
RSA Archer Suite

Our worlds often consist of constant change, an overload of incoming emails, and what feels like a never-ending series of meetings.  With so much information coming at us, our ability to adapt to change really relies on our ability to quickly and easily find pertinent information, right when we need it.


Updating your RSA Archer environment is one such change that you may feel you’ve seen a wealth of information on, but now that you’re getting ready to move to the next build, where-oh-where can you find that information that is now lost in the shuffle?


That’s where the RSA Archer Navigator can help. By using the Focus filter of Release Notes and Advisories, you can immediately drill down into a complete list of all such documentation that’s been made available in recent years.  Add or change the filters to reference your Role of Admin, your Expertise level, add a Media Type of Documentation, or make other changes, and your results will adjust to display the data that’s important to you. 


Some examples of documentation available include a look at the RSA Archer Release 6.2 Upgrade Process, RSA Archer 6.2 and later Release Notes, and more.


No more needing to know just the right keyword in order to find the information you need – use the Navigator filters to define general categories, and let us do the steering for you!


Watch the RSA Navigator video to maximize your Navigator experience, and if you haven’t yet taken a drive over to our Navigator page, route your path today!

We heard you loud and clear - with the upcoming long Memorial Day weekend fast approaching, school classes ending in the Midwest for the summer, and a host of work-related commitments, you wanted more time to submit Call for Speakers (C4S) Abstracts.


We are pleased to tell you that the deadline for C4S submissions has been extended and is now EOD on June 9, 2017.


This is a hard deadline, however, and will not be extended again so we can meet all the time-sensitive event activities leading up to RSA Charge 2017.


All of the information to help you submit your proposal can be found on the RSA Charge 2017 microsite, including Charge registration information – though RSA Charge ‘Speakers’ receive a complimentary pass to the Charge event – another solid reason to submit!


First, check out the webinar replay of 'What You Should Know Before Submitting Your Proposal' and then use the Offline Submission Form (for practice) before submitting your proposal using the Online Submission Form. There are also FAQs to help you too. 


The Tracks for RSA Charge 2017 include:

Governance, Risk & Compliance

  • Inspiring Everyone to Own Risk
  • Managing Technology Risk in Your Business
  • Taking Command of Your Risk Management Journey
  • Transforming Compliance
  • RSA Archer Suite Technical
  • RSA Archer Suite Advanced Technical

Security Operations, Identity, Anti-Fraud

  • Detecting and Responding to the Threats That Matter
  • Identity Assurance
  • Reducing Fraud, while Not Reducing Customers
  • Secrets of the SOC

Complete Session details are also available.


With the extended deadline through June 9, we hope you will consider sharing your first-hand knowledge, advice, ideas, experiences, case studies, and war stories with your peers at Charge 2017. For the many who have already submitted proposal abstracts, ‘thank you’ and we look forward to seeing you in Dallas, Oct. 17-19.

In my previous blog, New Job Chapter One, I described an approach using RSA Archer to drive your Business-Driven Security strategy.  I want to emphasize a couple of points critical to an organization demonstrating their compliance with information security-related regulations like the EU-GDPR, GLBA, NY State Cybersecurity laws, etc.  Here, again, is the BizDS flowchart I introduced:




RSA Archer is used to capture the products and services, IT infrastructure and business processes of the organization (applications, servers, databases, data stores, devices, web-facing services, etc.). The type, format (physical or electronic), criticality, and amount of information handled by or through each business process and each piece of IT infrastructure is documented, and the inherent risk of each is calculated. You now have the information necessary to decide where to apply technical controls (identity, SIEM, vulnerability scanners, firewalls, etc.) and organizational controls (physical access, employee background checks, codes of conduct, SDLC management, training, third-party controls, resiliency, etc.).


As you move into the monitoring phase of your information security program, technical controls and organizational control indicators generate a tidal wave of data suggesting that there may be weaknesses in your protection of information. Using a Business Driven Security strategy, the data thrown off by technical controls and organizational control metrics is married back up with the information you have already evaluated in Archer about your business processes and IT infrastructure. Combining the two lets you wade through the sea of technical information, understand its business context in terms that are meaningful to the business, and prioritize your response based on its significance to your organization and the resources you have available to work the problems. Sometimes the number and significance of security gaps and issues to address is overwhelming. A Business Driven Security strategy helps your technical teams articulate these gaps and issues in a form the business understands, so that the business can make meaningful decisions about allocating additional capital and human resources to remedy the problems.


