Skip navigation
All Places > Products > RSA Archer Suite > Blog > Author: Mason Karrer
1 2 3 Previous Next

RSA Archer Suite

44 Posts authored by: Mason Karrer Employee

What do we mean by controls monitoring?

In today's complex regulatory environment, organizations face a daunting task in maintaining compliance amidst constantly shifting obligations and requirements. As organizations attempt to keep pace and adapt control activities (controls) to changes in compliance requirements and operational risk scenarios, often times they are hamstrung by ad-hoc, disconnected compliance efforts that are implemented reactively across separate areas of the business. This severely limits the ability to maintain a real-time, aggregated view of risk and compliance impacts. Efficiency and scale also suffer as the volume of manual systems and processes overload the organization's limited resources.


Implementing a program that includes a centralized inventory of assets, requirements, risks, and controls, coupled with a standardized approach to measuring control efficacy, is the key to ensuring diligence and completeness. This also provides the solid foundation necessary for enabling automation and improving the ability to continuously monitor key risk and control performance metrics as the organization adapts to changes in the business climate.


Why is a program approach to monitoring control activities so important?

Consolidating organizational compliance projects into a single platform offers business owners a unique level of visibility into critical risk and compliance information, enabling them to make fully informed risk based business decisions in support of organizational priorities. A single control universe can further align with extended corporate stewardship and responsibility goals and other strategic objectives.


RSA Archer Controls Monitoring Program Management

RSA Archer Controls Monitoring Program extends the foundation established with RSA Archer Controls Assurance Program Management, with a modernized approach to defining and managing separate compliance projects simultaneously. This includes tools to assess and report on the performance of controls across all enterprise asset levels and the ability to automate control assessments and continuously monitor ongoing compliance efforts. Customers can also enjoy seamless integration with other RSA Archer use cases designed to tackle all aspects of Integrated Risk Management in their unique environments.


Businesses that operate with disconnected, ad-hoc programs typically find themselves diverting more and more time and resources to compliance, only to see their overall risk levels continue to increase. Whereas organizations with optimized compliance programs are able to reverse that trend and return more resources to the business which can then be used to invest in future growth initiatives. An optimized program also serves to reduce overall operational risk and provide decision makers with a reliable means for exploring the opportunity landscape by enabling them to identify with confidence the business risks that are worth taking.


For more information, please visit and review the Datasheet.

Mason Karrer

RSA Archer PCI Management

Posted by Mason Karrer Employee Jan 16, 2019

What are the basics of PCI-DSS Compliance?

The Payment Card Industry Data Security Standard (PCI-DSS) defines a consolidated set of security best practices endorsed by major card brands, which are designed to reduce fraud risk associated with credit card processing. Organizations that fail to comply may lose their ability to accept credit card payments, which could greatly impact their ability to conduct business. However, with the continually increasing velocity and sophistication of new threats, maintaining an effective PCI- DSS compliance program has become an increasingly costly business requirement as well - and those costs can be substantial.


The PCI-DSS is considered one of the more prescriptive and technical compliance mandates that companies must typically deal with. This can be both good and bad. In contrast, many higher level government mandates like federal regulations are often written in broader terms that can be difficult to interpret into actionable specifics like precise internal control definitions. The more a company has to guess at what’s expected, the greater the chance of guessing wrong and either undercompensating (raising the inherent risk of running afoul of the regulation); or overcompensating, which can increase the internal costs and burden of compliance unnecessarily.


The benefit of PCI’s more prescriptive language is better clarity in terms of understanding what’s expected, how it will be audited, and specific reporting requirements. However, the other side of the coin with PCI is the extensive technical breadth and depth of its coverage. Encryption, network segmentation, multi-factor authentication, and external vulnerability scanning are a few areas where companies often struggle, either because of technical limitations or significant additional technology investments needed.


Why is a program approach to PCI Compliance so important?

Companies able to gain efficiencies by optimizing their operational compliance efforts will be more successful at reducing compliance costs and gaps. Consolidating organizational compliance initiatives into a single comprehensive view is the most effective way to identify and eliminate duplicate efforts and reduce overall compliance risk. The technical nature of PCI can often force companies to undertake process improvements, technical infrastructure overhauls, and even facility construction projects simultaneously. A streamlined program approach helps to keep things organized and drive consistent, successful outcomes.


RSA Archer PCI Management

RSA Archer Controls Assurance Program and RSA Archer Controls Monitoring Program provide a solid foundation for managing any organizational compliance initiative. However, PCI’s unique characteristics and pervasive global reach offer an opportunity to take things several steps further. RSA Archer PCI Management is designed to do just that, by enabling organizations to streamline the compliance process, simplify stakeholder participation, and reduce overall compliance effort and cost.


RSA Archer PCI Management guides merchants through identifying and defining cardholder data flows and environments, engaging the proper stakeholders, completing self-assessment questionnaires (SAQs), testing and gathering evidence for all required controls, and managing the gap remediation process.


