
RSA Archer Suite

332 posts

At this year's RSA Charge, it was amazing to me to see so many Compliance, Risk and Security professionals in one place, learning from subject matter experts and each other through technical deep dives and business-driven use cases focused on delivering best practice and lessons learned.  I had the opportunity to speak with so many RSA customers and was inspired by the great work they are doing.    


One of the highlights of the event was that over 100 RSA customers got up on stage during RSA Charge to present their unique use case and the challenges and opportunities they have addressed with the help of RSA solutions.  Thank you for sending us your feedback; it is great to see that overall you felt that the sessions were impactful and of value. 


During RSA Charge you completed evaluations for the sessions that you attended.  These provide us great information, including what sessions you enjoyed the most – you confirmed that one presentation from each RSA Suite clearly stood out as being the BEST! 


Out of 92 outstanding Breakout sessions that took place on Wednesday, October 17 and Thursday, October 18, winners were selected by RSA Charge 2017 attendees for being best overall in:


  • Overall Value
  • Presentation Skills
  • Credibility/Knowledge
  • Engaging/Interactive
  • Avoided Commercialization
  • Relevance


We would like to announce, recognize and sincerely thank the recipients of the RSA CHARGE 2017 Best in Show Award:


RSA Archer Suite Best in Show Award:

Deanne Dinslage, Sr. Archer Systems Administrator, Assistant Vice President, Bank of the West & Andrea Dollen, Manager, True8 Solutions            

Beyond the Customer - Making RSA Archer Suite Work for YOU! - Tired of hours of documentation for minutes of build?  Let me show you how to use RSA Archer Suite to do this in a few clicks with better results!


RSA Fraud & Risk Intelligence Suite Best in Show Award:

Damon Marracini, Vice President, Citi; Michael O’Connor, eCommerce Principal Product Marketing Manager, RSA; Greg Zaharchuk, Fraud Investigator, Vanguard; Qasim Zaidi, Cyber Process Manager, Capital One; Alma Zohar, Web Threat Detection Product Manager, RSA

Tales from the Trenches: Using Web Threat Detection to Fight Fraud - Learn how RSA Web Threat Detection is helping customers fight real-world cyber fraud.


RSA NetWitness Suite Best in Show Award:

Sean Catlett, SVP, Emerging Services, Optiv

Building a Modern Security Program:  Or… “If I Had to Start Over, What Would I Do?” – Discussion on keys to building your SOC and defending your enterprise using orchestration and automation.


RSA SecurID Suite Best in Show Award:

Michael Duncan, Program/Process Manager, Ameritas Life Insurance Corp; Lisa Ferraro, Developer, Ameritas Life Insurance Corp; Ravi Makam, Principal Consultant, Optiv

Insights and Lessons Learned from Upgrading RSA Identity Governance and Lifecycle and Going Virtual - Ameritas Life Insurance Corporation and Optiv Discuss Upgrading to RSA Identity Governance and Lifecycle Version 7.0.1 and go from a hard appliance to VM's to take advantage of new product capabilities.


Congratulations to all the Best in Show Award winners – RSA Charge 2017 attendees selected these from over 92 sessions!  Great job and thank you!

In regulated industries such as financial services, banking, insurance, and energy, periodic examinations by regulators and auditors are a regular occurrence. They might follow up on a workers compensation complaint; investigate misleading marketing and advertising of products, fraudulent sales practices, or inappropriate underwriting practices; complete a periodic SEC or FINRA exam; or follow up on violations found in a previous exam.


These regulatory examinations can result in costly penalties and fines and unwanted publicity. For example, in 2017 alone, the Financial Industry Regulatory Authority (FINRA) has assigned more than $31 million in fines and restitution.


In addition, the process of identifying, locating, and gathering all required documentation for the examiners is a time-consuming and often manual process. The data required is owned by a variety of teams across the organization, which requires a great deal of coordination to collect. There are also many systems used to capture necessary evidence and retain records. Once the exam is complete, tracking the progress and completion of exam findings and remediation actions is executed using email and spreadsheets, providing little visibility into findings status and progress.