In summary, for an organization trying to demonstrate its compliance with information security-related regulations like the EU-GDPR, GLBA, NY privacy law, etc., it is essential to be able to answer these questions:


  • Does the organization know what, where, and how much regulated information is managed by the organization and how much risk it poses?
  • Have the technical and organizational risk treatments been implemented around those points where high-risk information is processed, handled, stored, or transmitted in some manner?
  • Are the technical and organizational controls operating effectively and are the events, vulnerabilities, warnings and exceptions generated being addressed in accordance with the business risk they represent?


A mature business-driven security strategy answers these questions and can help an organization demonstrate compliance with their regulatory obligations around information security.


We explore how to implement a Business Driven Security strategy in more detail in this white paper.


It’s down to the final weeks for Call for Speakers (C4S) proposal submissions for the RSA Charge 2017 event.


If you are still on the fence, time is running out, but there are some helpful aids to get you started. First, check out the webinar replay of ‘What You Should Know Before Submitting Your Proposal’ and then use the Offline Submission Form (for practice) before submitting your proposal using the Online Submission Form. There are also FAQs to help you before submitting your proposal.


The RSA Charge 2017 GRC Tracks include:

  • Inspiring Everyone to Own Risk
  • Managing Technology Risk in Your Business
  • Taking Command of Your Risk Management Journey
  • Transforming Compliance
  • RSA Archer Suite Technical
  • RSA Archer Suite Advanced Technical

Complete Session details are also available.


All of the information to help you submit your proposal can be found on the RSA Charge 2017 microsite, including Charge registration information – though RSA Charge ‘Speakers’ receive a complimentary pass to the Charge event – another solid reason to submit!

Overview of WannaCry/Wanna Decryptor

As you know, an outbreak of a ransomware threat known as “WannaCry” or “Wanna Decryptor” began late Thursday and hit the mainstream over Mother’s Day. Ransomware attacks like “WannaCry” are meant to be very visible in order to pressure the victim to pay the ransom. The scale of this attack, together with this specific ransomware family, is unique in that it has worm-like capabilities leveraging an exploit against vulnerable Microsoft Windows® operating systems. This exploit was recently made publicly available and appears to be associated with the “Shadowbrokers” release of nation state hacking tools. As of 5/15/2017 at 1pm ET, our best estimate is that the associated income is less than $50k, with fewer than 150 individuals or businesses impacted that were willing to pay.


While details are still emerging, RSA believes it follows a typical attack pattern where a malicious link is delivered through email as part of a phishing scam, whereby the malware installs itself. The malware can spread rapidly when an already infected computer is able to locate additional open and vulnerable computers with outbound internet connections. This malware can travel quickly through an internal network as a result of a core Windows networking function exploit. Microsoft issued a patch for this vulnerability under advisory (MS17-010).


The vulnerability exploited in this attack was made public in September, 2016. Microsoft released a patch in March, 2017. If an organization looks at their enterprise risk management with proper cyber hygiene, they may not have been vulnerable to this attack.


Mitigations for attacks like this include host blocking, a robust backup strategy and comprehensive patch management; IT leaders should also be mindful that, because of Microsoft’s patch support policy, any organization still running Windows XP, Windows 8 or Windows Server 2003 remains at high risk. Microsoft has issued specific guidance for this attack, which can be found here. This is not a new phenomenon, and as in most major attacks, resistance is achieved with disciplined patching hygiene.


This latest wave of ransomware continues a trend with this popular attack method. Attackers are shifting away from stealing information for profit and instead taking advantage of the fact that data is critical to its victims for daily business operations.


Was RSA or Dell Technologies Impacted?

While we continue to monitor and validate, at this time there appears to be no impact to the internal networks of any of the major Dell Technologies networks.


Are RSA Products Impacted?

Individual alerts have been sent to clients using specific products. Because many clients leverage Microsoft OS and products as underlying components of RSA Products, there is a risk they could be impacted. That said, the actual product applications that RSA distributes are not impacted.


How RSA Can Help You?

You may be asking how RSA can help. First, recognize that ransomware threats, by design, are noisy and are obvious to the infected victim … this is part of the criminal’s objective and business model. RSA NetWitness® Suite is designed to help identify and provide visibility into a ransomware attack – but as part of this attack method, the victim organization’s data is being encrypted by the malware. This is the same for any advanced threat detection and response technology platform.


