
Take Control of Your Controls

Managing risk today isn’t easy. Often, your success in reducing risk depends on the effectiveness of the controls within business operations. The design and implementation of control activities are key to reducing the possibility of negative events such as compliance violations, business disruptions, data breaches and a host of other scenarios.

I am happy to announce general availability of RSA Archer Release 6.4 SP1. This release includes updates to several key use cases that are critical in managing control documentation, testing and reporting. In other words, this latest RSA Archer platform and use case release focuses on helping customers ‘take control of your controls.’ Following on the heels of RSA Archer Release 6.4 in April, RSA Archer 6.4 SP1 leverages features introduced in RSA Archer Release 6.4 within several use cases and includes additional updates to the RSA Archer Platform.

Use Case Updates

  • RSA Archer IT Security Vulnerabilities Program – One of the most prevalent security controls is the identification and remediation of vulnerabilities on IT systems. These vulnerabilities are the foothold today’s security threats need to compromise systems, ultimately leading to data breaches. The process that identifies those vulnerabilities and ensures proper patches are implemented is critical in reducing the ‘attack surface’ of an organization.

The RSA Archer IT Security Vulnerabilities Program use case is designed to offer security teams an integrated approach to identifying and prioritizing high-risk cyber threats, proactively managing IT security risks by understanding the criticality of various assets to business operations, and combining those insights with actionable threat intelligence, vulnerability assessment results and comprehensive workflows.


Updates to this use case in this release improve performance of data feeds, introduce new workflows, update the integration to the National Vulnerability Database (NVD) and add a new Vulnerability Tickets application to track remediation actions needed to address vulnerabilities identified by scanners.


Updates to these use cases within this release streamline the compliance testing and controls management processes with improved planning for compliance testing and support for multi-phase tests throughout the year. One of the most exciting additions is End-to-End Compliance Project Management, allowing compliance teams to scope controls and plan and generate appropriate control tests as needed. Additionally, a new Control Procedure Hierarchy provides a method to create a master list of controls, with automated creation of Control Instances via the Control Generator for different business entities and infrastructure. A new Evidence Repository application is also included, providing a single repository for evidence gathered in the compliance testing process.

Additional updates to the RSA Archer PCI Management, RSA Archer Assessment & Authorization and RSA Archer Issues Management use cases carry on the theme of streamlined control management.

Platform Updates

This latest RSA Archer release also includes new and updated Platform features. One of the key new features is the addition of an Electronic Signature using RSA Archer authentication or emailed PIN authorization. This feature strengthens customers’ ability to log and track user actions and supports non-repudiation of attestations.

In addition, other Platform updates in this release include:

  • Data feed performance and scalability improvements when using the Batch Content Save Token
  • Additional filtering capabilities for Calculated Cross-Reference and Report Object hierarchical values lists
  • Dynamic Field Population via Mapping for Bulk Action to populate fields with content assigned from a related field
  • Performance improvements for hierarchical values lists


For more information, see the RSA Archer Release 6.4 SP1 Product Advisory.

2018 Gartner Integrated Risk Management


Gartner has named Dell / RSA Archer a Leader in its inaugural Integrated Risk Management Magic Quadrant published on July 16, 2018. This is just the latest in RSA Archer’s long history of a Leaders quadrant designation in Gartner Magic Quadrant reports, most recently including:


Shifting to Integrated Risk Management

In recent years, particularly among more mature GRC implementations, we believe Gartner observed that organizations were increasingly implementing multiple use cases to establish enterprise-wide risk management programs. In 2017, we observed that Gartner began reframing its assessment of the GRC market and risk and compliance management-related solutions in the context of Integrated Risk Management.

Gartner believes that “integrated risk management enables simplification, automation and integration of strategic, operational and IT risk management processes and data.” We feel Gartner’s depiction of integrated risk management brings together Digital Risk Management (DRM), Vendor Risk Management (VRM), Business Continuity Management (BCM), Audit Management (AM), Corporate Compliance Oversight (CCO), Enterprise Legal Management (ELM), IT Risk Management, and Strategic Risk Management, all around the hub of Operational Risk Management.

Leaders Quadrant for RSA Archer

One of the greatest strengths of the RSA Archer Suite is enabling a customer to bring together and effectively integrate multiple use cases. So to us it is no surprise that, among 16 vendors evaluated, Dell Technologies (RSA) was placed in the Leaders quadrant by Gartner. RSA is pleased to be positioned, yet again, as a Leader in yet another Gartner Magic Quadrant. We believe this Integrated Risk Management MQ report shows a very positive evaluation of the RSA Archer Suite.

Thank You to Our Customers!

We know that this Leader position could not have been achieved without the help and support of our customers, acting as critical references in Gartner’s evaluation of the RSA Archer Suite. Our sincerest thanks to all of you who have acted as a reference on our behalf!

