
RSA Archer Suite

44 Posts authored by: Mason Karrer Employee

Hello everybody! I hope you had a wonderful 4th of July weekend! Independence Day is my all-time favorite holiday and this year did not disappoint. But now that the BBQ smoke cloud has settled and the Prilosec has subdued the effects of too much brisket and cherry pie, it’s back to work! And a lot of work to do indeed with so much on the horizon ahead of the annual Archer Summit at RSA Charge.  With that I’ll keep things short & sweet here and jump right into several highly anticipated items included in this content update.


First off is PCI-DSS v3.1. Rumor has it that four out of five PCI Council members agree it’s the DSS standard you’ve always wanted and way better than that old decrepit 3.0 standard they released so many years (er, months) ago. Ok yes I am poking some fun. And I guess to be fair it’s not the Council’s fault those protocol vulnerabilities were discovered right after DSS v3.0 came out. Inconvenient? Yes. But necessary? Also (begrudgingly) yes.


In any case since 3.1 is largely the same we toyed with the idea of just issuing an update to the previous 3.0 content but ultimately decided instead to bundle 3.1 as a net new addition and take the opportunity to further improve the look and feel at the same time. This Archer content pack is tight as a drum and one of the most interconnected content sets we’ve produced yet. We’re talking a full boat package that includes the authoritative source, control procedures, all self-assessment questions, and triangular mappings to Archer Control Standards. In short you’re good to go with everything needed to operationalize your PCI compliance program in Archer right out of the box.


Also included this round is the latest Cloud Controls Matrix (v3.0.1) from the Cloud Security Alliance as a mapped authoritative source, along with their updated Consensus Assessment Initiative Questionnaire (CAIQ) as a set of mapped assessment questions.


The other authoritative source included in this update is the latest FFIEC Business Continuity Planning Booklet released in February, 2015.


The last item included in the update is a collection of 2,100+ new technical control procedures for more than a dozen different technologies including Apache Web Server, Linux, and several Microsoft products.


So that’s the overview in 400 words or less. The update page with release notes is here and content import packs are available through Customer Support. As always we’re here to answer questions too - whatever you need.


With that you’re now free to resume your regularly scheduled summer activities!



We’ve recently begun rolling out our new RSA Archer Maturity Models, a unique set of resources designed to help customers better understand and navigate their GRC journeys. The concept of a maturity model is certainly not new, especially in the technology world. However to me one of the more frustrating aspects of typical technical maturity models (besides being abstract and not GRC focused) is the tendency to have a rigid, unforgiving way of making you feel inadequate no matter what you accomplish. So we set out to create a fresh, new spin on discussing operational maturity in a way that’s more instructive and GRC-centric. Our maturity models are very approachable to help customers easily identify where they currently are in their journey so they can set realistic goals for where they want to go next, and most importantly provide specific guidance for HOW to get there!


In our initial announcement a few weeks ago we introduced the basic approach across the seven GRC discipline areas we focused on for this first round of models. The Regulatory and Corporate Compliance Maturity Model details dozens of specific aspects necessary to build a mature compliance program from the ground up; and transform disconnected, inefficient risk and compliance motions into an integrated and differentiated system of activity and source of enterprise competitive advantage.


Celebrated business executive Jim Barksdale was notorious for his creative business expressions including his “Main Thing Principle.” His mantra: “The main thing is to keep the Main Thing the main thing”. During his tenure as COO of FedEx his frame of reference was a little different than ours here but the idea is the same. Every organization, every program needs a “Main Thing” – a central driving concept that forms the basis for success. That one thing is what people must clearly understand above all else in order to realize the potential.


One of the key elements you’ll hear us echo repeatedly is the importance of building business context. If there’s only one “main thing” in GRC then I would argue that’s it. Because it’s that rich business context that unlocks the inherent potential that exists within every organization’s operations. Without that context we don’t know what we don’t know, let alone how to prioritize goals that harness risk and transform compliance in meaningful ways to deliver real, tangible value through GRC initiatives. As Jim Barksdale would say, “You can’t manage that which you cannot measure.” (He would also say “In a fight between a bear and an alligator, it is the terrain which determines the winner.”) I’ll leave it to you to apply that latter pearl of wisdom on your own.


In the meantime I encourage you to take a look at the maturity model white paper for Regulatory and Corporate Compliance and the other Maturity Models, along with our Risk Intelligence Index on the RSA Archer Community. My fellow GRC Strategists and I are excited about the conversations these resources are inspiring with customers as a new backdrop for them to plan their GRC journeys and ramp up their programs. If you have any feedback or would like to engage in a consultative maturity model discussion in your organization, please email me anytime!