From a risk perspective, RSA Archer is designed to help automate risk management, prioritizing activities to reduce risk (i.e. Vulnerability Risk Management) to mission-critical systems, and consistently and effectively manage an actual incident.


From an investigation and readiness standpoint, RSA can provide strong visibility and expertise, helping users to reconstruct, analyze, and understand the attack for current and future identification of ransomware behavioral indicators and operational performance optimization. Analysts within Security Operations Centers (SOC) can see suspicious activities such as lateral movement of infected systems, and/or attempts to infect workstations and other network and critical business assets to more readily determine the overall operational, business continuity, governance, regulatory and compliance impact of the attack to their business. Lastly, RSA can help security programs and IT operational functions see the last known good state of the workstation to understand when the incident first began in order to measure “dwell time”, determine SOC visibility and detection, gaps and remediation requirements as well as the ability to restore from known good backup. This can help limit data loss and reduce the prospect of paying ransom to the attackers.


In a large-scale attack like this, expertise and experience in readiness, response, resilience and business risk management is imperative. RSA can help organizations in their response and readiness efforts and programs. These attacks can be contained and preemptive efforts can be taken to block similar attacks from occurring in the future, minimizing the impact and scale of ransomware campaigns.


For a deeper dive on using RSA NetWitness to improve your visibility and take decisive steps to reduce the impact on your environment, see WannaCry from the RSA NetWitness Suite's Perspective and Blocking WannaCry with NetWitness Endpoint.


Other RSA and Third Party References

Here are some additional resources if you’d like to learn more about the attack.


What's to Come?

New attacks are often followed by attack variants that use a similar infection vector with minor changes to bypass common defenses such as port and allowed path blocking. As such, four broad predictions:

  • Many organizations will not patch core systems, and will instead put in protective defenses such as AV, blocking ports and IP addresses, and other supplemental actions. Thus, future morphs of WannaCry will continue to impact customers.
  • After some minor reductions in the volume of attacks we will see continued:
    • Increase in leveraging attack tool leaks to fuel new attacks. Increase in attacks that focus on incidents that demand immediate monetary payment (i.e. DDOS, ransomware, identity change, etc.).
    • Exploits of older vulnerabilities will continue to make headlines.
  • Industry and government regulatory bodies always respond to major cybersecurity events, so you can assume there will be continued tightening of requirements around vulnerability management and patch hygiene.
  • Risk management will become more fundamental in the scheme of prioritizing resource allocation and spend. More alignment between business needs and underlying security activities is on the horizon … this is still a year of planning and early walks for most organizations.


In Summary

While newsworthy and certainly impacting organizations, the underlying issue for WannaCry is patch hygiene. Organizations must focus on understanding the IT investments needed to upgrade applications tied to OS changes (i.e. config, patches, etc.) in order to shorten the path from vulnerability to patch to deployment. Understanding major newsworthy hacking events can reveal defensive commonalities that have broad, risk-reducing impacts on the organization in the short and long term.


These include:

  • Aligning business risk tolerance to a risk and cybersecurity plan
  • Prioritizing actions to reduce risk (less whack-a-mole)
  • Focus on the fundamentals that positively impact all threats:
    • Educating people
    • Business-driven risk reduction tied to an action-oriented plan
    • Continually test your environment for weaknesses
    • Strengthened identity and access assurance program
    • Assume all defenses will fail and that your understanding of your environment isn't optimal. Make sure you have expert visibility at the perimeter, inside the network, in the cloud and on attached mobile devices. You must be able to monitor logs, packet traffic and what's actually happening on the endpoint. More importantly, you must have the expert capacity (people) to seek, monitor and respond to threats.
    • Automate your processes wherever possible. Very few organizations can invest at a level that provides enough people to adequately address the workload manually. The more organizations seek to enhance the efficiency and efficacy of their security teams, the greater the probability of success.


RSA’s Business-Driven Security solutions uniquely link business context with security incidents to help organizations manage risk and protect what matters most. The RSA Risk and Cybersecurity Practice, our expert professional services team, helps organizations identify, assess, and close the gaps, and take command of their evolving security posture. Feel free to contact RSA for further detail or assistance.