Key features include:

  • Easy-to-use project workflows to manage CDE (cardholder data environment) scoping and multiple, ongoing compliance assessment projects.
  • Structured content libraries linking each discreet control requirement in the PCI-DSS to an extensive control testing repository ensuring full coverage across internal and external assessment activities.
  • Persona-driven dashboards and questionnaires that simplify the attestation and evidence gathering process and provide clear insight into compliance activity status.
  • Aggregated issues management functionality for tracking findings and gaps and managing the remediation process.
  • One-click reporting templates to assemble all required deliverables into a properly formatted Report on Compliance (ROC) for easy review and submission.


Customers can also enjoy seamless integration with other RSA Archer use cases designed to tackle all aspects of Integrated Risk Management in their unique environments. Organizational leaders with optimized programs in place have a distinct advantage for exploring the opportunity landscape, by enabling them to identify with confidence the business risks that are worth taking.


For more information, please visit and review the Datasheet.

What is a cyber incident / breach response program?

Cyber and security breaches continue dominating front page headlines all over the world. It’s not enough to hope it doesn’t happen to you or assume you’ll be able to respond effectively if it does. Companies need a proactive, program-level approach to IT & security risk management based on sound methods for prioritizing actionable security events combined with consistent operational response procedures. Poor handoffs between security functions and IT teams leave limited visibility into remediation efforts to close declared cyber incidents, and can weaken the overall process to the point where it breaks down when needed most, namely during a breach.


Why are cyber incident & breach response capabilities so important?

The identification of potential security issues and the process of responding to a possible cyber incident are the first lines of defense against a significant business event. Many organizations have deployed security information and event management (SIEM) technology and log collection tools in their infrastructures to track events and provide alerts. These systems produce an overwhelming amount of data for the security team to review. Uncoordinated security response processes managed in spreadsheets, email, and through other ad-hoc mechanisms further raises the overall risk that the organization will not be able to respond in time and effectively.


RSA Archer Cyber Incident & Breach Response Program Management

RSA Archer Cyber Incident and Breach Response enables customers to centrally catalog organizational and IT assets, establishing insightful business context to drive incident prioritization and implement processes designed to escalate, investigate and resolve declared incidents effectively. This use case is designed for teams to work effectively through their defined incident response and triage procedures and prepare for data breaches. Built-in workflows and reporting allow security managers to streamline processes while staying on top of the most pressing concerns. Issues related to a declared incident investigation can be tracked and managed in a centralized portal, enabling full visibility, stakeholder accountability and reporting. If an incident escalates into a data breach, prebuilt workflows and assessments are designed to help the broader business team work with your security team to respond appropriately.


With RSA Archer Cyber Incident and Breach Response, declared cyber and security events are escalated quickly and consistently, a crucial aspect of robust Integrated Risk Management programs. Advanced workflows and insights allow more efficient utilization of security team resources, resulting in faster response, analysis, and closure rates for critical security incidents. With improved processes and capabilities, the security team can more effectively leverage existing infrastructure, such as SIEMs, log and packet capture tools, and endpoint security technologies, to focus on the most impactful incidents. These capabilities improve the security team’s preparedness for serious incidents involving potential data breaches, while increasing the return on infrastructure investments and lowering overall security risk.


For more information, please visit and review the Datasheet.

What is controls assurance?

Controls assurance addresses the ongoing practice of measuring control performance against expected outcomes and addressing gaps discovered along the way.  These controls are essential in reducing inherent risk - defined as risk that exists natively (for a process, system, asset, etc.) in the absence of controls. Controls describe mechanisms that are (or should be) implemented to reduce inherent risk, including process refinements, allocation of resources and technology, etc. Operational risk and control requirements often increase in number and complexity as an organization changes. Successful compliance depends upon the consistent performance of carefully controlled activities. 


Why is the concept of controls assurance so important?

In many organizations compliance and reporting activities consist of manually gathering information from various people and systems scattered in different locations. This manual headwind leads to chasing one compliance emergency after another reactively, with the business always a step behind the regulatory change curve. The result for organizations lacking a robust corporate compliance program is often increased audit findings, penalties, and greater potential for brand and reputational damage.


RSA Archer Controls Assurance Program Management

RSA Archer Controls Assurance Program Management provides a structured framework and taxonomy for systematically documenting the organizational control universe, continuously assessing performance of controls at all levels of the business hierarchy, and reporting aggregated results in a variety of concise formats that are approachable for all audiences. Automated testing for a wide range of process and technical controls as well as integrations with leading testing technologies are easily managed. Another critical function of Integrated Risk Management is handling issues that arise. RSA Archer’s built-in Issues Management functionality helps centralize accountability to ensure gaps are identified and remediated efficiently.


