Check your false positive SoDs with APM-UM
Why pay a lot of attention and spend time on creating and monitoring mitigating controls for false positive SoD conflicts if the end users are not using the tcodes causing the SoD conflicts?
This article will show you how easy it is to validate whether a combination of tcodes causing SoD conflicts has actually been used by the end users.
If you can identify your false positives you can save time and resources in mitigating controls.
Definition: A false positive SoD is a situation where a user shows up in a risk analysis (ARA in GRC 10.0 and RAR in GRC 5.3) but in fact the user hasn’t executed the tcode that causes the conflict.
Until now it has been a difficult and time-consuming task to do such an analysis. Not anymore.
With APM-UM you can now easily and quickly generate a report that gives you an overview of all users that are mitigated. Furthermore, you will have a full overview of which users are actually using the tcodes that cause the SoD conflicts and which users are not.
The report is very easy to generate in APM-UM. In the report tab in APM-UM, the only selection criteria you have to change is “Group” in the “General selections” section. Select “none” from the drop down list. You can specify specific users if you want to narrow down your output of users.
When the report is generated, save it to a folder of your own choice. Otherwise Excel doesn’t allow you to make a Pivot table, which is perfect for the analysis.
Now choose the Insert menu in Excel and the PivotTable option. Your report would look like this.
Now drag “User” to the “Row Labels” area, “Tcode” to the “Column Labels” area and “Days used” into the “Values” area. The report will look like this.
Now you will be able to filter on the tcodes that cause the SoD conflict. Let’s try with XD01 and VA01.
What you see in this table is that if there is a value in both columns, then the user has the SoD conflict combination, and if the value is zero, then we know that the tcode has not been used by the user. Now you can begin cleaning up and removing tcodes that cause SoD conflicts but have not been used by the users.
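The same pivot and filter can be scripted when the check has to be repeated for many conflict pairs. The following is an added example, not part of APM-UM or the original article: it assumes the report was exported as CSV with the columns “User”, “Tcode” and “Days used”, that it covers the users flagged for the conflict, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names follow the pivot fields named in the article.
SAMPLE_REPORT = """User,Tcode,Days used
ALICE,XD01,12
ALICE,VA01,30
BOB,XD01,0
BOB,VA01,45
CAROL,XD01,3
CAROL,VA01,0
DAVE,XD01,0
DAVE,VA01,0
ERIN,VA01,7
"""

def load_usage(report_text):
    """Pivot the report: usage[user][tcode] = total days used."""
    usage = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["User"].strip().upper()
        tcode = row["Tcode"].strip().upper()
        usage[user][tcode] += int(row["Days used"] or 0)
    return usage

def classify(usage, conflict):
    """Split users into those who used every tcode of the conflict and those who did not."""
    result = {"used_conflict": {}, "false_positive": {}}
    for user, tcodes in sorted(usage.items()):
        # Assumption: a tcode with no row in the report counts as zero days used.
        days = {t: tcodes.get(t, 0) for t in conflict}
        unused = [t for t in conflict if days[t] == 0]
        if unused:
            result["false_positive"][user] = unused  # candidates for tcode removal
        else:
            result["used_conflict"][user] = days     # conflict was actually exercised
    return result

if __name__ == "__main__":
    report = classify(load_usage(SAMPLE_REPORT), ("XD01", "VA01"))
    for user, days in report["used_conflict"].items():
        print(f"{user}: conflict exercised {days}")
    for user, unused in report["false_positive"].items():
        print(f"{user}: unused {', '.join(unused)}")
```

A zero only says the tcode was not used in the period the report covers, so the reporting period should be long enough to include infrequent activities before a tcode is removed.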
Now you might spend time on creating mitigating controls. This is followed by quarterly reporting on mitigated users that are actually using the SoD conflicts. With the right information in hand you can reduce the list of mitigating controls.
I would really like to hear your opinion on this matter. In your opinion, do you think it would be possible to reduce the number of mitigating controls? Any pitfalls?