Skip navigation
All Places > Products > RSA Archer Suite > Blog > 2015 > March

When it comes to IT risk management approaches few things can spark more debate than the use of standards. To explore that is to ponder another alphabetic quagmire of acronyms, categories, and random numeric designations. So which one’s the best? Is there even such a thing as “best”? My answer is always the same. The best one is the one that’s best for you. In other words it depends.


The reality is you rarely have a choice. If your business accepts credit cards in any significant volume of transactions then PCI compliance becomes a business requirement. Want to set yourself apart in Europe? Perhaps ISO-27001 certification is en vogue. Opening a new power plant? Welcome to the electric world of NERC enforcement. It’s the same story throughout every industry and geo. The list goes on.


We operate in a world of multiple standards and requirements and rapid change. How can you find efficiencies and cut through duplicate work? When you already have your hands full with meeting the requirements you don't want to struggle with the mechanics of managing them on top of it. That's why we’ve gone to such lengths to transform the “ask once answer many” dream into reality by wrestling this problem into workable solutions that make the process of IT risk and compliance easier.


Gartner’s most recent IT Risk Management Magic Quadrant once again named RSA Archer a GRC industry leader, which we're excited and proud to say makes us the only leader in all four major evaluations (the other three being IT Vendor Risk, Business Continuity, and Operational Risk). In an MQ report two years ago Gartner flattered us with an unexpected notation in their analysis about the extensive breadth and depth of Archer’s embedded content libraries. I say unexpected because it’s not a specifically weighted category they rank separately, but rather an additional observation they chose to make on their own and share with their readers independently. We were humbled to say the least but also delighted in the validation of the conscious decisions we’ve made over the years to invest in those aspects of Archer.


One of the more tangible aspects of Archer’s GRC libraries is the inclusion of many large format technology related standards. Make no mistake, it’s a TON of work to process and map those together. The past few years brought an interesting turn of events in their revision timing. Most major IT related standards are published by totally separate entities and consortiums, each according to their own schedules. Since the development of those standards is often collaborative and even political, delays can occur causing official releases to slip by a year or longer, which is exactly what happened for a few of them.


The result was a rare perfect storm of circumstances that dropped new versions of COBIT, PCI, ISO 27001, NIST 800-53, and the ISF's Standard of Good Practice on the collective market all within about 18 months of each other, plus a major revision to HIPAA and ongoing NERC changes to boot! This was unprecedented and if you have to maintain compliance with more than one of those, chances were you were scrambling. So we marshalled resources and hustled up in order to have all of them fully mapped and ready to go shortly after their release. Because of the unique way we enable IT risk and compliance in Archer, the result was to enable our customers to quickly adapt to any combination of those changes without missing a beat.


We’ve always recognized two of the most powerful resources we can give customers are flexible options and the freedom to make Archer their own. We do this with a fundamental appreciation that they too have a choice in the market. So when they choose us we take our commitment very seriously to give them the best tools we can to drive their information risk and compliance programs effectively. One of the great things about Gartner’s approach to industry analytics is the emphasis placed on independent customer validation and opinions. Our customers continue to have a profound influence on the direction of Archer and they challenge us in the most fantastic ways. That alone really is its own reward. But undisputed GRC market leadership feels pretty good too.


Please visit Steve and Patrick’s blogs for additional insights, and check out our Community page for more information on the MQ series.



Gartner, Magic Quadrant for Business Continuity Management Planning Software, Roberta J. Witty an John P. Morency, 27 August 2014.

Gartner, Magic Quadrant for IT Risk Management, Paul E. Proctor and John A. Wheeler, 10 March 2015.

Gartner, Magic Quadrant for IT Vendor Risk Management, Christopher Ambrose et. al., 29 October 2014.

Gartner, Magic Quadrant for Operational Risk Management, John A. Wheeler and Paul E. Proctor, 15 December 2014.

Hello everybody! 2015 has us off and running with several big updates headed your way!


