IT infrastructures are usually complex, with many interconnected systems and components. Propagation allows you to reflect these relationships by disseminating control results and risks from one entity and/or entity collection down to multiple other entities or entity collections. Generally, with propagation, you are spreading the results from one to many entities or entity collections, as opposed to doing it from many entities or entity collections to a single entity or entity collection. In order for propagation to occur, there must be a relationship between entities or between the entity and the entity collection. Also, propagation must be enabled for the relationship. This allows the entities or entity collection to inherit results from the related entities or entity collections within a program.
RiskVision uses a publish-auto-subscribe-revocation model for propagation. Before any control results can be propagated, they first have to be published by a related entity or an entity within the same program for a relationship for which propagation has been enabled. All related entities or entity collections will automatically inherit the results but can then revoke those results if they decide to meet the control(s) on their own.
RiskVision has the following propagation types:
- Inter system: Propagation that occurs between entities and other entities, between entity collections and other entity collections, or between entities and entity collections. For example, propagating results for authentication and authorization-related controls from Active Directory to an SAP financial system.
- Intra system: Propagation that occurs between an entity collection and its members and is meant to capture controls that apply only to the specific system in question and not other systems or components. For example, Active Directory may provide authentication and authorization-related services to other systems, but for internal Active Directory components, you may need to propagate results for other controls, such as whether there is a system security plan in place or whether risk management processes are being followed for the system.