The Future of GRC

The term “governance, risk, and compliance” has been fading in relevance over the past several years as organizations have matured their risk management programs. Many of our customers have already implemented integrated risk management or enterprise risk management programs. RSA, too, has embraced integrated risk management as a representation of how organizations should mature their risk management programs. We have long acknowledged that information security professionals cannot be truly effective in their roles without embracing business risk management – and integrated risk management is a further evolution of this idea. In the end, GRC is not dying – rather, it is evolving into IRM, a more meaningful approach to bring the whole organization together to consistently and effectively identify, assess, evaluate, treat, and monitor risk.

Magic Quadrant for Integrated Risk Management; Published: 16 July 2018; Analyst(s): John Wheeler, Jie Zhang, Earl Perkins

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request: 2018 Gartner Magic Quadrant for Integrated Risk Management Solutions.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Are you tired of the GDPR discussion yet? I hope not. GDPR represents a tremendous opportunity to discuss risk management in a much wider context. GDPR – being all about personal data – is the opening you need to discuss how data is fueling your organization.

Why is Data Governance so important?

Data is so widely distributed in organizations today and the power of end users is tremendous. Just a simple download of Personal Data from a central, controlled system into a spreadsheet by a marketing person for a one-time use is a risk. So not only do you need to understand where the managed systems are that contain Personal Data, but also the possible outputs from those systems.

Processing activities can be extremely complex. This is where engaging those process owners is so important. First, you need to educate them on the risks and second, get their help in working out the data flows. Third parties are also a major challenge in this area. Many companies are leveraging cloud service providers or external vendors for many types of data processing. You must be able to identify these vendors, and then understand if they access or process personal data.

Shadow IT or functional groups working directly outside the scope of IT with external vendors are a major challenge. Policies, education and better options have to come into play. You may not be able to eliminate all of the instances where a functional group works with an outside firm – but you can certainly ensure policies and training are in place to educate those groups on the potential risks.

While the discussion with your business may start with personal data, it isn’t a long shot to talk about other elements of data, the importance of data governance and the controls needed to secure all types of data. Once you cross that chasm of discussing data, the opportunity to talk about internal and external threats is open.


Want to learn more about data governance and GDPR? Check out our solution brief or take a look at the RSA Archer Data Governance use case.

Remember the hullabaloo around GDPR? Well, it went into effect a little over a month ago and already there is litigation pending with Supervisory Authorities in 4 EU countries! The first complaints filed pertaining to privacy concerns affected by the EU regulation are aimed at several major companies, all of which are U.S. based.

The First GDPR Complaints

Complaints have been filed against several U.S. based companies. The suits range in size from one litigant to class actions representing 9,000 to 10,000 EU data subjects. As these stories unfold, no one knows how the lawsuits will progress or whether any of these companies will be fined by an EU Supervisory Authority. However, GDPR continues to be an initiative affecting many companies.

What we do know from these early lawsuits is three things:

  • U.S. companies are not going to be immune to GDPR litigation.
  • Even if no fines are levied, each of these companies must devote expensive legal resources to defending against these suits.
  • If you are a U.S. based company handling information about EU data subjects, you need to make sure you are ready for GDPR, including being able to demonstrate your compliance should an EU Supervisory Authority make an inquiry.


GDPR Preparation Basics

Every company has to consider the impact of the GDPR on its own business requirements and operations. There are some basics that stand out as good fundamentals for GDPR efforts and privacy programs in general.

Security Risk Assessment: Article 32 of the GDPR outlines appropriate elements of a security risk assessment process to ensure controls and risk are appropriately designed and implemented. An effective risk assessment process accelerates the identification of the linkage between risks and internal controls, reducing GDPR compliance gaps and improving risk mitigation strategies.

Breach Response: Article 33 of the GDPR outlines specific requirements for notification of a personal data breach to the supervisory authority. Obviously, the goal of any security team is to prevent these kinds of breaches, but breaches can still occur. Accomplishing this objective will require a combination of processes and technical capabilities, including security incident management, security operations and breach management, as well as tools for deep monitoring and analysis of system-related security data, such as system events, coupled with strong forensics capabilities.

Data Governance: The GDPR highlights that data governance is a crucial element of effective data management practices. Organizations must protect personal data in a number of different ways, and must be able to demonstrate due diligence in keeping accurate records of processing activities. A basic element of data governance is controlling who has access to personal data within the organization. These requirements are in keeping with Identity and Access Management (IAM) and Data Governance best practices.

Compliance Program Management: At the end of the day, GDPR is a regulatory issue. A compliance program should provide the framework for establishing a scalable and flexible environment to document, manage and test your organization’s policies and procedures to comply with the GDPR.

