
RSA Archer Suite


If as a child you marveled at watching the simple, fascinating micro-example of physics of a pebble dropped into a puddle, you know what the results are. The pebble drops; the water’s surface is broken; ripples fan out from the point of impact… such an unassuming yet beautiful study of cause and effect.   Now imagine instead of a puddle, it’s a lake, with stones dropping at a continuous and rapid rate, all in different spots. I am sure you can visualize the effect - the water agitated in all directions, waves tossing to and fro…

Many organizations today face this churn when it comes to risk. It is not that organizations aren’t thinking about risk. Survey after survey indicates risk is a board level topic. But the rocks keep falling. Those that are tasked with managing risk are riding the roiling waves. Issues are identified through a variety of sources such as audits, risk assessments and security assessments but are not managed properly to closure. Prioritization of these issues is near impossible because there is no common understanding of the business criticality of business assets and processes affected by these issues. Companies then lack any consolidated view of general risks or have a very manual, spreadsheet-based approach to cataloging and assigning risks. And the lake and those falling rocks aren’t always in the control of your company. Third parties (outsourcers, contractors, service providers, business partners, etc.) are becoming increasingly important and organizations just don’t know what entities are impacting their risk profile.

To address this churn, RSA Archer is pleased to announce the RSA Archer Ignition Program – a fast track approach to launch a business risk management strategy. To strategically address risk, enterprises need a strong foundation for their program. While the risk management program vision may be a long-term initiative, there are some specific areas that need to be addressed at the beginning of the effort that not only provide quick value to the organization but set up a much healthier and sounder foundation for the future. A strategic foundation needs:

  • A process for Issues Management to eliminate ‘churn’ around risk and compliance issues from audits, risk assessments, and internal compliance processes;
  • A Business Impact Analysis framework to catalog and prioritize assets and build the context to connect risk issues to impacts to the business;
  • The ability to catalog and monitor Risks to establish a strategic method to view and understand risks across the enterprise; and
  • The ability to identify and track Third Parties used by the business to understand the emerging ecosystem that affects business risk.


The RSA Archer Ignition package includes integrated use cases to address these four key areas via RSA Archer Use Cases with Quick Launch services and education offerings to get your program off the ground quickly.   This package is priced and scoped based on the size of the organization allowing you to maximize your initial return on your investment.   Once your organization gets these processes in place, RSA Archer provides a maturity driven approach to build on these foundations to develop a strategic approach for Business Risk Management.   Our suite of use cases allows you to grow your risk management program to the level of maturity necessary for your business and ensure your lake, while still full of waves, is manageable and navigable.

For more information, see the RSA Archer Ignition Program.

Political risk is the risk of financial, market or personnel losses resulting from political decisions or disruptions.  In the past, organizations doing business internationally were significantly concerned about political risk.  Top of mind were worst-case scenarios such as government nationalization, trade restrictions, and the imposition of barriers to access resources.  Things have changed and organizations of all kinds are realizing they must become much more savvy political risk managers in order to thrive.


The most poignant example of domestic political risk so far this week was the announcement by two Western cities to pull their business from the financial institution financing the Dakota Access Pipeline project.  This amounts to more than $3 billion in annual cash flow! 


Less recent but frequent examples include being specifically called out and criticized by the executive branch, vacillation in the enforceability of government mandates, and uncertainty over future government policies, regulations, trade agreements, and tax codes.


Organizations do not thrive in an environment of uncertainty and so must find ways to cushion themselves from political risk.  Risk management principles that are effective for operational risk can be equally applied in the management of political risk.

  • Catalog your organization’s strategic objectives, products and services, business processes, infrastructure, and third party relationships. This gives you business context and a baseline of exactly what your organization is doing and who they are doing it with.
  • For each of the items catalogued, document what politically-related things could happen that would be adverse to the organization.
  • Assess these political risks. How likely is the political risk to occur, how would it manifest, and what would be the worst-case impact to the organization should it happen?
  • Examine the complete portfolio of risks to your organization and prioritize actions to be taken to reduce those risks that exceed your organization’s risk appetite.
  • For political risks that exceed acceptable levels, actions may include reducing the activity that introduces political risk, creating contingency plans to minimize the impact if the political risk incident arises, proactively adjusting the business plan to hedge the risk, and negotiating with the counterparties that are the source of the political risk.
  • Monitor the political risk as the political environment changes. Political risk tends to be volatile and can appear quite suddenly.  This volatility warrants constant, diligent monitoring.


Today, political risk can severely damage an organization’s reputation, financial performance, and fulfillment of objectives.  It warrants the application of proven risk management tools such as the RSA Archer suite to methodically apply accepted risk management principles to this vexing risk.

Great news! The RSA Archer Platform version 6.1 just received an Evaluation Assurance Level (EAL) of 2+ from a Common Criteria lab. The RSA Archer platform has carried this designation across many years and many versions, but was just retested and recertified against our latest platform changes and enhancements.

What is an EAL?

It is the designation that an impartial third party assessor has tested the design and functionality of RSA Archer software to prove that the internal security features of the platform work as intended (and as advertised!).

Why should you care?

This gives the end user assurance that a tool with an EAL can be used to safely store and process sensitive data. For example, EAL testing gives the assurance that RSA Archer provides not just rigid access control between authorized and unauthorized users, but also rigid and nuanced access enforcement between different levels of authorized internal users. These CC EAL certifications are important to our public sector buyers. Even if you’re in the private sector, however, you can get a little extra peace of mind knowing that this EAL 2+ has enabled RSA Archer to be implemented in a wide range of federal environments, including in highly sensitive and classified environments.

Our evaluation was performed by Leidos' Common Criteria Testing Laboratory within its Commercial Cybersecurity practice. Leidos is one of the top evaluation and testing laboratories approved by the National Information Assurance Partnership (NIAP).

A full announcement is available here, but I wanted to share the update too. We’re all proud of the progress we are making in moving the platform forward with new features, but maintaining our strict security standards as we go!

Thanks for reading and, as always, email me with questions or comments.


How many times growing up did my mother say to me after I did something particularly stupid, “I hope you learned your lesson!” Luckily it wasn’t that often, but on those occasions I usually did learn a lesson. However, what was painful was the lesson came after I had made the mistake and suffered the consequences. I’ll never forget the time my mother looked down at me sprawled on the ground in a heap after a very gnarly skateboard wipeout, and said, “that wouldn’t have happened if you had been at work with your father.” Thanks mom.


Anyway, mothers are usually pretty forgiving, but the world of business isn’t always so. We only have so many chances to learn from our mistakes, especially when crises or business disruptions occur, because the ramifications can be so high.


Business Continuity Planning (BCP) and Crisis Management (CM) are disciplines built on the foundation of preparing, planning, testing, assessing risks and other proactive measures so that when a real crisis occurs we are as prepared as we can be. However, you’ve heard the saying that there’s no substitute for real experience? Well, we always learn things when a real crisis occurs that we could not even think to plan for, and it is important to capture those lessons learned and incorporate that insight into our planning and preparation for the next inevitable event. Hence, the reason we have added a Lessons Learned Assessment (LLA) into the RSA Archer Resiliency Management use case.


The RSA Archer Resiliency Management use case (Check out the Business Resiliency Use Cases) enables organizations to manage disruptive events as they occur. The use case integrates with Emergency Mass Notification Systems (EMNS) to manage crisis communications, and helps users activate Business Continuity and IT Disaster Recovery plans to recover parts of the organization disrupted during the crisis. What the LLA adds is an easy, yet inclusive way to capture feedback from each member of the crisis teams after the crisis event is under control, such as what occurred, what could have been done differently to handle the event and so on. The LLA is in a survey format using our new advanced workflow, which makes it easy to identify team members and ask them questions based on their role. For example the Human Resources (HR) person responds to the HR questions and so forth. The results of the surveys are compiled, issues and follow up actions are captured and the information can be easily viewed via Archer reports and dashboards. In short, the LLA is a very practical and simple way to capture real-time, valuable insight from those closest to the crisis event. That insight can later be used to adjust crisis response plans or recovery strategies, as examples.


The LLA was introduced in the RSA Archer 6.2 launch in December 2016. This release also includes other valuable platform and solution enhancements you can see here (6.2 Release Update). One of those is how the updated Issues Management use case now integrates with the Business Continuity and Disaster Recovery Planning use case. This is powerful because you can now create and track issues and remediation plans raised directly from BC/DR plan tests or crisis events, and take advantage of new advanced workflow to better manage the issues. I’ll be talking more about and showing a demo of the LLA on the January 21 Free Friday Tech Huddle (Free Friday Tech Huddles), so dial in and learn more.