Additional Resources

Join more than 2,000 security, risk and compliance professionals at the premier Business-Driven Security event, RSA Charge 2017. This year’s event will be held Oct. 17-19 in Dallas at the Hilton Anatole Hotel.


This is your opportunity to network with RSA customers, partners, and industry experts while discovering how to implement a Business-Driven Security strategy in an increasingly uncertain high-risk world.


To whet your appetite, check out Top 10 Reasons to Attend RSA Charge 2017 and Agenda at a Glance. For those that are waiting for confirmation, the RSA Archer Working Groups will be held on Tuesday, Oct. 17 from 9:00 am – 3:00 pm, with more information coming soon. RSA University will also once again be offering condensed training courses beginning Monday, October 16 and on Tuesday, October 17, with information available soon on the RSA Charge microsite.


Don’t miss this event - inspiring Keynotes, hands-on labs, strategic security sessions, technical deep-dives, and so much more; register today and save $300 now through June 30 with the Early Bird Discount.


See you in Dallas!


In my last blog "Translating Security Leadership into Board Value" I introduced RSA's most recent Security for Business Innovation Council report along with the concept of Business Driven Security.  A business driven security strategy is of great value to existing CISOs, information security leaders and the organizations they serve.


To explore business driven security concepts a little more, imagine that you have just accepted a job at a different company, to be responsible for the company’s entire information security program. You know very little about your new company except what you have read on their website, via Google searches, and from published financial statements. You are very excited to start your new job, and you know your first priority is to complete a preliminary assessment of information security in a very short period of time.


On day one, you know you don’t know:

  • The information most important to the organization;
  • The information security regulations imposed upon your organization;
  • How much important information needs to be protected;
  • Where the important information resides inside the organization and with third parties the organization does business with;
  • What technical and organizational measures the organization has in place to manage and monitor information risk;
  • Whether the technical and organizational measures that are in place are commensurate with the level of information security risk; and
  • Whether technical and organizational measures are designed and sufficient to tell you the potential impact to the organization should the measure fail, a vulnerability arise, or breach occur.


By utilizing RSA Archer and consistently applying risk management principles such as those outlined in ISO 31000, you are able to build the foundational elements of a business driven security strategy for just about any type of information that is important to the organization whether it is intellectual property; imposed by contractual obligation, such as PCI; or imposed by regulations such as GLBA or EU-GDPR.


The following diagram provides a condensed view of where RSA Archer would be used to enable a business driven security strategy. RSA Archer is used to document the identification of information at risk; assess inherent and residual risk around the information; evaluate the acceptability of the risk; document the technical and organizational measures to mitigate risk; document decisions regarding the acceptance of risk; perform control tests; and monitor the on-going risk profile, related key risk and control indicators, and outstanding risk issues to be remediated. Lastly, RSA Archer is used to capture vulnerabilities, incidents, and control gaps, and to provide insight into their business context and the amount of associated risk, so that problems are remediated based on their priority and significance.



By utilizing RSA Archer as your foundation for Business Driven Security you are able to answer the questions you set out to answer.  You now know:

  • What information is most important to the organization;
  • What information security-related regulations are imposed upon the organization;
  • How much important information needs to be protected;
  • Where the important information resides inside the organization and with third parties
  • What technical and organizational measures the organization has in place to manage and monitor information risk;
  • Whether the technical and organizational measures in place are commensurate with the level of information security risk;
  • Whether the risk treatment measures are designed and sufficient to tell you the potential impact to the organization should the measure fail or indicate that a vulnerability or breach has occurred; and
  • Whether the information security risk profile is changing and why it is changing


All of this information informs your conversation with executive management and the board.  You are able to articulate the amount of risk in business terms, justify security expenditures, and state how much various breaches might impact the organization, should they occur.  Finally, with your documentation and methodical approach, you are able to demonstrate to all of your stakeholders, including regulators, that you have a sound, logical, and defensible risk-based approach to information security.


Learn more about how Archer can enable a business driven security strategy in your organization with this just released white paper: 7 Steps to Build a GRC Framework Aligning Business Risk Management for Business-Driven Security.


CISOs find themselves increasingly engaged directly with their Board and Executives because the Board and Execs see the volume and impact of security incidents increasing.  In fact, Oxford Economics just reported that serious breaches permanently shave nearly 2% off public company value.  This is in addition to the substantial expense ($4 million per breach on average) and turmoil organizations experience when incidents do occur.  Executives and Boards are left wondering if management understands the risk – where it resides, how much it is, and whether it is being adequately addressed. 


