Mitigating Controls – Should you use them?

Mitigating controls are never as desirable as an effective segregation of duties, but in some situations, a breach of a security rule may just have to exist.

Home » Industry Insights » Mitigating Controls – Should you use them?

Mitigating Controls – Should you use them? by ALLOut Security

Mitigating Controls – Should you use them? What controls should you have?

Mitigating controls on a risk situation is never as desirable as an effective segregation of duties. But it is recognised that in some situations, a breach of a security rule may just have to exist (for example if someone is providing temporary cover for another role within their department).

What sort of mitigating or compensating controls should you consider?

Second signature – to authorize bank payments, salary transfers, purchase orders etc
Review by a Supervisor – the daily journal entries reviewed and signed by the employee’s supervisor
Exception reports – run reports which show all SOD exceptions and review/authorise. eg
- Report of changes to G/L
- Report of postings recorded on accruals accounts
- Report on pending items resulting from reconciliations
- Report on any adjustments made to a prior period
- Report of payments over a given threshold
- Report on changes performed to master data
- Etc…. you get the picture!
- Independent Review – a detailed review of all transactions where an employee has two roles giving SOD breaches, or…
- Random Review – spot checks periodically by an independent person

Change Control

Standard JDE E1 provides only limited change control of menu changes (through OMW) and no change control of security changes.

Use ALLOut Risk Management to enforce the proper testing for SOD and Compliance, and the automated control of User Access conflicts. Automate your security change approval process and allow our delivered reports to streamline your review controls and audit process.

ALLOut will also allow you to control role assignments – allowing an approval process, recording a ‘reason’ code and justification and alerting you if a role is assigned which would cause a breach. You then have the option to ‘hard stop’ that assignment or a simple ‘warning’ with the option to upload and record the mitigation for that breach. ALLOut provides over 80 sample mitigations as part of the latest version of its SODMaster spreadsheet.

Cookie name	Default expiration time	Description
_ga	2 years	Used to distinguish users.
_gid	24 hours	Used to distinguish users.
_ga_<container-id>	2 years	Used to persist session state.
_gac_gb_<container-id>	90 days	Contains campaign related information. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out. Learn more.

visitor_id<accountid>	The visitor cookie includes a unique visitor ID and the unique identifier for your account. For example, the cookie name visitor_id12345 stores the visitor ID 1010101010. The account identifier, 12345, makes sure that the visitor is tracked on the correct Pardot account. The visitor value is the visitor_id in your Pardot account. This cookie is set for visitors by the Pardot tracking code.
pi_opt_in<accountid>	If Tracking Opt-in preferences is enabled, the pi_opt_in cookie is set with a `true` or `false` value when the visitor opts in or out of tracking. If a visitor opts in, the value is set to `true`, and the visitor is cookied and tracked. If the visitor opts out or ignores the opt-in banner, the opt-in cookie value is set to `false`. The visitor cookie is disabled, and the visitor is not tracked.
visitor_id<accountid>-hash	The visitor hash cookie contains the account ID and stores a unique hash. For example, the cookie name visitor_id12345-hash stores the hash “855c3697d9979e78ac404c4ba2c66533”, and the account ID is 12345. This cookie is a security measure to make sure that a malicious user can’t fake a visitor from Pardot and access corresponding prospect information.
lpv<accountid>	This LPV cookie is set to keep Pardot from tracking multiple page views on a single asset over a 30-minute session. For example, if a visitor reloads a landing page several times over a 30-minute period, this cookie keeps each reload from being tracked as a page view.
pardot	A session cookie named pardot is set in your browser while you’re logged in to Pardot as a user or when a visitor accesses a form, landing page, or page with Pardot tracking code. The cookie denotes an active session and isn’t used for tracking.

Cookie name	Default expiration time	Description
_ga	2 years	Used to distinguish users.
_gid	24 hours	Used to distinguish users.
_ga_<container-id>	2 years	Used to persist session state.
_gac_gb_<container-id>	90 days	Contains campaign related information. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out. Learn more.

visitor_id<accountid>	The visitor cookie includes a unique visitor ID and the unique identifier for your account. For example, the cookie name visitor_id12345 stores the visitor ID 1010101010. The account identifier, 12345, makes sure that the visitor is tracked on the correct Pardot account. The visitor value is the visitor_id in your Pardot account. This cookie is set for visitors by the Pardot tracking code.
pi_opt_in<accountid>	If Tracking Opt-in preferences is enabled, the pi_opt_in cookie is set with a `true` or `false` value when the visitor opts in or out of tracking. If a visitor opts in, the value is set to `true`, and the visitor is cookied and tracked. If the visitor opts out or ignores the opt-in banner, the opt-in cookie value is set to `false`. The visitor cookie is disabled, and the visitor is not tracked.
visitor_id<accountid>-hash	The visitor hash cookie contains the account ID and stores a unique hash. For example, the cookie name visitor_id12345-hash stores the hash “855c3697d9979e78ac404c4ba2c66533”, and the account ID is 12345. This cookie is a security measure to make sure that a malicious user can’t fake a visitor from Pardot and access corresponding prospect information.
lpv<accountid>	This LPV cookie is set to keep Pardot from tracking multiple page views on a single asset over a 30-minute session. For example, if a visitor reloads a landing page several times over a 30-minute period, this cookie keeps each reload from being tracked as a page view.
pardot	A session cookie named pardot is set in your browser while you’re logged in to Pardot as a user or when a visitor accesses a form, landing page, or page with Pardot tracking code. The cookie denotes an active session and isn’t used for tracking.