Skip navigation
All Places > Products > RSA Archer Suite > Blog > 2016 > March
2016

Our mission is to make your risk and compliance job easier, and your feedback plays a key role in guiding how we continue to enhance RSA Archer features and functionality. Based on customer feedback, today we’re announcing the availability of several new RSA Archer product releases:

 

RSA Vulnerability Risk Management Release 1.2 provides added support and certified integrations with:

  • McAfee Vulnerability Manager v7.5
  • QualysGuard Vulnerability Manager v5.13.40-1
  • Rapid7 v6.1.8
  • Tenable Nessus v6.5.4
  • Tenable Security Center v5.1.0.

It also includes an upgrade to MapR 4.1.

 

RSA Security Operations Management 1.3 translations are available for all supported languages, including French, Spanish, German, Italian, Portuguese, Russian, Japanese, and simplified Chinese.

 

RSA Archer PCI Management 3.1 includes updates to align with the PCI Standard. These updates streamline the compliance process, simplify stakeholder participation, and reduce overall compliance effort and cost. New and updated features include:

  • Support for multiple, simultaneous compliance project activities
  • Updated content with mappings to the PCI DSS authoritative source, control standards, control procedures and assessment questions
  • 3 new roles/personas:  PCI Project Team, Internal Compliance Stakeholders, Executive Sponsor
  • Updated PCI self-assessment questionnaires (SAQ), new data feeds, ROC report mail merge template, and simplified package installation

 

Last but not least, RSA Archer GRC Platform Release 5.5 SP4 delivers enhanced functionality to improve your experience for all Archer solutions, including:

  • Bulk user reassignment, allowing all records for a specific user to be reassigned to one or more users to prevent orphaned records
  • Attachment of multiple documents to a record, saving time and effort when attaching a large number of files
  • Removal of Java Runtime Environment (JRE) from the installer, allowing you to proceed with the install with no JRE installed on the servers, if you don’t want Gemfire
  • Log messages and data feed improvements, including formula validation of data feed calculations and the ability to execute a data feed via an API call
  • Expose history log data via API call
  • Inline edit improvements for the flat display option for searches with relationships to another application or level within the display field
  • Enhanced Archer Control Panel reporting, allowing Archer administrators to access additional statistics

 

 

And of course we’re still riding high on the excitement and exceptional customer feedback we’ve received for RSA Archer GRC 6. It makes all of our hard work worthwhile to know we’re making a difference, and we’re really looking forwardto moving the needle for our customers and the industry with the general availability release of RSA Archer GRC Platform Release 6.1 in the coming months.

 

Onward and upward!

Connections Image.jpg

In the past couple of months, I have had the privilege of attending the RSA Conference and OpRisk North America.  Across these two events I met many CISOs and Operational Risk Managers and got to take a look at some complimentary vendor products.  What I think I heard as a common theme is that practitioners are becoming frustrated with the use of questionnaires as the primary means of performing risk and control assessments.  In particular, third party risk managers are becoming increasingly skeptical that questionnaires are a reliable way to evaluate the internal control environment of their third parties.  Getting questionnaires completed has become more of a paper chase and compliance exercise.

 

The market seems to be responding to these frustrations in a number of ways, some of value and some not so much:

 

• To reduce the significant time spent distributing and collecting questionnaire results, some vendors are popping up with information exchange networks.  The theory is that if all third parties would answer a common questionnaire and deposit it centrally, it could be made available to their clients. For third parties, only one questionnaire has to be completed and it’s a one-stop-shop for clients looking for risk and control information about their third parties.  The problem is that many organizations do not want to participate in exchanges because of legal issues.  In short, third parties provide information to their clients on a negotiated basis.  How much and what type of information provided introduces litigation risk.  Third parties don’t want to provide any more information than they have to and clients want as much information as they can get.  Unfortunately, clients can’t agree on a common set of information to collect from third parties and third parties selectively decide which clients get what information.  Except for extremely large organizations that can force their third parties into an information exchange, adoption has been poor.  If your organization is thinking about participating in an information exchange, check with legal counsel first.

 

• A few credit scoring vendors such as D&B have been around a long time and they provide value to third party managers concerned about whether their critical third parties might go out of business due to financial problems.  Instead of gathering third party financial statements and performing credit assessments themselves, they can rely on the ratings of the credit scoring vendor.  This is particularly helpful when evaluating the credit worthiness of privately held companies and small businesses.

 

• To understand the control culture of a third party and sometimes the integrity of its principals, information supplied by organizations such as Lexis Nexis, Bloomberg, and Advisen can be helpful.

 

• To understand how well a third party has been managing its information security, Advisen can tell you about the history of breaches and losses a company has experienced, QuadMetrics calculates the odds a company will be breached and BitSight and SecurityScorecard provides security rankings on organizations.

 

I am sure there are many more information providers than those I have mentioned.  My point is that viable alternatives are emerging to replace questionnaires altogether or at least supplement them with external information.  Many organizations use some or all of these kinds of data feeds every day.  Mature organizations are bringing this kind of information into their third party governance solutions like RSA Archer, to obtain a holistic, more defensible view of the risk and performance of their third parties.  Not just any GRC solution can be easily adapted to accommodate such integration, like RSA Archer.  If this is the direction you are headed with your program and you're not using Archer, make sure you validate the integration and configurability capabilities of your chosen GRC platform.

