立即与支持人员聊天
与支持团队交流

Identity Manager 9.2 - Risk Assessment Administration Guide

Risk index for compliance rules and rule violations

NOTE: This function is only available if the Compliance Rules Module and the Attestation Module are installed.

Risk indexes can be applied to compliance rules to evaluate the risk of rule violations. Each rule can be assigned mitigating controls that are implemented the moment the rule is violated. If a rule violation is approved, the rule violation's exception approver can assign a specified mitigating control. Mitigating control reduce the compliance rule's risk index.

Using the QER | CalculateRiskIndex | MitigatingControlsPerViolation configuration parameter, you can control whether mitigating controls are assigned if an exception is granted to rule violations. If this configuration parameter is set, only mitigating controls assigned to rule violations are taken into account when calculating risk indexes. The configuration parameters is disabled by default.

The risk index of violated rules is taken into account when identity risk indexes are being calculated.

Table 4: Calculating compliance rule and rule violation risk indexes
Risk Index Function for Configuration Parameter is
Not set Enabled

Compliance rules (ComplianceRule. RiskIndexReduced)

The reduced risk index is calculated from the compliance rule risk index and the significance reductions of all assigned mitigating controls.

The risk index is not reduced. The reduced risk index corresponds, therefore, to the stored compliance rule's risk index.

Violated rules (BaseTree. RiskIndexCalculated)

The risk index corresponds to the reduced risk index of the violated rule.

Identities with rule violations (PersonInBaseTree. RiskIndexCalculated)

The risk index corresponds to the calculated risk index of the violated rule.

Identities with approved rule violations (PersonInBaseTree. RiskIndexCalculated)

The risk index is reduced by a fixed amount if the rule violation was granted approval.

Identities with attested rule violations (PersonInBaseTree. RiskIndexCalculated)

The risk index is reduced by a fixed amount if the rule violation was attested and granted approval.

Identities with approved rule violations and assigned mitigating controls (PersonInBaseTree. RiskIndexReduced)

The risk index is not reduced further. Therefore, the reduced risk index corresponds to the risk index of the rule violation (PersonInBaseTree. RiskIndexCalculated).

The reduced risk index is calculated from the risk index of the rule violation (PersonInBaseTree. RiskIndexCalculated) and the significance reduction of the mitigating controls assigned on exception approval.

If no mitigating controls are assigned, the reduced risk index corresponds to the calculated risk index of the rule violation (PersonInBaseTree. RiskIndexCalculated).

Identities (Person. RiskIndexCalculated)

The highest risk index of all the identity's rule violations is established. The calculation takes the reduced risk index of the rule violations in to account (PersonInBaseTree.RiskIndexReduced).

Risk index for identities

NOTE: This function is only available if the Attestation Module is installed.

To calculate identity risk indexes, the risk indexes are found for all assigned company resources. To do this, functions are stored for the assignment tables, such as the Resource assignments table. The values also reduced by another factor.

  • The assignment is attested and approved

In addition, the risk indexes of all identities in application roles and of rule violations are calculated (table Identities: memberships in roles and organizations). The membership risk index is reduced by another factor.

  • The membership is attested and approved

The highest risk index is determined for each identity from the risk indexes of assignments, memberships, rule violations, and connected user accounts (calculation type: Maximum (weighted)).

An identity risk index results from the highest risk index of the calculated single values. This value is reduced or increased by other factors.

  • The identity is attested and approved

  • The identity is a manager or other identity

  • The identity is disabled and linked to an enabled user account

NOTE: Identities can obtain a calculated index even if there are no risk indexes stored with the company resources. In this case, the risk index is calculated from the additional factors which increase the risk index. The risk index of an identity increases if:

  • The identity is a manager or other identity

  • The identity is deactivated but linked to enabled user accounts.

TIP: The default risk index functions Business Roles and Organizations on the Identities: memberships in roles and organizations table determines the risk indexes of all secondary memberships of identities in hierarchical roles and IT Shop structures. In the process, the risk indexes are determined for secondary membership in business roles, departments, locations, cost centers, and IT Shop structures. You can use risk indexes from these memberships for custom calculation or evaluation. Implement your own functions or processes to do this.

Defining risk index functions

You can define custom functions and edit certain properties of the default function.

To edit or create the functions for risk indexes

  1. In the Manager, select the Risk Index Functions category.

  2. In the navigation view, expand the Risk index functions node.

    This shows all the tables with functions defined in them. These are tables with a RiskIndexCalculated column.

  3. Select the table whose functions you want to edit and expand the menu item.

    • The Assignments filter groups all the risk index functions with assignments to the selected table (for example Active Directory user account membership in Active Directory groups).

    • The Properties filter groups all risk index functions that further increase or decrease the calculated risk indexes.

  4. Select a filter.

  5. Select the password policy in the result list then select the Change main data task.

    - OR -

    To create a new risk index function, click in the result list.

  6. Fill out the function data.

    You can customize the following properties for default functions:

    • Deactivated

    • Calculation type

    • Weighting/change value

    • Calculate immediately

  7. Save the changes.
Related topics

General main data of risk index functions

Enter the following information for a risk index function.

Table 5: Risk index function main data

Property

Description

Name

Name of the function as displayed in the One Identity Manager tools.

Description

Text field for additional explanation.

Deactivated

Specifies whether the function is taken into account in the overall calculation of risk indexes.

Calculation type

Method used to calculate the risk index. Permitted values are:

  • Maximum (weighted): The highest value from all relevant risk indexes is determined, weighted and used as the basis for further calculation.

  • Maximum (normalized): The highest value from all relevant risk indexes is calculated, weighted with the normalized weighting factor and taken as basis for the next calculation.

  • Increment: The risk index of table column (target) is incremented by a fixed value. This value is specified in Weighting/Change value.

  • Decrement: The risk index of the table column (target) is decreased by a fixed value. This value is specified in Weighting/Change value.

  • Average (weighted): The average of all relevant risk indexes is calculated, weighted, and taken as basis for the next calculation.

  • Average (normalized): The average of all relevant risk indexes is calculated with the normalized weighting factor and taken as basis for the next calculation.

  • Reduction: Used when calculating the reduced risk index for compliance rules, SAP functions, company policies, and attestation policies. You cannot add custom functions with this calculation type!

NOTE: If calculation types for both weighting and normalization are implemented in risk index functions for one and the same target column, the risk index calculation does not determine a reasonable value.

The following applies to all of a target column's risk index functions: Only combine risk index functions with the Maximum (weighted) and Average (weighted) calculation types or functions with the Maximum (normalized) and Average (normalized) calculation types!

Weighting/change value

The value by which to modify the risk index. There are three possible cases:

  • Calculation types Maximum (weighted) and Average (weighted): Value used to weight the determined risk index in the overall calculation.

  • Calculation types Maximum (normalized) and Average (normalized): Value used to weight the determined risk index in the overall calculation. The value for this function is normalized to 1 beforehand.

  • Calculation types Decrement and Increment: Value by which the calculated risk index is decreased or increased in the overall calculation.

Detailed information about this topic
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级