When CISOs get the call from their boards and Execs, they are often not able to answer these questions or to converse in the way the Execs and Board want. CISOs are extraordinarily adept at understanding the security risk that arises around the technologies employed by their organization, but translating that technical understanding into business terms can be difficult. Translating technical risk into business risk is a paradigm shift for most organizations. Effective information security programs are becoming “Business Driven Security” programs.


RSA just released a Security for Business Innovation Council Report regarding this problem, “What Boards Want to Know and CISOs Need to Say” that discusses the translation of security leadership into board value.  A Business Driven Security strategy is core to the translation of CISO technical expertise into Board terminology but it also enables CISOs to better understand where they should implement technical and organizational measures to protect the most important information to the organization.  This understanding can be more easily conveyed to the Board and executive team before spending millions of dollars on security initiatives and human resources.  It provides the what, where, how, and why they are spending the money, that it's being spent properly, on the biggest risks, and that there are procedures to monitor that the spend has been effective.  In my next blog I will describe how you can use RSA Archer to drive a Business Driven Security strategy.



Looking for information on Archer and how to get the most out of it?  The Archer Information Design and Development team (formerly known as Technical Publications) has your back.  I’m Elizabeth Wenzel, and I have the pleasure of managing a talented team of content developers that are working hard to deliver the information that you need to get the most value out of your Archer investment.


We are currently working to not only strengthen and deepen the coverage in the existing documentation but also to add additional content and manuals to help you on your business-driven security journey with RSA Archer. Of course, having a lot of material to use is both a blessing and a curse – you know that the information is ‘somewhere’ but where?  This is where the new RSA Archer Navigator 2.0 comes in.


Use the Navigator on RSA Link to filter the Archer assets by your role and expertise in using Archer, the area you are focused on (Platform, Use Cases, and so forth), and the product version. Navigator shows you the assets that meet your filter criteria, allowing you to jump right in and get the right information so you complete your task.


While all of the documentation content, other than technical content (installation, sizing, and Archer Control Panel) is included in the Archer online Documentation system built into the Archer product, we’ve anticipated that you may have the need to access that information in a printable book format (PDF) – all of the content in the online Documentation is also available within PDF guides (the same content in two formats): What’s New Guide, Platform Administrator’s Guide, User Guide, RESTful API Guide, and Use Case Guides.  Combine these with the technical documents such as Installation and Configuration Guide, and it adds up to a lot of content at your disposal! Now, I recommend you use the Navigator to hone in on just what you are looking for. If we’ve missed something, we have even provided an easy way for you to share this with us, right on the Navigator home page.


We hope you agree that the Navigator 2.0 is a helpful tool; find your path to success with the RSA Archer Navigator 2.0.


Watch the RSA Navigator video to maximize your Navigator experience. 

So time flies… It seems like yesterday when the RSA customer community gathered in New Orleans to share experiences and learn new tactics and strategies. 2017 marked the 13th year of the RSA Archer user community summit and believe it or not, year number 14 is just around the corner.   Last week, we announced the call for speakers for RSA Charge 2017 and I cannot wait to start seeing the speaker submissions flowing in.  

We have put together a stellar team to construct the learning tracks to optimize your experience. As content chairperson for the RSA Archer portion of RSA Charge, I have the privilege of seeing this process unfold. While this will be my 9th user group conference with RSA and Archer, it is still inspiring to hear you tell the stories of your successes - how you overcame challenges or leveraged an innovative approach to deliver strategic value to your organization.

If you are contemplating submitting a session, know that this is a very rewarding experience. Presenting to your peers can be a bit unnerving but the satisfaction and return is well worth it. To teach others is to learn about oneself. Thinking through your experiences, applying your new found knowledge and acknowledging your successes and lessons learned is as much of a benefit as imparting your wisdom to others.

