CyMetric allows you to disable controls after they are no longer needed either because the organization's risk profile has changed or something about the system changes to moot the existence of the control. CyMetric does not allow for the deletion of controls because any previous assessments on that control would be lost. Further, if a regulator, auditor or litigant were interested in how the system was managed prior to the control's obsolescence, you would want to provide that background information and how the system was properly maintained. In place of deleting a control, CyMetric disables them. The disabled controls still appear as organization approved controls and appear in assessments, but you would know that it was disabled from the Control Details section and could record its status in the assessment. The feature helps an organization detect controls that were previously approved but are now disabled so they can consider the providence of that decision.
To disable a control on a system, navigate to the information systems module, click on the system you want to mopdify. Next, click on the Controls tab from the top of the information system area. Find the control you wish to disable by scrolling through the list or use the filter to find the contrtol. Click on the caret (>) at the end of the row of the control you want to disable:
The details of the control are displayed, including its status. The control will display as active. Click on the Edit button to initiate the change.
Once in Edit mode, disable the control by moving the slide switch to the inactive position. CyMetric requires that you provide a reason for deactivating the control. When you are finished, click on the Save Edits button.
The status of the control can be changed at any time if the decision is made to re-activate the control. Please note that deactivating the control only applies to the system you are editing. If you need to disable the same control for other systems, you will need to repeat this process.
This above process can also be accessed from the Approved Control list. Navigate to the control and then select the system instance and do the same steps described above.