Organizations with these basics in place can have a stronger foundation to address emerging issues, creating a more proactive and resilient environment while reducing the cost of GDPR compliance.

For more information, check out RSA's resources on GDPR, specifically this paper on GDPR Compliance. For RSA Archer Community members, we have several Practitioner Tours highlighting the RSA Archer privacy use cases: Data Governance and Privacy Program Management.

GDPR has come – and gone? Not really. Despite the deadline passing without the sky falling, GDPR is something that can’t fall off your radar. If your legal and compliance team raised the GDPR flag as something you need to address, then you should certainly be thinking long term. GDPR is not just a regulation - it is an opportunity.

New regulatory requirements are a great opening to take a close look at controls in general. When Sarbanes-Oxley hit organizations, they responded by focusing, naturally, on the financial reporting processes. But over time, companies realized a strong control strategy has benefits beyond those processes. It raised the awareness of managing not only compliance – but of managing risks to the business. GDPR can play that same type of role. While the immediate focus may be on security of personal data – the changes GDPR can bring in policies, processes and technical controls can benefit areas of your business outside of personal data.

What Comes after GDPR?

If your organization understands how important it is to protect personal data because of regulatory requirements, then the time is ripe to ask the question – what about other data? GDPR represents a shift in how businesses must address data governance, breach preparedness and risk and compliance management. Those controls can evolve into a better strategy across the enterprise. Take the opportunity – have the discussion.

Want to learn more? Check out RSA's perspective on GDPR or read the white paper on how GDPR is affecting your future.

The California Consumer Privacy Act is the latest addition to the privacy regulatory world and it is stirring the conversation about protecting personal data even more. I’ve been a huge fan of Saturday Night Live since the first time I saw it on TV. One of its iconic recurring skits was “The Californians”, whose primary theme was explaining how to get from one place to another by using different California roads and highways. As of last week, real Californians have a new topic to discuss that's a lot more serious: Information Privacy! And the route by which organizations may need to proceed could have as many twists and turns as those classic SNL Californians skits.

What is the California Consumer Privacy Act?

On June 28, “The California Consumer Privacy Act of 2018” was signed into law, extending Californians’ right to privacy. This law strengthens rights of California residents already in place. In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people. According to the California Consumer Privacy Act, “fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.”

Beginning January 1, 2020, the law provides for:

  • The right of Californians to know what personal information is being collected about them.
  • The right of Californians to know whether their personal information is sold or disclosed and to whom.
  • The right of Californians to say no to the sale of personal information.
  • The right of Californians to access their personal information.
  • The right of Californians to equal service and price, even if they exercise their privacy rights.
  • Businesses that collect consumer personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used and shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice.
  • A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer and the business shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
  • Businesses that suffer a breach of security shall be deemed to have violated the Act and may be held liable if the business has failed to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information from unauthorized disclosure.

What does the new California Privacy Law mean to businesses?

The first step, as with all new regulatory changes, is to engage with legal counsel to see how the law may affect your business. According to the law, businesses that do not comply are subject to litigation and sanctions. Any consumer whose nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of the business failing to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

  • To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
  • Injunctive or declaratory relief.
  • Any other relief the court deems proper.

In assessing damages, the court shall consider any one or more of the relevant circumstances, including, but not limited to, the nature and seriousness of the misconduct; the number of violations; the persistence of the misconduct; the length of time over which the misconduct occurred; the willfulness of the defendant's misconduct; and the defendant's assets, liabilities, and net worth.


In addition, any person, business, or service provider that intentionally violates the Act may be liable for a civil penalty of up to seven thousand five hundred dollars ($7,500) for each violation.


While the amounts involved may appear relatively immaterial, they will certainly be impactful in aggregate as the size of a breach grows. Further, the ill will and reputation risk associated with breaches will be magnified by press coverage around violating this Act.

Consumer Privacy

The concept that consumers own their information and have the right to control it is the front and center tenet of the California Consumer Privacy Act. Businesses subject to this regulation have much work to do to ready themselves to accommodate consumer rights to receive notice; to inquire about the information; to refuse sharing; and to delete information. At the same time, businesses handling consumer information must establish a program designed to ensure that reasonable security procedures and practices are implemented and maintained, appropriate to the nature of the information, to protect it from unauthorized disclosure. As with most privacy-related regulations, the California Consumer Privacy Act will prompt businesses to adopt an ongoing, risk-based information security program across their extended enterprise.

No, this Act isn’t funny like SNL’s “The Californians”, but it is already being touted as groundbreaking, and the most sweeping privacy legislation passed in the U.S. to date.

Check out RSA Archer's use cases that are designed to help organizations with privacy challenges: Data Governance and Privacy Program Management in the RSA Archer Regulatory and Corporate Compliance solution.