A few topics come to mind as food for thought if you are looking for ideas:

  • We always welcome stories about how your long term strategies unfolded in your companies. Our Take Command of Your Risk Management Journey track is dedicated to hearing how you built your plans, gathered forces and conquered the difficult path that risk and compliance efforts can sometimes take.  
  • As the market moves toward concepts of Integrated Risk Management, the Inspire Everyone to Own Risk track needs content focused on engaging all lines of defense to manage risk. How your company is blending different risk initiatives - Operational Risk, Resiliency, 3rd Party Risk and Audit – is a topic of keen interest.
  • We can’t forget the Compliance world either. Many of your GRC and risk management efforts were borne out of compliance drivers and our Transforming Compliance track is THE place to tell your tale. One topic that keeps coming up is the impending General Data Protection Regulation (GDPR). Any story of how your organization was better prepared for GDPR or any new regulation based on the RSA Archer implementation is a great learning topic for all participants.
  • And what RSA user group conference is not complete without stories of how IT & security risk is being managed. RSA Archer has a great legacy when it comes to helping IT & security teams manage risk processes. Vulnerability and threat management, security incident processes, IT compliance and general IT risk strategies are top of mind subjects for every organization today and perfect for the Managing Technology Risk in Your Business track.
  • Last but certainly not least are the RSA Archer Technical Tracks. This is where the innovation, creativity and expert chops of RSA Archer administrators come to the forefront.   The topics in these tracks range from inventive workflows to state-of-the-art API integrations and more.

I invite all of you to take a look across your implementation of RSA Archer and pull out those nuggets to share with your peers. RSA Charge is the perfect venue to help others navigate their own challenges. Hope to see and hear you in Dallas!

Check out our webinar in preparing to submit your proposal.



Believe it or not, the RSA Charge 2017 event is only six months away, Oct. 17-19 in Dallas at the Hilton Anatole. Visit the RSA Charge microsite, now open!  And this means, 'Call for Speakers' submissions are now being accepted as well.  


In case you were not able to attend one of the two live RSA Charge 'Call for Speakers' webinars in April, 'What You Need to Know About Submitting Your Speaker's Proposal', the webinar replay is now available for your listening pleasure.


To help you get those creative juices flowing, the following 2017 Submission Tracks have been identified for RSA products; for full session descriptions please see attachment:


Security Operations, Identity, Anti-Fraud

  • Detecting and Responding to the Threats That Matter
  • Identity and Assurance
  • Reducing Fraud, while Not Reducing Customers
  • Secrets of the SOC


Governance, Risk and Compliance

  • Inspiring Everyone to Own Risk
  • Managing Technology Risk in Your Business
  • Taking Command of Your Risk Management Journey
  • Transforming Compliance
  • RSA Archer Suite Technical
  • RSA Archer Suite Advanced Technical


It is recommended that, once you listen to the replay, you use the 'offline' form available on the microsite as your draft before submitting. You may also have more than one submission. The official RSA Charge 'Speaker' Submission Form is also available on the microsite.


Please Note: 'Call for Speakers' closes on May 26.

Completing the Puzzle

Posted by Marshall Toburen, Apr 14, 2017

In a previous blog I reviewed the real-world payback for being a risk leader.  Let’s say your company gets it: they know that good risk management increases the likelihood that objectives will be fulfilled and profits improved, and now you’ve been given the assignment to start the risk management program and make your organization a risk leader.  Where do you start, how far do you take the program, and how do you get from start to finish?


Today, most organizations operate based on a complex interrelationship of business processes, technology, telecommunication, supply chains, and outsourced activities.  Putting the puzzle pieces together may not be easy in your organization.  No one talks about risk the same way.  Capturing the pieces and analyzing and understanding them is challenging, and it is difficult to convey them to the boss in a consistent manner with the limited resources you have available, within the deadlines you have been given.


Since our inception we have worked with thousands of companies to help them build a risk and compliance program tailored to their most pressing needs.  We have learned that most organizations just starting out tackle the same problems and follow the same general path.  We have consolidated these pieces into the RSA Archer Ignition Program.


The RSA Archer Ignition Program is a fast-track, economical approach to launching the foundational elements of a business risk management strategy, helping organizations get up and running as quickly and easily as possible.  The Ignition Program includes:

  • The ability to catalog and monitor Risk, to establish a strategic method to understand risks across the enterprise;
  • The ability to identify and track Third Parties used by your business to understand the emerging ecosystem that affects risk;
  • A process to manage Issues that arise from audits, risk assessments, and internal compliance activities;
  • A Business Impact Analysis framework to quickly catalog and prioritize assets and business processes to build the context to connect risk and prioritize technical and organizational risk treatment measures;
  • Fixed-price deployment and quick launch professional services to let you quickly stand up your environment; and
  • Insights and best practices from RSA University.


In my prior post, I discussed the Risk Catalog component of the RSA Archer Ignition Program.  With organizations outsourcing so much of their business activities these days, understanding and managing these outsourced relationships is also a critical, foundational component.  As part of the RSA Archer Ignition Program, the RSA Archer Third Party Catalog allows you to document all third party relationships, engagements, and associated contracts, as well as the business units and named individuals in the organization that are responsible for each third party relationship. With RSA Archer, you can understand the significance of your outsourced relationships. You can report on all third party information, including profiles, engagements, third party business hierarchy, internal contacts, facilities, third party contacts, and more within a single repository.

Key Features of the RSA Archer Third Party Catalog allow you to:

  • Catalog organizational elements of your business for third party reporting
  • Catalog suppliers, partners, service providers and other third parties
  • Capture important details related to third parties, including contracts
  • Map internal business units to third parties
  • Manage contacts with third parties
  • Efficiently manage your third party relationships
  • Establish accountability for each third party relationship
  • Track exceptions related to third party relationships


With the RSA Archer Third Party Catalog, you can:

  • Obtain awareness of all third party relationships throughout the organization
  • Reduce time spent identifying third party relationships and contracts
  • Build awareness of managers’ accountability for individual supplier relationships and quickly identify relationship owners
  • Track contract terms, including notification of key contract events such as contract obligations and renewal and expiration dates


The RSA Archer Ignition Program empowers organizations of all sizes to complete the puzzle, to respond to risk with data-driven facts using a streamlined, fast time-to-value approach.

I’m glad the world didn’t end during DRJ Spring World 2017 conference last week, because over 1,000 of the world’s business continuity and disaster recovery specialists were there!


It was another great conference and I had the pleasure of presenting on building resiliency across the organization’s value chain and the key relationship between business resiliency and operational risk management. Both topics were on the minds of attendees as shown by their questions:


  • Outside of surviving a high profile disaster, how do we make customers understand the value that our resiliency program adds to our product or service?
  • If the company has a critical Third-Party vendor and that vendor outsources, who owns the relationship and the potential risk exposure?


Also, over 20% of the sessions at DRJ dealt with resiliency or risk which shows experts are thinking about the importance of business resiliency on the organization and how risk should be considered more broadly than just recovery.


I mentioned in a previous blog, Driving Resiliency Through Operational Risk Management, that there is a direct correlation between driving business resiliency (versus recovery only) and operational risk management (ORM). I believe collaboration between ORM and business continuity programs is a precursor to improving business resiliency, and the top three reasons are:


  1. The bigger picture – looking outside typical business continuity type risks, like natural or man-made disasters, broadens our horizon. Considering the potential risk and impacts from supply chains, reputation impairment, social media, regulatory compliance, or even the risk culture within the organization highlights new risks that could have larger effects on the organization’s resiliency and that were never dealt with before. Coupled with a view across the value chain, resiliency teams are better able to anticipate how these new risks might impact the going concern of the organization.
  2. Aligns the forces – the ORM “umbrella” by its very nature aligns risk functions across the organization, including their methodologies, approaches, resources and outcomes. The key is that ORM gets these separate functions on the same page, working together, aligned on priorities, and striving toward agreed-upon and appropriate outcomes. Individuals or siloed groups trying to manage risk may feel that their efforts don’t affect the outcomes, but a larger, more coordinated approach does.
  3. Drives risk maturity – as risks become more complex, fluid and pervasive, risk approaches need to mature to enable the organization to become resilient to those risks. ORM is a discipline that continues to evolve and mature, unlike siloed risk functions in every organization that attempt to deal with risks reactively, as best as they can. Every organization should evaluate its holistic risk management capabilities against a maturity model (refer to my blog above), determine where it currently stands, and decide what the end goal is in terms of risk maturity.


Organizations that are able to align siloed risk functions under the auspices of their ORM programs have a better chance to become risk-proactive, even opportunistic. As ORM and Business Resiliency are considered together and measured against the bigger picture of the organization’s value chain, functions like business operations, business continuity, supply chain management and internal audit can understand the risks that impact their organization and implement better measures to ensure the resiliency of the organization.


Send me your comments at or connect with me @pnpotter1017.

