Managing Mitigating Controls
The Mitigating Controls – Maintenance page is found by selecting Risks > Mitigating Controls. Three elements of Mitigating Controls information are available on different tabs: Mitigating Controls, Risk Mapping, and Mapping Rules.
Options in the Actions dropdowns let you trace a control’s risk mapping and mapping rules. To view these for all of your controls, select the Risk Mapping or Mapping Rules tab below the search field.
Use the search field at the top of the page for a global search of all fields within the active tab. The column headers offer more advanced filtering options. At the top right, select Import to import or update your controls, or select Mitigations Report to view the online Mitigations Report.
Mitigating Controls Tab
The Mitigating Controls tab lists the controls themselves.
The dropdown in the Action column has a Disable / Enable Mitigation toggle to disable or enable a specific control. Note that disabling a control does not remove the risk mapping. The mapping still exists, but will not be considered when evaluating mitigations during a risk analysis (e.g., when you generate a report or run a What If simulation) unless or until the control is enabled.
The Mitigating Controls tab includes:
- Control Code – Unique identifier for the control.
- Name – Name of the control.
- Control Type – May be automated or manual, preventative or detective.
- Description – Description of the control. Select to view or copy the full text.
- Valid From / To – Boundary dates between which the control should be evaluated during a risk analysis.
  - Valid From may be left blank or may be dated in the past or future.
  - If you set a Valid From date in the future, the control can be entered and users mapped to it, but it will not take effect until the Valid From date.
  - A Valid To date is required. It may be set for a year, if that is how often you review your controls, or it may be set longer or shorter as needed.
  - If you set a Valid To date in the past, the control can be entered and users mapped to it, but it will not take effect.
- Enabled – True if the control is enabled, False if it is not. Anyone mapped to the control is not mitigated during a risk analysis until it is enabled (set to True).
- External Link (optional) – Link directly to your internal audit application where you have documentation specific to this control.
- Frequency – How often the control is executed, such as weekly, monthly, or ad hoc.
- Last Tested (optional) – Date the control was most recently tested.
- Owner(s) – Name of the person or persons who are designated owners of this control. There must be at least one owner assigned to each control. When there is more than one owner, the names can be selected to view a complete list.
- Created By – Access Risk Management username of the person who created the control.
- Created Date – Date the control was created.
- Last Modified By – Access Risk Management username of the person who last modified the control.
- Last Modified Date – Date of the most recent changes.
Risk Mapping Tab
On the Risk Mapping tab, you can view how controls are mapped to the specific risks that they mitigate. One control can mitigate numerous risks and multiple controls can be applied to the same risk.
Mapping remains in place when a control is disabled; however, the control is not evaluated during a risk analysis unless it is reenabled or the Valid To date is extended.
The Risk Mapping tab includes:
- Control Code – Unique identifier for the control.
- Rulebook Name – Rulebook that contains the risk to be mitigated.
- Risk Code – Identifier for the risk mitigated by the control.
- Mitigated Risk Notes (optional) – Additional information about the mitigated risk.
Mapping Rules Tab
On the Mapping Rules tab, you choose the specific entities that are mitigated. You can mitigate all users for one or all systems (All Users rule type) or specify an individual user that is mitigated (Specific Users rule type).
The Mapping Rules tab includes:
- Control Code – Unique identifier for the control.
- Rulebook Name – Rulebook that contains the risk to be mitigated.
- Risk Code – Identifier for the risk mitigated by the control.
- Rule Type – All Users or Specific Users.
- ERP System Name – System the mapping rule applies to. This will be blank if the rule applies to all systems.
- Mapping Attribute – Blank, if applied to all users, or ERP_SYSTEM_USER_ID for specific users.
- Attribute Value – The specific value for the attribute that the rule applies to. For example, if your mapping attribute is ERP_SYSTEM_USER_ID, then the attribute value would be a system user’s ID, their exact SAP username. This field is blank when you use the All Users mapping rule type.
- Valid To (optional) – End date for the mapping rule itself for a specific user or for all users. This does not impact any of the other mapping rules or the control.
- Mitigated Entity Notes (optional) – Additional information about the mitigated entity.
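The conditions described across the three tabs (Enabled, Valid From / To, rule type, ERP system, and the rule's own Valid To) can be combined into one check, for example to review which mapped users are not actually mitigated on a given date. This is an added example, not SailPoint code or a product export format: the dictionary keys and sample values are constructed, and boundary dates are assumed to be inclusive.

```python
from datetime import date

def control_status(control, on):
    """Why a control would or would not be evaluated on the date `on`."""
    if not control["enabled"]:
        return "disabled"
    if control["valid_from"] and on < control["valid_from"]:
        return "not_yet_valid"          # future Valid From: entered, not in effect
    if on > control["valid_to"]:        # Valid To is required on every control
        return "expired"
    return "active"

def rule_applies(rule, user_id, system, on):
    """Match one mapping rule against a user on an ERP system."""
    if rule["valid_to"] and on > rule["valid_to"]:
        return False                    # the rule's own optional Valid To has passed
    if rule["erp_system"] and rule["erp_system"] != system:
        return False                    # blank ERP System Name means all systems
    if rule["rule_type"] == "All Users":
        return True
    return rule["attribute_value"] == user_id   # Specific Users: exact user ID

def is_mitigated(control, rules, risk_code, user_id, system, on):
    if control_status(control, on) != "active":
        return False                    # mapping still exists but is not considered
    return any(r["control_code"] == control["control_code"]
               and r["risk_code"] == risk_code
               and rule_applies(r, user_id, system, on) for r in rules)

# Constructed sample data (assumed structure, not a product export).
CONTROL = {"control_code": "MC-001", "enabled": True,
           "valid_from": None, "valid_to": date(2025, 12, 31)}
RULES = [
    {"control_code": "MC-001", "risk_code": "R100", "rule_type": "Specific Users",
     "erp_system": "SAP-PRD", "attribute_value": "JDOE", "valid_to": date(2025, 6, 30)},
    {"control_code": "MC-001", "risk_code": "R200", "rule_type": "All Users",
     "erp_system": "", "attribute_value": "", "valid_to": None},
]

if __name__ == "__main__":
    today = date(2025, 7, 15)
    print(control_status(CONTROL, today))
    print(is_mitigated(CONTROL, RULES, "R100", "JDOE", "SAP-PRD", today))
    print(is_mitigated(CONTROL, RULES, "R200", "ASMITH", "SAP-QA", today))
```

In the sample, the control is still active on 2025-07-15, but the Specific Users rule for JDOE ended on 2025-06-30, so only the All Users rule for R200 still mitigates.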