With RSA Archer Controls Assurance Program Management organizations can apply clear, accurate controls guidance in support of any compliance objective. By improving the linkage between compliance requirements and internal controls, the business can streamline communication and collaboration and improve reporting on compliance obligations using a standard taxonomy and common risk language throughout the organization. With RSA Archer’s agile and flexible platform and complimentary frameworks, the first and second lines of defense can proactively manage key risk and compliance indicators as the business and its obligations change, reducing time spent researching and linking external requirements to internal controls, and improving overall accuracy and completeness of ongoing control testing activities.


For more information, please visit and review the Datasheet.

What do we mean by IT security vulnerabilities?

IT security vulnerabilities can arise for a variety of reasons, the most common being systems deployed in the environment with misconfigurations, critical patches missing, inadequate information classification and network segmentation, etc. It doesn’t take much for a sharp increase in overall security risk to occur that is often disproportionate.


In other words, a small number of vulnerable systems can easily put the entire environment at risk; something that is increasingly alarming on a global scale. For example, according to RSA’s Cybersecurity Poverty Index survey, 75% of organizations said they have significant cyber risk exposure but only 5% felt they were positioned in an “advantaged state” to detect and manage security exposures effectively.


Why is a program approach to managing IT security vulnerabilities so important?

The identification and remediation of security vulnerabilities is an absolute necessity in managing the constant threat of data breaches and system compromises. Attempting to stay ahead of threats, organizations may deploy one or even multiple scanners to identify vulnerabilities, only to produce too much information to be helpful in managing security risk. This deluge of data leads to a poor handoff to IT operations in addressing tactical security vulnerabilities, as well as limited or no visibility into ongoing remediation efforts to close those gaps.


Organizations that have implemented vulnerability scanning solely for compliance purposes also receive limited added value for the effort. Ultimately, attempting to manage the large volume of vulnerability data without a sound process to prioritize security issues drastically reduces the effectiveness of this fundamental control.


RSA Archer IT Security Vulnerability Program

RSA Archer IT Security Vulnerabilities Program (ITSVP) offers a data-centric approach to identifying and prioritizing high-risk threats. This use case is designed to enable operational teams to proactively manage IT security risks by combining asset business context, actionable threat intelligence, vulnerability assessment results and comprehensive workflows in one place.


IT assets can be cataloged with a full business context overlay providing better prioritization of scanning and assessment activities. Security analysts can implement alerts, explore vulnerability scan results, and address issues as they arise, all of which serves to boost the closure rate for critical gaps. The ability to research known vulnerabilities helps to guide the prioritized efforts of IT operations, resulting in lower costs, less time and effort, and better visibility into dangerous vulnerabilities on critical assets. A powerful and flexible rules engine highlights new threats, overdue issues, and changing business conditions. A consolidated management module integrates powerful analytics with reporting, workflows, and a risk management framework to enable company leaders to confidently execute data-driven security decisions.


With RSA Archer IT Security Vulnerabilities Program organizations can effectively manage the entire vulnerability lifecycle from detection and remediation to verification and reporting. Customers can also enjoy seamless integration with other RSA Archer use cases designed to tackle all the aspects of Integrated Risk Management in their unique environments.


For more information, please visit and review the Datasheet.

History and heroes? Sounds like tall talk, right? Nope, not at all. The time is now. And the Nashville.


Fifteen years ago the "Archer Summit" was born out of a dream to build a...


Hmmm...wait a second...come to think of it I never heard what the original dream was! Many of us joined the RSA Archer fold long after that fateful gathering. However I do know what came from it -- an amazing product propelled to the top of its industry by the largest GRC family on the planet!


Ever since then we've been regaled with tales about the first ever "Summit" .. the ragtag band of entrepreneurial pioneers .. the oppressive AZ heat .. and most importantly, the famous bar tab rescue (when the party venue's credit card machine stopped working before we could pay for our event!)


So what's the secret behind the magic? What's the common link that makes it all possible?


The answer of course is YOU!!


Without YOU there is no summit. It's that simple. The famous "bar tab rescue? Yep, that heroic effort was in fact customer led; just like the presentations that year and every year since. The RSA Archer Summit has always been about maximizing customer engagement and working together. Always customer first and customer focused.


If you've attended an RSA Archer Summit or RSA Charge event before then I have a question for you. Remember that feeling of being in the audience when your own personal light bulb went off as the presenter described a solution to a similar challenge that your organization was also facing? Seeking answers to that challenge might have even been the very reason that brought you to the summit in the first place.


Remember how fired up and encouraged you were to learn the speaker wasn't a professional trainer, but was actually just like you? A fellow customer sharing their story, educating peers across industries, and energizing you in the process. The RSA Archer Summit is a reflection of our impressive RSA Archer Community following and both are truly unique in our industry. Customers coming together out of an innate desire to learn and help each other as part of something bigger. What a cool concept to embrace.