Many of you know that implementing an effective governance, risk, and compliance program can be a costly and time-consuming effort: hardware, software, and the active engagement of a lot of people in the 1st, 2nd, and 3rd lines of defense.  Before implementing a program, and periodically throughout the life of the program, the question always arises from senior management: Is this REALLY worth the cost and effort?


I have very good news for you. The return on investment (ROI) in implementing a GRC program using RSA Archer is probably better than most any other investment your organization can make!


Over the past 5 years we have engaged three independent assessments of the ROI of RSA Archer.


The first independent analysis of RSA Archer customer ROI was conducted by Forrester in April, 2012. This analysis showed a 3 year composite ROI of 572%.  Even we were stunned and a little skeptical of Forrester’s estimate.


In November, 2014, GRC 20/20 took a look at one of our largest financial institution customers and confirmed that they were achieving annual savings in excess of $1.5 million / year while increasing assessments 317%, without increasing staff.  We were feeling a little more confident that the ROI was huge.


Finally, just last month, IDC completed an independent analysis of a cross section of Archer customers and concluded that the 5 year ROI related to their Archer implementation was 496%, with average annual benefits of $4.1 million per organization, or $17,931 per user.  That represents a payback period of only 11 months!


The IDC Report attributes the ROI of RSA Archer to 3 factors: improved risk mitigation, greater business productivity, and IT infrastructure cost savings.  I encourage you to read the IDC report.  Your organization’s results might vary based on the scope of your program but you will be able to see the individual breakout for each of the areas where they identified positive returns:

  • Network security breach response
  • Auditing
  • Disaster recovery management
  • Third-party risk management
  • Risk management assessments
  • Regulatory compliance


Whether you have a small program or a large, mature program, it is safe to say that you are probably seeing a significant, positive return on your investment in Archer; based on these independent assessments, upward of 500%.  If you don’t believe it, try estimating your own ROI.  I explain how to estimate your ROI in an earlier blog, and we have made a template available for you to do so.

Marshall Toburen

Capture the Prize

Posted by Marshall Toburen Employee Apr 5, 2017

Risk is the effect of uncertainty on objectives.  Organizations that manage risk well increase the certainty that their objectives will be achieved.  Not surprisingly, organizations that lead in the management of risk “capture the prize”.  They more frequently achieve their objectives and are actually more profitable and less likely to experience a negative profit margin than those organizations that don’t manage risk well. 


[Figure] Source: PWC 2015 Risk in Review Survey

Pretty compelling stuff, right?  You would think that everyone would be chasing this certain prize.  Yet, there are still a lot of organizations that think it too difficult and time consuming to set up a basic risk management program.  With this in mind, earlier this year we announced the RSA Archer Ignition Program – a fast-track approach to launch the foundational elements of a business risk management strategy to help your organization get its program up and running as quickly and easily as possible.  The Ignition Program includes:

  • The ability to catalog and monitor Risks to establish a strategic method to view and understand risks across the enterprise;
  • A process to manage Issues from audits, risk assessments, and internal compliance processes;
  • A Business Impact Analysis framework to quickly catalog and prioritize assets and business processes to build the context to connect risk and prioritize technical and organizational risk treatments;
  • The ability to identify and track Third Parties used by your business to understand the emerging ecosystem that affects risk;
  • Fixed-price deployment and implementation services to let you quickly stand up your environment; and
  • Insights and best practices from RSA University.


A central element of the RSA Archer Ignition Program is the RSA® Archer® Risk Catalog.  It provides the foundation to record, assess, and track risks across your enterprise, and establish accountability by named first and second line of defense managers. It provides a three-level rollup of risk, from a granular level up through enterprise risk statements. Inherent and residual risk can be assessed utilizing a top-down, qualitative approach, with assessed values rolling up to intermediate and enterprise risk statements.

Key Features

  • Consistent approach to documenting risk, assigning accountability, and assessing risks
  • Oversight and management of all risks in one central location
  • Ability to understand granular risks that are driving the big risks across your enterprise
  • Consolidated list of prioritized risk statements


With RSA Archer Risk Catalog, you can:

  • Obtain a consolidated list of the organization’s risks
  • Enforce a consistent approach to risk assessments
  • Prioritize risks to make informed decisions about risk treatment plans
  • Create accountability for the ownership of risks


The RSA Archer Ignition Program empowers organizations of all sizes to respond to risk with data-driven facts using a streamlined, fast time-to-value approach. Contact us to learn how we can help you capture the prize.