Anya Kricsfeld

Launching RSA Ideas

Posted by Anya Kricsfeld, Oct 31, 2017

For years RSA has been in the business of providing best-in-class security products and services to you, our customers.  I am proud to be surrounded by extremely intelligent and creative coworkers who amaze me with their knowledge, imagination, and ability to make the abstract a reality on a daily basis.  However, I am even more astounded by the unending well of new ideas I see coming from our customer community every time I interact with or observe an interaction between us and you.  You are the true inspiration and driving force of our innovation.  We build products that solve your problems, we offer services that help you, and everything we do, we do with you and your success in mind.


This is why I am happy to officially introduce you to a new way to harvest and crowdsource our collective ideas together.  This month, we have launched new idea pages on our RSA Link Community:


These destination pages are places for you to show off your creativity and need, to suggest ways that would improve our offerings to help you be more successful.  It is also the place where you can collaborate on your ideas with other like-minded individuals and vote on ideas suggested by others.


We have a great customer community, let’s harness its creative power to see what we can come up with together.


For more information, please check out the following FAQs:


The theme of the latest RSA Archer 6.3 release is “Privacy, Resiliency and Flexibility”.  I can’t think of three better words to describe some of the biggest challenges organizations of all sizes and shapes face today. In this blog I’ll focus on Resiliency.


Resiliency is the ability to quickly bounce back from a crisis, large or small.  Bouncing back implies two aspects: one, not completely breaking upon impact; and two, having the mechanism to quickly recover and resume activity.  Resiliency may entail heroic efforts, but what is more important are the plans, processes and practices that enable organizations to be prepared to quickly bounce back when a crisis hits.


One barrier to building resiliency is lack of coordination.  In any organization, there are silos: separate departments, processes, systems and information.  Even within a Business Resiliency program, there are silos, such as separate teams that handle daily incidents, perform business continuity and IT disaster recovery, and manage crisis events.  This separateness impedes coordination, reduces the ability of the organization to be resilient and forces it to rely on those heroic efforts I mentioned.  Effective coordination is especially crucial in dealing with incidents and crisis events.


Incidents are the day-to-day occurrences that happen in any organization, such as minor employee, physical or IT events.  Most organizations handle enough of these that their processes are very standard, so these incidents don’t create much disturbance.  However, damage can occur when these incidents turn into crises and incident management teams are not coordinated enough with crisis management teams to ensure an effective handoff.  Some reasons for the lack of coordination might include:


  • Separate teams. As mentioned above, organizations typically have separate teams that manage incidents and crisis events. This slows down and often hinders the process of transitioning the incident to a crisis event, and when dealing with a crisis, minutes often matter.
  • Confusing Communications. Communications surrounding an incident usually involve a small group of individuals directly involved in the incident resolution and are very prescribed and basic.  However, communication changes drastically during a crisis event, and may very quickly extend to much larger groups like employees and executives, or external parties like regulators, law enforcement and emergency personnel.  It becomes much more complex and ad hoc, making the transition difficult.
  • Multiple Systems. Different systems are often used to manage incidents and crisis events.  This may be due to different teams acquiring them or to the focus of these point solutions.  This causes a lack of coordination because information is housed in different systems and is not connected to paint the bigger picture, such as what caused the event and how it evolved.  This is critical during a crisis event because having the history of the event, those involved and next steps housed in one system helps crisis teams not miss critical elements and is vital to better managing the event.


Updates to the RSA Archer Incident Management and Crisis Management use cases in the 6.3 release significantly help with these issues and enable better coordination between incident and crisis teams.  Workflow, discussion forums, event tracking, post-event analysis, and reporting and dashboards have all been developed to enable incident and crisis teams to:


  • Manage the event as one and ensure a more seamless handoff from the incident team to the crisis team;
  • Provide a holistic history of the incident and related crisis event so teams can see the bigger picture around the event, make better decisions, and help in planning for subsequent events; and
  • Reduce confusion between incident and crisis teams with workflow and user roles that help with decision-making, crisis declaration, and transition.