All of these challenges can be addressed with RSA Archer technology. This week, RSA Archer released the RSA Archer Exam Management app-pack on the RSA Exchange. This new app-pack helps organizations prepare for, document, and manage the processes for conducting a regulatory examination. It provides a centralized process to manage scoping, data collection, collaboration, and the post-analysis phase of an exam. Organizations can:

  • Track the phases of an exam
  • Assign, collect, and track information requests
  • Log hours worked on each phase
  • Maintain visibility into related loss events

RSA Archer Exam Management - Exam Manager Dashboard


Using RSA Archer Exam Management, organizations benefit with the ability to:

  • Simplify collaboration and the data collection process of evidence for regulatory examinations
  • Reduce the amount of time it takes to prepare for and respond to regulatory examinations
  • Eliminate duplicate requests for information
  • Increase the likelihood that the examiner receives accurate and complete information
  • Efficiently identify and communicate with Information Owners
  • Improve exam finding remediation
  • Enable exam owners to analyze past examination results and trends to augment preparation and response to current and future exams
  • Provide visibility into exam and findings status as well as post exam data analysis to identify key trends and patterns
  • Analyze staffing costs to justify required headcount for future exams


Interested in learning more about the RSA Archer Exam Management app-pack?  Join us for a Free Friday Tech Huddle on December 1, 2017. In addition, a demonstration video for this app-pack is available on the RSA Exchange. Check it out and let us know what you think! 


RSA Archer Exam Management - Exam Record

As promised, we’re ready to offer our quarterly release for the RSA Exchange!


If you haven’t heard, the new and improved RSA Exchange helps you easily access and download best-practice ODA offerings created by RSA and RSA SecurWorld partners, known as App-Packs, via the RSA Link online community. It also highlights RSA Ready certified Integrations that enable you to pass risk data between the RSA Archer Platform and third party offerings, as well as Tools & Utilities to help administrators manage the Platform.

App-Packs, Integrations and Tools & Utilities on the RSA Exchange


First, I’d like to welcome two new partners to the RSA Exchange Technology Partner Program. This program enables RSA SecurWorld Partners to develop and offer best practice App-Packs and Tools & Utilities on the RSA Exchange. RSA Exchange Release R2 includes the first offerings from our RSA SecurWorld partners:


I am very excited to bring our partners’ offerings to you and help begin our partners’ journey with the RSA Exchange. Be sure to check them out on the RSA Exchange.


At RSA Charge 2017 last month, I heard many stories about your risk and compliance successes, as well as the amazing response your organizations have had to GRC programs using RSA Archer technology.  One of the most common questions was “how do you handle the large volume of enhancement and new use case requests?”  Many organizations have created an on-demand application (ODA) to handle these requests.  In addition, RSA Archer has been asked to help provide a more formal process for handling the data collections process for regulatory examinations. To help address these business issues, RSA Exchange Release R2 introduces two new App-Packs:

  • RSA Archer Support Requests captures end user requests and recommendations for enhancing RSA Archer business processes and use cases. Organizations can easily manage their business teams’ ideas for process improvements and innovations by enabling end users to submit business process changes, ideas for new reports, requests to delete records, proposals for updating dashboards and iViews, specifications for enhancing application layouts, requests for user access, and more.
  • RSA Archer Exam Management helps organizations prepare for, document, and manage the processes for conducting an audit examination. This offering provides a centralized process to efficiently manage scoping, data collection, collaboration, and the post analysis phase of an exam. Organizations can track the phases of an exam; assign, collect, and track information requests; log hours worked on each phase; and maintain visibility into related loss events.


RSA Exchange Release R2 also highlights several new RSA Ready-certified integrations:


Interested in learning more about these offerings? If you are planning to attend the RSA Archer Summit in London this week, drop by the RSA Exchange demo pod to learn more! We also invite you to join us for a Free Friday Tech Huddle on December 1, 2017 that will highlight these offerings.  And, as always, you can visit the RSA Exchange for all of the details.

Anya Kricsfeld

Launching RSA Ideas

Posted by Anya Kricsfeld Employee Oct 31, 2017

For years RSA has been in the business of providing best-in-class security products and services to you, our customers.  I am proud to be surrounded by extremely intelligent and creative coworkers who amaze me with their knowledge, imagination, and ability to make the abstract a reality on a daily basis.  However, I am even more astounded by the unending well of new ideas I see coming from our customer community every time I interact with or observe an interaction between us and you.  You are the true inspiration and driving force of our innovation.  We build products that solve your problems, we offer services that help you, and everything we do - we do with you and your success in mind.


This is why I am happy to officially introduce you to a new way to harvest and crowdsource our collective ideas together.  This month, we have launched new idea pages on our RSA Link Community:


These destination pages are places for you to show off your creativity and need, to suggest ways that would improve our offerings to help you be more successful.  It is also the place where you can collaborate on your ideas with other like-minded individuals and vote on ideas suggested by others.


We have a great customer community; let’s harness its creative power to see what we can come up with together.


For more information, please check out the following FAQs:


The theme of the latest RSA Archer 6.3 release is “Privacy, Resiliency and Flexibility”.  I can’t think of three better words to describe some of the biggest challenges organizations of all sizes and shapes face today. In this blog I’ll focus on Resiliency.


Resiliency is the ability to quickly bounce back from a crisis, large or small.  Bouncing back implies two aspects: one, not completely breaking upon impact; and two, having the mechanism to quickly recover and resume activity.  Resiliency may entail heroic efforts, but what is more important are the plans, processes and practices that enable organizations to be prepared to quickly bounce back when a crisis hits.


One barrier to building resiliency is lack of coordination.  In any organization, there are siloes - separate departments, processes, systems and information.  Even within a Business Resiliency program, there are siloes – such as separate teams that handle daily incidents, perform business continuity and IT disaster recovery, and that manage crisis events.  This separateness impedes coordination, reduces the ability of the organization to be resilient and forces them to rely on those heroic efforts I mentioned.  Effective coordination is especially crucial in dealing with incidents and crisis events.


Incidents are the day-to-day occurrences that happen in any organization, such as minor employee, physical or IT events.  Most organizations handle enough of these that their processes are very standard, so these incidents don’t create much disturbance.  However, where some damage can occur is when these incidents turn into crises, and when incident management teams are not coordinated enough with crisis management teams to ensure an effective handoff.  Some reasons for the lack of coordination might include:


  • Separate teams. As mentioned, in the organization there are typically separate teams that manage incidents and crisis events. This slows down and often hinders the process of transitioning the incident to a crisis event, and when dealing with a crisis, minutes often matter.
  • Confusing Communications. Communications surrounding an incident usually involve a small group of individuals directly involved in the incident resolution and are very prescribed and basic.  However, communication changes drastically during a crisis event, and may very quickly extend to much larger groups like employees and executives, or external parties like regulators, law enforcement and emergency personnel.  It becomes much more complex and ad hoc, making the transition difficult.
  • Multiple Systems. Different systems are often used to manage incidents and crisis events.  This may be due to different teams acquiring them or the focus of these point solutions.  This causes a lack of coordination because information is housed in different systems and is not connected to paint the bigger picture, such as what caused the event and its evolution.  This is critical during a crisis event because having the history of the event, those involved and next steps housed in one system helps crisis teams to not miss critical elements and is vital to better managing the event.


Updates to the RSA Archer Incident Management and Crisis Management use cases in the 6.3 release have been added to significantly help with these issues and enable better coordination between incident and crisis teams.  Workflow, discussion forums, event tracking, post-event analysis, and reporting and dashboards have all been developed to enable incident and crisis teams to:


  • Manage the event as one and ensure a more seamless handoff from the incident team to the crisis team
  • Provide a holistic history of the incident and related crisis event so teams can see the bigger picture around the event, make better decisions, and help in planning for subsequent events
  • Reduce confusion between incident and crisis teams with workflow and user roles that help with decision-making, crisis declaration, and transition.


These updates will help disparate resiliency teams improve their management of disruptive events from their inception to closure.  Other departments will also find value in these use cases.  For example, resiliency risk has risen to the Board level in recent years and is also on the radar of most regulators and auditors. As such, business risk management teams also have a vested interest in better managing the resiliency of the organization.


Siloes will continue to exist because organizations are complex; however, resiliency can be strengthened by creating more effective and seamless handoffs between siloed areas. These critical updates in the RSA Archer Incident Management and Crisis Management use cases can help reduce resiliency risk to the organization.

On behalf of my co-author, Corey Carpenter, greetings from RSA® Charge in Dallas, TX, the biggest GRC stampede around! We're knee deep in exciting announcements this year, including several new partner interoperability offerings. And of course let's not forget the official launch of RSA Archer® 6.3, with the latest additions to our Regulatory & Corporate Compliance solution domain: RSA Archer Data Governance and RSA Archer Privacy Program Management!


For many years, organizations have wrestled with the daunting task of protecting data in their business operations. The forthcoming European Union (EU) General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, has gathered much attention and is certainly a hot topic of conversation around RSA Charge this week. The EU-GDPR places an increased emphasis on the importance of managing EU resident personal data and the consequences for failing to adequately do so.


The concepts of data governance and protection, while not new, have been pushed to another level under the EU-GDPR as organizations must ensure they clearly understand and adequately protect the EU resident personal data that they collect and use, and retain it appropriately with an increased accountability and transparency to consumers. While this aspect of GDPR may represent a "new normal" for many organizations, to a large extent we believe it merely reinforces what practitioners in the information security and risk domains have known for years. Whether the exercise is driven by regulatory exposure through EU-GDPR, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), or other similar standards; or simply battling the general risks that information thieves pose to everyone, the concept of data protection has always been critical in managing overall information risk.