Well guess what! Now it's your turn to be a hero! The only thing required to rise to the challenge is to simply submit a presentation idea. While the first Archer Summit may have been small and cozy, it was still very impactful. Just look how far we've come since then! Today customers from around the world and all levels of GRC maturity gather each year in growing record numbers to exchange ideas, learn, and get inspired to own risk.


If you've never attended an RSA Archer Summit you might be wondering whether you could also be a presenter. The answer is YES OF COURSE!! Some of our best presentations have come from customers that were not only first-time attendees, but achievement award winners too!


MARK YOUR CALENDARS: The Call for Speakers ENDS FEBRUARY 28, 2018!


The window is closing fast. Don't miss your chance to be one of the next heroes in the RSA Archer Community. The instructions below will guide you on completing your submission. Steve Schlarman's blog post offers several great tips on trending topics and presentation ideas. Additional insights can also be found here and here courtesy of my fellow GRC Strategists at RSA Archer HQ.


The speaker submission process is simple:

  1. Download the form.
  2. Complete the form.
  3. Email the completed form to Include “Speaker Submission” in the subject line.

(Final selections will be communicated to speakers once the selection committee reviews all submissions.)


So that covers the "hero" portion of my post. But what about the "history" part? How does that fit in?


Again, the answer is simple. What better way to celebrate the 15th anniversary of the original summit then to mark the occasion with the return of the RSA Archer-only summit too! While the combined RSA Charge event will continue bi-annually, us GRC folks are a pretty tight-knit group. We couldn't go two whole years between gatherings! We'd miss each other too much! Needless to say all of us here were pretty excited when we heard the news at RSA Charge last year. And we're grateful to our executive leadership for their continued support and confidence in the power of the RSA Archer Community and brand. I did mention we're also a big GRC family after all, right? donating your time and energy, and sharing your unique insights, not only can you walk taller as a recognizable hero in the RSA Archer Community, you can also become an important part of our unique history to boot! Speaking of boots...don't forget we'll be in Nashville this year too! Lots of boots, good music, and in the grand tradition of RSA Archer Summits past, always a great time had by all. General registration is also open now on the RSA Archer Summit website.


See you there partner!

On behalf of my co-author, Corey Carpenter, greetings from RSA® Charge in Dallas, TX, the biggest GRC stampede around! We're knee deep in exciting announcements this year, including several new partner interoperability offerings. And of course let's not forget the official launch of RSA Archer® 6.3, with the latest additions to our Regulatory & Corporate Compliance solution domain: RSA Archer Data Governance and RSA Archer Privacy Program Management!


For many years, organizations have wrestled with the daunting task of protecting data in their business operations. The forthcoming European Union (EU) General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, has gathered much attention and is certainly a hot topic of conversation around RSA Charge this week. The EU-GDPR places an increased emphasis on the importance of managing EU resident personal data and the consequences for failing to adequately do so.


The concepts of data governance and protection, while not new, have been pushed to another level under the EU-GDPR as organizations must ensure they clearly understand and adequately protect the EU resident personal data that they collect and use, and retain it appropriately with an increased accountability and transparency to consumers. While this aspect of GDPR may represent a "new normal" for many organizations, to a large extent we believe it merely reinforces what practitioners in the information security and risk domains have known for years. Whether the exercise is driven by regulatory exposure through EU-GDPR, Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), or other similar standards; or simply battling the general risks that information thieves pose to everyone, the concept of data protection has always been critical in managing overall information risk.


As organizations in every market continue to face the ongoing risk of data breaches and the devastating fallout that can occur, in many respects compliance obligations merely underscore an already pressing business need to proactively maintain vigilant operational security processes and due care as critical elements of a sound risk management program. Whether the target is personally identifiable information, or corporate intellectual property, the techniques and approaches are often similar. In today's world of high stakes information thievery and corporate espionage, organizations must protect all types of sensitive data to survive.


Establishing effective controls to protect sensitive information begins with a clear understanding of what those information assets are. Where do they live? How are they used? How does that sensitive data flow into and out of our organization? How are third parties involved? How long should we keep the data? Questions like these may seem simple enough, but they often reveal a complex web of interconnected data siloes that companies struggle to understand and protect.


Enter RSA Archer Data Governance and RSA Archer Privacy Program Management…


RSA Archer Data Governance is designed to help document and understand the flow of key information assets in an organization. What are the entry points for that data? Is it collected through an internal process or third party? Where is it stored, sent, and shared? These types of important details can be documented and tied to the appropriate Notice/Consent statements using RSA Archer Data Governance. As sensitive data is processed and moved from system to system, those critical data flows can be clearly understood and documented, along with relevant data retention and disposal requirements. With a complete picture of the entire data environment, the organization is empowered to demonstrate proper governance and accountability.

RSA Archer Privacy Program Management is designed to help organizations assess the privacy impacts of their data environments and measure the resulting risks. As organizations communicate with regulators to answer questions, respond to inquiries, or even declare a data breach, they can utilize RSA Archer Privacy Program Management to document and manage those communications. For organizations still working through the process of documenting their data environments, this use case also can assist in understanding data inventory scope boundaries through questionnaires to key stakeholders such as application and information processing owners.


Did you know that companies with mature risk management programs are measurably more profitable? How would information like that resonate with your executive management? There's no better place to explore these topics with global experts than right here at RSA Charge, the largest GRC gathering on the planet! Stop by the demo pods in between your learning sessions for a look at the latest and greatest features in RSA Archer 6.3. You can also follow #RSACharge to catch trending conversation topics this week on Twitter.

Mason Karrer

Back in the Saddle

Posted by Mason Karrer Employee Sep 12, 2017

Did you know IDC reported that companies with active GRC programs resolve their security breaches 63% faster and are 33% more efficient at assessing their risks? Would you like to hear directly from leading companies achieving those kinds of GRC successes? This year RSA Charge is rolling through the Big-D...Dallas, TX!! In the land of "go big or go home," the world's largest gathering of GRC professionals is shaping up to be bigger and better than ever! Registration for the October 17-19 event is filling up fast. Don't miss out!


Consider the following: According to a PWC study, 62% of companies expect cyber risk to cause disruption in the next 3 years. EY also released research showing that 86% of respondents did not believe their cybersecurity functions fully meet the organization’s needs. And the cost of data breaches is projected to exceed $2T globally by 2019 according to Juniper Research. What do these stats have in common? They all describe some aspect of business risk associated with the use of technology. That's why one of the RSA Charge tracks I'm most excited about this year is called "Managing Technology Risk in Your Business". This track will focus on those unique challenges that emerge where the business and technology risk environments intersect (and occasionally collide).


The customer submissions for this year's sessions are once again truly outstanding! Customer presenters from all over the globe will be onsite to speak on a variety of topics such as assessing risk on specific technology assets, normalizing risk and compliance reporting, addressing the human element of technology risk, and much more. It's so incredible how many inspiring stories and ideas our customer community has to share. Whether you're a seasoned pro or just beginning your GRC journey and looking for the basics, you won't be disappointed. RSA Charge has something for everyone, from executive roundtables to operational hands-on labs and demos. Plus, nearly every session is customer-led! What a truly awesome community!!!


Did you know that companies with mature risk management programs are measurably more profitable? RSA Charge being the largest GRC gathering on the planet is a great place to start learning how! If you haven't registered already, I highly encourage you to get on it before it's too late! The full schedule can be viewed here, and the registration page here. Several resources have also been uploaded on the RSA Charge website to assist with trip planning, etc. Need help justifying the cost? No problem! Several resources are available including an ROI calculator and more. Look forward to seein ya'll in Dallas real soon!


RSA Charge 2017, the premier event on RSA® Business-Driven Security™ solutions, unites an elite community of customers, partners and industry experts dedicated to tackling the most pressing issues across cybersecurity and business risk management. Through a powerful combination of keynote speeches, break-out sessions and hands-on demos, you’ll discover how to implement a Business-Driven Security strategy to help your organization thrive in an increasingly uncertain, high-risk world. Join us October 17-19 at the Hilton Anatole in Dallas, Texas.

For the third time in a row Dell RSA Archer is very excited and honored to be recognized by Gartner as a Leader in the 2017 Magic Quadrant for IT Risk Management!!


2017 Gartner Magic Quadrant - IT Risk Management

RSA Archer (Dell Technologies) was positioned as the IT Risk Management vendor with the highest rating for "Ability to Execute." We believe our understanding of the market, product innovation, and geographic reach are just a few of the highlights that earned us this well received recognition this year.


We humbly extend our sincerest gratitude to our customers for sharing their valuable insights and experiences working with RSA Archer with Gartner directly. While it isn't difficult to find vendors talking about the importance of their customers, here at RSA Archer our customers really do define our success. Our large, recognized community of active users is at the heart of how we drive our products forward.


Whether you're just beginning to explore GRC or you’re already managing a successful program, I encourage you to review Gartner's full report. Many valuable market insights can be found, along with important things to consider as you prepare to take command of your GRC journey.


Need help building a business case? Check out resources on the RSA Link Community for detailing the business value of RSA Archer and estimating ROI. We're also standing by, ready to answer your questions as we continue our mission to enable customers to know which risks are worth taking.


This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Dell Technologies.

Hello everybody! The bad news is there's more Summer behind us than ahead of us. I hope yours has been as enjoyable as mine has been. And here in the midwest at least it's pretty hot still. So plenty of warm weather left before it turns cold. The good news is we're less than 80 days away from RSA Charge 2016! The other good news is we have another major content resource available for your library, PCI DSS v3.2!


Just like the previous v3.1 content, we've worked very hard to ensure this latest version is as robust and tightknit as possible. Alone it's a fully functional content set to drive PCI compliance activities. Add our specialized PCI solution functionality to the mix and together the two provide a powerful resource to efficiently manage PCI compliance programs of any size. A separate update will follow for the PCI solution itself, so stay tuned for that.