First and foremost, NIST 800-53A Revision 4 is ready to rock in Archer. If you’re unfamiliar with 53A (Assessment), it’s the companion to the 800-53 base standard that NIST publishes to assist with assessing control performance. NIST changed their approach to 53A this time around and made it much more granular. As such this latest version is a monster, having grown from only 600+ elements to over 3,000! We consumed this beast as a single set of Archer Control Procedures mapped to both the 800-53 Authoritative Source as well as Archer Control Standards to enable you to drive a fully tailored compliance program using NIST 800-53 Rev 4.


We also have an update to the FedRAMP authoritative source we released last year with additional control requirements and mappings to Archer Control Standards.


For those of you in financial services we have a new collection of assessments with over 1,400 questions targeting a variety of major regulatory requirements, including mortgage origination and disclosure, truth in lending, and more.


Lastly we have the latest [DEAD LINK]SIG 2015 Lite assessment available, this time mapped to Archer Control Standards. This is a great Question Library resource to enhance the already comprehensive 3rd party risk assessments available out of the box in the Archer Vendor Management solution.


Since this quarterly update includes both new content as well as updates to existing content elements that may already in your library, you’ll want to pay special attention to the release notes and supplemental documentation before processing them to ensure everything is well understood. The update page with release notes is here and content import packs are available through Customer Support. As always we’re here to answer questions too - whatever you need!


See how Archer stacks the deck in your favor with the latest customer and industry news here.


And please check out the latest blog from my buddy and fellow GRC Strategist, Patrick Potter.


Happy Spring!!



Taking risk is necessary in today’s business world. Cultivating the data and orchestrating the information to enable a risk decision is a critical step for management to make an informed choice. GRC supports the business environment much like a well tuned instrument panel supports flying a plane. See the cover story in CIOReview which highlights how Verterim is enabling clients to fine tune their GRC instrument panel and take that calculated risk.

Have you heard the term, "a rising tide lifts all boats"? It's an aphorism that refers to the broad, 109140positive effect that benefits all participants of something such as a strengthening economy or a particular public program.  For example, as the economy improves, theoretically so does the prosperity of businesses and individuals.  Here's another example that's near and dear to my heart.  Business resiliency (BR) is the ability an organization has developed to quickly adapt to disruptions while maintaining continuous business operations and IT systems, and safeguarding people, assets and reputation. The more resilient an organization is, the better their strategy execution, profitability, sustainability, competitiveness and innovation.  BR also lifts the tide for other factors, like risks. What I mean is generally, a resilient organization does a better job at identifying, measuring and mitigating risk than one who is not.

The most recent Gartner Magic Quadrant for IT Risk Management evaluated governance, risk and compliance (GRC) software (and coincidentally names RSA as a leader) that perform IT risk management.  When we think of BR, we usually relate it to the "business" and don't necessarily correlate BR to IT risk or as a factor in reducing IT risks.  However, let's try to separate the two.  Gartner states that the definition of IT risks for the purpose of their report are those within the scope and responsibility of IT, the IT department or IT dependencies.  Now, let's identify those business processes or functions within any given organization that don't rely on IT systems or the IT department.  Wait, I'm counting....uh, zero. In this day and age, the business has become synonymous with IT systems and capabilities.

In a 2015 study by Protiviti, a global internal audit consulting organization, on top risks cited by executives and boards, they included among top strategic risks - the rapid speed of disruptive innovations and new technologies, mobile applications and other internet-based technologies; and operational threats such as information security and big data - with cyber threats being a top five risk.  These are all IT risks but each has deep business implications.

BR is not only a trait of successful organizations, but is also a risk mitigation strategy and approach to address business and IT risks.  BR speaks directly to the heart of IT risk management by implementing strategies and tactical steps to mitigate the risk of IT dependencies that can create uncertainty in daily tactical business activities; reducing IT risk events resulting from inadequate or failed internal processes, people or systems; and improving the availability of services, including incident management and disaster recovery.

I'm proud that RSA was again named a leader and we have the capabilities to help organizations build business resiliency and address business and IT risks.  Send me your thoughts at  Also, check out our Community page for more information on the MQ series.

Execution.  What is your reaction to this word?  If you were part of the ruling monarchy during the age of the Revolutions, you probably weren’t a big fan of this word.  If you were part of the lower class BEFORE the age of the Revolutions, you probably weren't a big fan either.   Some words create an immediate image in our minds when we see it.  Execution is one of them.  Dessert is another – wonderful when we want something sweet, not so wonderful when we are trying to cut back on calories.  Some words instantaneously conjure up positive or negative connotations all depending on one’s current mood and frame of reference.


But I digress, let’s go back to Execution.  In my current mood and frame of reference, Execution is a tremendously positive word.  Why?  Because execution is the most important thing when it comes to being successful.   Execution is the difference between a goal and an accomplishment. Execution is the difference between a perfectly performed triple Salchow jump and a broken ankle.  Execution is the difference between black dots on a page and Beethoven’s 5th symphony.   Execution is where it is at, where it happens, where achievements are realized


Last week, Gartner released its IT Risk Management Magic Quadrant and I am pleased to announce EMC (RSA)’s placement as a leader in this space.   One of the major benefits in this report is the emphasis Gartner placed on customer input, validation and opinions.  The report focused much on customer experiences and the tangible results evidenced by their implementations.  We are proud, and thankful, that our customers reported such a high level of success resulting in our stellar position – especially when it comes to Execution.

We all understand the immense importance of technology in our lives today.  And we all see the headlines today.  There is a shadow hanging over our technological advances.  IT Risk has walked onto the center stage of every business.  In fact, it hasn’t walked. It has executed a perfect triple Salchow jump into the spotlight for boards and shareholders at companies worldwide.  And hence, the Execution of managing IT risk has to be top notch.


RSA Archer’s execution towards building a comprehensive strategy in helping our customers implement a sustainable, relevant IT risk program has been many years in the making.  Starting with our roots in security policy and compliance management, we have constantly pursued other components to respond to the ‘ever changing IT risk landscape’.  As cliché as that phrase is, it is still accurate as a guiding principle to our strategy.  The additions of Vulnerability Risk Management and Security Operations Management and continued integrations into the broader RSA portfolio have expanded our capabilities and the Gartner Magic Quadrant is definitive evidence.   We don’t take RSA’s mission of ‘Relentlessly pursuing Trust in the Digital World’ lightly.  RSA Archer is a vibrant, critical piece of that strategy and we continue to execute towards that goal.


In the Magic Quadrant report, Gartner outlines the critical capabilities of an IT Risk program.  This important point of view can help you frame your strategy.  The Magic Quadrant report also validates our commitment in being a leader of IT Risk Management solution providers as we were positioned highest for ability to execute.  This Magic Quadrant report comes on the heels of other Gartner reports highlighting areas of risk: Operational Risk, IT Vendor Risk and Business Continuity.   RSA Archer has been noted as a leader in all of these reports.  If you contemplate the most pressing risks of companies today, IT, Operational, Third Party and Resiliency risks top the list.  The Gartner series of MQs outline the market for risk management solution providers.  I recommend researching those reports.  As an RSA Archer customer, know you have a partner that is working hard to execute on a vision and strategy that will make you a success in managing risk across the enterprise.


Check out our Community page for more information on the MQ series.




Gartner, Magic Quadrant for Business Continuity Management Planning Software, Roberta J. Witty an John P. Morency, 27 August 2014.

Gartner, Magic Quadrant for IT Risk Management, Paul E. Proctor and John A. Wheeler, 10 March 2015.

Gartner, Magic Quadrant for IT Vendor Risk Management, Christopher Ambrose et. al., 29 October 2014.

Gartner, Magic Quadrant for Operational Risk Management, John A. Wheeler and Paul E. Proctor, 15 December 2014.