These updates will help disparate resiliency teams improve their management of disruptive events from inception to closure.  Other departments will also find value in these use cases.  For example, resiliency risk has risen to the Board level in recent years and is also on the radar of most regulators and auditors. As such, business risk management teams also have a vested interest in better managing the resiliency of the organization.


Silos will continue to exist because organizations are complex; however, resiliency can be strengthened by creating more effective and seamless handoffs between siloed areas. These critical updates in the RSA Archer Incident Management and Crisis Management use cases can help reduce resiliency risk to the organization.

On behalf of my co-author, Corey Carpenter, greetings from RSA® Charge in Dallas, TX, the biggest GRC stampede around! We're knee deep in exciting announcements this year, including several new partner interoperability offerings. And of course let's not forget the official launch of RSA Archer® 6.3, with the latest additions to our Regulatory & Corporate Compliance solution domain: RSA Archer Data Governance and RSA Archer Privacy Program Management!


For many years, organizations have wrestled with the daunting task of protecting data in their business operations. The forthcoming European Union (EU) General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, has gathered much attention and is certainly a hot topic of conversation around RSA Charge this week. The EU-GDPR places an increased emphasis on the importance of managing EU resident personal data and the consequences for failing to adequately do so.


The concepts of data governance and protection, while not new, have been pushed to another level under the EU-GDPR as organizations must ensure they clearly understand and adequately protect the EU resident personal data that they collect and use, and retain it appropriately with an increased accountability and transparency to consumers. While this aspect of GDPR may represent a "new normal" for many organizations, to a large extent we believe it merely reinforces what practitioners in the information security and risk domains have known for years. Whether the exercise is driven by regulatory exposure through EU-GDPR, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), or other similar standards; or simply battling the general risks that information thieves pose to everyone, the concept of data protection has always been critical in managing overall information risk.


As organizations in every market continue to face the ongoing risk of data breaches and the devastating fallout that can occur, in many respects compliance obligations merely underscore an already pressing business need to proactively maintain vigilant operational security processes and due care as critical elements of a sound risk management program. Whether the target is personally identifiable information, or corporate intellectual property, the techniques and approaches are often similar. In today's world of high stakes information thievery and corporate espionage, organizations must protect all types of sensitive data to survive.


Establishing effective controls to protect sensitive information begins with a clear understanding of what those information assets are. Where do they live? How are they used? How does that sensitive data flow into and out of our organization? How are third parties involved? How long should we keep the data? Questions like these may seem simple enough, but they often reveal a complex web of interconnected data siloes that companies struggle to understand and protect.


Enter RSA Archer Data Governance and RSA Archer Privacy Program Management…


RSA Archer Data Governance is designed to help document and understand the flow of key information assets in an organization. What are the entry points for that data? Is it collected through an internal process or third party? Where is it stored, sent, and shared? These types of important details can be documented and tied to the appropriate Notice/Consent statements using RSA Archer Data Governance. As sensitive data is processed and moved from system to system, those critical data flows can be clearly understood and documented, along with relevant data retention and disposal requirements. With a complete picture of the entire data environment, the organization is empowered to demonstrate proper governance and accountability.

RSA Archer Privacy Program Management is designed to help organizations assess the privacy impacts of their data environments and measure the resulting risks. As organizations communicate with regulators to answer questions, respond to inquiries, or even declare a data breach, they can utilize RSA Archer Privacy Program Management to document and manage those communications. For organizations still working through the process of documenting their data environments, this use case also can assist in understanding data inventory scope boundaries through questionnaires to key stakeholders such as application and information processing owners.


Did you know that companies with mature risk management programs are measurably more profitable? How would information like that resonate with your executive management? There's no better place to explore these topics with global experts than right here at RSA Charge, the largest GRC gathering on the planet! Stop by the demo pods in between your learning sessions for a look at the latest and greatest features in RSA Archer 6.3. You can also follow #RSACharge to catch trending conversation topics this week on Twitter.

By now, you may have heard the good news – RSA Archer release 6.3 is now available! RSA Charge 2017 (Oct. 17-19, 2017 in Dallas, TX) is the ideal occasion for us to release our latest software with a bang.