As far as the content goes, this latest version includes additions to the following core libraries:

  • Authoritative Sources
  • Control Procedures
  • Question Library


Everything is cross-mapped and the Authoritative Source also has 700+ mappings to Archer Control Standards.


The content updates themselves can be obtained from Customer Support. As always, we're here to answer any questions you have. And please don't forget to register for RSA Charge 2016! You don't want to miss out!




RSA Archer is very excited to be recognized by Gartner once again as a Leader in the 2016 Magic Quadrant for IT Risk Management! Of the nearly dozen vendors evaluated, RSA was cited as the vendor with the highest rating for "Ability to Execute".  According to Gartner, "RSA Archer's fulfillment of critical needs, customer understanding, and insight into primary buyer identification are among the best-observed in the market."


This exciting accomplishment comes on the heels of similar leadership positions announced in the IT Vendor Risk and Operational Risk Management Magic Quadrants earlier this year. Together these represent a true market-leading ability that Archer's customers have to manage business and IT operational risk programs effectively to accomplish their goals.


2016 itrm mq.png

We're doubly excited for this announcement as it actually reflects an evaluation of a prior version of Archer (v5.5.3). And today our current v6.1 takes Archer's core capabilities several levels further!


We also offer a sincere thank you to our customers for sharing their valuable insights and experiences with Gartner directly. It isn't difficult to find vendors in any market preaching the importance of their customers whether they practice that or not. However here at RSA Archer our customers really do define our success and our large community of active users is at the heart of how we drive the product forward. Gartner specifically recognized us for actively gathering & considering customer input in our strategy and design decisions. Our redesigned user interface and new pricing model are just two examples of the transformational product outputs our customers have helped inspire.


Whether you're new to GRC or managing a successful program already, I encourge you to review Gartner's full report. Many valuable market insights and important elements to consider throughout all stages of GRC program maturity can be found. And we are standing by to engage with you and answer any questions you have as we continue our mission to inspire everyone to own risk. And if you haven't already, be sure to register for 2016 RSA Charge, October 25-27 in New Orleans. This year promises to be the biggest event ever! Hope to see you there and best wishes!


This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from EMC RSA. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Hello everybody! March is a notoriously unpredictable weather month here in the midwest. Many times we've been tricked into thinking an early Spring is upon us only to get hit with a frigid snowy blast. However with such a mild winter so far and so many things starting to bloom it's hard not to feel like Spring is here. Plus the honor of receiving the 2016 SC Magazine Excellence Award for "Best Regulatory Compliance Solution" has also put some extra spring in our step!


Just as March brings us closer to Winter's retreat, it also brings us another Archer content library update. The timing seems all the more fitting given the recent move to our new RSA Link Community platform that sprung into action a few weeks ago (ok, last pun I promise). This bundle is a cumulative bundle of Q4-2015 and Q1-2016 items including a much-anticipated NERC-CIP update.


Our NERC-CIP v5 release features a full update to the CIP family of content. This is the first update to take advantage of NERC content restructuring effort we did previously, to create better alignment within Archer and the ability to roll out updates to various NERC requirement families independently and much more efficiently. This latest NERC-CIP update also includes the compliance measurement elements specified in the standard in addition to the base requirements. Please consult the release notes prior to importing this NERC update as it is configured to overwrite the existing version in your libraries.


A number of updates to our FFIEC content set appear this time too. Our previous cumulative update included the latest FFIEC Business Continuity Planning Booklet. This time we're including additional updates to other FFIEC booklets and the addition of new ones not previously available in Archer, such as the E-Banking booklet.


NIST SP 800-82 Revision 2 is also included in this quarterly bundle. This is NIST's latest Special Publication for addressing security in Industrial Control Systems (E.g. SCADA).


Lastly, for existing customers that have previously implemented the Archer UCF (Unified Compliance Framework) solution, we have a full update to those UCF solution content libraries.


Once again the Community update page with release notes can be found here, and the content import packs themselves are obtained from Customer Support. I always highly encourage customers to review the release notes carefully before jumping in.


As always we’re here to answer questions too - whatever you need. And believe it or not it's time to start planning for the 2016 Archer Customer Summit! Check out the registration page for more info!







Whoa wait a minute…is this a psychology lesson? Well if so hopefully it's no less comfortable than your favorite chair!


Last week we kicked off a new blog series on Issues Management. Read Steve’s initial volley here which neatly frames up the problem of the "Issues Pit". This week I'll discuss the process of compensating for gaps, an often overlooked aspect of managing issues.


Basic risk and control doctrine calls for identifying multiple methods to address risk. We generically refer to these risk mitigation methods as controls. Typically (though not always) the more controls we can identify for a particular risk, the better. As such, it's the nature of things that some controls will be deemed more important than others. Some will be so important that they'll be required to be in place all the time and will usually receive some kind of flashy label like “key control”, “primary control”, etc.