As organizations in every market continue to face the ongoing risk of data breaches and the devastating fallout that can occur, in many respects compliance obligations merely underscore an already pressing business need to proactively maintain vigilant operational security processes and due care as critical elements of a sound risk management program. Whether the target is personally identifiable information, or corporate intellectual property, the techniques and approaches are often similar. In today's world of high stakes information thievery and corporate espionage, organizations must protect all types of sensitive data to survive.


Establishing effective controls to protect sensitive information begins with a clear understanding of what those information assets are. Where do they live? How are they used? How does that sensitive data flow into and out of our organization? How are third parties involved? How long should we keep the data? Questions like these may seem simple enough, but they often reveal a complex web of interconnected data siloes that companies struggle to understand and protect.


Enter RSA Archer Data Governance and RSA Archer Privacy Program Management…


RSA Archer Data Governance is designed to help document and understand the flow of key information assets in an organization. What are the entry points for that data? Is it collected through an internal process or third party? Where is it stored, sent, and shared? These types of important details can be documented and tied to the appropriate Notice/Consent statements using RSA Archer Data Governance. As sensitive data is processed and moved from system to system, those critical data flows can be clearly understood and documented, along with relevant data retention and disposal requirements. With a complete picture of the entire data environment, the organization is empowered to demonstrate proper governance and accountability.

RSA Archer Privacy Program Management is designed to help organizations assess the privacy impacts of their data environments and measure the resulting risks. As organizations communicate with regulators to answer questions, respond to inquiries, or even declare a data breach, they can utilize RSA Archer Privacy Program Management to document and manage those communications. For organizations still working through the process of documenting their data environments, this use case also can assist in understanding data inventory scope boundaries through questionnaires to key stakeholders such as application and information processing owners.


Did you know that companies with mature risk management programs are measurably more profitable? How would information like that resonate with your executive management? There's no better place to explore these topics with global experts than right here at RSA Charge, the largest GRC gathering on the planet! Stop by the demo pods in between your learning sessions for a look at the latest and greatest features in RSA Archer 6.3. You can also follow #RSACharge to catch trending conversation topics this week on Twitter.

By now, you may have heard the good news – RSA Archer release 6.3 is now available! RSA Charge 2017 (Oct. 17-19, 2017 in Dallas, TX) is the ideal occasion for us to release our latest software with a bang.

RSA Archer release 6.3 includes two new use cases, RSA Archer Data Governance and RSA Archer Privacy Program Management, platform enhancements, and updates to Business Resiliency, Public Sector and Payment Card Industry (PCI) use cases. Look for additional blog posts in the coming days and weeks for a deeper dive into this Release 6.3 functionality.


Use Case Enhancements

Regulatory and Corporate Compliance

Release 6.3 introduces two new use cases as part of the solution, RSA Archer Data Governance and RSA Archer Privacy Program Management. These new use cases will assist companies in managing the requirements set forth by applicable privacy regulations, including the GDPR regulation. PCI Management has also been updated to address the most recent PCI standard release, 3.2.

Business Resiliency

RSA Archer Business Resiliency use cases received a comprehensive upgrade to better help companies manage disruption and crises. Terminology and workflows have been realigned to better support the crisis management process and new out-of-the-box notifications and test plans will help with the velocity of the business continuity management process.

Public Sector

The Public Sector use case updates will improve customer efficiency as well as usability with ICS and SCADA controls. Specifically, the RSA Archer Assessment & Authorization (A&A) use case has improved usability through the use of advanced workflow. This will reduce the time and effort needed to assess information systems, maintain control documentation and manage remediation efforts.

Platform Enhancements

This release has several enhancements to the RSA Archer platform.  Some highlights include:


RSA Archer Administrators will now have access to a new dashboard that will provide insights into system health and activity. They will be able to report on system events such as data feed performance and user activity to improve troubleshooting, system maintenance and operations.


There are also several enhancements that aim to reduce the number of clicks necessary to perform tasks. For instance:

  • ‘Bulk Record Operations’, where a user can now select and update multiple records at once;
  • ‘Direct to Edit’, where a user can open a record in edit mode in one click; and
  • ‘Save & Close’, where a user can save his work and go back to the previous screen in a single click.

From an appearance perspective, if you want to match your application to your own corporate branding and design, you will have a lot more options to play with and levers to push. RSA Archer 6.3 expands color configuration capability. Administrators can now configure the User Interface to match their corporate branding and design, as well as customize page and field border colors.  

This release contains other improvements as well, so check out the release documentation to get the details.  As mentioned earlier, there will be new posts for a deeper dive into some of these items. Additionally, we invite you to join us for Free Friday Tech Huddles on 6.3 features; please check back for details.

For more details, read the Press Release or visit the 6.3 Subspace on the RSA Archer community.


The National Infrastructure Advisory Council (NIAC) published their draft report discussing ways to reduce the complex risks associated with cyber threats within critical infrastructure sectors. Cybersecurity risks or threats expose the complexity and connectivity of our critical infrastructure systems placing national security, economy, and public safety at risk. According to the NIAC report, “cyber destruction of computer systems that control vital infrastructure like power grids, dams, waterways, air traffic control, transportation and the financial sector is inevitable without immediate efforts by government and the private sector to substantially boost efforts to protect those systems. If they fail to do so, they will have missed a “narrow and fleeting window of opportunity before a watershed, 9/11-level cyberattack.”


The U.S. government has been working to bring some order to this crisis. In an effort to help government agencies and the private sector, NIST (National Institute of Standards and Technology) developed a risk-based Cybersecurity Framework to provide industry standards and best practices to help manage cybersecurity risks. In May 2017, the U.S. Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure was signed, holding agencies accountable for managing cybersecurity risks.


Why Implement a Cybersecurity Framework?

With so many IT and security initiatives afoot, why is this specific Cybersecurity Framework a priority?


First, it’s no longer an optional, nice-to-have program to augment your cyber risk arsenal. The recent executive order makes the NIST Cybersecurity Framework compulsory for all government agencies. Private sector organizations that are categorized as one of the sixteen critical infrastructure sectors are recommended to put the appropriate measures in place to improve the cybersecurity posture of their organization.


What’s required of those organizations? The framework sets out to help organizations:

  • Identify the elements or desired outcomes for maturing a cybersecurity program;
  • Provide a method to assess and measure against the desired state;
  • Measure progress and address findings or gaps in the program; and
  • Communicate the cybersecurity posture in a meaningful way to management


Second, the Cybersecurity Framework provides a common language with which both technical and non-technical personnel can come to an understanding on the organization’s cyber risk. Terminology like Identify, Protect, Detect, Respond and Recover formulates the tenets of categorization for the program, which is usable across all industry segments as well as the government sectors.  And best of all, the language, numeration, and progress are all focused on reducing RISK. The guidelines do not require specific technology or hardware to solve the problem.


Finally, the NIST guidelines set in place a continuous improvement process for reviewing, assessing and managing an organization’s cybersecurity program. Threats and technology change. Organizational priorities change. And therefore, our approach to handling cyber risk must adapt to those changes on a continuous basis.


Regardless of organizational size or cybersecurity sophistication, organizations can apply the NIST Cybersecurity Framework principles and best practices of risk management to improve cybersecurity and resiliency of their critical infrastructure.


RSA Archer is here to help!

With the first release of the RSA Exchange on August 22, we introduced the RSA Archer Cybersecurity Framework Management App-Pack. This new offering provides government agencies and private sector businesses a method to assess and measure their cybersecurity posture, address gaps, and report on cybersecurity in a meaningful way that is understood by all stakeholders.


RSA Archer Cybersecurity Framework Management enables profile owners to catalog the current state, prioritize and scope profile elements, and define their desired or targeted state outcomes for their organization’s cybersecurity program. Assessors then evaluate these profiles against the NIST Cybersecurity Framework categories. Previous assessments can be archived for comparison with the current profile and measure progress. Reports and dashboards provide clear insight to the cybersecurity current state and progress being made toward the desired cybersecurity state.


Interested in learning more about the RSA Archer Cybersecurity Framework Management app-pack?  Check out the video and implementation guide on the RSA Exchange. In addition, the RSA Exchange team will feature the RSA Archer Cybersecurity Framework Management app-pack at RSA Charge. Come visit us next week, October 17-19, at the RSA Exchange demo pod in the RSA Charge Innovation Zone to learn more about this offering!

It’s back and it’s better than ever! Introducing the bigger and better RSA Exchange, formerly known as the RSA Archer Exchange or RSA Archer Focused Solutions.


RSA Archer use cases provide the foundation to help you quickly get risk management programs up and running. But oftentimes, your program requires an industry or geographic-specific business process outside the scope of RSA Archer use cases. You then create new applications from scratch using on-demand applications (ODAs) to manage adjacent or supporting risk and compliance processes.

RSA Exchange Offering Types


The new and improved RSA Exchange helps you easily access and download best-practice ODA offerings created by RSA and RSA SecurWorld partners, known as App-Packs, via the RSA Link online community. In addition, RSA Exchange highlights RSA Ready certified Integrations that enable you to pass risk data between the RSA Archer Platform and third party offerings, as well as Tools & Utilities to help administrators manage the Platform.


In our first release of the RSA Exchange, we introduced two new App-Packs:

  • RSA Archer Cybersecurity Framework Management - providing government agencies and private sector businesses a method to assess and measure their cybersecurity posture, address gaps, and report on cybersecurity in a meaningful way that is understood by all stakeholders
  • RSA Archer Project Management - offering a simple framework for managing multiple large-scale projects simultaneously, accounting for milestone scope and delivery timelines within the allotted budget, and documenting team tasks and related expenses


RSA Exchange App-Packs leverage ODAs for licensing. Each of these offerings indicates pre-requisite use cases and the number of required ODAs.


The RSA Exchange Release R1 also highlights several new RSA Ready-certified integrations including:


And there are more to come! The RSA Exchange is an integral part of the RSA Archer ecosystem, providing a faster and more flexible development cycle for RSA and RSA partners to deliver value-add offerings for your RSA Archer implementation. Look for new offerings and updates to our existing offerings on a quarterly basis.


Interested in learning more about the RSA Exchange offerings? Check out the site to learn more about the great offerings mentioned above. In addition, the RSA Exchange team will be at RSA Charge! Come visit us next week, October 17-19, at the RSA Exchange demo pod in the RSA Charge Innovation Zone to learn more!

I’ve been grappling the past couple of weeks over the definition of a third party.  Typically, we would say that a third party is an organization with whom you have entered into a contract to provide your organization a product or service.  In this sense the credit bureau, Equifax, is a third party to Financial Institutions (FIs) because the credit bureau is providing consumer credit scores to the FIs so they can make decisions on whether to extend credit to consumers.  And while most every FI regularly reports to credit bureaus on the status of their customer’s loan repayments (on time, past due, amount of credit extended, opening a new account, etc.), I would venture to guess that not many FIs seriously contemplated the broader threat they posed.  Similarly, all publicly traded companies were supplying confidential financial information to the SEC but probably didn’t seriously consider the threats that extended beyond the simple delivery of financial information.


The significant risk emerging from these two scenarios is not that the FI’s customer information supplied to Equifax was breached or that the publicly traded company’s financial information was breached. Rather, it is that if a credit bureau was breached, the probability and impact of future loan charge-offs from fraudulent loans and depositor reimbursements from unauthorized account takeover increased. And, in the case of the SEC, the real risk was not the unauthorized access of financial information but the effect of front-running on stock prices.


Are these examples of a new third party risk management paradigm, black swans, or just a call for more comprehensive third party risk assessment?  Both of these examples present information security risk but in the case of the credit bureau, it presents greater future credit and fraud risk; and in the case of the SEC presents greater stock price risk.  If risk managers are to anticipate these kinds of risk, they need to apply broad brush scenario analysis to understand the breadth and magnitude of risk.  Perhaps no longer is a simple questionnaire good enough to scope the range of risks to be considered when evaluating a third party.  As these examples illustrate, information security risk can be much more than unauthorized access to customer and company information.  It is the related business risk that emerges from the unauthorized access.  Let me know what you think.

As the saying goes, “Everything is BIGGER in Texas”.











Hilton Anatole in Dallas, Texas

And RSA Charge!


This event is the biggest gathering of the RSA Archer community and risk professionals in the world. And the RSA team is ecstatic that we get to host this BIG event in the BIG state of Texas.


As a teenager, I spent my summers visiting my sister who worked and lived in Dallas. We toured the 6th Floor Museum, Six Flags, the Dallas Zoo, Reunion Tower, the Fort Worth Botanical Gardens, and J.R.’s ranch, Southfork from the hit TV show Dallas. There are so many BIG and fun attractions to guide your stay while you’re in the Dallas - Fort Worth area for RSA Charge. I’m very excited to plant my boots back in this great city that holds so many memories.


In addition to the boundless hospitality and attractions of Dallas, the RSA Charge event brings together the foremost thought leaders to tackle one of the BIGGEST topics for executives and boards of directors – RISK. Whether we are talking about cyber risk, operational risk, third party risk, audit risks, resiliency risks, compliance risks, and more, the RSA Archer community at RSA Charge can discuss how they are addressing risk within their organization, learn best practices from their peers, and make new connections to help continue their organization’s risk management journey.


I have the privilege of overseeing the Risk and Compliance track Taking Command of Your Risk Management Journey. Sessions for this track are focused on approaches, strategies and recommendations to help build and mature your risk and compliance program. Over the years, I’ve watched the topics for this track mature as your programs and the risk community have matured. The sessions in this track are very well attended as our speakers are seasoned risk pros. And this year’s line-up is BIG! Here are a few highlights:

  • Our friends from AIG, ME Bank, and the BPAY Group will discuss how they are balancing their risk journey;
  • A financial services risk manager will share how their organization demonstrated value to senior leadership;
  • Lockton Companies and RSA will discuss the benefits of mitigating risk through cyber insurance;
  • Berkshire Bank and US Bank will highlight their change request programs; and
  • Duke Energy, Verizon, Raiffeisen Bank, and EY will talk about how they are using an Agile approach when implementing risk programs.


There are so many great topics in the Taking Command of Your Risk Management Journey track. Be sure to check them out and add these great sessions to your agenda. Not registered yet? Visit the RSA Charge site to register, schedule hotel accommodations, review sessions, and more.


I’ve been attending and moderating sessions for this BIG event since 2009. Having reviewed the sessions for this year’s event, I know that this is a BIG opportunity for you to learn from the best in the risk management industry and get the most out of your technology investment. I look forward to seeing you in Dallas!


RSA Charge 2017, the premier event on RSA® Business-Driven Security™ solutions, unites an elite community of customers, partners and industry experts dedicated to tackling the most pressing issues across cybersecurity and business risk management. Through a powerful combination of keynote speeches, break-out sessions and hands-on demos, you’ll discover how to implement a Business-Driven Security strategy to help your organization thrive in an increasingly uncertain, high-risk world. Join us October 17-19 at the Hilton Anatole in Dallas, Texas.

My first (and only) trip to Dallas, TX was as a high school junior to attend the Future Business Leaders of America National Leadership Conference. It was two action-packed days spent connecting with hundreds of amazingly talented and motivated youth, just beginning to embark on our professional journeys, attending sessions and learning valuable skills from notable industry professionals. I find it only fitting that my second trip to Dallas (now many years later) will be spent this time with hundreds of amazingly talented and motivated professionals, sharing ideas about business driven security, risk and compliance, and networking with fellow practitioners at RSA Charge. RSA Charge will bring together the best and brightest GRC professionals at the Hilton Anatole in Dallas, October 17-19.


This year will mark my seventh year attending RSA Charge and it never ceases to impress me. For the past three years I have had the pleasure of overseeing the Archer Technical session track. The Archer Technical and Advanced Technical tracks are geared toward Archer administrators who want to expand their knowledge of the RSA Archer platform and learn creative ways to further extend its capabilities. From new Archer admins just starting out, to seasoned Archer experts, there is something for everyone. You can attend sessions delivered by our own RSA Archer engineers, who will be covering the newest features and functionality in the product. (It’s one of the rare occasions you can encounter our engineers out in the wild, and they’re more than happy to talk shop with you.) We also have customer-led sessions delivered by fellow RSA Archer admins who will share tips for managing the Archer platform, lessons learned, and highlight their own custom implementations that expanded the power of the RSA Archer framework. I’ve seen some of the most innovative ideas come from our customers and partners!


Here are a few of the highlights in the RSA Archer Technical track:

  • Hear Humana talk about how they migrated their business processes from a sunsetting system into RSA Archer.

  • Learn how U.S. Bank used the workflow capabilities in RSA Archer to centralize previously isolated processes across different internal teams and manage critical documentation through an integration with SharePoint.

  • Get a first look at new RSA Archer Platform 6.3 features, including our System Administrator dashboard for monitoring your RSA Archer deployment and new Bulk Record Operations that make it even easier to update your data in Archer.

  • Attend the “Stump an Admin” session where you’ll have the opportunity to seek answers to your own questions about the RSA Archer platform from a panel of veteran Archer Administrators. Can you stump the admins?

See the full Archer Technical track agenda here. And if that’s not enough, explore all of our other tracks in the full agenda!


The RSA Archer community is a vast network of technical and business professionals who have a genuine desire to support each other and share their knowledge and expertise. Many attendees have been coming to RSA Charge (and its predecessor, the Archer Summit) for years. It’s a culture and atmosphere unlike any other. Whether you are new to RSA Archer or you’ve been with us for years, there are sessions, working groups, hands-on labs, social events and more for you. If you haven’t yet registered, what are you waiting for? Follow this link to register now! If this will be your very first RSA Charge experience, welcome to the RSA Archer family. Prepare to be inspired. See you in Dallas!



Back in the Saddle

Posted by Mason Karrer Employee Sep 12, 2017

Did you know IDC reported that companies with active GRC programs resolve their security breaches 63% faster and are 33% more efficient at assessing their risks? Would you like to hear directly from leading companies achieving those kinds of GRC successes? This year RSA Charge is rolling through the Big-D...Dallas, TX!! In the land of "go big or go home," the world's largest gathering of GRC professionals is shaping up to be bigger and better than ever! Registration for the October 17-19 event is filling up fast. Don't miss out!


Consider the following: According to a PWC study, 62% of companies expect cyber risk to cause disruption in the next 3 years. EY also released research showing that 86% of respondents did not believe their cybersecurity functions fully meet the organization’s needs. And the cost of data breaches is projected to exceed $2T globally by 2019 according to Juniper Research. What do these stats have in common? They all describe some aspect of business risk associated with the use of technology. That's why one of the RSA Charge tracks I'm most excited about this year is called "Managing Technology Risk in Your Business". This track will focus on those unique challenges that emerge where the business and technology risk environments intersect (and occasionally collide).


The customer submissions for this year's sessions are once again truly outstanding! Customer presenters from all over the globe will be onsite to speak on a variety of topics such as assessing risk on specific technology assets, normalizing risk and compliance reporting, addressing the human element of technology risk, and much more. It's so incredible how many inspiring stories and ideas our customer community has to share. Whether you're a seasoned pro or just beginning your GRC journey and looking for the basics, you won't be disappointed. RSA Charge has something for everyone, from executive roundtables to operational hands-on labs and demos. Plus, nearly every session is customer-led! What a truly awesome community!!!


Did you know that companies with mature risk management programs are measurably more profitable? RSA Charge, being the largest GRC gathering on the planet, is a great place to start learning how! If you haven't registered already, I highly encourage you to get on it before it's too late! The full schedule can be viewed here, and the registration page here. Several resources have also been uploaded on the RSA Charge website to assist with trip planning, etc. Need help justifying the cost? No problem! Several resources are available including an ROI calculator and more. Look forward to seein y'all in Dallas real soon!



This year’s RSA Charge event is definitely one not to miss. If you have not yet registered please do so today to secure the Discount Rate of $745, saving you $200 through September 15. Registration on the RSA Charge 2017 website couldn’t be easier.


Still on the fence? Check out the Full Agenda with over 90 sessions, 35 hands-on labs, and 140+ thought leader industry experts, and you’ll agree this is the premier event on RSA Business-Driven Security™ solutions. You can also take this opportunity to build your own personal business-driven security experience for Charge.


Looking for another way to save on your RSA Charge registration fee? Register for one of the RSA University’s pre-Charge courses being offered at discounted course rates, and enjoy the Early Bird Discount registration fee of only $645, good until the official start of Charge on Oct. 17. But don’t wait too long; class size is limited and filling up fast. Click here to see the Pre-Charge Course Schedule and to receive a special discount code.


Another way to save: Friends with Benefits! They say sharing is caring, so ‘already registered’ RSA Charge attendees can now share the love by forwarding this code to a peer or colleague and he/she will receive $100 off the current $745 registration fee by using this code from you: FRIENDS17


And, finally, in case there are still some doubters amongst you, watch these two RSA Charge videos – you’ll be convinced that RSA Charge 2017 is the place to be seen and heard, Oct. 17-19 @ Hilton Hotel Anatole, Dallas. See you soon!


RSA President Rohit Ghai 

RSA Archer Vice President David Walter




Upgrade from 5.x to 6.x With RSA Professional Services:

We can all agree that upgrading to 6.x before EOPS for 5.x kicks in on December 31 makes sense. Now it can make sound fiscal sense too. Due to popular demand for the Professional Services upgrade offers, we have extended the date through February 4, 2018.


RSA Professional Services (PS) is offering two special discounts on upgrade services in order to help you make the most of the transition. Why go it alone?


Offer #1: 20% off the RSA readiness assessment and upgrade for up to three environments ($14,800 after discount)


Offer #2: 30% off a bundled purchase of RSA’s readiness assessment and upgrade for a single environment ($8,400 after discount)


Key Benefits of working with RSA PS include:

  • Ensures your environment is optimized for the latest RSA Archer upgrade
  • Work with professionals who have helped others successfully navigate the upgrade process and have insights into potential roadblocks*
  • Successful deployment of the RSA Archer software upgrade into production in a reduced timeframe by following RSA-recommended best practices

*Note: May take up to 30 days for Professional Services to staff for committed work order


Read RSA Archer GRC Upgrade Services to learn more. Offer expires February 4, 2018. Contact your local Existing Accounts Representative for more information.



Upgrading to 6.x Without Professional Services Support:

With EOPS on Dec. 31 for 5.x, the window of opportunity is closing. For those customers who wish to complete the 6.x upgrade journey without PS Support, there are several steps that are required to complete the task:


Step #1: Review the Release 6.1 and Release 6.2 subspaces on RSA Link

Step #2: Complete the Release 6.x pre-upgrade survey

Step #3: RSA Archer will review the survey information, then generate and deliver your new Release 6.x License Key, which is required for post-upgrade operations

Step #4: Download and install Release 6.x, execute your upgrade plan, and go live

Step #5: Notify RSA Archer that your upgrade is complete


Read RSA Upgrade Process to learn more. Contact your local Existing Accounts Representative for more information.