Hello everybody! March is a notoriously unpredictable weather month here in the midwest. Many times we've been tricked into thinking an early Spring is upon us only to get hit with a frigid snowy blast. However with such a mild winter so far and so many things starting to bloom it's hard not to feel like Spring is here. Plus the honor of receiving the 2016 SC Magazine Excellence Award for "Best Regulatory Compliance Solution" has also put some extra spring in our step!

 

Just as March brings us closer to Winter's retreat, it also brings us another Archer content library update. The timing seems all the more fitting given the recent move to our new RSA Link Community platform that sprung into action a few weeks ago (ok, last pun I promise). This bundle is a cumulative bundle of Q4-2015 and Q1-2016 items including a much-anticipated NERC-CIP update.

 

Our NERC-CIP v5 release features a full update to the CIP family of content. This is the first update to take advantage of NERC content restructuring effort we did previously, to create better alignment within Archer and the ability to roll out updates to various NERC requirement families independently and much more efficiently. This latest NERC-CIP update also includes the compliance measurement elements specified in the standard in addition to the base requirements. Please consult the release notes prior to importing this NERC update as it is configured to overwrite the existing version in your libraries.

 

A number of updates to our FFIEC content set appear this time too. Our previous cumulative update included the latest FFIEC Business Continuity Planning Booklet. This time we're including additional updates to other FFIEC booklets and the addition of new ones not previously available in Archer, such as the E-Banking booklet.

 

NIST SP 800-82 Revision 2 is also included in this quarterly bundle. This is NIST's latest Special Publication for addressing security in Industrial Control Systems (E.g. SCADA).

 

Lastly, for existing customers that have previously implemented the Archer UCF (Unified Compliance Framework) solution, we have a full update to those UCF solution content libraries.

 

Once again the Community update page with release notes can be found here, and the content import packs themselves are obtained from Customer Support. I always highly encourage customers to review the release notes carefully before jumping in.

 

As always we’re here to answer questions too - whatever you need. And believe it or not it's time to start planning for the 2016 Archer Customer Summit! Check out the registration page for more info!

 

 

Mason

@masonkarrer

As this week’s RSA Conference 2016 wraps up, I’m struck by the transformation of this security conference over the past 10+ years. First, the enormity of RSA Conference, with early projections of more than 39,000 participants, is staggering compared with attendance 10+ years ago that was less than half that number.

 

Another striking difference is the people attending this conference today.  In the early to mid-2000s, RSA Conference drew a very technically savvy crowd.  Typical attire was relatively geeky t-shirts (with hysterical technical statements), jeans, and “Chucks.”  The security professional at that time was personified in the media and within organizations as “the Chicken Littles” of IT. Unfortunately, our “sky is falling” attitude  didn’t garner the type of attention we needed to help executives understand that cyber risks were inevitable and they needed to pay attention –  NOW.

 

Fast forward to 2016: today’s crowd is still dressed in t-shirts, jeans and “Chucks,” but you also see plenty of sport coats, khakis and suits. Not only are security professionals here to learn about the latest technology, but they’ve brought their IT management teams, business management teams, and C-level executives. These teams “get” that because cyber risks are business risks, they need to learn more about how to both avoid and address those risks. In addition, vendors are explaining their amazing technology here at the RSA Conference, using “Risk” as a shared concern and bridge between technical teams and executives.RSA Booth.JPG

 

Executives know that the digital technology strategies they’ve employed to grow their organizations have also introduced some level of risk. And they understand now more than ever that in order to be successful, they need a unified view of risk that factors in both cyber and business risk to drive their strategic business decisions. Coming to terms with the reality of today’s complex and changing risk landscape, security professionals, IT teams, executives and business management all understand that everyone within the organization must own risk.

 

Security teams now have a seat at the management table, as well as the attention of their executives. While I know all of us old school security folk try very hard not to pull out our “I told you so” card from “the sky is falling” days, we’re witnessing a revolution in “risk ownership” and it is evident here at RSA Conference 2016.

We are pleased to announce that RSA Archer has been awarded the SC Magazine 2016 Excellence Award for offering the best regulatory compliance solution!

Archer had to demonstrate that our solution helps organizations comply with specific regulatory requirements in the health care, retail, educational, financial services and government markets. Archer also had to demonstrate that we help customers meet mandates in such legislation as HIPAA, SOX, GLBA, FISMA, and in guidelines noted by the likes of the FFIEC and the PCI Security Standards Council. Archer had to offer references of customers who are engaged in, or have already completed, real, fully fledged deployments, and to address specific questions posed to us during the judging process.  This was a rigorous yet worthwhile review of our solution and we sincerely thank SC Magazine for this honor. 

Hundreds of RSA customers have been using our regulatory compliance capabilities for many years and we are proud to offer these critical capabilities to a market that not only needs them but has been our partner in building and maturing our solution to be what it is today.

Once again, a sincere thanks to SC Magazine and the many faithful RSA Archer customers that trust us to help them mature their regulatory compliance capabilities.

Screen Shot 2016-03-02 at 4.22.04 PM.png

Filter Blog

By date: By tag: