RSA Archer GRC
Experienced outdoors people, whether they are campers, hikers, bicyclists or otherwise, know that the first rule of thumb is that you always need to know where you are so you can determine where you are headed.  It is no different with business resiliency (BR) teams.  You need a good sense of where you are headed, and this starts with knowing what is most important in your organization to protect or recover if it is disrupted.

 

The best way to determine what is most important is by performing a business impact analysis (BIA).  The BIA is an analytical method to determine what business processes are most critical to achieving your organization’s key objectives.  This includes knowing which business processes produce key products or services, or what strategic objectives they support.  The BIA also helps identify other related information like what dependencies exist between the business process and supporting IT applications and infrastructure, information assets, facilities, suppliers or key human resources.  This information is important because that entire value chain must be planned for and preserved, especially if they are in support of core products or critical strategies.

 

RSA just launched an updated version of the Archer BIA use case as part of our June 2016 6.1 release.  This BIA builds on our existing model and offers:

 

  • An easy to follow questionnaire format
  • Three new categories for strategic, information integrity and information confidentiality impacts
  • Features from the new Archer 6.0 platform, like advanced workflow and enhanced reporting

 

The BIA is ready to use out-of-the-box for each of the participants in the BIA process – business process owners, the BR team and executive reviewers.  The interface is easy to follow.  The built-in workflow follows best practices and regulatory guidance.  Reporting is thorough yet concise so BR teams can see where BIAs need to be performed and easily follow up. 

 

Like those outdoorsy folks I talked about earlier whose first order of business is to know where they are at all times, the Archer BIA will help BR teams, business process owners and executives know at all times what the most important parts of their organizations are and to plan for and protect them.  With limited resources and expensive recovery strategies, this BIA is a must-have to really hone in on what needs to be protected now.  Click here for more information on the BIA Archer BIA 6.1.  You can also reach me at Patrick.potter@rsa.com with questions or feedback.

RSA has introduced two recent, major product updates to enable offering Archer governance, risk and compliance (GRC) solutions by use cases.  We understand that organizations and their GRC disciplines can be in very different places along the maturity spectrum. For example, a compliance function might be much more defined and mature than the risk function.  Our November 2015 6.0 update was designed to inspire everyone within an organization to own risk, while our June 2015 6.1 update was developed to encourage the three lines of defense (3LoD) to engage in the risk management process, and to inspire every organization to own risk.

 


 

These objectives may sound synonymous, but every organization’s road to GRC maturity is different, and as the graphic above depicts, each GRC function could be at a different point along the journey.  Through our new use case approach, we encourage organizations to start small, but gain quick wins within the context of a long-term strategy. As an example, our Audit Management solution has been organized into three use case offerings that customers can deploy separately, or use them to build upon one another.  They are:

 

Issues Management - to manage issues, gaps and findings with related remediation plans.  Benefits include:

  • A consolidated view into all known issues
  • An organized, managed process to escalate issues
  • Visibility into known risks and efforts to close/address risks
  • Workflow to ensure proper sign-off/approval for issues

 

Audit Engagements & Work papers - to manage all audit projects and related work papers.  Benefits include:

  • An audit universe of audit entities
  • Workflow for consistent audits and procedures
  • Self-serve for external auditors for the information they need

 

Audit Planning & Quality - to manage audit risk assessments, the audit plan and quality assurance activities.  Benefits include:

  • Workflow and change management for audit planning
  • Audit plans aligned with the organization’s priorities
  • Appropriate personnel are staffed on audits
  • Board-relevant reporting
  • Quality management processes for engagements and audits
  • Risk based audit approach

 

Although Internal Audit (IA) is an established discipline, maturity varies widely depending on many factors, such as adherence to standards, tenure of resources, industry requirements and regulatory scrutiny.  IA departments can use Archer Audit use cases regardless of their maturity because we have offerings that not only provide value (those quick wins) at each level, but also help them move further along the maturity spectrum, not just as a standalone IA function, but in working together with their GRC counterparts.

 

For more information on these use cases and our approach, go to: Audit Management. As always, you can reach me at patrick.potter@rsa.com with any questions or comments.

For the third year in a row, RSA Archer has been named a Leader in Gartner’s Magic Quadrant (MQ) for Business Continuity Management Planning Software (BCMP)!

 

 


 

Gartner states in their report that the business continuity management (BCM) market is changing because “continuity of operations is being seen by organizations as a growing risk that needs to be managed and mitigated.”  Gartner also mentioned they are now seeing organizations focus more on operational resilience versus only “respond and recover” activities. Although the latter is a critical component of a business resiliency (BR) program, teams must focus on how they fit into the organization’s larger operational risk program and approach. Gartner states BCM is in a unique position to address resiliency as part of an operational risk management (ORM) program because of its strategic focus and board-level attention. BCM is also “well-positioned to address not just availability risk, but also the broader set of operational risks” [2]

 

In addition to being named a Leader in this MQ, during 2016 RSA Archer has also been named a Leader in Gartner Magic Quadrants for Operational Risk Management, IT Vendor Risk Management, and IT Risk Management. Integrating BCM with other risk management activities is critical to building operational resiliency. This integration must happen organizationally and practically. There is some movement in this area, as evidenced by the results of Gartner’s 2015 survey of the Association of Contingency Planners membership, entitled “What Keeps Them Up at Night.” The results from this survey show that enterprise risk management (ERM) functions are more often becoming the “home” for BCM programs. [3]

 

Organizational alignment is a good thing. However, more mature BCM programs also have more mature risk management capabilities, which are aligned with their ORM functions and facilitated by integrated software. There is still room to improve, as shown in Gartner’s 2015 BCM Hype Cycle, where Gartner mentions that 48% of surveyed organizations use BCMP software. There is also room to grow overall, as Gartner’s ITScore for Business Continuity Management maturity self-assessment tool shows the average maturity of BCM programs is 2.45 on a scale of 1 to 5. [4]

 

BCM is a mature industry that finds itself changing and in need of reinvention.  However, all indications are that BCM will rise to the challenge and continue to contribute, now as part of an organization’s larger ORM and ERM program. RSA Archer’s inclusion as a Leader in the last three consecutive BCMP MQs, as well as our placement as Leaders in all three Gartner MQs for risk management for the second consecutive year, shows that we are uniquely positioned to help organizations rise to the challenge.

 

 

 

Figure 1 Magic Quadrant for Business Continuity Management Software, Worldwide. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from EMC RSA. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

[2] Magic Quadrant for Business Continuity Management Planning Software, Worldwide.  Published: 11 July 2016.  Analyst(s): Roberta J. Witty, John P. Morency

[3] Members of the Association of Contingency Planners Report on 'What Keeps Them Up at Night'.  Published: 29 October 2015.  Analyst: Roberta J. Witty

[4] ITScore for Business Continuity Management.  Published: 31 August 2015.  Analyst(s): Roberta J. Witty, John P. Morency


We have all had that moment walking out of the shopping mall or the airport.  Everyone knows the feeling when that rush of doubt takes hold of our brains.  We stand frozen and frantically wait for our cerebral cortex to do its thing and pluck that single memory out of our vast network of synapses… “Where did I park my car?”   I am pretty sure this momentary lapse of memory has something to do with the radiation levels of the lights in Exit signs.  The frequency that I experience such occurrences couldn’t be the result of distractions from the avalanche of my daily thoughts and surely has nothing to do with my age.

For those of you who have been seeing the communications about RSA Charge, I hope you have not suffered this same tinge of hesitation.   Of course, I am referring to any questions as to the whereabouts of the legendary RSA Archer Summit, the premier GRC event of the year.    The Archer Summit is alive and waiting for you – parked in a well-lit, spacious place, protected and ready to go – at RSA Charge.

Last year, the Archer Summit was referred to by name and co-located with RSA Charge as the user event for all RSA products.  This year, we have completed the transition and now refer to the entire event as RSA Charge.   RSA Charge harnesses the innovative power of thought-leaders, industry experts and the RSA community, providing you with insightful educational sessions, hands-on training, and valuable expert & peer networking opportunities.

In the tradition of the Archer Summit, we will have many customer-led sessions highlighting the most innovative and forward-thinking GRC programs.   You will learn how to inspire your organization to own risk.  We will discuss approaches, strategies and recommendations for building organizational capabilities that bring maturity to your overall risk and compliance program.   Case studies ranging from how companies are approaching critical IT Security and IT Risk challenges to how Archer is used to transform compliance programs will give insight that can immediately be applied when you return to your desk after the conference.   Technical presentations, labs and training will dig into the details for beginners and advanced administrators.

This year will be the 13th gathering of Archer customers.  Every year the assembly has gotten bigger and better.  With RSA Charge 2016, you will feel like you walked out to the parking lot and your 2003 Toyota Camry has transformed into a 2016 Tesla Model S.

RSA CHARGE 2016 will take place in New Orleans, LA, from October 25 – 27!  I hope you will mark the date on your calendars and join me in beautiful New Orleans, to experience in-depth sessions, insightful conversations, interactive product experiences, and much more.

For more information or to register, go to http://charge.rsa.com

 

As I mentioned in my last blog, one of the important benefits of our recent release of RSA Archer 6.1 is an alignment of organization maturity with the technology to support it. Building a mature Information Assurance (IA) program in the public sector takes time and commitment.  It requires and is marked by a balance of the right technologies, processes, and people. 
At RSA, we have developed a maturity model that we use as a communication tool with our prospects and clients to recommend changes and correlate them to stages of the maturity journey.

 



I very recently did a webcast that walks through this mapping of Public Sector use cases to steps in the maturity model in detail. I would encourage you to view that recording here if you’re interested in more information.


With the release of RSA Archer 6.1 we are making individual Public Sector use cases available that align to this maturity journey.  In this way, customers acquire just the right amount of technology to enable their IA program as they need it.  They are not biting off more than they can chew or over-purchasing functionality they may never use. The Public Sector use cases are as follows:
• Plan of Actions and Milestones (POA&M)
• Assessment and Authorization (A&A)
• Continuous Monitoring (CM)


We realize that FISMA and OMB compliance and risk management are not challenges that can be solved simply with technology. They are mission imperatives that must be addressed through a shift in focus, priority and culture within your organization, making risk management part of how everyone in your organization thinks and acts. By engaging everyone, you can eliminate operational inefficiency and achieve your most strategic growth objectives. That’s why our collective mission at RSA Archer is to “Inspire Everyone to Own Risk.”
To see how these use cases can enable the stakeholders in your organization to own risk, remember to watch the webcast or you can visit the Public Sector page for general information.  


Thanks for reading.
Email me with comments or questions.
Chris Hoover

 

 


We are pleased to announce the return of 'Community Selects.' Beginning Tuesday, July 5 and running through Tuesday, July 19, you and your GRC peers will be able to 'voice your choice' from the Archer Track submissions described here. The session with the most votes in each Track will automatically be a Community Selects presentation and be included in the RSA Charge 2016 Agenda.

 

The sessions for the 'Community Selects' are only a small subset of the speaking proposals we received; all the other submitted proposals are still under consideration by the Program Committee; notifications will be emailed soon to those garnering a spot on this year's presentation Agenda.

 

So let your voice be heard - this is your chance to 'vote your choice' and have a say in this year's RSA Charge 2016 Agenda for Archer. To vote, simply click on the Proposal Abstracts listed on this link and cast your vote. Remember, one vote per abstract!

In my last blog I discussed the benefits of the new RSA Archer 6.1 release, aligning an organization’s Operational Risk Management program maturity with the RSA Archer technology to support it.  This holds true for third party governance too.

 

Financial Services organizations are heavily regulated to have a comprehensive third party governance program in place (See OCC Bulletin 2013-29 for example).  Outside of the financial services industry, the regulatory obligations are less pervasive but many business drivers for third party governance are still present:

 

• 42% of companies now describe themselves as highly vulnerable to vendor, supplier, or procurement fraud – (source: Kroll Global Fraud Survey)

• 85% of companies reported suffering at least one supply chain disruption – (source: Zurich Financial Survey)

• 90% of all Foreign Corrupt Practices Act (FCPA) cases involved third-party intermediaries – (source: Corporate Executive Board)

• 76% of data breaches analyzed by TrustWave resulted from a third-party which introduced the security deficiencies that were ultimately exploited – (source: Trustwave Global Security Report)

 

Some organizations may be concerned about supply chain interruption and quality while others may worry about third party corruption or information security.  These organizations are not prepared, do not have the resources, or do not even desire to have a third party governance program that addresses all potential third party problems at one time.  They have immediate, pressing concerns with their third parties that they want to address, and then they want to grow their governance program over time.  These organizations’ third party governance programs are maturing consistent with their own priorities.

 

This is where RSA Archer 6.1 comes in.  With the release of RSA Archer 6.1 we are making individual Third Party Governance use cases available that align to an organization’s maturity journey.  No longer do organizations have to purchase an entire product suite to address the problem.  They only need to spend resources on the technology that is relevant to their program.  This also removes much of the complexity inherent in implementing broad product suites. Organizations on the other end of the maturity spectrum can put together all of the RSA Archer 6.1 use cases into a broad third party governance program and even interconnect it with their Enterprise and Operational Risk Management programs.

 

RSA Archer 6.1 enables organizations to better take command of their journey, empowering organizations to incrementally build their Third Party Governance program as it matures.  The Third Party Governance-related activities (or use cases) we typically see implemented as organizations build their third party governance program are as follows:

 

Issues Management is a core foundational use case to document audit issues and issues identified by management and external parties.  It captures issues that may be identified in the process of third party governance or via other Archer use case implementations.  From this foundation, the following use cases are often enabled.  The exact sequence of the following use cases will depend on your business priorities and resources.

 

Business Impact Analysis is a foundational package for the Third Party Governance program and includes the Business Hierarchy to establish corporate structure and accountability for third party relationships; a business process catalog and a pre-built Business Impact Analysis to identify critical Business processes that are supported by third party relationships.

 

Third Party Catalog is used to document all of an organization’s third party relationships and associated contracts, and to document the named individuals in the organization that are responsible for the relationship.  With the Third Party Catalog you have a system of record for all of your third parties and their related business subsidiaries.

 

Third Party Engagement allows you to catalog all of the products and services being delivered by the third parties in your Third Party Catalog.  You have the capability to perform inherent risk assessments across multiple risk categories, and by associating the engagements with the Business Impact Analysis you have visibility into the critical third party products and services on which you rely.  The interconnection between the Third Party Catalog and Third Party Engagement allows you to obtain an overall aggregate risk profile of a third party across all of the products and services they deliver to your organization.

 

Third Party Risk Management provides a series of risk assessment questionnaires covering several risk categories (Compliance/Litigation, Financial, Information Security, Reputation, Resiliency, Strategic, Sustainability, and 4th party risk) that can be launched manually to a third party or launched based on the level of inherent risk of each assessed risk category.  Completed questionnaires are scored to derive residual risk of each risk category and supplemental documentation is captured and cataloged for evaluation.  Risk results are depicted for each engagement and are rolled-up across all engagements to depict risk of the third party across all of the engagements they are delivering.  Findings from the vendor engagement can be automatically captured and managed as exceptions or remediation plans can be established and monitored to resolution.

 

Third Party Governance brings together all of the use cases, adding a performance monitoring capability so that you can track the service level agreement (SLA) metrics you use to evaluate third party performance.  Scorecards can be staged to third parties to collect commitments to remediate performance.

 

We realize that risk management is not a challenge that can be solved simply with technology. It is a business imperative that must be addressed through a shift in focus, priority and culture within your organization, making risk management part of how everyone in your organization thinks and acts. By engaging all of the affected stakeholders in the third party governance process, you can eliminate administrative inefficiency, improve your understanding of third party risk and performance, and manage third party relationships consistent with your risk appetite and strategic growth objectives.

 

That’s why our collective mission at RSA Archer is to “Inspire Everyone to Own Risk.” That is our passion. That is our commitment.

We have all heard the adage that great things come in threes. Stooges. Pigs. Blind Mice. The list goes on and on. I am very pleased to announce another thrilling combination of three – Gartner Magic Quadrants. EMC (RSA) has been positioned in the Leaders quadrant in three Gartner Magic Quadrants: Operational Risk Management, IT Risk Management and IT Vendor Risk Management.


Today, every organization is facing risk from multiple angles.   The business must understand and respond to risks within operations on a daily basis.   Third parties, vendors, suppliers and a host of other participants in the business create a complex ecosystem that must be managed appropriately.  Finally, IT risks ranging from security to resiliency to technology strategy must be tackled for organizations to fully leverage the immense benefits of technology innovations to drive business growth.     The combination of these three vectors of risk produces a tremendous challenge as companies seek to exploit business opportunities while keeping risk in check.

 

We believe these reports highlight RSA Archer’s commitment to providing organizations with the most comprehensive solution to take command of their risk.  Through our partnerships with our customers and our continued execution towards the goal of inspiring everyone to own risk, we are honored to be recognized by Gartner as a Leader in these markets.

For more information, visit our special Gartner Magic Quadrant page.

We believe organizations today face more risks and changes than they are positioned to keep up with.  Business Continuity Management (BCM) or Business Resiliency (BR) programs are no different. These programs have existed for many years, yet most have not evolved to keep up with the magnitude or velocity of business changes, risks or compliance requirements their organizations face.

 

In order to truly mature from business recovery to driving true resiliency into their organizations, teams must collectively address risks and compliance with their governance, risk and compliance (GRC) programs.  They must take a coordinated, risk-based approach because siloed, BCM-only approaches are not sustainable.  Most BCM teams agree with this, but the most common question is, “where and how do we start?” 

 

The first step is to understand where your BCM program lies on the maturity spectrum versus where you should be.  The RSA Archer Maturity Model defines five stages as follows:

 


 

The Siloed stage – where many organizations sit today – relies on the constant fire-fighting mode of BCM teams.  The focus is mainly on compliance activities and reacting to basic risks, such that they cannot see beyond the immediate threats. BCM programs in the Siloed category are usually addressing risks and compliance by themselves.

 

In order to move from Siloed to the next phase, you need to Transition by taking “Compliance stress” off the table and solving regulatory needs in the most efficient and effective manner.  This requires building a cohesive strategy to deal with the basic requirements of doing business by:

 

  • Automating compliance processes and eliminating duplicative efforts and data siloes;
  • focusing on building effective processes such as the business impact analysis (BIA), incident management and recovery planning;
  • and collaborating across IT and business functions to establish connected strategies.

 

Once you free up resources from compliance activities you can start directing those resources to evaluate and respond to risks, which moves you into the Managed stage.  In the Managed stage, you have expanded your visibility into issues through a common data repository and analytical capabilities, defined and improving BCM processes, and efficient methods to measure, monitor and report on BCM activities.  Compliance and risk processes are in an operational state – repeatable, consistent and resulting in solid reporting of gaps or issues. Organizations in this state become aware of the various risks they are juggling and put in place individual plans to manage these risks within the context of a broader strategy. The organization understands the risks on its landscape. This progress is fueled more and more by visibility into risk through metrics and analysis capabilities.

 

In order to move from Managed to Advantaged, organizations need to Transform from recovery planning to driving business resiliency by connecting risk to business value, needs and activities, and moving beyond just managing risk to anticipating the business’ needs.  This allows the organization to stay ahead of emerging threats, and to design controls and plans to deal with the full variety of today’s threats while meeting business objectives - moving the program into the Advantaged stage.

 

In the Advantaged phase, organizations have anticipated and conquered the ‘negative’ risk landscape through prescriptive and pre-emptive measures and are poised to help the business explore the opportunity, or positive risk, landscape.  A good example is an organization that improved from an over 40-day process to perform risk assessments on new products and services to a six-day turnaround. This enabled business executives to evaluate new business opportunities (i.e., positive risks) more quickly.  This is what it means to manage risk at the pace of your business.

 

RSA Archer’s BR solutions enable organizations to automate much of their planning and execution, focus on addressing risks effectively and become a “business-enabler”.  Our latest Archer release, 6.1 in June 2016, enables organizations to implement individual use cases that help them move up the maturity spectrum.  Look for my next blog where I describe the use cases and how they can benefit your BR program as you advance toward business resiliency.

For those of you who don’t know me, I am Anya.  And, I have been part of the Archer team for almost 10 years.  Not only that, but I have also spent all of these 10 years being part of Archer support in various capacities.  Tenure like that is almost unheard of in this day and age, and some may think that I am a relic in my thinking, but I will tell you why I have done it.

 

My background was not in service.  Yet, when I joined the Archer team and began my journey in support, I was amazed at the focus the company put on customers and their satisfaction.  Of course, in support we focus on solving technical problems, but I believe it goes much further than that.  We, as a business, have always focused on making our customers successful.  And, that was always at the core of what we were doing.

 

For me, that has struck something that I have not been able to shake off or get bored with for this long of a time.  And, while that has always been the fabric of our being here, it has taken on a renewed life as we have formed a Total Customer Experience (TCE) forum to ensure that we don’t only preserve this approach, but instill it as a culture to each and every person who walks through our doors.

 

Focusing on customer experience is not limited to a particular team.  Of course our Professional Service teams try to ensure that customer satisfaction is maximized when planning and building out a project; of course our support engineers focus on solving the problems so that customers are more successful.  But customer experience begins before the first call to a vendor is made and is present throughout the lifecycle of the relationship.  It involves everything from our community and marketing materials, to our admin who is greeting people at the door of our office buildings. 

 

As part of our TCE forum, we are focusing on every interaction we have with our customers and examining all of our processes.  We are working to ensure that we are operating with customers’ goals and experience in mind.  As with anything, there are some quick wins and short-term opportunities, but there are also big things to work on over time.  This is definitely a journey.  But my hope is that it is a journey that we all take together and through it become even better partners and advocates of each other.

 

It has been my focus to ensure that we in support do everything possible to make our customers successful for almost 10 years now.  And now, I am so excited to spread that focus to the whole team.  If you have any thoughts or ideas to share about your experience (good or bad), opportunities for our focus, or ideas to consider – please do. 

 

Thank you!

 

An important benefit from our recent release of RSA Archer 6.1 is an alignment of organization maturity with the technology to support it. Building a mature IT and Security Risk Management program takes time and commitment.  It requires and is marked by a balance of the right technologies, processes, and people. 
The progression of an organization’s IT and Security Risk Management program maturity can be characterized in stages:

Siloed
Less-mature organizations are typically very reactive and compliance-oriented. They attack individual risks and compliance initiatives within an isolated strategy. Their strategy relies on the constant fire-fighting modes of their front line and functional employees.  Their focus is so much on compliance and tactical risks that they cannot see beyond the immediate. 
Organizations at this level have the basic capabilities to detect and remediate threats and defects and they can manage incidents, but their tools and processes are siloed. This leads to poor reporting and visibility and maximum pain and stress for the security admins. Another effect of this culture is that the organization is exposed to individual threats and defects for longer than necessary.

Managed
To move from the Siloed to the Managed stage of maturity, organizations need to focus on integration between tools and on using automation where possible to streamline assessments and compliance activities.  When tools and people are better integrated and share data more freely, visibility improves, new insights emerge, and those insights lead to better decision making.
Another hallmark of this stage of maturity is the transition from compliance-driven to risk-driven. Instead of prioritizing work based on which compliance activity is due (or overdue), decisions are made using meaningful security metrics (for example: what can I fix right now that is introducing the most risk?). For these reasons, the Managed stage of maturity is the point where processes become more repeatable, consistent, and less painful for the security team to perform.

Advantaged
To transform an organization's program from Managed to Advantaged, organizations need to manage known and unknown risk and identify new business opportunities.  They perform root cause analyses to prevent findings from recurring.  They also strive to roll business context into all risk decisions.  Lastly, the frequency of control assessments changes based on this business context, so the Advantaged organization has a risk view that is current and complete but does not overwhelm the staff.
An organization in this position is now ready to realize the competitive advantage of harnessing risk – beating competitors to market, launching new products and services with calculated efficiencies, avoiding those major issues that affect reputations and the bottom line.  Organizations in this phase focus on speaking “business language” instead of “risk language”. 



With the release of RSA Archer 6.1 we are making individual IT and Security Risk Management use cases available that align to this maturity journey.  
Because risk management programs mature through multiple stages over time, RSA Archer 6.1 aligns our solution use cases with that maturity journey.  In this way, customers acquire just the right amount of technology to enable their IT and Security Risk Management program as they need it.  They are not biting off more than they can chew or over-purchasing functionality they may never use. The IT and Security Risk Management-related activities (or use cases) we typically see implemented as organizations build their risk management program are as follows:

RSA Archer IT and Security Policy Program Management
provides the framework for establishing a scalable and flexible environment to manage corporate and regulatory policies and ensure alignment with compliance obligations. This includes documenting policies and standards, assigning ownership, and mapping policies to key business areas and objectives. Out-of-the-box content includes the most current security frameworks and control catalogs, such as the ISO 27000 series, COBIT 5, NIST 800 series, and PCI-DSS.

RSA Archer IT Controls Assurance
provides the ability to assess and report on the performance of controls across all IT assets and automate control assessment and monitoring.

RSA Archer IT Security Vulnerabilities Program
offers security teams a big data approach to identifying and prioritizing high-risk threats. It lets teams proactively manage IT security risks by combining asset business context, actionable threat intelligence, vulnerability assessment results, and comprehensive workflows in one place. IT assets can be cataloged with a full business context overlay to prioritize scanning and response. The consolidated research platform for vulnerability management enables centralized tracking and remediation of related issues.

RSA Archer IT Risk Management
enables you to comprehensively catalog organizational hierarchies and IT assets to ensure all business critical connections are documented and understood in the proper context of IT risk management. This use case forms the basis for completeness when populating the included Risk Register with all relevant IT risks. Pre-built IT risk assessments, threat assessment methodology, and IT control repository enable you to document and assess IT controls.

RSA Archer PCI Management
enables organizations to streamline the compliance process, simplify stakeholder participation, and reduce overall compliance effort and cost. It allows organizations to jumpstart a PCI compliance program by conducting continuous assessments and providing visibility to manage and mitigate risk. PCI Management guides merchants through the completion of relevant self-assessment questionnaires (SAQs). It also provides packaging and export of compliance program results and attestation articles in a properly formatted PCI Report on Compliance (ROC) for easy submission and review.

RSA Archer Security Incident Management
enables you to address security alerts through managed processes designed to effectively escalate, investigate, and resolve security incidents. Organizational and IT assets can be centrally cataloged with a full business context overlay to drive appropriate prioritization of security events. Built-in workflows streamline the process and enable teams to work effectively through their defined incident response and triage procedures. Any issues related to incident investigations can be tracked and managed in a centralized portal to enable full visibility and reporting.

RSA Archer Security Operations and Breach Management
enables you to centrally catalog organizational and IT assets, to establish a full business context overlay to drive incident prioritization.  Built-in workflows and reporting for security incidents enable security managers to stay on top of the most pressing issues. Best practices and procedures for incident handling help security analysts effectively and efficiently triage alerts. Any issues related to incident investigations can be tracked and managed in a centralized portal, enabling full visibility and reporting. Finally, the security operations manager can effectively monitor key performance indicators, measure control efficacy, and manage the overall SOC team.

RSA Archer IT Regulatory Management
provides organizations with the necessary tools and capabilities to document external regulatory obligations. Organizations can establish a systematic review and approval process for tracking changes to regulatory obligations, understand the business impact, and prioritize a response.

RSA Archer Information Security Management System (ISMS)
allows you to quickly scope your information security management system (ISMS) and document your Statement of Applicability for reporting and certification. You can also catalog individual resources related to your ISMS, including information assets, applications, business processes, devices, and facilities, and document and maintain related policies, standards, and risks. This centralized view of your ISMS makes it easier to understand asset relationships and manage changes to the infrastructure. Issues identified during assessments can be centrally tracked to ensure that remediation efforts for gaps are consistently documented, monitored, and effectively addressed.
 
The RSA Archer IT and Security Risk Management solution pulls together all of the use cases mentioned above, enabling greater business context, greater cohesion between the elements of the program, and better visibility.

We realize that risk management is not a challenge that can be solved simply with technology. It is a business imperative that must be addressed through a shift in focus, priority and culture within your organization, making risk management part of how everyone in your organization thinks and acts. By engaging everyone in IT security and risk processes, you can eliminate operational inefficiency and achieve your most strategic growth objectives. That’s why our collective mission at RSA Archer is to “Inspire Everyone to Own Risk.”

 

For more information about RSA Archer IT&SRM, click here.

 

Thanks for reading.
Email me with comments or questions.

RSA Archer is very excited to be recognized by Gartner once again as a Leader in the 2016 Magic Quadrant for IT Risk Management! Of the nearly a dozen vendors evaluated, RSA was cited as the vendor with the highest rating for "Ability to Execute".  According to Gartner, "RSA Archer's fulfillment of critical needs, customer understanding, and insight into primary buyer identification are among the best-observed in the market."

 

This exciting accomplishment comes on the heels of similar leadership positions announced in the IT Vendor Risk and Operational Risk Management Magic Quadrants earlier this year. Together they reflect the market-leading ability Archer's customers have to manage business and IT operational risk programs effectively and accomplish their goals.

 

2016 itrm mq.png

We're doubly excited for this announcement as it actually reflects an evaluation of a prior version of Archer (v5.5.3). And today our current v6.1 takes Archer's core capabilities several levels further!

 

We also offer a sincere thank you to our customers for sharing their valuable insights and experiences with Gartner directly. It isn't difficult to find vendors in any market preaching the importance of their customers whether they practice that or not. However, here at RSA Archer our customers really do define our success, and our large community of active users is at the heart of how we drive the product forward. Gartner specifically recognized us for actively gathering and considering customer input in our strategy and design decisions. Our redesigned user interface and new pricing model are just two examples of the transformational product outputs our customers have helped inspire.

 

Whether you're new to GRC or managing a successful program already, I encourage you to review Gartner's full report. It contains many valuable market insights and important elements to consider throughout all stages of GRC program maturity. And we are standing by to engage with you and answer any questions you have as we continue our mission to inspire everyone to own risk. And if you haven't already, be sure to register for 2016 RSA Charge, October 25-27 in New Orleans. This year promises to be the biggest event ever! Hope to see you there and best wishes!

 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from EMC RSA. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

In part I of this blog, I described the typical maturity progression of an Operational Risk Management Program.

 

Because risk management programs mature through multiple stages over time, RSA Archer 6.1 aligns our solution use cases with that maturity journey.  In this way, customers acquire just the right amount of technology to enable their Operational Risk Management program as they need it.  They are not biting off more than they can chew or over-purchasing functionality they may never use.

 

RSA Archer 6.1 enables organizations to better take command of their GRC Journey, empowering organizations to incrementally build their Operational Risk Management program as it matures.  The Operational Risk Management-related activities (or use cases) we typically see implemented as organizations build their risk management program are as follows:

 

Issues Management is a core foundational use case to document and manage audit issues and issues identified by management and external parties.  It captures issues that may arise through the implementation of other use cases.  From this foundation, the following use cases are often enabled.  The exact sequence of the following use cases depends on your business priorities and resources.

 

Risk Catalog is also a foundational use case, for organizations that only want a central location to document their risks, typically moving from an Excel or SharePoint based approach.  With Risk Catalog you get a place to document your organization’s risks and roll granular risk statements up to intermediate and enterprise risk statements.  You also get basic qualitative risk assessment.  You do not get several elements of a more robust risk register that provide greater business context through association with business processes, internal controls, and other risk treatments.

 

Top-Down Risk Assessment gives you the capability to catalog and associate your business processes, risks, and controls to better understand business activities and the internal control framework.  You can assess the inherent and residual risk of each risk register record using qualitative and monetary values across multiple risk categories.  Furthermore, risk register records can be aggregated and rolled up to intermediate and enterprise risk statements, and reporting lets you drill through records to understand the business context and drivers of risk.
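To make the mechanics of the Risk Catalog and Top-Down Risk Assessment descriptions concrete (inherent versus residual scoring, qualitative and monetary values per category, and the roll-up from granular records to intermediate and enterprise statements), here is an added, self-contained Python example. It is not RSA Archer code and does not reproduce Archer's scoring rules; the 5x5 scale, the five level names, the treatment of controls as independent layers, the "worst child per category, summed money" roll-up, and all risk statements, figures and control names are constructed assumptions for illustration.

```python
"""Illustrative risk register: inherent/residual scoring and roll-up.

Added example, not RSA Archer code. Assumed conventions: 5x5 likelihood x
impact scale bucketed into five levels; controls act as independent layers;
roll-up takes the worst child per category and sums monetary exposure.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

def score_to_level(score: float) -> str:
    """Bucket a 1..25 likelihood x impact product onto the five-level scale."""
    for cutoff, level in zip((4, 8, 12, 16), LEVELS):
        if score <= cutoff:
            return level
    return LEVELS[4]

@dataclass
class Control:
    name: str
    effectiveness: float  # 0.0 = no mitigation, 1.0 = fully mitigates (assumed scale)

@dataclass
class Risk:
    id: str
    statement: str
    parent: Optional[str] = None   # None marks an enterprise-level statement
    process: Optional[str] = None  # business process the granular risk belongs to
    inherent: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # category -> (likelihood, impact)
    exposure: float = 0.0          # inherent annualised monetary exposure
    controls: List[Control] = field(default_factory=list)

def combined_effectiveness(controls: List[Control]) -> float:
    """Independent layers: what gets through is the product of each control's gap."""
    passthrough = 1.0
    for c in controls:
        passthrough *= 1.0 - c.effectiveness
    return 1.0 - passthrough

def assess(risk: Risk) -> Tuple[Dict[str, float], Dict[str, float], float, float]:
    """Per-category inherent and residual scores, plus inherent and residual exposure."""
    eff = combined_effectiveness(risk.controls)
    inherent = {cat: lik * imp for cat, (lik, imp) in risk.inherent.items()}
    residual = {cat: max(1.0, s * (1.0 - eff)) for cat, s in inherent.items()}
    return inherent, residual, risk.exposure, risk.exposure * (1.0 - eff)

def roll_up(register: List[Risk]) -> Dict[str, dict]:
    """Aggregate granular records through intermediate to enterprise statements."""
    by_id = {r.id: r for r in register}
    children: Dict[Optional[str], List[str]] = {}
    for r in register:
        children.setdefault(r.parent, []).append(r.id)
    out: Dict[str, dict] = {}

    def agg(rid: str):
        kids = children.get(rid, [])
        if not kids:                      # leaf: a granular register record
            inh, res, exp_i, exp_r = assess(by_id[rid])
        else:                             # parent: worst child per category, summed money
            inh, res, exp_i, exp_r = {}, {}, 0.0, 0.0
            for kid in kids:
                k_inh, k_res, k_ei, k_er = agg(kid)
                for cat, s in k_inh.items():
                    inh[cat] = max(inh.get(cat, 0.0), s)
                for cat, s in k_res.items():
                    res[cat] = max(res.get(cat, 0.0), s)
                exp_i, exp_r = exp_i + k_ei, exp_r + k_er
        out[rid] = {"inherent": {c: score_to_level(s) for c, s in inh.items()},
                    "residual": {c: score_to_level(s) for c, s in res.items()},
                    "inherent_exposure": exp_i, "residual_exposure": exp_r}
        return inh, res, exp_i, exp_r

    for root in children.get(None, []):
        agg(root)
    return out

def sample_register() -> List[Risk]:
    """Constructed three-level register: enterprise -> intermediate -> granular."""
    return [
        Risk("ENT-1", "Loss or exposure of customer data"),
        Risk("INT-1", "Unauthorised access to production systems", parent="ENT-1"),
        Risk("R-1", "Privileged accounts not removed when staff leave", parent="INT-1",
             process="Joiner/mover/leaver", exposure=2_000_000,
             inherent={"Financial": (4, 4), "Reputation": (3, 5)},
             controls=[Control("Quarterly access review", 0.5), Control("MFA on admin accounts", 0.4)]),
        Risk("R-2", "Internet-facing app missing critical patches", parent="INT-1",
             process="Patch management", exposure=500_000,
             inherent={"Financial": (3, 3), "Compliance": (4, 3)},
             controls=[Control("Monthly patch cycle", 0.5)]),
    ]

if __name__ == "__main__":
    for rid, view in roll_up(sample_register()).items():
        print(rid, view["inherent"], "->", view["residual"],
              f"{view['inherent_exposure']:,.0f} -> {view['residual_exposure']:,.0f}")
```

Two design points worth noticing. A qualitative roll-up has to pick an aggregation rule, and "worst child wins" is the conservative one: the enterprise statement reports High for Financial because one granular record is High, even though the other is Moderate. Monetary exposure, by contrast, is additive, so the enterprise view sums 2.5 million inherent and 850 thousand residual. Keeping raw scores in the recursion and only converting to level names at the end avoids the rounding error you would get by rolling up the bucketed labels.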

Loss Event Management gives you a means to capture internal losses, near misses, and relevant external loss events; perform root cause analysis; execute workflow to communicate, analyze, and approve losses; calibrate external loss events; and produce numerous relevant loss reports.

 

Key Indicator Management allows you to document key risk, control, performance, and business indicators.  Indicator values can be collected from source systems or via manual input from data owners.  In either case, you can verify that all data is collected in a timely manner and that missing data and indicators outside acceptable limits are communicated and addressed appropriately and promptly.

 

Bottom-Up Risk Assessment lets you perform consistent risk assessments on projects and activities such as new and changing business processes, products and services, M&As, and fraud incidents. Questionnaires can be created and reused to ensure all items in scope are considered consistently.

 

The Operational Risk Management use case pulls all of these other use cases together to enable greater business context and introduces a purpose-built solution to initiate and manage self-assessments. Three different kinds of assessments can be automatically created (Control Self-Assessments (CSAs), Risk and Control Self-Assessments (RCSAs), and Process, Risk, and Control Self-Assessments (pRCSAs)) and distributed to the first line of defense (business unit managers) for completion through an intuitive interface.  The overall status of the assessment campaign can be monitored by the second line of defense, and when assessments are completed they are routed to the designated second-line reviewers to review, challenge, and reroute if needed.  At the completion of the assessment campaign, when all assessments have been approved by the second line of defense, the results are automatically updated to the risk and control registers.  Lastly, the Operational Risk Management use case provides a means to document and manage your organization’s insurance program and understand which risks are being transferred and whether the coverage is adequate.

 

By integrating adjacent use cases available from RSA Archer, you can create an enterprise view of risk.

 

OpsRisk 6.1 Use Cases vs Maturity.JPG

 

We realize that risk management is not a challenge that can be solved simply with technology. It is a business imperative that must be addressed through a shift in focus, priority and culture within your organization, making risk management part of how everyone in your organization thinks and acts. By engaging everyone in the risk process, you can eliminate operational inefficiency and achieve your most strategic growth objectives. That’s why our collective mission at RSA Archer is to “Inspire Everyone to Own Risk.” That is our passion. That is our commitment.

An important benefit from our release of RSA Archer 6.1 this week is an alignment of organization maturity with the technology to support it.

 

Building a good Operational Risk Management program takes time.  It requires a commitment from executive management to make it happen, human resources to administer the program, capital to acquire necessary technology, and a culture of engagement from the affected stakeholders.  Some heavily regulated organizations may mature their programs more quickly to satisfy regulatory demands while others are driven to respond to a big loss, incident in the news, or by best practices around strategy and enterprise risk management.

 

The progression of an organization’s Operational Risk Management program maturity can be characterized in stages:

 

Compliance

Organizations just starting a program are typically very compliance-oriented, attacking individual risks and compliance initiatives within an isolated strategy. Their strategy relies on the constant fire-fighting modes of their front line and functional employees.  Their focus is so much on compliance and tactical risks that they cannot see beyond the immediate.  They are hunkered down in the trenches, too scared to move forward or relying on old-fashioned approaches that may get the job done but will never keep pace with today’s market.  These organizations need to take “Compliance” off the table and solve the regulatory and industry needs in a more efficient and effective manner.  This requires automating compliance and building a cohesive strategy to deal with the ‘basic requirements’ of doing business.

 

Managed

In order to transition from a Compliance focus to a Managed stage of maturity, organizations need to reduce compliance costs through automation and reallocate budgets to gain resources and risk visibility.  Organizations in the Risk Managed stage have solved (or are considerably on their way to solving) the ‘advanced requirements’ of Compliance.   They have common policies, standards and controls, an effective control infrastructure and efficient methods to measure, monitor and report on their compliance state.  Organizations in this stage need to become aware of the various risks they are juggling and put in individual plans to manage these risks within the context of a broader strategy. Organizations need to understand the risks in their landscape and be navigating (or at least identifying changes) to avoid major issues.   This progress is being fueled more and more by visibility into risk through metrics and analysis capabilities.

 

Advantaged

To transform an organization's program from Risk Managed to Opportunity Advantaged, organizations need to manage known and unknown risk and identify new business opportunities.  The Opportunity Advantaged organization has mapped out and conquered the risk landscape and is poised to explore the opportunity landscape.  These organizations are now ready to realize the competitive advantage of harnessing risk – beating competitors to market, launching new products and services with calculated efficiencies, avoiding those major issues that affect reputations and the bottom line.  Organizations in this phase focus on speaking “business language” instead of “risk language”.  They are able to identify and respond to emerging risks ahead of the curve – using common taxonomies, common approaches, finely-tuned decision making processes and, most importantly, DATA to support their conclusions.

 

Take Command of Your Journey.JPG

 

With the release of RSA Archer 6.1 we are making individual Operational Risk Management use cases available that align to this maturity journey.  Please look for The Operational Risk Management Journey (part II) to learn how you can take advantage of this new approach.

RSA Archer GRC 6 (6.0) was launched in November 2015 under the theme “Inspire Everyone to Own Risk.”  GRC 6 focused on providing organizations with an industry leading GRC platform to transform risk management by engaging everyone within an organization in the risk process. Today, organizations must implement the “three lines of defense,” making risk part of corporate culture at every level, in every role. The enhanced user experience, advanced workflow and task-driven dashboards introduced with GRC 6 allow business users to quickly and easily understand and complete their assigned risk-related tasks using a centralized platform.

 

I am very pleased to announce the launch of RSA Archer GRC 6.1.  This release takes the theme of “Inspire Everyone to Own Risk” to the next level. Through the implementation of integrated use cases, GRC 6.1 enables organizations of all sizes, regardless of the level of maturity in their GRC program, to implement RSA’s enterprise-class GRC platform. While the journey to risk and compliance maturity varies by organization, RSA Archer’s use case approach, newly implemented in GRC 6.1, nurtures successful risk and compliance programs by enabling customers to start small, seek quick wins, and plot a long-term risk and compliance strategy based on their organization’s objectives.

 

Key highlights of this release:

Our solution areas – Audit Management, Business Resiliency, IT & Security Risk Management, Enterprise & Operational Risk Management, Regulatory & Corporate Compliance Management, Third Party Governance, and Public Sector Solutions – now comprise individual use cases designed to solve specific risk and compliance needs. We have implemented a maturity-driven use case approach to help organizations of all sizes and business needs realize their risk management strategies:

RSA Archer Solutions - transparent.png


  • Foundation use cases provide a starting point for organizations that are just beginning their GRC journey. These use cases enable organizations to move away from spreadsheets to gain efficiency, accountability and visibility in managing issues and risks.
  • Managed use cases provide organizations that have more mature GRC programs the ability to connect processes to collaborate across several risk functions within the business, integrate multiple data sources, and focus on building repeatable, consistent processes that bring consolidated risk visibility to the organization.
  • Advantaged use cases transform risk into a competitive advantage for the organization. These use cases allow your program to connect risks to business objectives, enabling an open dialog and the visibility necessary to move beyond managing risk to anticipating the business’ needs.

 

All RSA Archer solutions and use cases have undergone updates with the new user interface and features of GRC 6.1. In addition, we’re introducing enhanced functionality for:

  • Business Impact Analysis – a Foundation use case that offers robust assessments allowing business process owners to understand the criticality of their processes based on seven impact categories: financial, compliance, data integrity, data confidentiality, strategic, reputation, and operational.
  • Issues Management – a Foundation use case that engages control owners to own risks and issues related to their business domains. Control owners can manage findings, remediation plans and handle exception requests in one central location, and use Advanced Workflow capabilities to route issues to the right team.
  • Operational Risk Management – an Advantaged use case for the RSA Archer Enterprise & Operational Risk Management solution, it now offers additional assessment targets to allow a risk manager to initiate Control Self-Assessment (CSA), Risk and Control Self-Assessment (RCSA) or Process, Risk and Control Self-Assessment (pRCSA) campaigns focused on business process, business unit, or product/service.
  • Information Security Management System (ISMS) – a use case designed specifically to manage the ISO/IEC 27001/27002 certification process for organizations implementing the internationally recognized information security standard.

 

A company’s success hinges on its ability to drive growth across the business.  With growth comes risk.  Every growth strategy depends on leveraging today’s constantly shifting technology landscape, intrinsically linking cyber and business risk.  RSA Archer, as a recognized leader in both operational and IT risk, enables effective risk management practices that address cyber risk and business risk on equal terms and provide a consolidated view of risk to executives and practitioners.   Built on a common, centralized RSA Archer GRC Platform, RSA Archer GRC 6.1 enables all organizations to own risk with a broad offering of use cases based on risk type -- cyber risk, operational risk, regulatory compliance, business resiliency, third party governance, and audit -- as well as the level of maturity of the organization’s GRC efforts.

 

We have created a host of resources to learn more about this release.  To start, watch our Solution videos to get more information on the RSA Archer Suite of GRC solutions.   For customers and partners, the best place to start is the “Everything 6.1” page on RSA Link.   From videos to white papers to data sheets, this page is a launching point for you to investigate everything that RSA Archer 6.1 offers.  In addition, we have several upcoming webcasts and Tech Huddles highlighting new use cases and features.