A customer (large bank) has been doing inquiries with several of us recently in conjunction with a major project they have to revamp their internal polices and standards and reset their foundation in Archer. A member of their team (let’s call him “Bob”) posed an interesting question about whether there was a specific standard (e.g. authoritative source) that fellow Archer customers in the financial services industry seemed to prefer above others to guide their policy and control development. It’s an interesting question and while the viewpoint I gave in my response seemed to resonate pretty well, it’s also sparked a productive dialog which in fact is still ongoing. I’ve only included the initial exchange below but I wanted to share in the hopes you might help expand the conversation by sharing your own insights at the bottom of this blog.


How would you answer? What’s your approach been to this same issue? Do you share a similar viewpoint or see things totally differently? What advice would you give?


His initial question:

“…what would be helpful as we are structuring our way ahead is to understand what Archer is seeing its financial services industry clients use…as the industry reference model for…policies.”


My response:

Hi <Bob>


Nice to meet you. I can’t say there’s a universal playbook that everybody follows. I would wager if you were able to distill a typical financial services policy program down to its essence you’d likely find a lot of alignment and overlap to major standards like ISO 27001, COBIT, etc. This is probably not surprising nor should it be, considering that despite being different down in the weeds, at a higher level most of those standards have a lot in common. Some are broader and some more technical but ultimately I think many of the core principles that embody a healthy information security and assurance program are fairly universal.


The other thing that’s become universal is the increased need for a rationalization to risk. I believe this is a better foundation to build upon. Absent anything else, international standards are always a great place to start, but they’re never a universal fit. And for larger more mature organizations the expectations have shifted. A risk based approach rooted in sound principles (which may or may not be directly inspired by external standards) is going to yield the best overall result (“best” meaning most complete, most accurate, and most operationally sound and efficient). An organization that maintains a healthy risk-based view of things can easily overlay standards and know where they stand. But an organization that relies only on a specific standard and otherwise lacks that embedded risk intelligence is more likely to encounter issues and miss opportunities to capitalize on operational advantages.


For what it’s worth the default policy set in Archer was originally largely ISO based. That doesn’t mean it’s taken directly from ISO but rather it aligns with the core principles ISO 27001 covers, as well as some influence from ITIL, FFIEC, HIPAA, PCI, etc. Our Control Standards library also reflects these linkages but at a more detailed level and across a much wider set of authoritative sources including more extensive technical standards like NIST 800-53.


Personally if I had to pick only one standard to serve as the backbone for my program I’d probably pick NIST 800-53, primarily because it’s so prescriptive and technically detailed and already has a companion control assessment guide (53A) – both of which are free. I find it’s easier to abstract up from something like that than to take a higher level abstract source like COBIT and go the other direction deeper into the technical stack without additional guidance. However 800-53 is an intimidating beast that can be overwhelming without the right resources and maturity established which is why I also like PCI as a starting point. It’s certainly not perfect either but it is fairly compact, organized across distinct principle areas, sufficiently technical to get started, and often a business requirement anyway. I like that it slants toward technical security and despite its focus on credit card data I don’t think it’s a stretch to substitute other things (like “PII” for a health care org) and arrive at similar conclusions for what types of controls and policies make good sense to implement in most cases. Plus it’s also free and includes assessment content (the SAQs) that can easily be used internally for risk assessment activities.


Something else to consider from the above is any hard business requirement such as specific certifications or other industry-specific needs. If the organization must be ISO 27001 certified or will always be measured against certain FFIEC guidance then those should definitely be factored into the program design. But again I think a lot of that comes down to tailoring and even in those cases I would still challenge the organization to operate from the perspective of a risk-centered program and fill in compliance reporting gaps as needed for specific obligations. <COMPANY X> was PCI compliant as were <COMPANY Y> and <COMPANY Z>. How much would it have mattered if they were also ISO certified? There are too many asymmetric business threats that can get overshadowed when the tail wags the dog which can happen more easily if too much focus is on the “what” (ISO 27001, etc.) versus the “why” and “how” (transforming from risk managed to risk advantaged).


Hope this helps give some background and my perspective. Let me know if there’s anything else I can help with.



Ok Archer Community, I’d love to get your take below! And keep an eye out for exciting new content headed your way soon!

Filter Blog

By date: By tag: