
In a prior blog, I talked about Internal Audit's (IA) need for independence and the balance to working with other Governance, Risk and Compliance (GRC) functions. In this new world, IA is no longer the only oversight function in an organization, and IA’s need for independence sometimes runs up against the requirement (per IIA Standard 2100) to coordinate activities of and communicate GRC information among the board, external and internal auditors, and management.

 

For example, two primary areas of concern to IA are the understanding of risks and testing of controls. Examples of other oversight functions monitoring and testing controls, in addition to IA, include internal control and compliance organizations.  In addition to these internal control groups is the expansion of risk management functions, including enterprise risk management (ERM) and operations risk management (ORM).  IA was historically the source of broad risk evaluation while other risk groups, such as credit and fraud, focused on their specialized areas of risk.  However, similar to control oversight, risk oversight functions have also expanded, adding to the robustness of risk information but also to the confusion over coverage, scope, approaches and priorities. This hasn’t been an easy transition, with separate organizations, varying approaches and levels of maturity, different toolsets, and sometimes competing priorities.

 

A question in the minds of many IA groups has been, “what functions should IA perform versus what should other oversight groups do”? Gartner raises this dilemma in their September 13, 2013 research entitled, “How to Differentiate and Align the Roles of Security and Internal Audit”, stating that there is confusion regarding the potential overlap between the roles of information security and IA, which leads to conflict and dysfunctional information risk management.

 

In this equation, there is a related question that IA must ask, which is, “how can and should we leverage other GRC functions to help accomplish our mission more effectively and efficiently”? This has become a necessity in this day of cost cutting and having to prove ongoing worth to the organization.  This can be a positive factor as IA strives to expand their reach and influence without increasing staff count.  Two areas where IA usually struggles with coverage and efficacy are dynamic risk assessment and continuous controls monitoring.  For example, IA typically performs their audit universe risk assessment once per year, but the company and its risks continue to evolve, sometimes unbeknownst to IA.  IA needs a better way to be alerted to changing risks and then adjust their audit plans to best use their resources in performing audit engagements against the highest risk areas.  By working with an ORM or ERM function, IA can leverage their ongoing risk identification, measurement and monitoring activities to determine which risks they need to respond to by adjusting their audit plans.  Another resource IA can leverage is compliance groups who may have control monitoring measures in place that IA can rely on to ensure key controls are evaluated and continue to function effectively on an ongoing basis.  Control failures found by internal controls groups may also alert IA to where they need to focus more attention.  Regardless of an organization’s ability or readiness, the conversation has evolved to the point that IA and GRC will have to learn to work together to stay competitive, achieve their objectives, reduce costs and maximize results.

 

Alongside the need for independence is a competing priority for IA to be a “partner” with management.  As directed by IIA standards, IA reports to the board of directors and senior management.  Contrast this with the Standards’ definition quoted earlier: “Internal auditing is an independent, objective assurance and consulting activity…”  The challenge for IA groups is how to strike the right balance between independence and partnership.

 

The formalization of GRC as an operating framework has begun to force the discussion around how IA and other oversight functions can work together toward common goals, and has increased the opportunities for IA to partner with management.  The GRC Reference Architecture represents the alignment of organizational elements and processes under a GRC framework.  The framework unifies the functional and topical elements of GRC with some tangible end results.  By aligning approaches, programs, resources and efforts of interrelated GRC processes, this can result in improvements in visibility, efficiency, accountability and collaboration, which are needed to optimize business outcomes.   (See white paper on the RSA Archer GRC Architecture for more information.)

 

To illustrate, a prominent U.S. based insurance company was starting up a new IA function, “insourcing” the function after having used an external audit firm for several years.  After staffing the IA function, one of the first steps was to align their risk methodologies and approaches with the company’s ORM function. During the process, some areas of their methodologies and approaches were modified with input from IA. This proved beneficial by having agreed upon approaches for identifying and evaluating risks and impacts; aligning resources to perform further analysis and related audit procedures; better communication and agreement on findings that resulted from ORM analysis and IA testing procedures; and resulting remediation activities.  IA felt they could better rely on the ORM group and vice versa.

 

Alignment of these varied GRC functions, processes, approaches, methodologies, goals, objectives, programs and resources takes many forms. This could include adopting similar risk assessment approaches and methodologies, or combining control testing. Alignment is an important activity as its benefits include better resource utilization, improved coverage of risks and controls, and other synergies.  Another important step in alignment includes identifying and assessing the differences and challenges between the aligning functions. The next installment of this blog series will talk about the growing pains of alignment.

I was very excited about the release of RSA Archer’s enhanced mobile capabilities last week. This is a huge step toward unlocking the potential of RSA Archer in today’s distributed, mobile workplace. Here’s a brief rundown on this latest RSA Archer Platform feature and some tips for how to take full advantage of it.

 

What is it?
RSA Archer GRC Mobile combines a new mobile application with Archer platform enhancements to enable you to easily leverage assessments and content from any Archer Solution remotely on your iOS mobile device.

 

What can you do with it?
RSA Archer GRC Mobile allows you to perform any kind of assessment against a defined target in Archer. This simple concept can drastically transform time-consuming operational chores into efficient, value-added processes that significantly reduce overhead and cost. Here are just a few customer examples already in play.

 

Facility Assessments
One of our large customers with thousands of locations around the world is currently piloting a program to complete weekly onsite facility assessments using Archer Mobile. Since Internet connectivity is nonexistent in most of their locations, it’s impossible to log into Archer directly to do the assessments. So they have been limited to performing them using the original word processor (paper & pen) and then manually re-entering the results later. Talk about painful!

 

With Archer’s new GRC Mobile app local managers and their teams can actually walk around their locations completing the assessments in real-time, as well as capture additional details and evidence on the spot. What happens if they get interrupted by a priority like overseeing a loading dock delivery? No problem, they can simply pick up later where they left off and sync the rest of the results when they’re done.

 


Not only does this new mobile approach yield efficiency gains it also establishes a stronger gated process to improve data integrity. Since the assessment forms are pre-configured, managers can more easily delegate the completion of certain sections to staff members without the need for direct interaction or supervision. Paper pushing and duplicate efforts are eliminated. Everyone wins.

 

Compliance Evaluations
A transportation customer anticipates Archer Mobile will drastically improve the speed and reliability of aircraft safety audits performed around the world. Their planes can’t operate without a current inspection and every minute an otherwise perfectly good aircraft sits on the ground costs the airline money. The inspection interval varies depending on the type of aircraft, duty roster, maintenance schedule, etc. Imagine trying to coordinate this for an entire fleet of planes and inspectors globally!

 

With Archer’s new mobile capabilities global safety inspectors can centralize the inspection effort while working in their local language. Since they’re able to easily capture notes and attach images as evidence on the spot as part of the documentation, they reduce downtime required to collate and submit responses. Planes are cleared for service operations faster so they can spend more time in the air earning revenue. Plus the increased operational efficiency and reduced administrative overhead translates to direct cost savings.

 

Onsite Audits
A large financial services client plans to leverage Archer Mobile to support internal audit activities such as capturing self-assessment results and reducing the paper trail for audit evidence. Auditors can guide business owners and team members through completing the assessments in person while onsite rather than having to chase them down remotely afterward. The ability to aggregate evidence into a single system of record more quickly means less time in the field and less follow up required. Reducing the administrative overhead for audits means they can be wrapped up faster and with less hassle which benefits everyone involved.

 

How does it work?
The RSA Archer GRC Mobile application is available for download from the Apple iTunes store. Mobile capabilities can be enabled on any Archer Platform instance v5.4 SP1 or later once a separate mobile license has been applied. Both are free. In terms of platform changes you’ll see new layout options to support mobile versions of questionnaires. The original layout builder has been renamed “Web Layout” and a new “Mobile Layout” tab appears when you check the option to make your questionnaire “Mobile Ready.”

 

You can drag and include many field types onto the mobile layout. Since the mobile assessments are content-driven they can be developed and displayed in any language on the mobile app. Security features include encryption, access control, secure wipe and more.

 

What should you do next?
Explore! The examples above are the tip of the iceberg for how RSA Archer’s new mobile capabilities can quickly make a difference in a company’s operations. The potential for additional creative implementations is much broader. Remember, Archer Mobile is really just an extensible front end to the Archer Questionnaire feature, which itself possesses many of the same capabilities as a full-blown Archer application. So there’s plenty of latitude to adapt it to non-traditional and even esoteric use cases.

 

Additional resources are available if you’re interested in learning more about RSA Archer GRC Mobile. An overview is posted on the RSA Link ArcherGRC Community as well as the Platform 5.4 SP1 documentation that provides detailed information about how to enable these mobile capabilities for your instance. Check it out and let us know how you are planning to take your GRC program mobile!

Describing to a lay person how a “hack” happens is not an easy discussion.   Like many of you, I have fielded over the years multitudes of inquiries from friends and family when something big hits the news.  Since I am the “security guy”, I have to explain how a big company could be hacked and so many personal records be stolen.   At some point in the conversation – after phishing, malware, software vulnerabilities and exploits have glazed over their eyes - I turn on the “analogy” machine and simply talk about ninjas breaking into castles through an open window, absconding with the crown jewels and the night guard noticing the broken lock on the treasury’s door.  Then I tell them “update your virus software, don’t click on ANYTHING in an email, unplug your router, forget the Internet and go back to pen, paper, manual checkbooks and weekly visits to the bank to take out ONLY the money you will need for that week.”  Seriously though, the news events are no joking matter.  Like I said in my first blog in this series, these hacks are not victimless crimes.

 

It is hard to describe to the lay person, even a tech savvy one, about today’s threats and the bad guys.   Even IT people have trouble grasping some of the security issues that are challenging today’s security organizations.

1)   The flood of events and alerts security teams must look at is tremendous.  In addition to perimeter and signature-based security systems, to protect against today’s advanced threats you need network and host visibility.  You add all of that up and the security team has to deal with millions of events to try to find the alerts that actually mean something.  Too much data is flowing at them - creating noise that hides real attacks.

2)   Alerts start piling up and the incident response team, since they don’t yet know the business impact of these alerts, end up firefighting incident after incident.  The latest alert gets the most attention but it might not represent a true threat.

3)   The old ‘incident response team’ is not going to cut it against today’s adversary. A successful strategy to defend against today’s threats requires more than just ad-hoc analysts putting out fires.  Companies need skilled resources such as Level 1 and Level 2 analysts, threat analysts and security response managers working in a defined framework.

Because of the flood of alerts, the lack of context and the constant firefighting, the security team has a tremendous challenge to understand the business risk. Without the proper context around these alerts and incidents, the security team can end up chasing the wrong issues or miss the big issues simply as they struggle to keep up.   The organization then is at greater risk because the team cannot prioritize security threats.

 

So the people on the front line of this battle have a lot on their shoulders.   Not only is there a tremendous technical challenge, they are also faced with satisfying some critical people within the organization.  First, the CISO wants to know is this process performing the way it should be and if there are any major disasters brewing.  Next, other Risk and Compliance functions want to know where IT security risks fall into the big picture and if there are any possible compliance issues.  And finally, the business wants assurance that the most precious assets are protected.

 

Where to start?

 

This is such a recurring theme that I feel that I should just post one statement and then link every blog I write to it but I will say it again.   It has to start with understanding assets.   The more a security team understands the assets involved in a possible threat event, the more appropriate the response will be. Too often the security operations teams are disconnected from processes that identify critical business assets such as business continuity impact analyses and core compliance initiatives.  Those lists of mission critical systems and repositories of regulatory or confidential data have to get into the hands of the people looking at that flood of security alerts.

 

This asset understanding is only one dimension though to solving the priority problem.  Business context (what the asset means in business terms) must be coupled with threat intelligence (what the possible attack means) to determine the priority and focus security resources on the right issues.  This is what will turn an alert from ‘failed logins on 10.1.1.1’ to ‘automated attack on production database storing customer information’ or ‘malware on a laptop’ to ‘malware that can be used to launch leapfrog attacks to critical systems on a system admin’s laptop’.   The priority of security alerts depends on multiple factors and these dimensions must be quickly given to the security analyst to triage the alert properly.
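The two preceding paragraphs describe a join: an asset inventory carrying business context (criticality, regulated data, who uses the machine) and a threat-intelligence table carrying what an indicator can do are both attached to each raw alert before anyone triages it. The following is an added example of that join, not code from this post or from RSA Archer. The asset records, the threat-intelligence entries (including the malware family name), the scoring weights and the sample alerts are all constructed for the demo; the weights are illustrative assumptions, not a published scheme.

```python
"""Alert triage by business context plus threat intelligence.

Added example, not RSA Archer code. Asset records, threat-intel entries
(including the malware family name), weights and alerts are all constructed
for the demo.
"""
from dataclasses import dataclass

# Constructed asset inventory: what BIA and compliance programs know per host.
ASSETS = {
    "10.1.1.1": {"name": "cust-db-01", "role": "production database",
                 "criticality": "mission-critical",
                 "data": ["customer PII", "cardholder data"], "user_role": None},
    "10.1.5.23": {"name": "lt-jdoe", "role": "laptop", "criticality": "low",
                  "data": [], "user_role": "system administrator"},
    "10.1.9.40": {"name": "kiosk-07", "role": "lobby kiosk", "criticality": "low",
                  "data": [], "user_role": "guest"},
}
# A host nobody has classified is not "low": treat it as medium until someone looks.
UNKNOWN_ASSET = {"name": None, "role": "unknown host", "criticality": "medium",
                 "data": [], "user_role": None}

# Constructed threat intelligence: what an indicator or malware family can do.
THREAT_INTEL = {
    "brute-force": {"label": "automated credential attack",
                    "capabilities": {"credential-theft"}},
    "fictional.rat": {"label": "remote-access trojan",
                      "capabilities": {"lateral-movement", "credential-theft"}},
    "generic.adware": {"label": "adware", "capabilities": set()},
}

# Illustrative weights (assumed, not a published scheme).
CRITICALITY = {"mission-critical": 40, "high": 25, "medium": 10, "low": 0}
PER_DATA_CLASS, PIVOT, CRED_THEFT, HIGH_VOLUME = 20, 30, 10, 15


@dataclass
class Alert:
    raw: str          # text as the sensor emitted it
    host: str         # address the sensor reported
    indicator: str    # key into THREAT_INTEL
    count: int = 1    # repetitions within the correlation window


def enrich(alert: Alert) -> dict:
    """Join one alert with asset context and threat intel; return score and rewritten text."""
    asset = ASSETS.get(alert.host, UNKNOWN_ASSET)
    intel = THREAT_INTEL.get(alert.indicator,
                             {"label": alert.indicator, "capabilities": set()})
    caps = intel["capabilities"]
    score = CRITICALITY[asset["criticality"]]
    reasons = []

    if asset["data"]:                      # regulated or confidential data at risk
        score += PER_DATA_CLASS * len(asset["data"])
        reasons.append("stores " + ", ".join(asset["data"]))
    if "lateral-movement" in caps and asset["user_role"] == "system administrator":
        score += PIVOT                     # a foothold that reaches critical systems
        reasons.append("can pivot from an admin workstation to critical systems")
    if "credential-theft" in caps:
        score += CRED_THEFT
    if alert.indicator == "brute-force" and alert.count >= 100:
        score += HIGH_VOLUME               # volume separates automation from typos
        reasons.append(f"{alert.count} attempts")

    where = (f"on a {asset['user_role']}'s {asset['role']}" if asset["user_role"]
             else f"on {asset['role']}")
    summary = f"{intel['label']} {where} ({asset['name'] or alert.host})"
    if reasons:
        summary += "; " + "; ".join(reasons)
    return {"alert": alert.raw, "host": alert.host, "score": score, "summary": summary}


def triage(alerts) -> list:
    """Highest business impact first; this is the analyst's work order."""
    return sorted((enrich(a) for a in alerts), key=lambda e: e["score"], reverse=True)


# Constructed sample alerts, including the two phrasings from the text above.
SAMPLE_ALERTS = [
    Alert("malware on a laptop", "10.1.9.40", "generic.adware"),
    Alert("failed logins on 10.1.1.1", "10.1.1.1", "brute-force", count=250),
    Alert("malware on a laptop", "10.1.5.23", "fictional.rat"),
    Alert("failed logins on 192.0.2.77", "192.0.2.77", "brute-force", count=3),
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(f"{e['score']:3d}  {e['alert']:<28} -> {e['summary']}")
```

Run stand-alone, the two identical "malware on a laptop" alerts land at opposite ends of the queue: the RAT on the administrator's laptop outranks everything except the credential attack on the customer database, while the kiosk adware drops to the bottom. Note that an unclassified host scores above a classified low-value one on purpose; the gap in the inventory is itself a finding for the asset-management process.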

 

No matter how hard a company tries, some ninja is going to get into some window and head straight toward the crown jewels.  The trick is to know when that ninja has crossed that window ledge, where the crown jewels are located and how soon that treasury door will be breached.  Take a look at how our new Security Operations Management module for RSA Archer tackles these, and more, challenges.

Hello everybody! Happy 2014! We are very pleased to announce the RSA Archer eGRC Content Library quarterly bundle is now available.

 

Santa’s content helpers kept busy through Christmas and right up to the last day of the year to bring you some exciting new content. With the brief holiday break behind us it’s time to get back to work! So let’s jump into these enhancements to the Archer content library.

 

Earlier last quarter we released the 2013 version of the Information Security Forum’s Standard of Good Practice. We wanted to get that in your hands ahead of the ISF’s annual World Congress event in Paris. For the remainder of the quarter we turned our attention to three major new items which I know you’ve been eagerly anticipating. We’re very pleased to bring these to you first and only through Archer.

 

Here's a snapshot of the Q4 quarter's full bundle:

 

Authoritative Sources:

  • Information Security Forum Standard of Good Practice 2013
    • 8,886 mappings to Archer Control Standards
  • ISO/IEC 27001 and 27002
    • 585 mappings to Archer Control Standards
    • 27002 as mapped Control Procedure content
    • ISO/IEC 27001 Question Library content to drive targeted questionnaires
  • NIST Cybersecurity Framework
    • 3,337 mappings to Archer Control Standards
  • Payment Card Industry DSS v3.0
    • 588 mappings to Archer Control Standards
    • Mapped companion Control Procedure content

 

Control Standards Library: 45 updates, 1 new control standard

 

Control Procedures Library: 500 new control procedures

  • ISO/IEC 27002
  • PCI DSS v3.0

 

Question Library: 204 new questions

  • ISO/IEC 27001 questionnaire pack

 

Special note: ISO/IEC 27001 & 27002 and the ISF SoGP are restricted by third party license so are not included in the bundled import packs. Separate imports are provided for those items.

 

The Release Notes for this quarter are posted on the RSA Archer Exchange and content import packs are available through Customer Support.

Last week, a security flaw was uncovered in the X Window System that had sat unnoticed for almost 22 years.   According to the advisory, ‘This bug appears to have been introduced in the initial RCS version 1.1 checked in on 1991/05/10, and is thus believed to be present in every X11 release starting with X11R5 up to the current libXfont 1.4.6.’   Now I consider myself a semi-grizzled veteran but 22 years ago, I hadn’t even started my security career.   In my last blog, I talked about the ongoing feud between the White Hat(fields) and the McCriminals.   It is these types of issues that rise up and remind us that this feud is a constant battle that involves both new and old cracks in our castle walls.

 

Vulnerabilities rarely make top IT news – but a 22-year-old vulnerability is a bit rare.  So on the happenstance that it makes some ripples in your CIO’s immediate attention, you could be faced with the inevitable question of “Are we affected?  What’s the story around this?  What other 22-year-old security flaws might we be facing?”

 

Staying on top of this type of intelligence is critical to maintaining a proactive stance and is what drives security teams to maintain vigilance.  I wrote blogs last year about the importance of Vulnerability Risk Management (VRM).  A VRM program that is an active part of the security posture can use this intelligence to launch preemptive strikes against this vulnerability.  Which systems have the affected libXfont on them?  Which of those expose an X server (TCP port 6000 for display :0) or an X font server (TCP port 7100) to the network, rather than serving local sessions only?  Which of those systems are most critical to the business?  Given this is a *nix based vulnerability, the probability that the affected systems are part of critical infrastructure is pretty good.  A well-functioning VRM program (as I described it in the previous blogs) should be able to give a solid picture of the possible attack vectors and vulnerable systems.

 

This intel should then turn around and inform security operations – those individuals watching for active attacks.   Until the fix is available and rolled out, the monitoring infrastructure can be ratcheted up on those critical devices ensuring that if something does go south, the reaction is planned and swift.  There are other controls that can be adjusted while this vulnerability is investigated and resolved – the main idea is to get the wheels in motion and be prepared.
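The three questions above (what has the affected library, what is reachable, what matters most) and the hand-off to the monitoring team can be answered mechanically once the VRM inventory records package versions and listening ports. The following is an added example of that procedure, not this post’s or RSA Archer’s code: it compares installed versions against an assumed fixed release, flags hosts where the X server (TCP 6000) or X font server (TCP 7100) is reachable from the network, orders the remediation queue by business criticality and exposure, and emits the watchlist that security operations should monitor until the patch lands. The host records are constructed for the demo, and both the fixed-in version (1.4.7) and the exposure ports are assumptions to be replaced by the actual advisory and your own inventory.

```python
"""Which systems does a libXfont-style advisory expose, and who should watch them?

Added example, not RSA Archer code. Host records are constructed; the
fixed-in version (1.4.7) and the network exposure paths (X server on
TCP 6000 for display :0, X font server on TCP 7100) are assumptions for
the demo.
"""
from dataclasses import dataclass, field

ADVISORY = {
    "package": "libXfont",
    "fixed_in": "1.4.7",            # assumed for the demo
    "exposed_ports": {6000, 7100},  # assumed: X display :0 and xfs
}
RANK = {"mission-critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Host:
    name: str
    criticality: str
    packages: dict                                 # package name -> installed upstream version
    listening: set = field(default_factory=set)    # TCP ports bound on non-loopback interfaces


def parse_version(v: str) -> tuple:
    """Dotted upstream versions only ("1.4.6"); distro suffixes need a richer parser."""
    return tuple(int(p) for p in v.split("."))


def is_affected(host: Host) -> bool:
    installed = host.packages.get(ADVISORY["package"])
    return (installed is not None
            and parse_version(installed) < parse_version(ADVISORY["fixed_in"]))


def exposed_ports(host: Host) -> set:
    """Advisory-relevant ports this host actually offers to the network."""
    return host.listening & ADVISORY["exposed_ports"]


def work_queue(inventory) -> list:
    """Affected hosts ordered by business criticality, then by network reachability."""
    hits = [h for h in inventory if is_affected(h)]
    hits.sort(key=lambda h: (RANK[h.criticality], not exposed_ports(h), h.name))
    return [{
        "host": h.name,
        "criticality": h.criticality,
        "installed": h.packages[ADVISORY["package"]],
        "exposure": ("reachable via tcp/" + ",".join(map(str, sorted(exposed_ports(h))))
                     if exposed_ports(h) else "local only"),
    } for h in hits]


def watchlist(inventory) -> list:
    """Hand-off to security operations: affected AND reachable, until patched."""
    return [h.name for h in inventory if is_affected(h) and exposed_ports(h)]


# Constructed inventory, as a VRM asset repository would hold it.
INVENTORY = [
    Host("build-01",  "high",             {"libXfont": "1.4.6"},   {22, 6000}),
    Host("hpc-head",  "mission-critical", {"libXfont": "1.4.5"},   {22, 7100}),
    Host("app-db-01", "mission-critical", {"postgresql": "9.3.2"}, {22, 5432}),
    Host("dev-ws-17", "low",              {"libXfont": "1.4.6"},   {22}),
    Host("kiosk-03",  "low",              {"libXfont": "1.4.7"},   {22, 6000}),
]

if __name__ == "__main__":
    for row in work_queue(INVENTORY):
        print(f"{row['criticality']:<17} {row['host']:<10} {row['installed']}  {row['exposure']}")
    print("watch until patched:", ", ".join(watchlist(INVENTORY)))
```

The version comparison is done on parsed tuples rather than strings so that 1.4.10 correctly sorts after 1.4.9; a string compare would silently miss such hosts. The developer workstation stays in the patch queue but off the watchlist, because a local-only X server is exploitable only by someone already on the box, which is exactly the kind of distinction the monitoring team needs in order to "ratchet up" on the right devices.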

 

Now – to my Castor and Pollux reference in my title:  Castor and Pollux are the names of the twins of “Gemini” in Greek mythology and thus represent the two-headed security approach involving proactive measures (such as Vulnerability Risk Management) and reactive preparations (such as an agile Security Operations strategy) that are absolutely necessary today.  Vulnerabilities pop up on the radar from all sources – some lying dormant for decades to be uncovered; some introduced with the latest code – and a security organization that is thinking in terms of a balanced approach is best positioned to address shifting priorities.

  • Potential threat and attack vectors must be identified and responded to as fast as possible.  A Vulnerability Risk Management program is a critical mechanism for this.
  • Actual active attacks must also be identified and responded to as fast as possible.  A Security Operations Management strategy is the main device necessary for this.

Most security organizations are locked in a constant struggle and traveling on the journey of a security strategy to put these two complementary approaches in place.   I think it is fitting that travellers and sailors appealed to Castor and Pollux for safe journeys and the twins were also regarded as supporters of athletes and thus petitioned by those engaged in athletic contests.   Those that found favor with the Gemini were thought to be aided in moments of crisis.  Given the ongoing war most security organizations are locked in against malicious adversaries, Castor and Pollux are fitting patrons.

 

For thoughts on Castor (Vulnerability Risk Management), see my previous blog series (1, 2, 3).  For more thoughts on Pollux (Security Operations), stay tuned.  Meanwhile, check out details on our Security Operations Management module.

Late last summer, RIMS and Advisen published the results of their joint 2013 Enterprise Risk Management Survey in which they reported that ERM has reached “critical mass…the point in time within the adoption curve that the sheer number of adopters assures that continued adoption…becomes self-sustaining and creates further growth.”  When an organization like RIMS (founded in 1950, representing over 3,500 organizations and 11,000 risk management professionals in more than 60 countries) makes a statement like this, it’s worth taking note.

 

The rationale for adopting ERM has been around for a very long time. COSO laid out the advantage of ERM in their seminal 2004 publication of the Enterprise Risk Management-Integrated Framework, stating that “value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return, goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.”  Well, it has taken a while but it looks like this value proposition is finally being widely recognized.  More and more organizations are coming to the realization that managing risk in silos (such as Financial, Regulatory Compliance, Market, Operational, Strategic, Info Security, Reputation) results in incomplete and incongruent risk knowledge and misaligned governance.

 

For organizations that have not yet fully embraced ERM, critical mass means there will be growing pressure to do so.  Questions from rating agencies, investors, regulators, boards of directors, and C-Suite executives will become more frequent and pronounced: “Everybody else is doing it, why aren’t you?”, “Why is our program behind in comparison to others?”, “Is the organization truly well run?”, “What are we missing?”  These kinds of questions will burden management and boards, increasing regulatory scrutiny and micro-management, and potentially affecting shareholder value.

 

However, this isn’t just about keeping up with the Joneses, chasing the management fad du jour, or keeping the regulators and analysts off your back, it’s about recognizing that this ERM-stuff is the secret sauce to balance objectives, risk (bad things and opportunity cost), and resources along an efficient frontier where an organization is able to obtain the best possible expected level of return for the level of risk it is willing to take.  ERM helps to maximize the performance and competitiveness of the organization within the context of the objectives it has chosen to pursue.

 

Stakeholders in organizations practicing effective ERM will continue to be the beneficiaries of success, with fewer surprises and more consistent earnings and strategy execution. For those that have not yet boarded the ERM train, there will be increasing motivation to buy a ticket.  The good news is that latecomers benefit from lessons learned from early adopters and standards setting bodies, and they capitalize on ERM capabilities enabled via technology solutions. Unfortunately, for those individuals tasked with risk management responsibilities, you can get to the train station too late.  It’s not that these organizations won’t board a train at all, but they just might not be boarding with the folks that couldn't get them to the station in time to catch an earlier train.

Over the holidays between frantic last minute shopping, eggnog and family get-togethers, I caught up on some of my Netflix queue and watched the TV mini-series “Hatfields and McCoys”.   I am not sure of its complete historical accuracy but the series was a deep inspection on how a conflict can spiral into complete and utter insanity very quickly.  By the end, I felt sorry for all of the characters – there were no winners in the feud.  There were only people who threw away their lives (or parts of their lives) based on the fundamental disagreement of two men – each making a decision based on his own principles.  The resulting conflict was of devastating proportions.

 

Last year at this time, I opened 2013 with a blog series on “Next Generation Security Operations”.  I highlighted some of the major issues we saw in 2012 with the rising sophistication of the adversaries, the increase of malware and the resulting serious data breaches.  I spoke of the need for “Telescopes for the Lookouts” on the castle wall, the evolving security incident response needs, all of the adjacent security processes that should be part of the picture and the need to fuse proactive and reactive measures together for a more coordinated approach to the security defense cycle.  I sure wish I could start this year off with a different story but the feud rages on between the “White Hat-fields and the McCriminals”.

 

The White Hat-fields have, over the years, deployed many different technologies that either protect or monitor systems against security threats.  All of these systems generate system logs tracking security events.  The incident response team whose responsibility it is to monitor these events and respond to security threats then tracks these individual incidents and investigates.  Incidents can vary wildly from an individual infected machine to a major data breach.  Through diligence and the tenacity of a Kentucky coonhound, the White Hat-fields track down each incident, determine its cause and resolve the issue. The McCriminals have the same tenacity in finding new ways to craft attacks, new avenues to exploit and new targets to assault.   I won’t go into the details – there is much already said about this – and any research into the latest malware attacks highlights this.   Just like the Hatfield/McCoy feud, the conflict storms on.

 

2013 was a year of tough questions for security.  Between the Snowden controversies and the massive data breaches reported over the year, the debate on what is necessary to maintain security came to the forefront of ordinary people's conversations.  I have heard in the past that computer crime was a victimless crime.   But that notion is woefully wrong.  Those who, with great angst and anxiety, watch their bank and credit card statements because of a hack are victims.  The countless security people who spent time away from their families wrestling against attacks are victims.  When one looks at the financial and personal costs associated with these data breaches to real people – not just the financial institutions - it is not a victimless crime anymore.

 

There is a growing sentiment in security that the White Hat-fields need to rethink how they go about this feud.  I cite our latest SBIC (Security for Business Innovation Council) report – “Transforming Information Security: Future-Proofing Processes” - as simple evidence.   When have you seen a paper on improving IT security include the word “Business” in 3 of the 5 main points?  Not one of the main points includes "firewall", "Intrusion Detection" or even the word "Technology".

  • Shift focus from technical assets to critical business processes
  • Institute business estimates of Cybersecurity risks
  • Establish a Business-centric Risk Assessment process
  • Set a course for evidence-based controls assurance
  • Develop informed data-collection methods

This report, and many others like it, represents a tipping point in the world of technical security.  The clarity with which security must understand the business today is beyond paramount importance.  It is part of survival.

 

My next series of blogs will talk about changes we need to undertake within Security Operations to arm the White Hat-fields with something other than tenacity.  As the McCriminals prepare for this coming year, so must the White Hat-fields. The feud continues.
