Skip navigation
All Places > Products > RSA Archer Suite > Blog > 2014 > October > 31

I recently participated on a webinar panel sponsored by Everbridge and RSA with participants from the medical, transportation and emergency management disciplines where we discussed the Ebola outbreak and impacts to organizations. Each expert had fascinating information to report and there were excellent questions by the 550 person audience on the webinar.

So, what do we know about Ebola? Ebola is a rare and deadly disease caused by infection with a strain of Ebola virus. The 2014 Ebola epidemic is the largest in history, affecting over 10,000 people in multiple West African countries. Ebola is spread through direct contact with blood and body fluids of a person already showing symptoms, but is not spread through the air, water, food, or mosquitoes. The World Health Organization (WHO) provides a data sheet here WHO | Ebola virus disease that is very informative.

The U.S. Centers for Disease Control and Prevention (CDC) reports that the risk of an Ebola outbreak affecting multiple people in the U.S. is very low. The CDC has tried to establish a national standard, recommending that only people who had direct contact with Ebola patients without any protective gear submit to isolation at home for 21 days, the maximum period for symptoms to develop. However, a month after the first confirmed case of Ebola in the U.S., state and local health authorities across the country have imposed a hodgepodge of often conflicting rules.  Some states, such as New York and New Jersey, have gone as far as quarantining all healthy people returning from working with Ebola patients in West Africa. In Minnesota, people being monitored by the state’s health department are banned from going on trips on public transit that last longer than three hours. Others, such as Virginia and Maryland, said they will monitor returning healthcare workers and only quarantine those who had unprotected contact with patients.


The international community is also responding.  For example, North Korea announced it will quarantine foreigners for 21 days over fears of the spread of the Ebola virus, even though no cases of the disease have been reported in the country, or anywhere in Asia, and very few foreigners are allowed to enter.  The Australian government announced that it was canceling non-permanent or temporary visas held by people from the affected countries who were not yet traveling, and that new visa applications would not be processed. If the outbreak is not controlled soon it may continue to have affects on other regions such as Europe, where we are seeing some uncertainty and unrest.

The question is, how does this affect your organization currently or in the near future? Is it affecting third parties you do business with, or key customers?  Looking ahead and putting contingency plans in place relative to the risk to your organization is a smart move. A good place to start is to dust off those pandemic plans you Business Continuity folks probably compiled a few years back during the H1N1 scare. A key step is to understand the potential impact of the Ebola situation (current and future - as much as possible) on your organization and employees, then create an action plan and communications plan accordingly.  For your communications plan, take such action as monitor information from formal authoritative (CDC and WHO) and informal (social media) sources and craft factual information into regular and frequent updates to employees and their families, and external constituents (customers, public, regulators).  The communications could include what is known and unknown, what the organization is doing to stay informed of the situation, how the organization and its employees are affected and how the organization is responding proactively. Include both push (emails, notifications) and self-serve (intranet, company website, social media) communications.  Be honest, factual and frequent.  Avoid rumors.  Showing the company is proactive, actively monitoring and assessing the situation and communicating openly and frequently goes a long way towards reducing uncertainty and concern.


Contact me at if you would like the webinar presentation or have questions.

Following up on my previous blog for the Q3-2014 content release announcement, here’s some additional information on the changes we’ve made to the Archer Control Standards library.


A few months ago we started a project to create a new GRC taxonomy to improve the way the Archer Control Standards library is organized. While the previous categorical groupings loosely served this purpose already we wanted to tighten things up and reset on a new standardized foundation. So we parsed several prevailing standards and control frameworks to aggregate all the various categories and areas of coverage. We then distilled those down into a consolidated set of 57 categorical terms and developed descriptions for each to comprise our new Archer GRC Control Standard taxonomy. The last step was to reclassify each control standard under the new taxonomy which at 1,200+ control standards was no small effort!


This new taxonomy is intended to replace the previous collection of terms that grew over the years with a more concise and descriptive resource to make exploring the Archer Control Standards library easier. You’ll be able to better search and filter for specific areas of coverage as well as more quickly identify and assign ownership based on roles and responsibilities.


Everything needed is included in the Q3-2014 quarterly content release package. A formatted XML import file and set of instructions for implementing this new taxonomy are provided to make it a straight forward data import exercise. Adopting the new taxonomy is not a requirement although it is highly recommended as it will be the embedded standard beginning with version 5.5.2 of the Archer platform due to be released shortly. As such we will only be including the new taxonomy values in the Control Standards import files going forward.


If you have existing workflows, reports, etc., tied to the old values you can keep using those and migrate to the new taxonomy at a later time or use both indefinitely. The release documentation discusses a few scenarios to help illustrate various options and of course you are always welcome to reach out to Customer Support or me personally for any inquiries or assistance.


We hope you find this new GRC taxonomy useful and as always welcome any feedback you have.


All the best,



Hello everybody! This has been one of the most exciting Octobers we’ve had here in Kansas City in a long time as our beloved Royals battled it out in the World Series for the first time in nearly 30 years! Although we came up a little short in the final game, win or lose we’re incredibly proud of our team and what they’ve done for our town.


Now onward to a special Archer content release that includes a big change to the Archer Control Standards Library. I’ll focus on the normal Q3/2014 cumulative content release items here and cover the Control Standards library changes in a separate blog post.


For starters we’ve added FedRAMP to our Authoritative Sources library. It neatly coincides with The specified item was not found. and the The specified item was not found. by virtue of shared mappings to common Archer Control Standards. We also added the 2014 version of the The specified item was not found. published by the Information Security Forum (ISF) with a whopping 9,200+ mappings to Archer Control Standards! This release is just in time for the 25th annual ISF World Congress event around the corner, this year being held in Copenhagen, Denmark.


Other updates include a re-release of the The specified item was not found. with enhanced descriptors to the hierarchical name field values to improve filtering and corrections to some minor errors discovered in a handful of PCI v3 SAQ question records. As in the past this quarterly update includes both new content as well as updates to existing content elements that may already in your library. So you’ll want to pay special attention to the release notes and supplemental documentation before processing them to ensure everything is well understood. Once again the update page with release notes is here and content import packs are available through Customer Support. As always we’re here to answer questions too - whatever you need.




I just got back from NIST’s 6th Cybersecurity Framework Workshop in Tampa and wanted to share some of the really positive signs of progress. This was the sixth workshop, but the first in another sense. By this I mean that it’s been eight months since the release of the framework. This workshop really had the feel that it was the first post-release workshop where a significant number of organizations have had enough time to assimilate the document, message it throughout their organization, plan, implement, debate, etc. For all these reasons, unlike previous sessions, which were more about tinkering with the framework itself, this was a lot more about getting meaningful feedback from the early adopters and discussing the value people have realized by implementing it.


What are the strengths?


Intentional Development

Several panel speakers made the same point that just discussing and planning the use of the CSF had multiple positive results. It forced them to bring stakeholders together that had not been communicating previously. It forced them to define what risk means to each of the stakeholders. Finally, it forced them to define their risk appetites.



While NIST continuously points out that there is no such thing as “CSF-compliant”, many people want to use it for vetting.  This point came up several times in the context of vendor-to-vendor relations and supply-chain, that the CSF could be used for business partners or prospective clients to show each other where they are in their security programs.   One of the panel speakers, who works for a collective that approves funding for large-scale utility investments, said that they want to see evidence of prudent decision making before they invest. They have embraced the CSF as an indicator for prudent decision-making in IT security, an area where they are not experts.



“Flexibility is the core strength of the framework”. This was the most common message of the workshop, repeated by many panel speakers and throughout the working sessions. Tim Casey, a risk executive from the chip-maker Intel, gave several examples of how they tailored the categories and subcategories provided by NIST to their own needs. This included adding an entirely new category: Threat Intelligence. They did all of this while in contact with NIST, who consistently offer the message of “tailor it to work for your organization”. Another panel speaker, from Chevron, specifically cited the DHS CSET tool, a precursor to NIST CSF that also targets critical infrastructure, was not customizable and pointed out that the CSF gave him the flexibility he needed to build the appropriate in-house solution.



How hard is it?

A lot of the questions from the audience to the session panel speakers were around the level of effort in implementing the framework. On this subject, Chris Boyers from AT&T said that “NIST had created a great product, one that industry can largely support”. A more enthusiastic endorsement came from Intel, who said that for their enormous, multi-billion dollar company, that defining their internal process and stakeholders, and completing their first, high-level assessment had taken less than 150 work hours. Most of the audience (including myself) was pretty obviously surprised by that number.


Where is it going?

Ari Schwarz, from the National Security Council, headed off questions about a CSF version 2. He essentially said there was no change in the near future, and to implement it as it stands, don’t wait for v2, etc. I think confusion around this subject comes from the NIST CSF Roadmap which can be found here. These were areas for planned improvement that NIST released almost at the same time that the CSF was released. They were just acknowledging that they knew there were areas that would grow, but that implementation of the CSF would still be valuable in the meantime.


There were also delegates from the UK government and European Union present. The short take away from them: First, the UK likes the CSF and is encouraging its use to its companies. Second, the CSF will be most successful when it’s embraced globally. This is really just a supply chain comment, since we live in a global economy.


Lastly, RSA was present in the tech expo area, which was restricted to only five vendors. We provided demos of our NIST CSF proof of concept. That’s all for now.


Email me with comments or questions or if you would like to a demo of our CSF POC.


Thanks for reading.





Filter Blog

By date: By tag: