
With data breaches increasing at a record pace, an Information Security Management System (ISMS) has transformed from an IT buzzword into a necessity for most organizations. According to a report recently released by the Identity Theft Resource Center, there were nearly 1,600 data breaches reported in the United States in 2017. This represents an increase of 44% from figures reported in 2016. More alarming is the average cost of a breach, estimated to be roughly $3.6 million per incident, according to a report conducted by Ponemon Institute. These numbers are only expected to increase in 2018, necessitating a proactive approach to cybersecurity.


To address the increasing occurrence of data breaches, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published an updated version of ISO 27001 in 2013. Part of the ISO 27000 family of standards, ISO 27001 outlines the policies, processes, and procedures required to implement an ISMS. Regardless of organizational size or type, an ISMS can be applied to secure information assets and manage information in all its forms. Organizations that meet these standards may pursue ISO 27001 certification following a successful audit. Not only is certification useful for protecting valuable data and information assets, but ISO 27001 covers many of the requirements necessary to adhere to the new General Data Protection Regulation (GDPR) that will be in effect May 25, 2018.


ISMS Dashboard (screenshot)


To account for updates to ISO 27001, we have released an enhancement to our Information Security Management System offering in version 6.4, released last week. Features new to the release include:

  • Automatic risk scoping that allows for the simultaneous generation of ISMS risk and control records.
  • ISMS Risks application that generates a snapshot of each risk facing ISMS assets at a point in time.
  • ISMS Controls application that catalogs all control procedures applied to risks.
  • ISMS Audit application that provides a taxonomy for reviewing risks and controls, generating findings, and applying exception requests.
  • ISO 27001 questionnaire that identifies key gaps in the organization’s risk posture.
  • Ability to apply ISO 27002 control procedures to mitigate inherent risks.
  • Personas and record permissions necessary for managing an ISMS and enforcing role-based access control.
  • Generation of a Statement of Applicability that can be provided to external auditors for ISO 27001 certification.

ISMS General Information Section (screenshot)


There are three components crucial to managing an ISMS:

  • Determining key organizational assets
  • Identifying potential risks
  • Applying mitigating controls


As an organizational ISMS continues to evolve, these components must be regularly evaluated and refined to ensure risks facing crucial assets are properly mitigated. The RSA Archer ISMS use case sits at the convergence of these components, allowing users to seamlessly scope assets and stakeholders, manage inherent risk, and apply mitigating controls from a library of ISO 27002 content.


With RSA Archer ISMS users can:

  • Protect the confidentiality, availability, and integrity of data
  • Reduce costs associated with information security
  • Provide a centrally managed framework for information security
  • Ensure that information in all forms is secured


Interested in learning more? Join us for our Free Friday Tech Huddle this Friday, April 27 to hear more about the offering and see a live demo. The Free Friday Tech Huddles are available to existing RSA Archer customers. If you are not yet a customer but interested in learning more, please contact your local representative or authorized reseller—or visit us at

A key to delivering a solid risk management program is the quality and performance of the processes fueling your organization’s strategy. Getting solid results through efficient processes enables your program to achieve the reach necessary across the enterprise to address risk effectively. These two facets – quality and performance – were the key themes of our most recent release.

I am pleased to announce the general availability of RSA Archer Release 6.4. RSA Archer 6.4 delivers enhanced capabilities for the RSA Archer Platform, focused on improved data quality, faster data feeds, and greater platform performance and serviceability.

Integration is critical in gathering the information for your risk program. RSA Archer’s integration capabilities are core to the platform, and the 6.4 release enhances the data feed capabilities in RSA Archer with greater ability to transform inbound data before it is brought into the RSA Archer Platform. Release 6.4 also improves the performance of data feeds by batching records and improving calculations.