RSA Archer release 6.3 includes two new use cases, RSA Archer Data Governance and RSA Archer Privacy Program Management, platform enhancements, and updates to the Business Resiliency, Public Sector and Payment Card Industry (PCI) use cases. Look for additional blog posts in the coming days and weeks for a deeper dive into this Release 6.3 functionality.


Use Case Enhancements

Regulatory and Corporate Compliance

Release 6.3 introduces two new use cases as part of the solution, RSA Archer Data Governance and RSA Archer Privacy Program Management. These new use cases will assist companies in managing the requirements set forth by applicable privacy regulations, including the GDPR regulation. PCI Management has also been updated to address the most recent PCI standard release, 3.2.

Business Resiliency

RSA Archer Business Resiliency use cases received a comprehensive upgrade to better help companies manage disruption and crises. Terminology and workflows have been realigned to better support the crisis management process and new out-of-the-box notifications and test plans will help with the velocity of the business continuity management process.

Public Sector

The Public Sector use case updates will improve customer efficiency as well as usability with ICS and SCADA controls. Specifically, the RSA Archer Assessment & Authorization (A&A) use case has improved usability through the use of advanced workflow. This will reduce the time and effort needed to assess information systems, maintain control documentation and manage remediation efforts.

Platform Enhancements

This release has several enhancements to the RSA Archer platform.  Some highlights include:


RSA Archer Administrators will now have access to a new dashboard that will provide insights into system health and activity. They will be able to report on system events such as data feed performance and user activity to improve troubleshooting, system maintenance and operations.


There are also several enhancements that aim to reduce the number of clicks necessary to perform tasks. For instance:

  • ‘Bulk Record Operations’, where a user can now select and update multiple records at once;
  • ‘Direct to Edit’, where a user can open a record in edit mode in one click; and
  • ‘Save & Close’, where a user can save his work and go back to the previous screen in a single click.

From an appearance perspective, if you want to match your application to your own corporate branding and design, you will have many more options to play with and levers to push. RSA Archer 6.3 expands color configuration capability. Administrators can now configure the user interface to match their corporate branding and design, as well as customize page and field border colors.

This release contains other improvements as well, so check out the release documentation for the details.  As mentioned earlier, there will be new posts for a deeper dive into some of these items. Additionally, we invite you to join us for Free Friday Tech Huddles on 6.3 features; please check back for details.

For more details, read the Press Release or visit the 6.3 Subspace on the RSA Archer community.


The National Infrastructure Advisory Council (NIAC) published its draft report discussing ways to reduce the complex risks associated with cyber threats within critical infrastructure sectors. Cybersecurity risks and threats expose the complexity and connectivity of our critical infrastructure systems, placing national security, the economy, and public safety at risk. According to the NIAC report, “cyber destruction of computer systems that control vital infrastructure like power grids, dams, waterways, air traffic control, transportation and the financial sector is inevitable without immediate efforts by government and the private sector to substantially boost efforts to protect those systems. If they fail to do so, they will have missed a ‘narrow and fleeting window of opportunity before a watershed, 9/11-level cyberattack.’”


The U.S. government has been working to bring some order to this crisis. In an effort to help government agencies and the private sector, NIST (National Institute of Standards and Technology) developed a risk-based Cybersecurity Framework to provide industry standards and best practices to help manage cybersecurity risks. In May 2017, the U.S. Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure was signed, holding agencies accountable for managing cybersecurity risks.


Why Implement a Cybersecurity Framework?

With so many IT and security initiatives afoot, why is this specific Cybersecurity Framework a priority?


First, it’s no longer an optional, nice-to-have program to augment your cyber risk arsenal. The recent executive order makes the NIST Cybersecurity Framework compulsory for all government agencies. Private sector organizations that fall within one of the sixteen critical infrastructure sectors are advised to put the appropriate measures in place to improve the cybersecurity posture of their organization.


What’s required of those organizations? The framework sets out to help organizations:

  • Identify the elements or desired outcomes for maturing a cybersecurity program;
  • Provide a method to assess and measure against the desired state;
  • Measure progress and address findings or gaps in the program; and
  • Communicate the cybersecurity posture in a meaningful way to management.


Second, the Cybersecurity Framework provides a common language with which both technical and non-technical personnel can come to an understanding of the organization’s cyber risk. Terminology like Identify, Protect, Detect, Respond and Recover forms the tenets of categorization for the program, which is usable across all industry segments as well as the government sectors.  And best of all, the language, enumeration, and progress are all focused on reducing RISK. The guidelines do not require specific technology or hardware to solve the problem.


Finally, the NIST guidelines set in place a continuous improvement process for reviewing, assessing and managing an organization’s cybersecurity program. Threats and technology change. Organizational priorities change. And therefore, our approach to handling cyber risk must adapt to those changes on a continuous basis.


Regardless of organizational size or cybersecurity sophistication, organizations can apply the NIST Cybersecurity Framework principles and best practices of risk management to improve the cybersecurity and resiliency of their critical infrastructure.


RSA Archer is here to help!

With the first release of the RSA Exchange on August 22, we introduced the RSA Archer Cybersecurity Framework Management App-Pack. This new offering provides government agencies and private sector businesses a method to assess and measure their cybersecurity posture, address gaps, and report on cybersecurity in a meaningful way that is understood by all stakeholders.


RSA Archer Cybersecurity Framework Management enables profile owners to catalog the current state, prioritize and scope profile elements, and define their desired or targeted state outcomes for their organization’s cybersecurity program. Assessors then evaluate these profiles against the NIST Cybersecurity Framework categories. Previous assessments can be archived for comparison with the current profile and measure progress. Reports and dashboards provide clear insight to the cybersecurity current state and progress being made toward the desired cybersecurity state.


Interested in learning more about the RSA Archer Cybersecurity Framework Management app-pack?  Check out the video and implementation guide on the RSA Exchange. In addition, the RSA Exchange team will feature the RSA Archer Cybersecurity Framework Management app-pack at RSA Charge. Come visit us next week, October 17-19, at the RSA Exchange demo pod in the RSA Charge Innovation Zone to learn more about this offering!

It’s back and it’s better than ever! Introducing the bigger and better RSA Exchange, formerly known as the RSA Archer Exchange or RSA Archer Focused Solutions.


RSA Archer use cases provide the foundation to help you quickly get risk management programs up and running. But oftentimes, your program requires an industry or geographic-specific business process outside the scope of RSA Archer use cases. You then create new applications from scratch using on-demand applications (ODAs) to manage adjacent or supporting risk and compliance processes.

RSA Exchange Offering Types


The new and improved RSA Exchange helps you easily access and download best-practice ODA offerings created by RSA and RSA SecurWorld partners, known as App-Packs, via the RSA Link online community. In addition, the RSA Exchange highlights RSA Ready-certified Integrations that enable you to pass risk data between the RSA Archer Platform and third-party offerings, as well as Tools & Utilities to help administrators manage the Platform.


In our first release of the RSA Exchange, we introduced two new App-Packs:

  • RSA Archer Cybersecurity Framework Management - providing government agencies and private sector businesses a method to assess and measure their cybersecurity posture, address gaps, and report on cybersecurity in a meaningful way that is understood by all stakeholders
  • RSA Archer Project Management - offering a simple framework for managing multiple large-scale projects simultaneously, accounting for milestone scope and delivery timelines within the allotted budget, and documenting team tasks and related expenses


RSA Exchange App-Packs leverage ODAs for licensing. Each of these offerings indicates its prerequisite use cases and the number of required ODAs.


The RSA Exchange Release R1 also highlights several new RSA Ready-certified integrations including:


And there are more to come! The RSA Exchange is an integral part of the RSA Archer ecosystem, providing a faster and more flexible development cycle for RSA and RSA partners to deliver value-add offerings for your RSA Archer implementation. Look for new offerings and updates to our existing offerings on a quarterly basis.


Interested in learning more about the RSA Exchange offerings? Check out the site to learn more about the great offerings mentioned above. In addition, the RSA Exchange team will be at RSA Charge! Come visit us next week, October 17-19, at the RSA Exchange demo pod in the RSA Charge Innovation Zone to learn more!
