
Well, we're in the final lap (in horse racing terms) and I'm excited to be writing my final blog before we kick off the 2014 RSA Archer Summit in 11 days! It's been fun giving you a "virtual tour" of this year's Summit location at the JW Marriott Resort and Spa in Phoenix, Arizona.  This picture of Los Cedros is where we will host an evening event on Wednesday night for our attendees (hence the horse analogy).  It is going to be a night you won't forget!


Even more awesome will be the lineup of events, speakers (most are Archer customers just like you), learning opportunities and so much more that you'll be able to take advantage of by attending the Summit.  We're on track to have record-breaking attendance this year, which means more of your peers will be here so the networking opportunities will be phenomenal.  I'm excited to be hosting two working group sessions (Audit and BCM, respectively) on Tuesday in addition to many other working groups Archer folks are leading. You'll have unlimited access to our Archer experts, GRC strategists and other members of the Archer team - well worth the cost of attending the Summit alone.


If this is your first Summit, come and see what all the hoopla is about.  This is the leading GRC event in the industry.  If you've attended Summit before, you know what I mean!  I could go on and on...


Oh, and come see a preview of our new Audit Management solution coming June 24, 2014!  If you have any questions, don't hesitate to email me at, and I'll see you at the Summit!

I often get asked for advice on manipulating content in and out of Archer, how to relate certain things & build reports, etc. Somebody recently asked the following and I figured hey, why not blog the answer.


“I’d like to do a review of my PCI control standards offline in Excel. What’s the best way to do this?”


Great question…This is part of a broader topic around working with mappings in Archer. The tips I outline here will work for a single authoritative source, multiple authoritative sources, and pretty much any other situation involving similar applications in Archer.


First recall that Archer’s Authoritative Sources application is what we call “leveled” meaning it has a hierarchy as opposed to a flat application which doesn’t. (Actually flat apps are essentially leveled apps with only one level but that’s beside the point.) The purpose of a leveled app is to provide a means for representing the native hierarchical structure common to most narrative documents such as structured standards, policies, and so on. The top level is usually a single record that describes the source such as “Payment Card Industry Data Security Standard v3.0”. The next level down might take a similar form to a table of contents and the remaining child levels will then contain the rest of the structural text. The leveled application structure allows us to deconstruct the source into its granular constituent components which is useful for clarifying the context of individual statements within the source.


Therefore when we map authoritative sources to Archer’s Control Standards library we typically map at the lowest levels meaning the most granular elements since the mappings are intended to reflect contextual relationships. Using PCI as an example if we were to merely identify all the Archer control standards that related to all of the individual aspects of PCI and lump those into a single cross-reference at the top level we’d obscure a lot of useful information. You’d only see the top level record and several hundred related control standards but no visibility into the context of why one thing is mapped to another. You may also obscure performance measurement by hampering the ability to inform findings, risks, and other upstream and downstream operational elements that may be tied to those standards.


Establishing the mapping connections further down at the lowest levels eliminates this issue. So when you view an individual record like PCI:8.2.6 which describes a requirement around setting first-time passwords, suddenly the related mapping to Archer control standard 308 (“Initial Passwords”) makes a lot more sense. Furthermore if you have individual stakeholder ownership assigned to different control standards it’s much easier to translate that ownership up to the external requirements those folks are also responsible for. Or, go the other way and identify specific compliance objectives and then easily correlate the related control standards, policies, and so on that drive compliance against those stated objectives.


So back to the original question about analyzing these offline and continuing with PCI as our example, PCI has mappings in its bottom two levels (Section and Sub Section). So both levels need to be considered in the analysis. Starting from the Authoritative Sources application click “Advanced Search“, then click “Add New Relationship” in the left dialog box and choose “Control Standards”. This creates an n-tier report which is really just a fancy way of saying you want Archer to crawl the cross-reference relationship between Authoritative Sources and Control Standards so you can include additional fields from the Control Standards library in your output. Next choose your desired fields to include in the report such as Source Name, Topic ID, Topic Name, Section ID, Section Name, etc. (Note: I’m stopping at the Section level for a reason.) Now scroll down in the left-hand field selector and grab some fields from Control Standards such as Standard ID, Standard Name, Description, and Owner, or whichever ones you want.




Now add a new filter criterion to “Filter By Record” from the Source level and in the filter value dialog click the selector button & find the authoritative source(s) you want to include. Set the report type to “Column – Flat” in the Display options and click the Search button. Archer will return a flat list of the authoritative sources you selected (including native structure) down to the section level along with any control standard(s) a given section record is mapped to, each on its own row.




By default this will also include unmapped records. You can optionally check the “Enforce Relationships” box to strip those out but I find sometimes it’s better to keep them in so I can also see anything that isn’t mapped. Plus it’s easy to filter them out in Excel later anyway.




Export the results to Excel format or a CSV file and then go back and modify the Archer search criteria. Add the Sub Section ID and Sub Section Name fields from the field picker on the left and remove the section level fields on the right by clicking the “X” button next to each one. Leave the Control Standards fields you chose for the first report alone and run the search again. Export those results to a second file. Open both files in Excel and then paste the contents from one into the other to render a single flat list of all mappings for that authoritative source (I usually paste the Sub Section records to the end of the Section file but the order doesn’t really matter). You can use these same techniques for any leveled application scenario.



Note that if a control standard has been mapped more than once it will appear multiple times in the list. Use Excel’s highlight duplicates feature on the Standard ID or Standard Name column to color code the duplicates and filter them down further if needed for pivot table analysis or whatever you want to do. Don’t forget you can already do tons of analysis like this in Archer too but sometimes it’s nice to take it offline to the beach or...ahem, wherever you choose to be productive outside of the office.
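The offline merge described above can also be scripted instead of pasted together by hand. The following is an added example, not part of the original post: it combines the Section and Sub Section exports into one flat list, separates the unmapped rows, and lists control standards that are mapped more than once. The CSV header names are assumed to match the field names mentioned in the post, and the sample rows are constructed (only the 8.2.6 to 308 "Initial Passwords" mapping comes from the post).

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports. Header text is an assumption based on the field
# names in the post; section names and standards other than 308 are made up.
SECTION_EXPORT = """\
Source Name,Section ID,Section Name,Standard ID,Standard Name
Payment Card Industry Data Security Standard v3.0,8.1,Sample section A,305,Sample standard X
Payment Card Industry Data Security Standard v3.0,8.2,Sample section B,308,Initial Passwords
Payment Card Industry Data Security Standard v3.0,8.4,Sample section C,,
"""
SUBSECTION_EXPORT = """\
Source Name,Sub Section ID,Sub Section Name,Standard ID,Standard Name
Payment Card Industry Data Security Standard v3.0,8.2.6,Sample sub section D,308,Initial Passwords
Payment Card Industry Data Security Standard v3.0,8.2.3,Sample sub section E,310,Sample standard Y
"""


def load_export(handle, level):
    """Read one export and rename its level-specific columns to a common pair."""
    rows = []
    for rec in csv.DictReader(handle):
        rows.append({
            "Source Name": rec["Source Name"].strip(),
            "Level": level,  # "Section" or "Sub Section"
            "Requirement ID": rec[f"{level} ID"].strip(),
            "Requirement Name": rec[f"{level} Name"].strip(),
            # Blank when the record has no related control standard.
            "Standard ID": (rec.get("Standard ID") or "").strip(),
            "Standard Name": (rec.get("Standard Name") or "").strip(),
        })
    return rows


def merge_exports(section_handle, subsection_handle):
    """Single flat list: Section rows first, Sub Section rows appended."""
    return (load_export(section_handle, "Section")
            + load_export(subsection_handle, "Sub Section"))


def split_unmapped(rows):
    """Separate rows with a related control standard from rows without one."""
    mapped = [r for r in rows if r["Standard ID"]]
    unmapped = [r for r in rows if not r["Standard ID"]]
    return mapped, unmapped


def repeated_standards(mapped):
    """Standard ID -> requirement IDs, for standards mapped more than once."""
    seen = defaultdict(list)
    for r in mapped:
        seen[r["Standard ID"]].append(r["Requirement ID"])
    return {sid: reqs for sid, reqs in seen.items() if len(reqs) > 1}


def run_sample():
    rows = merge_exports(io.StringIO(SECTION_EXPORT),
                         io.StringIO(SUBSECTION_EXPORT))
    mapped, unmapped = split_unmapped(rows)
    return rows, mapped, unmapped, repeated_standards(mapped)


if __name__ == "__main__":
    rows, mapped, unmapped, repeats = run_sample()
    print(f"{len(rows)} rows, {len(mapped)} mapped, {len(unmapped)} unmapped")
    for sid, reqs in repeats.items():
        print(f"Standard {sid} is mapped from: {', '.join(reqs)}")
```

To run it against real exports, pass file objects opened with `newline=""` and `encoding="utf-8-sig"` to `merge_exports` in place of the in-memory samples.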



That does it for this issue of the content mailbag. Got some tricks of your own to share? We’d love to hear them! And keep an eye out for exciting new content headed your way soon!











It has been over 10 years since California took a stand to advocate and enact privacy controls through SB 1386. When that law came into effect, companies now had mandatory reporting requirements for any compromise of personal information of a resident of California. State by state, subsequent privacy laws cascaded across the U.S. The resulting increase in visibility on privacy concerns has continued to impact organizations especially in light of the massive data breaches the industry has seen. While the new laws did not stop the compromise of personal information, the legislation, along with industry standards such as Payment Card Industry’s Data Security Standard, paved the way and compelled organizations to start taking security seriously.


On May 6th, a new set of dominos may have been set up to fall. New York State’s Department of Financial Services (DFS) announced new cyber security assessment criteria for banks operating within the state. As the financial capital of the U.S., and arguably the world, this announcement may signal another round of state driven legislation or regulatory mandates that again raises the bar for security. The report issued by the DFS highlights the growing threat environment facing financial institutions citing large denial of service attacks, data breaches and other financial crimes as reported through a survey of depository institutions.


One interesting aspect of the NYS DFS Report is that, according to the survey, almost 90% of the institutions reported having an information security framework in place that addresses policies, awareness and training, risk management concepts, security audits and incident monitoring and response. Additionally, ‘a vast majority of the institutions – irrespective of size – reported utilizing some or all’ of the traditional security technologies such as anti-virus, firewalls, Intrusion detection/prevention systems, vulnerability scanning and encryption. In fact, when you read the report, most of the organizations seem to be doing all the right things. So why the interest in increasing oversight? The obvious answer is things continue to change and we continue to see issues and threats rising.


In my last blog, I cited the SEC’s announcement targeting cyber security at financial institutions. The New York state initiative is yet another vector of regulatory scrutiny that financial institutions must face. The impact is obvious for financial institutions affected by these announcements.   What does this mean for other companies?


If history repeats, other states may follow suit creating another round of state driven mandates for scrutinizing information and cyber security programs perhaps driven by industry sector, perhaps driven by business models, perhaps as additions to privacy laws. Companies could potentially face compliance reviews against not only state privacy laws but state cyber-security (or whatever term they use) laws placing another burden on an already saturated regulatory environment.   If the NY DFS report is any indicator, this means companies need to be able to clearly articulate:

  • Security framework including policies, standards, training and awareness and risk management methodologies
  • Technology architecture and infrastructure
  • Resiliency and disaster recovery controls
  • Vendor and Third party risk management
  • Corporate governance structure and reporting
  • Budget and investment in security


In essence, companies will need to be able to quickly demonstrate the effectiveness of their security implementations against another set of benchmarks. For those companies that thought they dodged the state privacy laws since they don’t capture personal data, think again – it may have just delayed needing to comply with security requirements from the different states.


What this translates into is another driver to ensure security programs are managed and have maturing visions. Policies and standards need to be an active part of the program. Security operations must have the visibility and capabilities to detect and respond to active threats. The organization must be proactive in identifying deficiencies and weaknesses and closing gaps. And finally, the security function must be able to clearly demonstrate the overall effectiveness of security controls across the enterprise. Sounds like a job for Intelligence Driven Security.


On a side note, check out the latest Security for Business Innovation Council report focusing on Strategic Technologies highlighting:

  • Accelerated investment in technologies designed for building better anticipatory defenses and improving business productivity.
  • Three strategic areas for technology investment to dramatically strengthen security capabilities: cyber threat resiliency, end-user experience optimization and cloud security.
  • Recommendations to successfully navigate new technology deployments and maximize security investments.

These reports always give excellent insight into the minds of CISOs and may help you think through some of the challenges in your organization.

A few weeks ago, the SEC issued a Risk Alert regarding their OCIE Cybersecurity Initiative to provide more information on their review and analysis of security controls across major financial institutions.  One component of this campaign is the deeper inspection of security policies and procedures.  As the backbone for any security program, policies and procedures define expectations and clarify regulatory and corporate obligations and should provide clear, actionable and demonstrable requirements for the greater organization.  In many cases, security issues can be traced back to a failure in implementing controls that are articulated in organizational security policies.  While policies may seem a 'passive' part of the security strategy, they are a fundamental element that has a significant impact on the success of managing security risk.


The announcement by the SEC highlights this importance of policies and the supporting procedures driven by corporate requirements.  However, the policies - the documents themselves - are only Step 1 in the process.  A well-constructed, organized and comprehensive set of standards and procedures provides a window into how broad and deep the organization is thinking about security.   But reviewing and inspecting these policies without carrying forward into the actual implementation results is merely a type of beauty pageant.  "My, what lovely policies you have."  While the foundation is laid within the policies and procedures, it is the fingers on the keyboards; the defenses around the castle; the people, processes and technologies that bring those words on a page alive.  Security teams need to win the beauty pageant, but once they are wearing the tiara, they must ensure they are good ambassadors of the crown.


Drive policies through implementation:  Once requirements are defined within policies and standards are set, operational procedures must be reflective of the risk appetites of the organization.  Procedures should be associated with the standards such that there is a clear alignment between requirements and the actual manifestation of the controls within operations.


Connect policies to risks:  Another element of the SEC's announcement is a 'risk-based' approach to controls.  Policies, standards and procedures should be also connected to some common, living set of risks.  For security, some of these risks are pretty straightforward - unauthorized access, disclosure of data, misuse of data, availability of systems, etc.   But those risks need to be put into the context of the business to then support a risk based approach - which ideally articulates the value of controls and the impact of failure of controls in business terms.


Follow through with compliance:  Policies are 'made' for compliance.  A policy is near useless if it doesn't articulate a requirement that can be measured, tracked or validated.  Compliance should be focused not just on what the organization HAS to do (due to regulatory obligations) but also what the organization WANTS to do (to manage risk and meet business objectives.)  A compliance strategy that measures and tracks controls, is driven by risk and provides the business with a visibility into the state of controls will not only meet regulatory requirements but drive better business decisions and build confidence in the organization's ability to manage risk.


The SEC's announcement validates the importance of setting policies and procedures and makes this an elementary facet of security management.  Security 'traditionalists' are all trained on creating solid policies and procedures.  The SEC has reinforced this foundation.  The key is to not fall into the trap of winning the beauty pageant where your controls are only skin deep.  Building a program that is sustainable, realistic and impactful to the organization should be the ultimate objective - not just the sash and diamond tiara of the Policy Beauty Pageant.

Relationship Visualization:  A powerful new view to risk and compliance data and relationships

Studies suggest that 90 percent of what we learn occurs visually. That’s not hard to believe when you realize how much more our attention is drawn to graphs and images rather than text and figures. “A picture is worth 1,000 words” could not be more true.


For risk and process owners, it isn’t just how much you can learn visually that’s critical – it’s also how much more quickly you can process GRC information in order to take necessary action.


You spend considerable time analyzing n-tier compliance reports trying to relate risks to assets and identify controls that require attention or assessment. The ability to more easily understand data objects and their relationships allows you to make greater sense of increasingly complex risk and compliance data. Most importantly, your time is valuable.  You need to identify and solve risk and compliance problems much more quickly.


Simpler, smarter and faster? Sign me up!


We think you’ll be as excited as we are about Relationship Visualization, a powerful new feature in our latest release of the RSA Archer GRC Platform that can be used in all RSA Archer Solutions.


Relationship Visualization allows you to quickly understand relationships between risk and compliance data records by visually depicting the connections between these elements. You can quickly navigate relationships to get right to the key attributes and commonalities between data objects, and identify the business impact, risk and scope -- or “universe”-- that’s impacted by each object.


With just the click of your mouse, Relationship Visualization gives you a visual depiction of GRC data objects and relationships. This view can reveal patterns that could go unnoticed in a standard report and helps analysts identify and escalate high risk issues to assure they are addressed.

When you pack for a fun and exciting trip you always bring your favorite things - right?  Well, attending the RSA Archer Summit on June 10 – 12 in Phoenix, Arizona is no different.  You’ll want to bring your sunglasses, comfy shorts, golf clubs, swim suit and of course your chaps and spurs (wait until you experience the Wednesday evening Arabian horse event - unbelievable!).  More importantly, since this is the premier GRC event in the industry, you’ll want to bring some other things too:

  • Your thirst for GRC knowledge and Archer technology
  • Your interesting and challenging use cases
  • Your desire to network as much as possible with your Archer and customer peers - as a bonus, you’ll be mingling with me, your friendly Phoenix/Archer Summit guide


To make your trip even more productive and enjoyable, we’re bringing a few things for you too….Meet & Greet breaks, Working Groups on BCM, Compliance, Operational Risk, Audit, Regulatory Change, and IT Security Risk to name a few, and all-day Archer Roadmap sessions.  And that’s just the first day!


We’re also bringing the best customer-led presentations on the hottest GRC topics you’ve requested, such as:

  • Vulnerability Management: Simple Techniques for Dealing with Big Data (eBay)
  • Using RSA Archer in a Global Company (Shell)
  • Archer & SAP: Coca-Cola Unlocks Hidden Savings with Complementary eGRC Tools (Coca Cola)
  • Measurement = Understanding; Using Metrics to Build GRC (Starbucks)


There are just too many sessions to list here (8 tracks with dozens of presentations!), but all are equally fantastic.  You will also be impressed with “top gun” keynote speakers, unparalleled networking time, innovative solution demonstration stations, and deep dive technical training. We thought of everything to delight and inspire you. Oh, also come and see my session on the morning of Wednesday, June 11 for our unveiling of the new Audit Management 5 Solution!  I would love to meet and talk personally with you about it.

Since we are ending the Summit at mid-day on Thursday, you will have plenty of time to stay for a long, relaxing weekend. As for me, I am surprising my wife Maryann with some fun time at the Phoenix JW Marriott Desert Ridge Resort and Spa. (shhh, don't tell her...)


So, bring your best questions and your GRC challenges, and pack your explorer’s mentality. (That’s our Summit theme this year—Harnessing Risk, Exploring Opportunity.) We are here to address it all. Remember to bring plenty of business cards for networking, and a thirst for all things Archer GRC. We'll see you in June at the 2014 RSA Archer Summit!

Continuous monitoring (CM) continues to be a hot topic in the information assurance world. DHS CDM and CMaaS purchases and planning continue to lumber forward.  Version 2 of our CM solution will launch this year and reflects the latest thinking in CM risk scoring and presentation.


So, I wanted to make some updates to a three-part blog on continuous monitoring I did last year.


I have decided to create a three-part series of white papers on the subject to allow for greater detail and to include some reference tables. There were a lot of things I couldn’t cover in enough detail and some new developments have unfolded in the meantime.


Part 1 covers common misconceptions and provides definitions, an introduction and brief history of CM and is available here.


Part 2 in this series will address monitoring strategy including the frequency and method of assessments, and will be available in early June.


Part 3 will cover strategies for managing assessment costs and will be available in late June.


Lastly, there is still plenty of time to register for RSA Archer’s 2014 GRC Summit.  I will be at the summit, giving demonstrations of our forthcoming A&A and CM version 2 solutions. Hope to see you there!



As always, please email me with comments or questions