To conclude and give my mom some credit, she also says, “If you want to be successful, learn from successful people”. Well, input from many successful people went into developing this new LLA (kudos to the BCM Working Group and our internal SME team). However, success is not only built on smarts and hard work, but lessons learned along the way. Hopefully this Lessons Learned Assessment will help you be more successful in your efforts to better manage the crises your organization faces. As always, send me your feedback at, and good luck!

For the third consecutive year, Gartner has placed Dell Technologies (RSA) as a Leader in the 2016 Magic Quadrant for Operational Risk Management Solutions.

As you can see in the MQ graphic (above), Gartner has positioned Dell Technologies (RSA) based on “ability to execute” and “completeness of vision.” 


This year’s Magic Quadrant (MQ) evaluation was based on RSA Archer Release 6.1. This release represents a collection of individual use-case-based-solutions that can be purchased and deployed independently or collectively. RSA Archer developed this new approach to align with the way our customers typically mature their operational risk management (ORM) programs. Customers are able to affordably purchase and install exactly what they need, when they need it, and then easily build out a more comprehensive ORM solution when they are ready. When combined with other RSA Archer solutions, organizations can extend their ORM solution into a broader, enterprise risk management deployment.


Gartner evaluates customers’ reviews of solution capabilities, and we thank all of you that took time to participate in this year’s survey from Gartner. We sincerely appreciate your valuable time in sharing your thoughts and experiences with the Gartner team. Much of RSA Archer’s strength stems from the passion of our customers across numerous industries, in more than 50 countries, and what they share with us and more than 6,000 of their peers in the RSA Archer Community on RSA Link.


We value Gartner’s insight on changes in the practice of risk management because they invest significant time and effort in talking with so many organizations around the world regarding their risk management program activities. Of particular interest to us is Gartner’s observation that “security and risk management leaders are seeking to integrate their risk management solutions to gain a more holistic view of risk across the enterprise,” and that “operational risk management solutions serve as the core element of integrated risk management.” We’ve also heard this from our customers and see it in analyses of various enterprise risk management (ERM) surveys. Organizations globally seem to be moving toward ERM, and, in fact, the practice of ERM has reached critical mass. Why? Perhaps because, as Ernst & Young reported, companies in the top 20% of risk maturity generate three times the level of EBITA than those in the bottom 20%!

If your organization is in the process of extending your ORM program or “testing the waters” for ERM, we encourage you to reach out to us to learn more about how Archer can provide your organization with a proven path for your risk and compliance roadmap.

Interested in reading more about the Gartner Magic Quadrant for ORM Solutions? We’ve made the report available to you here to share with your colleagues and management team.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Dell Technologies RSA. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

On November 1, the U.K. government published its National Cyber Security Strategy 2016-2021. This 81-page strategy explains the U.K. government’s approach to tackling and managing cyber threats in the U.K. and sets out how the U.K. will aim to be one of the most secure places in the world to do business in cyberspace.


Having read a number of information security policies over the years, I am struck by how much more detailed this U.K. Strategy is compared with heretofore efforts.  Here are a few examples of what I mean:

  • The document defines “cyber security as the protection of information systems (hardware, software and associated infrastructure), the data on them, and the services they provide, from unauthorised access, harm or misuse. This includes harm caused intentionally by the operator of the system, or accidentally, as a result of failing to follow security procedures.” This seems to me to be a broad but accurate definition.  It acknowledges that effective cyber security is both an electronic and physical security challenge and that there are a number of other operational risk considerations to cyber security including intentional and unintentional human error, and harm resulting from natural and man made disasters.
  • The strategy defines threats and vulnerabilities, the role of defense and deterrence and the strategy for strengthening cyber security skills and human resources.
  • The strategy is forward looking, calling for “effective horizon scanning” while promoting the use of metrics to gauge progress and effectiveness of the cyber security strategy.
  • The strategy sets a cyber security bar for all U.K. organizations, public and private, stating: “we will not accept significant risk being posed to the public and the country as a whole as a result of businesses and organisations failing to take the steps needed to manage cyber threats.” To do this, the strategy states: “The Government will make use of all available levers, including the forthcoming General Data Protection Regulation (GDPR), to drive up standards of cyber security across the economy, including, if required, through regulation.”
  • It endorses The National Data Guardian for Health and Care data security standards.
  • The strategy will be promoted to businesses, by working “through organisations such as insurers, regulators and investors which can exert influence over companies to ensure they manage cyber risk” and to “highlight the clear business benefits and the pricing of cyber risk by market influencers.”


If there was any question as to whether “Brexit” meant the U.K. was going to exit the EU General Data Protection Regulation, this Strategy makes it clear that complying with GDPR remains a priority.  There is much to comply with in the GDPR.  Please read my blog to get more background about this significant regulation.  If your organization is doing business in the U.K., it is time to familiarize yourself with this new Strategy and prepare your organization for the compliance obligations which will follow on.

At the end of each calendar year, I look back at how the year went, mainly in my personal life.  For example, I reflect on what happened in my family - who graduated, got engaged or married or had kids, who accepted new jobs or moved.  I also look at how things went with my career, if my health has improved and how my relationship with my wife got better.  These are some of the most important aspects of my life and that’s why I reflect on them.  Not that I don’t think about them more often, because I do, but the end of the year is a good time to look back.


I was also reflecting recently on the areas I oversee here at RSA - which are Business Resiliency and Audit for Archer.  These two areas are not that similar, but I have noted a common theme in that these two fields continue to turn their sights to risk management, moving more and more from being primarily compliance-driven disciplines.  Specifically, they are looking at what the impacts of risk are to the businesses they support - their organizational goals, revenue and growth projections, customer impacts and strategic objectives, to name a few.  I have also noticed that IT organizations, specifically trying to manage the far-reaching effects of cyber threats, are translating IT risk into business impact so executives and business decision makers can better understand the implications and make better decisions.


That’s the pattern I’ve noticed this year - moving to business risk.  It’s the right trend and a good sign.  Some things are helping this along.  For example, frameworks like the ‘three lines of defense’ are being more widely recognized and adopted and are driving better alignment across groups that deal with risk.  It also helps that industry analysts are touting the benefits of aligning the three lines within the enterprise risk or operational risk management (ERM/ORM) umbrella, and that many solution providers and partners are following suit.  This has been RSA Archer’s mantra for many years so it’s good to see it catching on.


What happens next?  We need to take action and I recommend these areas to consider.  


One Step at a Time.  My personal reflections sometimes (maybe not often enough) result in changes in my life but often fall off because they’re based on “changing the world” goals.  I recommend aiming for incremental change.  Do a little better each day.  How do we know if we’re improving our business risk management? We monitor and report and analyze key risk metrics.  We also need to focus on simplicity.  Not many of us are risk experts, but we all have a role in owning risk, so we need a concise set of indicators (think of your car’s dashboard) we can use to make course corrections.  Recognize small victories and build on them. 


First Things First. We need to focus on the most important risks.  Like my personal reflections about my family, career and life illustrate, they’re the absolutely most important aspects of my life.  Business risk management should follow suit.  Complex businesses throw so many risks at us that we can’t focus on everything and do it well.  So, prioritize and focus on the most important risks.


Today and Tomorrow.  I look back to see how the year went but I also reflect every day on how I can improve some aspect of my life.  Business risk management should also include analysis, reflection and action based on long and short term views.  Risks take different shape and affect our businesses differently over the short and long term.  This goes for negative and positive risks.  We can learn much by looking at both viewpoints and taking action based on what we learn.


Something I’ve learned doing this year after year is to stay as positive as you can and keep working at it.  Have a great end of 2016 and may your 2017 be even better!  Contact me at or @pnpotter1017.  

Without question, RSA Charge is my favorite week of the year. RSA Charge 2016 in New Orleans represents 13 years of the Archer community of practitioners, partners and subject matter experts gathering to learn, grow, share, mentor, and network with more than 2,000 of our closest risk management and compliance friends. Even after all these years, RSA Charge continues to inspire me with amazing stories of our customers’ and partners’ accomplishments, ability to overcome challenges, and willingness to share lessons learned and best practices with peers who quickly become new friends and colleagues.


As I rushed between customer meetings at Charge, an RSA Archer customer stopped me in the hallway to shake my hand, introduce himself and say, “Thank you. Thank you for my career. You have enabled me to provide for my family.” He went on to tell me how RSA Archer continues to challenge him and he doesn’t foresee a day that he’ll want to do anything else.


Wow! Albeit brief, this was such a powerful conversation for me. At RSA Archer, we strive to make a difference. In fact, two of RSA’s core values are:

  • We Give a Damn – About our clients, about what we’re doing, about each other. We’re in this together.
  • What We Do Matters – Our work makes a difference in the world.


As technology providers, we aspire to bring business value to our customers. We want to help organizations gain quick wins and inspire everyone within their organization to own risk. And to have that “difference” articulated to me by one of our customers in such a real, personal way truly inspired me.


In my many years with Archer, I’ve witnessed customers beginning their programs, growing their teams, and advancing their careers, and I’ve watched leaders move on to another organization and start this process all over again. I’ve seen Archer associates become Archer customers. And likewise, I’ve seen Archer customers become Archer associates. This technology and the Archer Community continue to inspire teams and help forge amazing careers.


The Archer Community is truly one of a kind. Some have jokingly referred to the Archer Community as “cult-like,” with participants who are truly enthusiastic about sharing and helping others. But I believe that the Archer Community and our Archer team is more like family. Events like RSA Charge feel more like a family reunion -- a chance to catch up, find out how others are moving ahead, help each other through the challenges, and celebrate each other’s successes.


Our Archer family has grown considerably over the years. We can no longer fit everyone into that small hotel conference room in Scottsdale, Arizona that we first shared in 2003. I sincerely cherish the time that we spend together at RSA Charge and I’m looking forward to repeating this fantastic experience once again next year. Get ready to pack up your boots and cowboy hats and I’ll see y’all October 17-19 at RSA Charge 2017 in Dallas, Texas!

What a week! This pre-Halloween week, we held RSA Charge 2016 in New Orleans, the most haunted city in America – and what a phenomenal turnout! We’re thrilled to have more than 2,000 attendees join us this week to share best practices for GRC, security and business risk management and to gain invaluable insights from their peers and subject matter experts alike. And the stories shared at RSA Charge are just a small sampling from the more than 1,300 organizations who have implemented Archer.


The spirits of RSA Archer gatherings past – this being our 13th year – give us this opportunity to look at how much the industry has grown and how GRC is shifting. Risk and compliance management is out of the shadows, transitioning from a functional role to an enterprise-wide strategic perspective. Looking at the “Ghosts of GRC Past, Present and Future” helps provide perspective on the continuing growth and transformation of this increasingly business-critical practice.


The “Ghost of GRC Past” had organizations trying to keep up with new regulations and emerging compliance requirements.  GRC was anything but a strategic program for the business, focusing on very discrete problems and a few, select processes. Archer was there in 2000 at GRC’s beginning, as companies began investigating technology enablers.


The “Ghost of GRC Present” has companies formally adopting practices based on industry and international standards, implementing combined strategies to tie together data and consolidate processes, and instituting frameworks to guide procedures. While technology is a cornerstone of risk management strategies, many organizations still have “skeletons in their closet”, pockets of disconnected risks that can cause serious damage.


The “Ghost of GRC Future” shows growing emphasis on determining how risks impact your company’s overall performance. The very strategies that fuel your company’s growth are the same initiatives that introduce more risk into your organization. GRC can no longer be considered separate from business strategy and objectives, and evolves to become Business Risk Management.


Business Risk Management is more than connecting dots – it’s anticipating where the next dot will be. That means gathering the right information from the right sources to get the complete risk picture you need to analyze and predict your risk landscape, rather than merely survey it. Clearly, it’s time for the “Ghost of GRC Past” to be laid to rest. It’s time to evolve beyond GRC to Business Risk Management.

It’s Official: The RSA Archer NAVIGATOR Tool Is Now Live – premiering at RSA Charge 2016 and on the Archer GRC Community on October 25.


The NAVIGATOR Tool is designed to help you take charge of your learning and power your path to Archer success.

As you know, RSA offers many resources to help you achieve time to value with your Archer investment. It could be participating in our classroom or on-demand training through RSA University.  It could be learning about Archer via our comprehensive user documentation.  Or, it might also be taking advantage of the discussions with RSA subject matter experts, our partners, or your GRC counterparts on RSA Link…the largest GRC Community in the world.  And, engaging with your peers at events such as RSA Charge, or reviewing the more than 60 RSA Charge/Summit customer use case presentations, both of which provide incredible learning opportunities. 


This wealth of information at your fingertips, however, can also be daunting … how do you know where to start, what training and/or documentation are right for you personally?


With the NAVIGATOR Tool, we are taking the first step toward simplifying the process of finding the right information and content for you, based on your role and your level of expertise. That’s right: ‘your role’ and ‘your level of Archer expertise.’ (*see definitions below)


For those of you attending Charge, we will be hosting 3 Lab Sessions in Room 225:

        Wednesday, Oct. 26:   11:15 am – 12:00 Noon

        Wednesday, Oct. 26:    3:45 pm -   4:30 pm

        Thursday, Oct. 27:      11:15 am – 12:00 Noon


For all others, we invite you to watch the NAVIGATOR video and to check out the NAVIGATOR Tool for yourselves (attached below for your convenience). We ask that you remember this is only Phase 1 of a 3-Phase project; our goal is to have an automated NAVIGATOR Tool available in Q1 2017.



*Key Definitions


1.      A person in an Archer Administrator role is typically responsible for implementing business requirements within the RSA Archer Platform. While a full understanding of the Platform features is required, additional knowledge about the solutions in use can also be beneficial.

2.      A person in a Technical Administrator role is typically responsible for the installation and maintenance of the RSA Archer Platform. They require knowledge of the Platform, its solutions and all the technical aspects of deploying RSA Archer for usage by the various teams within their company.

3.      An Archer Business User is typically responsible for defining requirements for an Archer build.  This user should know what the Archer platform is capable of, so that appropriate requirements can be written.  Knowledge of the solution area(s) purchased is also appropriate for this user.

4.      End users of an Archer implementation will benefit from learning how to navigate the system and how to build reports.  They may also benefit from viewing the solution training(s) and reading the Use Case guides for the solution(s) within which they will be working.

Levels of Expertise

1.      Getting Started:  Brand new to RSA Archer and needing foundational information on the RSA Archer platform and solution areas

2.      Expanding: Advancing your knowledge of the platform and achieving a deeper understanding of the RSA Archer use cases and how to implement them

3.      Advanced: Mastering your knowledge of RSA Archer from a technical, administrative or business use, depending upon your role


Whether attending the 2016 RSA Charge event in New Orleans, or back at your office, you can now view and/or download any or all of the 60+ customer Use Case presentations starting today, October 25. (Please Note: several will be posted by EOD today)


This year's presentations represent 6 tracks: 

  • GRC - Taking Command of Your GRC Journey
  • GRC - Where Cyber Risk Meets Business Risk
  • GRC - Transforming Compliance
  • GRC - Inspiring Everyone to Own Risk
  • GRC - Archer Technical
  • GRC - Archer Advanced Technical


The 2016 presentations promise to be some of the best submissions we've received to date. I know, we say that every year, but Archer customers continue to amaze us with their willingness to share their best practices and learnings, and even some of the war stories, with other Archer customers.



We want to help you be successful, whether you are fighting the latest security threat or mitigating business risk. Our industry-leading products help you fight those battles, but we know that buying and installing our products are just the beginning of your journey.

RSA offers many resources to help you achieve time to value with your Archer investment. It could be participating in our classroom or on-demand training through RSA University.  Or, it could be learning about Archer via our comprehensive user documentation.  It might also be taking advantage of the discussions with RSA subject matter experts, our partners, or your GRC counterparts on RSA Link…the largest GRC Community in the world.  And, engaging with your peers at events such as RSA Charge provides an incredible learning opportunity.

There is a wealth of information out there to help you begin your Archer journey.   But with so much information at your fingertips it can be overwhelming to know where to begin.

The RSA Team is dedicated to helping you take charge and power your path to Archer success.  On October 25th, we are introducing the RSA Archer Navigator to simplify the process of finding information on RSA Link.   You can identify learning assets by your role and level of expertise with links to take you directly to the information you need. And you’ll find details like the duration of various assets and the associated Continuing Professional Education (CPE) units that can be earned by leveraging these learning tools. 

RSA is committed to continually adding valuable content and enhancing the Archer Navigator tool so that your RSA Archer journey continues to be a smooth ride!

If you are attending RSA Charge, come to Room 225 to see a demo!

  • Wednesday, Oct. 26: 11:15 - 12:00 Noon
  • Wednesday, Oct. 26: 3:45 - 4:30 pm
  • Thursday, Oct. 27: 11:15 - 12:00 Noon

If you are unable to attend RSA Charge, look for the Archer Navigator banner on the Archer GRC Community for access to the Tool. 


Ready to Be Sued?

Posted by Marshall Toburen Employee Oct 7, 2016



If you are a financial services company (bank, insurance company, asset manager) of reasonable size doing business in New York, this blog’s for you! Yesterday, I attended a meeting regarding the proposed New York State Cybersecurity Requirements For Financial Services Companies. In this meeting, Counsel from the Robinson+Cole - Cybersecurity and Privacy Practice woke me up to the breadth and significance of this regulation. By June 30, 2017, all financial services companies doing business in NY State have to be in compliance with this regulation and in 2018 must begin annually submitting the following signed certification to the NY State Department of Financial Services:


Here is the abbreviated list of what you are going to need to do (please read the regulation for the complete, unabbreviated list):

• Within 5 years of enactment, have your data at rest encrypted
• Within 1 year of enactment, have data in transit encrypted
• Have the ability to reconstruct all financial and accounting records for at least six years should a cyber security event occur
• Designate a qualified Chief Information Security Officer (CISO) with responsibility for compliance with this regulation
• Employ sufficient cybersecurity personnel to manage risks and perform core cybersecurity functions, providing on-going training to these personnel to keep their skills up to date.
• Have multifactor authentication in place around internal systems and external networks
• Have a litany of policies and procedures in place around electronic and physical security, risk assessment, training, third parties, incident response, business continuity, and data destruction
• At least bi-annual reporting to your board of directors regarding the confidentiality, integrity, and availability of your organization’s information systems, policies and procedures, cyber risks, effectiveness of the cybersecurity program, exceptions to policies and procedures, and cyber security events that have occurred.

For the 1,900 or so organizations impacted by this regulation, you will find these requirements to be more prescriptive than the EU General Data Protection Regulation, Gramm-Leach-Bliley Act, and Payment Card Industry rules. However, there is a substantial amount of overlap between these regulations. Organizations that have been effective in addressing these other rules and regulations using RSA Archer should be well on their way to demonstrating compliance with this NY State regulation and minimizing the risk of litigation from non-compliance.

With only a couple of weeks left before the largest gathering of GRC and Security professionals in the world happens in New Orleans Oct. 25-27, 'Throwback Thursday' is making a comeback.


Register by Oct. 10 using code: 8C6TBTSOCIAL to save on the RSA Charge 2016 microsite



We know that there is an enormous amount of content on the Archer Customer/Partner Community, 3800+ pieces to be exact, and it grows every single day. Now add the 40 RSA University training courses, and it can be a daunting task figuring out what is relevant content based on your role within your organization, and your level of Archer experience.


We knew we had to do something to make you successful with Archer training and implementation. You’ve told us so much, and we listened and acted.


We are pleased to announce that on October 25, at RSA Charge 2016, and also on the Archer GRC Community, we will be launching the new Archer NAVIGATOR Tool.


This NAVIGATOR Tool is the FIRST step in an ongoing 3-step campaign to make it easier for Archer customers like you to find relevant training and documentation, plus helpful support content, based on your role within your organization – Archer Admin, Archer Tech Admin, Business User, or End User, and your knowledge level of Archer - from Getting Started (1-2 years), to Expanding (3-4 years) to Advanced (5 years+). 


Phase 2 will start right after Charge, and Phase 3 of the NAVIGATOR Tool will launch in Q1 2017.

There is a dedicated team of Archer employees, across different business units, to help you take charge and power your way to Archer success. The team is focused on building upon each Phase of the NAVIGATOR Tool to make a significant improvement over the prior version. And, we will count on your feedback to help us reach this goal. Our endgame at the conclusion of Phase 3 will be to deliver you an automated solution to manage our informational assets, helping you be an Archer success.


Over the next several weeks, leading up to Charge 2016, you will see blogs from Kathy Coe, Education Services/RSA University; Anya Kricsfeld, Technical Support; Megan Olvera, Education Services/RSA University; Meg O’Neil, Engineering; Susan Read-Miller, Product Marketing; Amy Robertson, Solutions; Denise Sposato, Product Marketing/Communities; and Elizabeth Wenzel, Technical Publications.


If you are attending RSA Charge 2016, there will be 3 lab sessions in Room 225 that you can register to attend on the RSA Charge 2016 microsite, or just drop by. If you haven’t registered yet for RSA Charge 2016, do so today, or visit the RSA Charge microsite for full details.

  • Wednesday, Oct. 26: 11:15 - 12:00 Noon
  • Wednesday, Oct. 26: 3:45 - 4:30 pm
  • Thursday, Oct. 27: 11:15 - 12:00 Noon


We are very excited to launch Phase 1 of the Archer NAVIGATOR Tool on October 25 – hope to see you at RSA Charge in New Orleans, or on the Archer GRC Community.


Take Charge! Power Your Path to Archer Success!