In addition, there are some fantastic new features that improve the user experience and make life easier for administrators. The ability to embed reports on application forms and to calculate cross-references based on data filters are two new capabilities that will improve how users view data and how administrators can streamline data input. For easier serviceability of the RSA Archer Platform, a new permissions investigation console has been added to simplify role and group access control troubleshooting. Additionally, the expansion of advanced workflow capabilities captures advanced auditing insight and logs workflow history within the History Log field.

RSA Archer Release 6.4 also introduces new capabilities for RSA Archer IT & Security Risk Management use case offerings:

  • The new RSA Archer Cyber Incident and Breach Response use case is designed to align security to business risk. It provides a consistent measure of control efficacy and centralizes the process for responding to business-impacting security incidents.
  • New capabilities for the RSA Archer Information Security Management System (ISMS) use case enable users to automate scoping of ISMS resources, conduct a gap analysis, and generate a Statement of Applicability.

These are just some of the highlights of the release. With the release of 6.3 in October 2017 and this release, we continue on our journey to make RSA Archer the system of engagement and insight and help your organization implement high quality, high performance risk management processes.

For more information, see the Product Advisory.

In my previous blog about cyber risk quantification and privacy, I suggested that there is a role for assessing risk using cyber risk quantification and assessing risk from a privacy orientation. Let me explain further. Cyber risk quantification is hugely important to an organization! Cyber risk quantification is used to answer these kinds of questions:

  • What would be the monetary impact on the organization, if it experienced a cyber breach?
  • How much, in monetary terms, is risk reduced if a particular control is implemented?
  • What’s the monetary value of implementing this control over that control?
  • How much cyber insurance should be purchased to cover the organization’s cyber risk (what should be the dollar limit of the insurance policy on a single and aggregate loss basis)?

These are extremely important questions that every organization needs to answer. When these questions can be answered in monetary terms, it is much easier for executives and the board to prioritize the allocation of scarce human and capital resources in the management and transfer of risk.

Privacy laws change the orientation of risk assessment from the impact of a cyber incident on the organization to an assessment of how the cyber incident would impact an individual. Originally, privacy laws were very prescriptive about the obligations to individuals, as can be seen in these two regulatory obligations:

  • The Australian Privacy Principles state that an “entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorized access, modification or disclosure.”
  • Section 501 of the U.S. Gramm-Leach-Bliley Act states that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.

Contrast these rather prescriptive requirements with the EU General Data Protection Regulation, effective this May.

  • The EU-GDPR was designed to “protect [the] fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”

The EU General Data Protection Regulation broke from the older, more prescriptive requirements of the Australian Privacy Principles and the U.S. GLBA, and expanded the scope to include the “fundamental rights” of EU citizens. In the United States, this would be analogous to equating GLBA with the Declaration of Independence, where you might end up with a privacy statement like “institutions have an affirmative and continuing obligation to respect the privacy of their customers and to protect the security and confidentiality of those customers’ nonpublic personal information so as to not infringe upon the individual’s unalienable right to life, liberty, and the pursuit of happiness.”

As I said, the EU-GDPR was designed to “protect [the] fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” There happen to be fifty fundamental rights identified in the Charter of Fundamental Rights of the European Union. Not all fifty of these fundamental rights could be infringed by poor information security, but a thorough risk assessment requires the assessor to evaluate the likelihood and impact that an information security incident could have on the individual’s fundamental rights.

The change in orientation from assessing the impact of a breach on the organization to assessing the impact on the individual ultimately influences an organization’s cyber risk appetite too. An organization may have an appetite for $10 million in cyber breach-related costs but zero tolerance for an information security breach that could compromise the life and safety of employees. Both risk appetite statements are perfectly logical. However, assessing the risk requires two different but complementary approaches: Cyber Risk Quantification and Privacy Risk Assessment.

I have been obsessing over the question of whether cyber risk quantification, as we understand it today, can serve as a reasonable proxy in assessing risk associated with privacy regulations such as the EU General Data Protection Regulation. The EU-GDPR says the obligation of companies is to “protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” Article 6 of the Charter of Fundamental Rights of the European Union states that one fundamental right is the right to liberty, which encompasses the concept of self-determination.


I am not at all confident that traditional cyber risk quantification is a suitable proxy for an individual’s privacy risk related to this fundamental right. For example, a company might perform a quantified risk assessment of non-compliance with the EU-GDPR that concludes there is an 80% probability of a fine of 4% of global revenue + 10 million Euros of customer litigation. This is a great approach if you need to understand the potential monetary impact to the organization for non-compliance but, if your intent is to truly comply with the law, it seems to me that you may have to take an individual-focused approach to risk assessment.


In short, what is the risk to an individual's fundamental rights if they are subject to psychographic profiling by a company like Cambridge Analytica, for the purpose of manipulating public opinion that undermines the individual's right to self-determination?


After pondering this with a number of people, I think the answer is that different risk assessment approaches must be employed. In those circumstances where you want to understand the monetary impact to the organization, you would use cyber risk quantification. In those circumstances where you want to understand the impact to an individual, you must do the assessment from the individual's perspective. This bifurcated approach will no doubt leave many organizations faced with circumstances where they have determined that the risk to the individual is great but to the organization, comparatively small.


What do you think?


Hi RSA Archer fans,


Once again, your friends at RSA University have teamed up to bring you some exciting pre-conference training opportunities! Please note that these training courses are limited in the number of students we can accommodate per course, do require pre-registration, and carry a cost that is separate from your conference fee. That said, these prices are at least 20% off list price, and as prior Summit and Charge events have shown, the available discounted training spots will go fast!


Based on response and instructor availability, we may be adding more courses to this line-up as the event approaches, but we can’t promise that just yet. We strongly recommend you don’t delay and risk losing your chance to add even more value to your trip to Nashville for the RSA Archer 2018 Summit!


All of these courses will be held at the Sheraton Grand Nashville Downtown, a quick 3-minute walk from the main Summit hotel. We commit that you’ll be out in time to join in the opening night fun on Wednesday, so make sure you register for the RSA Archer Summit as well if you haven’t already!


Visit the RSA Archer 2018 Summit website for registration and ongoing event information as we head toward the August 15-17 Summit event.


Links to register for pre-conference training are included below.


Aug 14-15 (Tues-Wed):

  • RSA Archer Boot Camp - $1600
    • In this consolidated, 2-day version of our 4-day Admin I course, students will gain knowledge of the key RSA Archer 6.x platform components such as applications, security management, and communication tools through presentations and hands-on practice.
    • Registration Link: 
  • RSA Archer Infrastructure Administration - $1600 - NEW COURSE!
    • This brand new 2-day course offers Archer Admins and IT Teams instruction specific to the Archer Server and Server Side Functions. In this class you will learn how to configure LDAP Integration, SSO, SQL Maintenance, and Archer Control Panel Settings. You will also learn Packaging, installation of Archer Updates, Bulk Data Management, License Activation, and Troubleshooting tips and tricks.
    • Registration Link:

Aug 14 (Tues):

  • RSA Archer Advanced Workflow & Navigation - $800
    • This one-day workshop includes instructions for navigating the new interface introduced in RSA Archer 6, an overview of main differences between versions 5.x and 6, and extensive hands-on practice using the new Advanced Workflow feature.
    • Registration Link:

Aug 15 (Wed):

  • RSA Archer Advanced Workflow & Navigation - $800 - SOLD OUT!
    • This one-day workshop includes instructions for navigating the new interface introduced in RSA Archer 6, an overview of main differences between versions 5.x and 6, and extensive hands-on practice using the new Advanced Workflow feature.
    • Registration Link: 


And if you just can’t get enough of our amazing RSA Archer instructors, during the conference itself, please be on the lookout for a lab room running multiple sessions of our popular “Choose Your Own Adventure” style lab. There, you can get hands-on practice with any of the RSA Archer Use Cases of your choice!


We look forward to seeing you this year in Nashville!


All the best to you and yours,


Megan Olvera

RSA Archer Education Services Practice Lead
