employees with approved rule violations and assigned mitigating controls (PersonInBaseTree. RiskIndexReduced) The risk index is not reduced further. Therefore, the reduced risk index corresponds to the risk index of the rule violation (PersonInBaseTree. RiskIndexCalculated).

The reduced risk index is calculated from the risk index of the rule violation (PersonInBaseTree. RiskIndexCalculated) and the significance reduction of the mitigating controls assigned on exception approval.

If no mitigating controls are assigned, the reduced risk index corresponds to the calculated risk index of the rule violation (PersonInBaseTree. RiskIndexCalculated).

Employees (Person. RiskIndexCalculated) The highest risk index of all the employee's rule violations is established. The calculation takes the reduced risk index of the rule violations in to account (PersonInBaseTree.RiskIndexReduced).

Risk index for employees

Installed modules:

Attestation Module

To calculate employee risk indexes, the risk indexes are found for all assigned company resources. To do this, there are functions stored with the assignment tables to do this (for example, "Resource assignments"). The values also reduced by another factor.

  • The assignment is attested and approved

The risk indexes for all employee memberships in application roles and for rule violations are found (table "Employees: membership in roles and organizations"). The membership risk index is reduced by another factor.

  • The membership is attested and approved

One Identity Manager determines the highest risk index per object type from assignment, rule violations, and connected user account risk indexes (calculation type: "Maximum (weighted)") for each employee.

An employee risk index results from the highest risk index of the calculated single values. This value is reduced or increased by other factors.

  • The employee is attested and approved
  • The employee is a manager or other employee
  • The employee is disabled and linked to an enabled user account

NOTE: Employees can obtain a calculated index even if there are no risk indexes stored with the company resources. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of an employee increases if:

  • The employee is a manager or other employee
  • The employee is disabled and linked to an enabled user account
TIP:"Business roles and organizations" in the "Employees: memberships in roles and organizations" table finds the risk indexes for all secondary employee memberships in hierarchical roles and IT Shop structures. In the process, the risk indexes are determined for secondary membership in business roles, departments, locations, cost centers, and IT Shop structures. You can use risk indexes from these memberships for custom calculation or evaluation. Implement your own functions or processes to do this.

Defining risk index functions

You can define company-specific functions and edit certain properties of the default function.

To edit risk index functions

  1. Select the Risk Index Functions category.

  2. In the navigation view, expand the Risk index functions node.

    All tables with functions defined in them are shown in the navigation view. These are tables with a RiskIndexCalculated column.

  3. Select the table whose risk index functions you want to edit and expand the node.

    This displays the Assignments and Properties filters.

    The Assignments filter groups all the risk index functions with assignments to the selected table (for example Active Directory user account membership in Active Directory groups).

    The Properties filter groups all risk index functions that further increase or decrease the calculated risk indexes.

  4. Select a filter.

  5. Select the password policy in the result list then select the Change main data task.

    - OR -

    To create a new risk index function, click in the result list.

  6. Fill out the function data.

    You can customize the following properties for default functions:

    • Deactivated

    • Calculation type

    • Weighting/change value

    • Calculate immediately

  7. Save the changes.
Related topics

General data for a function

Enter the following information for a risk index function.

Table 6: Risk index function main data

Property

Description

Name

Name of the function as displayed in the One Identity Manager tools.

Description

Text field for additional explanation.

Deactivated

Specifies whether risk index functions are taken into account in the total calculation of risk indexes.

Calculation type

Method with which to calculate the risk index. Permitted values are:

Maximum (weighted) The highest value from all relevant risk indexes is calculated, weighted, and taken as basis for the next calculation.
Maximum (normalized) The highest value from all relevant risk indexes is calculated, weighted with the normalized weighting factor, and taken as basis for the next calculation.
Increment The risk index of Table column (target) is incremented by a fixed value. This value is specified in Weighting/Change value.
Decrement The risk index of Table column (target) is decremented by a fixed value. This value is specified in Weighting/Change value.
Average(weighted) The average of all relevant risk indexes is calculated, weighted, and taken as basis for the next calculation.
Average(normalized) The average of all relevant risk indexes is calculated with the normalized weighting factor and taken as basis for the next calculation.
Reduction Used when calculating the reduced risk index for rules, SAP functions, company policies, and attestation policies. You cannot add custom functions with this calculation type!

NOTE: If calculation types for both weighting and normalization are implemented in risk index functions for one and the same target column, the risk index calculation does not determine a reasonable value.

The following applies for all risk index functions of one target column: Only combine functions with the calculation type "Maximum (weighted)" and "Average (weighted)" or the functions with calculation types "Maximum (normalized)" and "Average (normalized)".

Weighting/change value

The value by which to modify the risk index. There are three possible cases:

Calculation type Weighting/change value
Maximum (weighted) and average (weighted) Value by which the risk index is weighted in the total calculation.
Maximum (normalized) and average (normalized) Value by which the risk index is weighted in the total calculation. The value for this calculation is normalized to 1 beforehand.
Increment and decrement Value by which the risk index is incremented or decremented in the total calculation.
Detailed information about this topic
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating