RSA Archer GRC

We want to help you be successful, whether you are fighting the latest security threat or mitigating business risk. Our industry-leading products help you fight those battles, but we know that buying and installing our products are just the beginning of your journey.

RSA offers many resources to help you achieve time to value with your Archer investment. It could be participating in our classroom or on-demand training through RSA University. Or it could be learning about Archer via our comprehensive user documentation. It might also be taking advantage of discussions with RSA subject matter experts, our partners, or your GRC counterparts on RSA Link, the largest GRC community in the world. And engaging with your peers at events such as RSA Charge provides an incredible learning opportunity.

There is a wealth of information out there to help you begin your Archer journey. But with so much information at your fingertips, it can be overwhelming to know where to begin.

The RSA Team is dedicated to helping you take charge and power your path to Archer success. On October 25th, we are introducing the RSA Archer Navigator to simplify the process of finding information on RSA Link. You can identify learning assets by your role and level of expertise, with links that take you directly to the information you need. You'll also find details such as the duration of each asset and the Continuing Professional Education (CPE) units that can be earned by using these learning tools.

RSA is committed to continually adding valuable content and enhancing the Archer Navigator tool so that your RSA Archer journey continues to be a smooth ride!

If you are attending RSA Charge, come to Room 225 to see a demo!

• Wednesday, Oct. 26: 11:15 - 12:00 Noon
• Wednesday, Oct. 26: 3:45 - 4:30 pm
• Thursday, Oct. 27: 11:15 - 12:00 Noon

If you are unable to attend RSA Charge, look for the Archer Navigator banner on the Archer GRC Community for access to the tool.

Marshall Toburen

Ready to Be Sued?

Posted by Marshall Toburen Employee Oct 7, 2016



If you are a financial services company (bank, insurance company, asset manager) of reasonable size doing business in New York, this blog's for you! Yesterday, I attended a meeting regarding the proposed New York State Cybersecurity Requirements For Financial Services Companies. In this meeting, counsel from the Robinson+Cole Cybersecurity and Privacy Practice woke me up to the breadth and significance of this regulation. By June 30, 2017, all financial services companies doing business in NY State have to be in compliance with this regulation, and in 2018 they must begin annually submitting the following signed certification to the NY State Department of Financial Services:


Here is the abbreviated list of what you are going to need to do (please read the regulation for the complete, unabbreviated list):

• Within 5 years of enactment, have your data at rest encrypted
• Within 1 year of enactment, have data in transit encrypted
• Have the ability to reconstruct all financial and accounting records for at least six years should a cyber security event occur
• Designate a qualified Chief Information Security Officer (CISO) with responsibility for compliance with this regulation
• Employ sufficient cybersecurity personnel to manage risks and perform core cybersecurity functions, providing ongoing training to these personnel to keep their skills up to date
• Have multifactor authentication in place around internal systems and external networks
• Have a litany of policies and procedures in place around electronic and physical security, risk assessment, training, third parties, incident response, business continuity, and data destruction
• Report at least bi-annually to your board of directors regarding the confidentiality, integrity, and availability of your organization's information systems, policies and procedures, cyber risks, effectiveness of the cybersecurity program, exceptions to policies and procedures, and cyber security events that have occurred

For the 1,900 or so organizations impacted by this regulation, you will find these requirements to be more prescriptive than the EU General Data Protection Regulation, the Gramm-Leach-Bliley Act, and the Payment Card Industry rules. However, there is a substantial amount of overlap between these regulations. Organizations that have been effective in addressing these other rules and regulations using RSA Archer should be well on their way to demonstrating compliance with this NY State regulation and minimizing the risk of litigation from non-compliance.

With only a couple of weeks left before the largest gathering of GRC and Security professionals in the world happens in New Orleans Oct. 25-27, 'Throwback Thursday' is making a comeback.


Register by Oct. 10 on the RSA Charge 2016 microsite using code 8C6TBTSOCIAL to save.



We know that there is an enormous amount of content on the Archer Customer/Partner Community, 3800+ pieces to be exact, and it grows every single day. Add the 40 RSA University training courses, and it can be a daunting task to figure out which content is relevant to your role within your organization and your level of Archer experience.


We knew we had to do something to make you successful with Archer training and implementation. You told us so; we listened, and we acted.


We are pleased to announce that on October 25, at RSA Charge 2016, and also on the Archer GRC Community, we will be launching the new Archer NAVIGATOR Tool.


This NAVIGATOR Tool is the FIRST step in an ongoing 3-step campaign to make it easier for Archer customers like you to find relevant training and documentation, plus helpful support content, based on your role within your organization (Archer Admin, Archer Tech Admin, Business User, or End User) and your knowledge level of Archer, from Getting Started (1-2 years) to Expanding (3-4 years) to Advanced (5 years+).


Phase 2 will start right after Charge, and Phase 3 of the NAVIGATOR Tool will launch in Q1 2017.

There is a dedicated team of Archer employees, across different business units, to help you take charge and power your way to Archer success. The team is focused on building upon each Phase of the NAVIGATOR Tool so that each version is a significant improvement over the prior one. And we will count on your feedback to help us reach this goal. Our endgame at the conclusion of Phase 3 will be to deliver an automated solution to manage our informational assets, helping you be an Archer success.


Over the next several weeks, leading up to Charge 2016, you will see blogs from Kathy Coe, Education Services/RSA University; Anya Kricsfeld, Technical Support; Megan Olvera, Education Services/RSA University; Meg O’Neil, Engineering; Susan Read-Miller, Product Marketing; Amy Robertson, Solutions; Denise Sposato, Product Marketing/Communities; and Elizabeth Wenzel, Technical Publications.


If you are attending RSA Charge 2016, there will be 3 lab sessions in Room 225 that you can register to attend on the RSA Charge 2016 microsite, or just drop by. If you haven’t registered yet for RSA Charge 2016, do so today, or visit the RSA Charge microsite for full details.

  • Wednesday, Oct. 26: 11:15 - 12:00 Noon
  • Wednesday, Oct. 26: 3:45 - 4:30 pm
  • Thursday, Oct. 27: 11:15 - 12:00 Noon


We are very excited to launch Phase 1 of the Archer NAVIGATOR Tool on October 25 – hope to see you at RSA Charge in New Orleans, or on the Archer GRC Community.


Take Charge! Power Your Path to Archer Success! 



Next week, on October 5th, many companies and professionals all over the world will be celebrating CX Day, a day set aside to focus on and celebrate the customer experience created by companies and their people and processes. It is an important day, and we at Dell, RSA, and Archer will definitely take part in the festivities planned to mark the occasion. We will take the time to review all the things we do well, recognize individuals in our company who exemplify the right attitude and approach to taking care of our customers, and talk about the plans we have to kick our customers' experience up to an even higher level.


But… anyone can do that.


What makes this day authentic here at Archer is that you, our customers, are the central point of all of our activities, not just on CX Day, but every day and at every part of our journey together.


I wrote in my previous blog about the formation of the Total Customer Experience (TCE) forum to focus even more on the experience we provide to you. With the renewed and more focused effort through this forum, I am happy to see improvements already in several aspects of our business that result in a better experience. Here are a few to mention:

  • Faster time to relief: through the combined efforts of the Customer Support team and Engineering, we have seen measurable improvements in time to relief on support issues opened by our customers. We have focused on better technical training for the teams, improved communication methods, and closer collaboration with engineering. I hope you have noticed the improvements.
  • Improved availability of resources: with the increased focus on providing more resources to enable you, our customers, we have been able to more than double our Knowledge Base. In addition to all articles now being accessible from our Community, the most frequently used KBs are easily seen on the main page. And they are now easier than ever to find: you can Google them. Give it a try.
  • Closer collaboration with the GRC Community: from the Champions Network to a plethora of Working Groups to Roadmap review meetings, staying connected with both Archer product direction and the GRC community has never been easier. Get involved if you haven't yet.


In addition to this, we have work going on in a lot of other areas, such as:

  • Improving our billing process 
  • Refining our licensing and entitlement process
  • Accelerating our ability to provide resolution to both support and product issues


So, as we approach CX Day and I reflect on what this means to me, two thoughts come to mind. First, thank you for being our customers, our biggest advocates and our firmest drivers for change and improvement. Without you, there'd be no C in CX Day. And second, I am so excited to be part of a team that not only provides a great product, but realizes that without a great experience to go along with it, we would never succeed. I am excited to continue our journey together and can't wait to achieve bigger and better results.


Thank you and happy CX Day to all!


If you haven't yet registered for RSA Charge 2016, you have just over a week to save $200 off the onsite fee; the discounted registration fee of $695 ends on September 23. This year's event takes place Oct. 25-27 at the Ernest N. Morial Convention Center, New Orleans.


This must-attend event will be the largest gathering of Archer customers, partners, and risk and compliance experts from around the world, providing GRC professionals, from experts to novices, with the premier venue to share knowledge, gain hands-on experience, and learn best practices from other GRC professionals and subject matter experts.


Like last year, your RSA Charge 2016 registration pass will give you full access, without additional fees, to ‘all’ RSA Charge sessions, under one roof, including RSA Archer GRC Summit presentations, Security Operations, Identity, and Fraud.


The conference registration package also includes access to keynotes, the Archer super session, breakouts, birds-of-a-feather sessions, hands-on labs, and the Innovation Zone. And, if you need more reasons, registration also includes your access to evening events, as well as a continental breakfast and lunch on Wednesday and Thursday.


Don't miss out on these savings; REGISTER TODAY and visit the RSA Charge 2016 microsite for more information.

If you haven't heard, RSA Charge is just around the corner!


This year, New Orleans will play host to our customers, partners and the RSA team. If you can spare a few hours between trips to the French Quarter, Café Du Monde for a beignet (or 12), and Fritzel's for traditional jazz, the RSA team wants to hear from you.


RSA Charge provides a unique opportunity for you to engage face to face with the RSA Archer team in focused working groups. The working groups provide an opportunity for you to influence the product roadmap; learn about the future of our solutions, use-cases and features; and to interact with your peers.


To learn more about the Archer Working Groups at RSA Charge, please view Antoine Damelincourt's recent blog, Join the Archer Product Management team @RSA Charge!


Still need to register for RSA Charge? Take advantage of the discounted rate before time runs out!


See you in a few weeks!



You know that RSA Charge 2016 will be the largest gathering of Archer customers, partners, and risk and compliance experts from around the world, providing GRC professionals, from experts to novices, with the premier venue to share knowledge, gain hands-on experience, and learn best practices from other GRC professionals and subject matter experts.


Now, RSA University (formerly known as Education Services) is making RSA Charge 2016 even better with its announcement of pre-Charge courses being offered at 20% OFF normal pricing. Seats fill up fast and are limited to 10 students maximum per class. Don't miss this opportunity: REGISTER today using the links below.


RSA Archer Pre-Summit Admin Boot Camp (2-day class)

This 2-day course provides an overview of the concepts, processes, and procedures necessary to successfully design and administer the RSA Archer Platform. Students will gain knowledge of the key RSA Archer 6.x platform components, such as applications, security management, and communication tools, through presentations and hands-on practice. This course is a compact version of the standard four-day RSA Archer Administration I course; many of the same core components are included.

Target audience includes new Archer administrators who are responsible for building out and managing the RSA Archer 6.x Platform.


October 24-25, 2016  ($1600 per person, 10 students maximum)



RSA Archer GRC 6 Advanced Workflow & Navigation (1-day class, offered twice)

This 1-day workshop for experienced 5.x admins provides an overview of the RSA Archer GRC 6 interface and hands-on practice using the Advanced Workflow feature. Target audience is existing RSA Archer administrators who are well-versed in RSA Archer versions 5.5 and earlier.

Prerequisite Knowledge/Skills: Students must be comfortable with the administrative features of the RSA Archer GRC Platform, including but not limited to Data-Driven Events, calculated fields, and On-Demand Notification Templates. Experience building out business workflow using these features is essential.


October 24, 2016 ($800 per person, 10 students max on this day)

October 25, 2016 ($800 per person, 10 different students max on this day)



RSA Archer GRC 6 Platform Fundamentals for Business Users (1-day class, offered twice)

This one-day workshop includes a thorough overview of RSA Archer Platform features, including but not limited to application and questionnaire creation and management, essential access control concepts, email notification options, reporting and dashboard options, integration possibilities, and more.

Target audience includes RSA Archer business users with a need to understand what is possible with the platform. Ideal audience includes those who may need to create business requirements but will not actually administer the platform.


October 24, 2016 ($800 per person, 10 students max on this day)

October 25, 2016 ($800 per person, 10 different students max on this day)



Also being offered:

RSA Hunting Workshop for Analysts – Security Analytics/ECAT (2-day class)

This 2-day workshop presents the opportunity to spend class time working in a hands-on virtual environment, with minimal lecture and materials. Students will be provided with a complex use case to work through, involving a network-based attack resulting in an endpoint malware infection.

Target audience includes Security Analysts interested in using RSA NetWitness Logs and Packets and RSA NetWitness Endpoint to locate anomalies on the network and endpoint devices, to diagnose and track malware infections, and to reconstruct a cyber-attack in a realistic virtual enterprise setting.

October 24-25, 2016  ($1600 per person, 10 students maximum)


The Agenda for the October 13 RSA EMEA Archer GRC Summit in Amsterdam has been announced. 


This is the fourth year for the RSA EMEA Archer GRC Summit, and it promises to be one of the best, with the largest gathering of customers, partners, and risk and compliance experts from across Europe, the Middle East, and Africa.


Join us for this complimentary, must-attend event to share in driving GRC innovation through education and collaboration with the industry's best minds at the RSA EMEA Archer GRC Summit.

Location: The Grand Sofitel, Oudezijds Voorburgwal 197, 1012 EX Amsterdam Netherlands.





Sir Francis Bacon is credited with the quote "Knowledge is Power". There have been many variations on this phrase, but I want to add one more twist.


I presented at a conference this week where the session was dedicated to discussing the risks and remedies of ransomware, the practices and technologies bad guys use to gain access to systems and hold information hostage until a ransom is paid. Sometimes the information they get ahold of is not so important, but other times they hit the jackpot and gain access to the "crown jewels" of a company: customer information, trade secrets, or pending business strategies and plans. The company and institutional knowledge your organization has worked hard to accumulate, formulate, organize, and use is the lifeblood of your business. In some organizations, this information is the most vital asset they possess.


The venue for my presentation was the Washington D.C. Spy Museum. As I toured the museum afterward, I learned a few things about the history of "spying". I learned that people spy for many reasons, but the single most important goal is the attainment of, you guessed it, information. Information gives them power. Back to the "knowledge is power" concept: when the bad guys have access to your information, they don't necessarily have knowledge, but they have power. However, safe and secure in your hands, this information equates to knowledge, and that knowledge translates into power through your ability to use it to compete and win in the marketplace.


My speaking topic at the conference was business resiliency. A key underlying tenet is understanding what is most important to your organization, and this starts at the top: the most critical products and services provided to customers, the business processes that produce them, the supporting IT systems, and the information assets produced or used by that product or service. Determining what is critical starts at the highest levels and can be worked out through business impact analyses (BIA).


Let me share an example and a caution. Not all information is created equal (or equally important). For example, Coca Cola's recipe for Coke is, safe to say, very critical to them, whereas a lower-tier vendor's contract details probably aren't as critical. Now, these examples are obvious, and most companies intuitively know what their most important information assets are, and maybe have an inkling of what is on the lower end of the scale. But what about what is in between? Herein lies the rub: of the hundreds of information assets organizations produce and use, do they know which of those are critical? Which of these information assets are undervalued and therefore under-protected? Which require special compliance considerations? This all presents exposure and risk.