Since it’s inevitible that controls can and will fail, those important key controls will often benefit from having other secondary controls to backstop the primaries and reduce the impact of a control failure. This is all very sensible and seemingly omnipresent not just in business but practically every aspect of daily life. (The generic example of speed limits + seatbelts + airbags + baby seats comes to mind.)


If control issues are unavoidable then it's certainly preferred to discover them on your terms versus some external actor. That's the worst case scenario. Nothing throws an organization into a panic faster than an unplanned crisis. And in almost every case, after action analysis will point to control failures as contributing factors or root causes. In other words, controls must be regularly tested to ensure they function properly; underpinning the essential discipline of compliance. As control issues (gaps) are discovered, a remediation process to address those issues must also be in place. This is unfortunately where organizations that think they have a good handle on things may often roll the dice unknowingly.


Suppose a control issue is found as the result of implementing new business technology and the only remediation is implementing some other new, expensive system on top of it? If the only quantitative decision criterion is the purchasing cost then the organization's leadership isn't very well equipped to make an informed decision, and increases the likelihood the purchase will be pushed off. This is where the value of a GRC program can really shine.


What if the leadership had quantitative metrics on the risks associated with the control gaps that showed the cost was less than the risk? Or, what if the risk could be partially reduced through other resources the company already has under roof? Perhaps a smaller investment could sufficiently address the remaining gap. Regardless, management would have a much better framework for balancing that decision against the other strategic decisions they have to make. And when there's good intel available to inform a decision, no executive would prefer to blindly guess instead.


This mix of risks and controls and exposure is constantly shifting as businesses and markets and security threats fluctuate. A healthy remediation strategy includes the ability to quickly identify alternative controls to supplement primary control activities, or even fully compensate for them in a pinch. Understanding the criteria for determing those compensating controls, inherent limitations, and mapping all that together is impossible without a full inventory of risks, assets, and controls and a solid system of record for managing them. This is another area where GRC capabilities are perfectly suited to deliver value through process enablement, efficiency, and risk reduction.


We've spoken before about the potential competitive advantage that organizations can harness by maturing their GRC processes. Imagine if your organization never feared an audit because your compliance posture was already assured through healthy business processes. By replacing guesswork with the ability to make informed, risk-rationalized decisions, not just for compliance, but for risk taking growth strategies, organizational leaders can much more confidently guide the business forward. In these times of extreme global competition and front page security breaches, what would that kind of assurance be worth to the leaders in your organization?


For more information check out this short video that shows how RSA Archer can help with your Issues Management process.

We often speak about the rate of change in today’s fast paced business environment and the challenges associated with trying to keep up and adapt. So why does “operating in a reactive mode” keep getting a bad name? What’s so inherently wrong with that? Wouldn’t “not” reacting be worse? And what other choice do we have…really? Heck in some cases not only does it make sense to “wait and see,” there’s practically no other option.


The reality is there’s actually a lot of truth in that contrarian view. If you’re able to react quickly and effectively and manage the churn reasonably well then yes, on any given day things are probably fine. You monitor a few metrics here and there and things hum right along. That is until they don’t.


While the faceless straw man has always been available to enliven the debate, for the longest time it was limited to the theoretical and therefore easy to disregard, or at least to tune out. But that was then and today things look much different. Today we need terms like advanced persistent threat, global hacktivism and crushing regulatory pressure to even begin to describe the business environment we’re all operating in. Yesterday chances were the infrequent normal network anomaly actually was just a power spike. Today it could legitimately be the ground zero event that signaled the end of your business.


And therein lies the first big problem with being strictly reactive. Even with vigilant preparation it’s simply becoming less and less effective to procrastinate until there’s something tangible to react to. Inherent operational risk has skyrocketed in today’s interconnected global marketplace. Combined with the volume and velocity of changes an average organization deals with it’s become too much for many to keep in check, which is the second big problem with a purely reactive posture. Companies that can’t react efficiently enough to beat the buzzer to do so have by definition failed to react in time.


The good news is there is an alternative approach to reposition further ahead of the threat landscape and reclaim that lost time horizon. It begins with increasing our inherent risk intelligence and a philosophy shift toward choosing to actively hunt for threats to the business just like we hunt for opportunities. Because today those two concepts are in fact one and the same and those able to embrace that new operational paradigm will not only survive, they'll thrive. We remain vocal about our belief that the ability to harness risk and transform compliance is an untapped source of competitive advantage to fuel the enterprise. That’s why we’re so excited to announce the upcoming launch of RSA Archer GRC 6!


With loads of new features to bring technology and business processes together we’ll not only enable but INSPIRE everyone to own risk within an organization:

  • A new user experience for all RSA Archer GRC solutions, including a walk-up friendly, task-driven user interface and drag-and-drop advanced workflow functionality. All solutions will see the updated interface that includes the new color scheme, fonts, icons, navigation and more. Advanced configuration options include task-driven landing screen integration, workflow chevrons, action-driven user interface, multi-layout workflow, and more.
  • Identify, assess and act on known and emerging risks – RSA Archer Operational Risk Management provides an end-to-end risk management framework to identify, assess, decision, treat, and monitor existing and emerging operational risks. Archer’s advanced workflow capabilities enable first line of defense business unit managers and second line of defense risk managers to quickly and easily adjust risk management processes as part of their daily routine.
  • New capabilities for RSA Archer Operational Risk Management risk and control self-assessment lifecycle functionality; enhancements for loss event origination, routing, and approval; and metrics management. Plus, improved out-of- the-box workflow, reports, user personas and dashboards that align with the “three lines of defense” principle.


RSA Archer GRC 6 is the latest milestone in our GRC mission, which is to equip you with the best possible tools to navigate your own GRC journeys. By connecting the dots between key business elements, strategies, risks, and obligations, organizations can get a clear picture across the entire enterprise to make proactive decisions that minimize the effects of external change and maximize opportunities to grow the bottom line.


Don’t miss our Virtual Launch event Tuesday, November 10th at 11:00 EST to hear how RSA Archer 6 can inspire your users to own risk.

I need your help with something. How many books exist about the fine art of being more persuasive? Do they work? Whether it’s to win & influence, breach the inner circle, or just get a date, there’s seems to be no shortage of resources available. What do they all have in common? Probably nothing beyond a desire to influence people to buy them so we can magically learn how to be more influential! However some interesting research by Cornell University Professor, Vanessa K. Bohns suggests there actually is a universal trick to influencing people that’s both real and much easier than we might think. What’s the secret? Just “ask.”


In her Harvard Business Review article Professor Bohns describes a set of simple experiments her team designed to evaluate the accuracy of the average person’s beliefs about their own powers of influence. The basic approach was to analyze the delta between the subjects’ perceived difficulty versus how difficult it actually was to get strangers to do things for them. Some interesting baselines came out of it suggesting the average person is far more influential than they realize. Professor Bohns says we “persistently underestimate our influence,” (on the order of about half according to her stats.) In one experiment the subjects were supposed to get passersby to complete a questionnaire. Ahead of time the subjects predicted it would take them asking ten people just to get one to agree. Yet the results were not 1 in 10 but rather 1 in 4!


How can we apply this in the world of risk and compliance? The article cites a classic whistleblower scenario that reiterates how challenging it can be getting people to speak up. Another example that comes to mind is the difficulty in establishing consistency and repeatability when trying to embed compliance activities into business processes. We often seem to draw attention to the consequences of non-compliance (regulatory penalties) as a way to compel people to work differently, implement additional steps, fund projects, etc. Yet these consequences are often so ethereal it’s hard to cast them in a relatable context.


The Cornell team suggests a better approach may be to simply ask for help instead. Part of the rationale is based on the psychology that people are more inclined to willingly participate when they emotionally believe their effort will truly help. For instance a compliance process owner in need of better departmental cooperation might try an empathetic appeal: “Hey I know it’s a pain. But after the last audit finding it now falls on me personally if we have another issue and I can’t do it alone. So I really need your help. Can you please make sure these compliance checks get done each night?”


A compliance manager trying to win executive support could try an approach like this: “Mr./Mrs. Executive I know resources are tight, especially your time. But I also know how much you care about keeping a tight operation too. You have my word we’ll always run as lean as possible to keep spending down. Honestly, in many ways a few words of vocal support are worth more than budget dollars. If you could put some wind in our sails on this compliance initiative with a call to action for the stakeholders, we’d have a much better shot at getting them engaged quickly to ratchet things down with minimal expense.”


Is this really so shocking? It certainly seems more sensible than trying to command a bunch of pre-trained personality habits on the fly by simply memorizing a few acronyms. Or are they "backronyms"? Regardless, the results of the experiments seem to suggest a simpler, more tangible alternative. As to why this may not be more widely understood already, the researchers offered a few explanations ranging from people incorrectly believing their ability to influence was primarily governed by position or standing (e.g. title), to a theory that it’s simply inherently harder for people to physically say “no”.


Feel like giving this a try yourself? The Cornell team suggests the following tips:

  • Just ask: It really can’t hurt and people want to say yes more than we realize.
  • Be direct: Although it may seem polite to drop hints, it’s not as effective and people don’t actually respond as positively as we think.
  • Ask again: Persistence pays. Obviously you don’t want to be a nuisance. But statistically if you’ve only gotten a single “no”, it’s in your favor to ask again.
  • Skip the incentives: Depending on the request people are on average just as likely to comply whether they get something in return or not.


If you’ve made it this far then my attempt to influence you into reading my blog was indeed successful. Wow it really does work! Thanks Cornell!




Filter Blog

By date: By tag: