Hi,
I was hoping someone would be able to clarify what information is overwritten on completed control assessments in ARCM.
We have an example where a control tester has changed, so we have overwritten the name on the original ARIS object with the new control tester's details. We have then successfully transferred this to ARCM, but have then noticed that all of the old control assessments (which are in read-only state) have been updated & now state that they were actioned by the new control tester.
Our understanding was that control assessments which have been completed & are in a read-only state would not be affected by any changes that are made in ARIS (e.g. description, control testers etc).
Do we have to create a new object each time a change is required, so as not to overwrite the historic data? This doesn't seem appropriate & also doesn't support the feature of being able to update objects across multiple models at once.
Please can you advise?
Many thanks,
Leanne
Hi Leanne,
For users having filled out forms in ARIS Risk and Compliance, the form always links to the recent version of that user object. That means, if you have changed the name of an existing user (object), that will be visible in all places where that name is visible. That allows us to more easily fulfill the data protection requirement to anonymize users.
Especially for users, you should use a new object instead of re-using an existing one (I guess you would also do that, e.g., for email addresses, ...) and only change the existing one if, e.g., it really is only a change of name etc.
Hope that helps you.
Georg
Thanks for clarifying, Georg.
I think the confusion came about because, when overwriting control descriptions etc., any completed controls were not affected & were not updated, so we assumed this was the case for all details within a completed control test, but it seems this is not the case for user names.
I'll update our risk & controls team.
Thanks,
Leanne