Information assets have implications across the whole spectrum of governance, risk and compliance (GRC) activities. For example: which risks or threats could impact your information; which compliance requirements, such as privacy considerations, require that you take certain protective steps and implement controls, and could result in penalties if you do not; and which vendors have access to your (critical) information, what are they doing with it, and are they protecting it. Given the far-reaching implications to your organization across many use cases, these GRC activities related to information assets should be coordinated at some level. This blog highlights just a few examples of the exposures our organizations face by not properly evaluating the criticality of, and exposures to, our information assets.


I took this picture at the Spy Museum of a Trojan horse exhibit, which depicts the infamous method Greek soldiers used to infiltrate the city of Troy and win the Trojan War. In today's world, the goal is access to information. Now a Trojan, a malicious computer program, is used to gain unauthorized access to a computer and to personal or proprietary information. Information assets are the lifeblood of our organizations, and we must remember that their proper use, management, and protection enables our power to compete and thrive.



Planning to join us for RSA Charge, but missed the early bird discount period? Well, you're in luck! Register online with code 8C6THRWBCKAUG between August 25 and 31 to take advantage of a special discount promotion:


The conference registration package includes access to keynotes, Archer super sessions, breakouts, birds-of-a-feather sessions, hands-on labs, and the Innovation Zone. It also includes your access to evening events, as well as a continental breakfast and lunch on Wednesday and Thursday.


Remember, you only have until Aug. 31 to take advantage of the 'Throwback Thursday' rate of $595.  Don't delay ...


We hope we see you in New Orleans Oct. 25-27, 2016! 

I was travelling to a user meeting last week, and going through Logan Airport in Boston I saw very long lines at some Delta counters. This was on Wednesday, 3 full days after the IT system outage that grounded almost 500 flights on Sunday morning, and they were still feeling the damage from that outage. Earlier this year, Southwest had to cancel 2300 flights after one router in one of its data centers failed; that's thousands of grounded passengers for one incident. That's a lot of angry customers, a lot of bad publicity, and a huge operations burden to get back to normal.


I thought this was a good reminder to never consider risk in a vacuum, especially risk to your IT assets. A recurring conversation I have with customers is the separation of IT Risk, Security and Vulnerability Management from Enterprise GRC. You can argue that the processes are different, the technologies are different, and the people using them are different, and you'd be right. An Operational Risk Manager and an IT Security Analyst do not do the same job, but they pursue the same goal.


IT resources in an organization are there to support a business process and deliver a business outcome. A risk to an IT asset, say a router in an airline data center, is a risk that could derail the entire operations of the whole company for a whole day. I'd say that qualifies as a major risk. And yet the only way you can assess the router's risk correctly is by going beyond the IT resource itself and assessing the business process it supports, the criticality of the asset to the process, and the criticality of the process to operations. The router in itself is not critical; it's a fairly simple IT asset, easy to replace, with decent monitoring. It's only critical because its failure would ground thousands of planes.


When considering recovery plans and controls, you need to have plans and controls for the asset AND the affected processes. Otherwise it would be like slipping on a patch of ice and breaking your leg, then only working on removing the ice. You should probably get your leg fixed at some point. Context matters, and downstream dependencies matter. How can you have a board-level discussion when considering only the IT side? It won't mean anything to the board that routers have a medium-high risk of failing. On the other hand, if you tell them that a router failure could result in 2300 grounded planes, it might be easier to get their attention.

Hello everybody! The bad news is there's more summer behind us than ahead of us. I hope yours has been as enjoyable as mine has been. And here in the Midwest, at least, it's still pretty hot, so there's plenty of warm weather left before it turns cold. The good news is we're less than 80 days away from RSA Charge 2016! The other good news is we have another major content resource available for your library: PCI DSS v3.2!


Just like the previous v3.1 content, we've worked very hard to ensure this latest version is as robust and tight-knit as possible. Alone, it's a fully functional content set to drive PCI compliance activities. Add our specialized PCI solution functionality to the mix, and together the two provide a powerful resource to efficiently manage PCI compliance programs of any size. A separate update will follow for the PCI solution itself, so stay tuned for that.


As far as the content goes, this latest version includes additions to the following core libraries:

  • Authoritative Sources
  • Control Procedures
  • Question Library


Everything is cross-mapped, and the Authoritative Source also has 700+ mappings to Archer Control Standards.


The content updates themselves can be obtained from Customer Support. As always, we're here to answer any questions you have. And please don't forget to register for RSA Charge 2016! You don't want to miss out!




Experienced outdoors people, whether they are campers, hikers, bicyclists or otherwise, know that the first rule of thumb is that you always need to know where you are so you can determine where you are headed. It is no different with business resiliency (BR) teams. You need a good sense of where you are headed, and this starts with what is most important in your organization to protect or recover if it is disrupted.


The best way to determine what is most important is by performing a business impact analysis (BIA). The BIA is an analytical method to determine which business processes are most critical to achieving your organization's key objectives. This includes knowing which business processes produce key products or services, or which strategic objectives they support. The BIA also helps identify related information, such as the dependencies between a business process and its supporting IT applications and infrastructure, information assets, facilities, suppliers, or key human resources. This information is important because that entire value chain must be planned for and preserved, especially where it supports core products or critical strategies.


RSA just launched an updated version of the Archer BIA use case as part of our June 2016 6.1 release.  This BIA builds on our existing model and offers:


  • An easy to follow questionnaire format
  • Three new categories for strategic, information integrity and information confidentiality impacts
  • Features from the new Archer 6.0 platform, like advanced workflow and enhanced reporting


The BIA is ready to use out of the box for each of the participants in the BIA process: business process owners, the BR team, and executive reviewers. The interface is easy to follow. The built-in workflow follows best practices and regulatory guidance. Reporting is thorough yet concise, so BR teams can see where BIAs need to be performed and easily follow up.


Like those outdoorsy folks I talked about earlier, whose first order of business is to know where they are at all times, the Archer BIA will help BR teams, business process owners, and executives know at all times what the most important parts of their organizations are, and plan for and protect them. With limited resources and expensive recovery strategies, this BIA is a must-have to really home in on what needs to be protected now. Click here for more information on the Archer BIA 6.1. You can also reach me at with questions or feedback.

RSA has introduced two recent, major product updates to enable offering Archer governance, risk and compliance (GRC) solutions by use case. We understand that organizations and their GRC disciplines can be in very different places along the maturity spectrum. For example, a compliance function might be much more defined and mature than the risk function. Our November 2015, 6.0 update was designed to inspire everyone within an organization to own risk, while our June 2015, 6.1 update was developed to encourage the three lines of defense (3LoD) to engage in the risk management process, and inspire every organization to own risk.




These objectives may sound synonymous, but every organization's road to GRC maturity is different, and as the graphic above depicts, each GRC function could be at a different point along the journey. Through our new use case approach, we encourage organizations to start small but gain quick wins within the context of a long-term strategy. As an example, our Audit Management solution has been organized into three use case offerings that customers can deploy separately or use to build upon one another. They are:


Issues Management - to manage issues, gaps and findings with related remediation plans. Benefits include:

  • A consolidated view into all known issues
  • An organized, managed process to escalate issues
  • Visibility into known risks and efforts to close/address risks
  • Workflow to ensure proper sign-off/approval for issues


Audit Engagements & Work Papers - to manage all audit projects and related work papers. Benefits include:

  • An audit universe of audit entities
  • Workflow for consistent audits and procedures
  • Self-serve for external auditors for the information they need


Audit Planning & Quality - to manage audit risk assessments, the audit plan, and quality assurance activities. Benefits include:

  • Workflow and change management for audit planning
  • Audit plans aligned with the organization’s priorities
  • Appropriate personnel are staffed on audits
  • Board-relevant reporting
  • Quality management processes for engagements and audits
  • Risk based audit approach


Although Internal Audit (IA) is an established discipline, maturity varies widely depending on many factors, such as adherence to standards, tenure of resources, industry requirements, and regulatory scrutiny. IA departments can use the Archer Audit use cases regardless of their maturity, because we have offerings that not only provide value (those quick wins) at each level, but also help them move further along the maturity spectrum, not just as a standalone IA function, but in working together with their GRC counterparts.


For more information on these use cases and our approach, go to: Audit Management. As always, you can reach me at with any questions or comments.