
Identity Manager 8.0 - Risk Assessment Administration Guide

Compliance Rule and Rules Violation Risk Indexes

Installed Modules:

Compliance Rules Module

Attestation Module

Table 4: Configuration Parameters for Calculating Risk Indexes of Rule Violations

Configuration Parameter: QER\CalculateRiskIndex\MitigatingControlsPerViolation

Active Meaning: This configuration parameter controls calculation of risk indexes for rule violations. If the parameter is set, exception approvers can assign mitigating controls to rule violations. The risk index calculation only takes these mitigating controls into account. If the parameter is disabled, risk index calculation takes mitigating controls assigned to compliance rules into account.

Risk indexes can be applied to compliance rules to evaluate the risk of rule violations. Each rule can be assigned mitigating controls, which are implemented the moment the rule is violated. If a rule violation is approved, the rule violation's exception approver can assign a specified mitigating control. Mitigating controls reduce the compliance rule's risk index.

Use the configuration parameter "QER\CalculateRiskIndex\MitigatingControlsPerViolation" to control whether mitigating controls are assigned to rule violations in the case of exception approval. If this configuration parameter is set, only mitigating controls assigned to rule violations are taken into account when calculating risk indexes. The configuration parameter is disabled by default.

The risk index of violated rules is taken into account when employee risk indexes are being calculated.

Table 5: Calculating Compliance Rule and Rule Violation Risk Indexes

Risk Index Function for: Configuration Parameter is Disabled / Set

Compliance rules (ComplianceRule.RiskIndexReduced)

  • Disabled: The reduced risk index is calculated from the compliance rule risk index and the significance reductions of all assigned mitigating controls.
  • Set: The risk index is not reduced. The reduced risk index corresponds, therefore, to the stored compliance rule's risk index.

Violated rules (BaseTree.RiskIndexCalculated): The risk index corresponds to the reduced risk index of the violated rule.

Employees with rule violations (PersonInBaseTree.RiskIndexCalculated): The risk index corresponds to the calculated risk index of the violated rule.

Employees with approved rule violations (PersonInBaseTree.RiskIndexCalculated): The risk index is reduced by a fixed amount if the rule violation was granted approval.

Employees with attested rule violations (PersonInBaseTree.RiskIndexCalculated): The risk index is reduced by a fixed amount if the rule violation was attested and granted approval.

Employees with approved rule violation and assigned mitigating controls (PersonInBaseTree.RiskIndexReduced)

  • Disabled: The risk index is not reduced further. Therefore, the reduced risk index corresponds to the rule violation risk index (PersonInBaseTree.RiskIndexCalculated).
  • Set: The reduced risk index is calculated from the rule violation risk index (PersonInBaseTree.RiskIndexCalculated) and the significance reduction of the mitigating control, which was assigned on exception approval. If no mitigating controls are assigned, the reduced risk index corresponds to the calculated index of the rule violation (PersonInBaseTree.RiskIndexCalculated).

Employees (Person.RiskIndexCalculated): The highest risk index of all the employee's rule violations is established. The calculation takes the reduced risk index of the rule violations into account (PersonInBaseTree.RiskIndexReduced).
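The following model is an added example, not One Identity Manager code. It follows the rows of Table 5 to show how the setting of QER\CalculateRiskIndex\MitigatingControlsPerViolation changes which mitigating controls lower an employee's risk index. Assumptions not taken from this guide: risk indexes lie between 0 and 1, a significance reduction is subtracted from the index, the fixed approval amount is 0.1, and the record layout and sample values are constructed.

```python
from dataclasses import dataclass, field

APPROVAL_DECREMENT = 0.1  # assumed value for the "fixed amount" on approval

def reduce_index(index, reductions):
    # Assumed model: subtract summed significance reductions, clamp to 0..1.
    return round(min(1.0, max(0.0, index - sum(reductions))), 4)

@dataclass
class Violation:  # constructed record, not a One Identity Manager table
    rule_risk_index: float
    rule_controls: list                      # reductions of controls on the rule
    violation_controls: list = field(default_factory=list)  # set on approval
    approved: bool = False

def rule_reduced(v, per_violation):
    # ComplianceRule.RiskIndexReduced: not reduced when the parameter is set.
    if per_violation:
        return v.rule_risk_index
    return reduce_index(v.rule_risk_index, v.rule_controls)

def violation_calculated(v, per_violation):
    # PersonInBaseTree.RiskIndexCalculated: the violated rule's index,
    # less a fixed amount once the violation is approved.
    index = rule_reduced(v, per_violation)
    return reduce_index(index, [APPROVAL_DECREMENT]) if v.approved else index

def violation_reduced(v, per_violation):
    # PersonInBaseTree.RiskIndexReduced: only per-violation controls count,
    # and only when the parameter is set.
    calculated = violation_calculated(v, per_violation)
    if per_violation and v.approved:
        return reduce_index(calculated, v.violation_controls)
    return calculated

def employee_index(violations, per_violation):
    # Person.RiskIndexCalculated: highest reduced index over all violations.
    return max((violation_reduced(v, per_violation) for v in violations), default=0.0)

# Constructed sample: two approved violations for one employee.
SAMPLE = [
    Violation(0.8, rule_controls=[0.3], approved=True),
    Violation(0.6, rule_controls=[0.1], violation_controls=[0.2], approved=True),
]

if __name__ == "__main__":
    print("parameter disabled:", employee_index(SAMPLE, per_violation=False))
    print("parameter set:     ", employee_index(SAMPLE, per_violation=True))
```

In this sample the first violation was approved without a per-violation control, so setting the parameter removes its only reduction and raises the employee's index.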

Employee Risk Indexes

Installed Module:

Attestation Module

To calculate employee risk indexes, the risk indexes are found for all assigned company resources. Functions stored with the assignment tables do this (for example, "Resource assignments"). The values are also reduced by another factor.

  • The assignment is attested and approved

The risk indexes for all employee memberships in application roles and for rule violations are found (table "Employees: membership in roles and organizations"). The membership risk index is reduced by another factor.

  • The membership is attested and approved

For each employee, One Identity Manager determines the highest risk index per object type from assignment, rule violations and connected user account risk indexes (calculation type: "Maximum (weighted)").

An employee risk index results from the highest risk index of the calculated single values. This value is reduced or increased by other factors.

  • The employee is attested and approved
  • The employee is a manager or other employee
  • The employee is disabled and linked to an enabled user account

NOTE: Employees can obtain a calculated index even if there are no risk indexes stored with the company resources. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of an employee increases if:

  • The employee is a manager or other employee
  • The employee is disabled and linked to an enabled user account

TIP: The default function "Business roles and organizations" on table "Employees: memberships in roles and organizations" finds the risk indexes for all secondary employee memberships in hierarchical roles and IT Shop structures. In the process, the risk indexes are determined for secondary membership in business roles, departments, locations, cost centers and IT Shop structures. You can use risk indexes from these memberships for custom calculation or evaluation. Implement your own functions or processes to do this.

Defining Risk Index Functions

You can define company-specific functions and edit certain properties of the default function.

To edit risk index functions

  1. Select the category Risk Index Functions.
  2. Open Risk index functions in the navigation view.

    All tables with functions defined in them are shown in the navigation view.

  3. Select the table with the function you want to edit.

    These are tables with a RiskIndexCalculated column.

  4. Select the filter Assignments.

    - OR -

    Select the filter Properties.

    All the functions with assignments to the selected table are collected under Assignments (for example, Active Directory user account membership in Active Directory groups).

    All functions, which increase or decrease calculated risk indexes, are grouped under properties.

  5. Select a function in the result list and run the task Change master data.

    – OR –

    Click in the result list toolbar.

  6. Fill out the function data.

    You can customize the following properties for default functions:

    • Disabled
    • Calculation type
    • Weighting/change value
    • Calculate immediately
  7. Save the changes.

General Data for a Function

Enter the following information for a risk index function.

Table 6: Risk Index Function Master Data

Property: Description

Name: Name of the function as displayed in the One Identity Manager tools.

Description: Spare text box for additional explanation.

Disabled: Specifies whether risk index functions are taken into account in the total calculation of risk indexes.

Calculation type: Method with which to calculate the risk index. Permitted values are:

  • Maximum (weighted): The highest value from all relevant risk indexes is calculated, weighted and taken as basis for the next calculation.
  • Maximum (normalized): The highest value from all relevant risk indexes is calculated, weighted with the normalized weighting factor and taken as basis for the next calculation.
  • Increment: The risk index of Table column (target) is incremented by a fixed value. This value is specified in Weighting/Change value.
  • Decrement: The risk index of Table column (target) is decremented by a fixed value. This value is specified in Weighting/Change value.
  • Average (weighted): The average of all relevant risk indexes is calculated, weighted and taken as basis for the next calculation.
  • Average (normalized): The average of all relevant risk indexes is calculated with the normalized weighting factor and taken as basis for the next calculation.
  • Reduction: Used when calculating the reduced risk index for rules, SAP functions, company policies and attestation policies. You cannot add custom functions with this calculation type!

NOTE: If calculation types for both weighting and normalization are implemented in risk index functions for one and the same target column, the risk index calculation does not determine a reasonable value.

The following applies for all risk index functions of one target column: Only combine functions with the calculation type "Maximum (weighted)" and "Average (weighted)" or the functions with calculation types "Maximum (normalized)" and "Average (normalized)".

Weighting/change value: The value by which to modify the risk index. There are three possible cases:

  • Maximum (weighted) and average (weighted): Value by which the risk index is weighted in the total calculation.
  • Maximum (normalized) and average (normalized): Value by which the risk index is weighted in the total calculation. The value for this calculation is normalized to 1 beforehand.
  • Increment and decrement: Value by which the risk index is incremented or decremented in the total calculation.
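The check below is an added example, not part of One Identity Manager. It audits a list of risk index function definitions against the two rules stated for the calculation type: weighted and normalized types must not be combined on one target column, and custom functions must not use "Reduction". The dictionary keys, function names and target columns are constructed for illustration, and skipping disabled functions is an assumption.

```python
from collections import defaultdict

WEIGHTED = {"Maximum (weighted)", "Average (weighted)"}
NORMALIZED = {"Maximum (normalized)", "Average (normalized)"}

def audit_functions(functions):
    """Return (target column, issue, function names) findings."""
    findings = []
    active = defaultdict(list)
    for f in functions:
        # Custom functions must not use the calculation type "Reduction".
        if f["calc_type"] == "Reduction" and f["custom"]:
            findings.append((f["target"], "custom-reduction", [f["name"]]))
        # Assumption: disabled functions take no part in the calculation.
        if not f["disabled"]:
            active[f["target"]].append(f)
    for target in sorted(active):
        weighted = [f["name"] for f in active[target] if f["calc_type"] in WEIGHTED]
        normalized = [f["name"] for f in active[target] if f["calc_type"] in NORMALIZED]
        # Weighted and normalized types on one target column give no
        # reasonable value, so report every function involved.
        if weighted and normalized:
            findings.append((target, "mixed-weighting", weighted + normalized))
    return findings

def fn(name, target, calc_type, custom=False, disabled=False):
    # Helper for the constructed sample below (hypothetical record layout).
    return {"name": name, "target": target, "calc_type": calc_type,
            "custom": custom, "disabled": disabled}

# Constructed sample definitions; names and target columns are placeholders.
SAMPLE_FUNCTIONS = [
    fn("A1", "TableA.RiskIndexCalculated", "Maximum (weighted)"),
    fn("A2", "TableA.RiskIndexCalculated", "Average (normalized)", custom=True),
    fn("A3", "TableA.RiskIndexCalculated", "Increment"),
    fn("B1", "TableB.RiskIndexCalculated", "Maximum (normalized)", disabled=True),
    fn("B2", "TableB.RiskIndexCalculated", "Maximum (weighted)"),
    fn("C1", "TableC.RiskIndexReduced", "Reduction", custom=True),
]

if __name__ == "__main__":
    for finding in audit_functions(SAMPLE_FUNCTIONS):
        print(finding)
```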