When it comes to IT risk management approaches few things can spark more debate than the use of standards. To explore that is to ponder another alphabetic quagmire of acronyms, categories, and random numeric designations. So which one’s the best? Is there even such a thing as “best”? My answer is always the same. The best one is the one that’s best for you. In other words it depends.


The reality is you rarely have a choice. If your business accepts credit cards in any significant volume of transactions then PCI compliance becomes a business requirement. Want to set yourself apart in Europe? Perhaps ISO-27001 certification is en vogue. Opening a new power plant? Welcome to the electric world of NERC enforcement. It’s the same story throughout every industry and geo. The list goes on.


We operate in a world of multiple standards and requirements and rapid change. How can you find efficiencies and cut through duplicate work? When you already have your hands full with meeting the requirements you don't want to struggle with the mechanics of managing them on top of it. That's why we’ve gone to such lengths to transform the “ask once answer many” dream into reality by wrestling this problem into workable solutions that make the process of IT risk and compliance easier.


Gartner’s most recent IT Risk Management Magic Quadrant once again named RSA Archer a GRC industry leader, which we're excited and proud to say makes us the only leader in all four major evaluations (the other three being IT Vendor Risk, Business Continuity, and Operational Risk). In an MQ report two years ago Gartner flattered us with an unexpected notation in their analysis about the extensive breadth and depth of Archer’s embedded content libraries. I say unexpected because it’s not a specifically weighted category they rank separately, but rather an additional observation they chose to make on their own and share with their readers independently. We were humbled to say the least but also delighted in the validation of the conscious decisions we’ve made over the years to invest in those aspects of Archer.


One of the more tangible aspects of Archer’s GRC libraries is the inclusion of many large format technology related standards. Make no mistake, it’s a TON of work to process and map those together. The past few years brought an interesting turn of events in their revision timing. Most major IT related standards are published by totally separate entities and consortiums, each according to their own schedules. Since the development of those standards is often collaborative and even political, delays can occur causing official releases to slip by a year or longer, which is exactly what happened for a few of them.


The result was a rare perfect storm of circumstances that dropped new versions of COBIT, PCI, ISO 27001, NIST 800-53, and the ISF's Standard of Good Practice on the collective market all within about 18 months of each other, plus a major revision to HIPAA and ongoing NERC changes to boot! This was unprecedented and if you have to maintain compliance with more than one of those, chances were you were scrambling. So we marshalled resources and hustled up in order to have all of them fully mapped and ready to go shortly after their release. Because of the unique way we enable IT risk and compliance in Archer, the result was to enable our customers to quickly adapt to any combination of those changes without missing a beat.


We’ve always recognized two of the most powerful resources we can give customers are flexible options and the freedom to make Archer their own. We do this with a fundamental appreciation that they too have a choice in the market. So when they choose us we take our commitment very seriously to give them the best tools we can to drive their information risk and compliance programs effectively. One of the great things about Gartner’s approach to industry analytics is the emphasis placed on independent customer validation and opinions. Our customers continue to have a profound influence on the direction of Archer and they challenge us in the most fantastic ways. That alone really is its own reward. But undisputed GRC market leadership feels pretty good too.


Please visit Steve and Patrick’s blogs for additional insights, and check out our Community page for more information on the MQ series.



Gartner, Magic Quadrant for Business Continuity Management Planning Software, Roberta J. Witty and John P. Morency, 27 August 2014.

Gartner, Magic Quadrant for IT Risk Management, Paul E. Proctor and John A. Wheeler, 10 March 2015.

Gartner, Magic Quadrant for IT Vendor Risk Management, Christopher Ambrose et al., 29 October 2014.

Gartner, Magic Quadrant for Operational Risk Management, John A. Wheeler and Paul E. Proctor, 15 December 2014.

Hello everybody! 2015 has us off and running with several big updates headed your way!


First and foremost, NIST 800-53A Revision 4 is ready to rock in Archer. If you’re unfamiliar with 53A (Assessment), it’s the companion to the 800-53 base standard that NIST publishes to assist with assessing control performance. NIST changed their approach to 53A this time around and made it much more granular. As such this latest version is a monster, having grown from only 600+ elements to over 3,000! We consumed this beast as a single set of Archer Control Procedures mapped to both the 800-53 Authoritative Source as well as Archer Control Standards to enable you to drive a fully tailored compliance program using NIST 800-53 Rev 4.


We also have an update to the FedRAMP authoritative source we released last year with additional control requirements and mappings to Archer Control Standards.


For those of you in financial services we have a new collection of assessments with over 1,400 questions targeting a variety of major regulatory requirements, including mortgage origination and disclosure, truth in lending, and more.


Lastly we have the latest SIG 2015 Lite assessment available, this time mapped to Archer Control Standards. This is a great Question Library resource to enhance the already comprehensive 3rd party risk assessments available out of the box in the Archer Vendor Management solution.


Since this quarterly update includes both new content as well as updates to existing content elements that may already be in your library, you’ll want to pay special attention to the release notes and supplemental documentation before processing them to ensure everything is well understood. The update page with release notes is here and content import packs are available through Customer Support. As always we’re here to answer questions too - whatever you need!


See how Archer stacks the deck in your favor with the latest customer and industry news here.


And please check out the latest blog from my buddy and fellow GRC Strategist, Patrick Potter.


Happy Spring!!



A customer (large bank) has been doing inquiries with several of us recently in conjunction with a major project they have to revamp their internal policies and standards and reset their foundation in Archer. A member of their team (let’s call him “Bob”) posed an interesting question about whether there was a specific standard (e.g. authoritative source) that fellow Archer customers in the financial services industry seemed to prefer above others to guide their policy and control development. It’s an interesting question and while the viewpoint I gave in my response seemed to resonate pretty well, it’s also sparked a productive dialog which in fact is still ongoing. I’ve only included the initial exchange below but I wanted to share in the hopes you might help expand the conversation by sharing your own insights at the bottom of this blog.


How would you answer? What’s your approach been to this same issue? Do you share a similar viewpoint or see things totally differently? What advice would you give?


His initial question:

“…what would be helpful as we are structuring our way ahead is to understand what Archer is seeing its financial services industry clients use…as the industry reference model for…policies.”


My response:

Hi <Bob>


Nice to meet you. I can’t say there’s a universal playbook that everybody follows. I would wager if you were able to distill a typical financial services policy program down to its essence you’d likely find a lot of alignment and overlap to major standards like ISO 27001, COBIT, etc. This is probably not surprising nor should it be, considering that despite being different down in the weeds, at a higher level most of those standards have a lot in common. Some are broader and some more technical but ultimately I think many of the core principles that embody a healthy information security and assurance program are fairly universal.


The other thing that’s become universal is the increased need for a rationalization to risk. I believe this is a better foundation to build upon. Absent anything else, international standards are always a great place to start, but they’re never a universal fit. And for larger more mature organizations the expectations have shifted. A risk based approach rooted in sound principles (which may or may not be directly inspired by external standards) is going to yield the best overall result (“best” meaning most complete, most accurate, and most operationally sound and efficient). An organization that maintains a healthy risk-based view of things can easily overlay standards and know where they stand. But an organization that relies only on a specific standard and otherwise lacks that embedded risk intelligence is more likely to encounter issues and miss opportunities to capitalize on operational advantages.


For what it’s worth the default policy set in Archer was originally largely ISO based. That doesn’t mean it’s taken directly from ISO but rather it aligns with the core principles ISO 27001 covers, as well as some influence from ITIL, FFIEC, HIPAA, PCI, etc. Our Control Standards library also reflects these linkages but at a more detailed level and across a much wider set of authoritative sources including more extensive technical standards like NIST 800-53.


Personally if I had to pick only one standard to serve as the backbone for my program I’d probably pick NIST 800-53, primarily because it’s so prescriptive and technically detailed and already has a companion control assessment guide (53A) – both of which are free. I find it’s easier to abstract up from something like that than to take a higher level abstract source like COBIT and go the other direction deeper into the technical stack without additional guidance. However 800-53 is an intimidating beast that can be overwhelming without the right resources and maturity established which is why I also like PCI as a starting point. It’s certainly not perfect either but it is fairly compact, organized across distinct principle areas, sufficiently technical to get started, and often a business requirement anyway. I like that it slants toward technical security and despite its focus on credit card data I don’t think it’s a stretch to substitute other things (like “PII” for a health care org) and arrive at similar conclusions for what types of controls and policies make good sense to implement in most cases. Plus it’s also free and includes assessment content (the SAQs) that can easily be used internally for risk assessment activities.


Something else to consider from the above is any hard business requirement such as specific certifications or other industry-specific needs. If the organization must be ISO 27001 certified or will always be measured against certain FFIEC guidance then those should definitely be factored into the program design. But again I think a lot of that comes down to tailoring and even in those cases I would still challenge the organization to operate from the perspective of a risk-centered program and fill in compliance reporting gaps as needed for specific obligations. <COMPANY X> was PCI compliant as were <COMPANY Y> and <COMPANY Z>. How much would it have mattered if they were also ISO certified? There are too many asymmetric business threats that can get overshadowed when the tail wags the dog which can happen more easily if too much focus is on the “what” (ISO 27001, etc.) versus the “why” and “how” (transforming from risk managed to risk advantaged).


Hope this helps give some background and my perspective. Let me know if there’s anything else I can help with.



Ok Archer Community, I’d love to get your take below! And keep an eye out for exciting new content headed your way soon!

Mason Karrer

Don’t Mess With Naptime

Posted by Mason Karrer Employee Feb 3, 2015

Long story short an electrical malfunction caused my neighbor’s house to catch fire over the weekend. Fortunately nobody was hurt but things certainly could have turned out much worse for a few scary simple reasons. According to the NFPA the likelihood of a home fire is 1 in 4 in your lifetime and the likelihood of injury is 1 in 10. Here’s the kicker: Those statistics are for a single fire. My neighbor’s house caught fire not once, but twice in 24 hours! As I replayed things in light of seemingly much longer odds some interesting operational risk correlations came to mind.


It all began midday on Saturday right after lunch as our 2 year old went down for a nap. Those of you with children appreciate the intense desire to covet and protect naptimes at all cost. This meant the house was more quiet than usual which was likely the only reason I happened to overhear the yelling outside. I discovered this was my neighbor across the street barking orders to his family and his son’s Boy Scout troop (coincidentally working on their Eagle Scout project on the driveway) to seek safety as thick black smoke rolled out their front door. I scrambled for a fire extinguisher and raced across to help only to have it fail after a tiny, embarrassing “pffffffft”. Not that it would have made a big difference anyway; the fire was quickly growing beyond control. But still, neither my finest moment nor the time for a key control failure.


Other family members soon assembled having escaped out the back of the house in the nick of time. With all accounted for we retreated to the curb to await the cavalry. Acrid smoke filled the whole street so I dashed back home to close the garage and somehow had the presence of mind to also turn off the furnace before it inhaled smoke throughout the house. I returned to find my neighbor, soot faced and coughing, remarking how the fire was so hot and smoky and spread so fast he figured if it had happened while they were asleep they wouldn’t have survived. Emergency services arrived on the scene and extinguished the fire just before it spread to the roof and beyond. It seemed the worst was over.


Fast forward to the same time the next day as I arrived home to find a different neighbor kid waving for help and shouting the fire had restarted. Really? Again during naptime? Nothing was visible, but he was acting frantic so I went for a closer look and sure enough saw fire quickly spreading up the stairway inside. Yet from the outside there was no smoke or other indication. So how had he known? The answer is keen observation and lucky timing. From his vantage point at home he just happened to notice a trace of flame through the lone 6-inch pane of glass that somehow hadn’t been completely blacked over with soot the day before. He was home alone and ran outside where he found me pulling into my driveway. I dialed 911 to get things moving and 10 minutes later our street was again lined with fire trucks and other EMS personnel.


Turns out there must have been a latent ember or enough residual heat to reignite everything. It was already very dry and had been windy since the night before. Several smashed windows also remained open around the house which all conspired to create a strong draft condition inside, essentially converting the entire house into a big fireplace with the stairway acting as the chimney flue. What if things had kicked up overnight instead and spread to the roof unabated? Between the wind and several huge pine trees in our yards things could have been really wild. Yikes!


From an operational risk standpoint it’s interesting to note the random dynamics that occurred to create a system of circumstantial risk events. What lessons can we apply to broader organizational risk management practices across the enterprise?


  • Preparedness – How enabled is the organization to respond when risk alarms (metrics) sound?
  • Escalation – Everybody has the potential to save the day by simply noticing something out of place and calling attention. What’s the organizational sounding board? Who’s listening?
  • Context – Unfortunately, too often the significance of isolated observations wasn’t made clear in time to prevent (or minimize) the impact of a disaster (for example the unused school busses during Hurricane Katrina). How can we coax real time, meaningful context out of seemingly unrelated items to extend the view over the horizon and adjust to changing conditions?
  • Feedback and refinement – There’s an old saying that it’s better to learn your fire extinguisher is worthless when your neighbor’s house is on fire (my neighbor disagrees). As I go to replace my fire extinguisher should I buy the same kind or consider learning a lesson and implementing a more effective control (continuous improvement)? Does the current risk model contemplate everything it should? (Tip: Start by defining higher order risks and then fill in gaps with more specific risk definitions as needed over time.)
  • External party risk – The smoke from my neighbor’s house posed downstream risk to neighboring houses like mine. I responded by turning off the furnace and closing up our house and also packed up a few essentials in preparation to leave if necessary (escalated incident response). When a vendor or supplier experiences a security event or business interruption the resulting increased uncertainty and risk can ripple throughout the supply chain. An organization’s ability to detect and compensate for these often unpredictable fluctuations is crucial to minimizing the impact.
  • 4th line of Defense – The items above notwithstanding, a balance must always be struck between too much and not enough. This is true in all areas of the business not just security or risk management. The concept of the black swan is all about asymmetric risk either from unforeseen events or predictable events whose impact magnitudes exceed predicted thresholds or outcomes. Even the most mature risk programs can’t prevent impacts when all **** breaks loose. What’s the plan for business resilience? How do you stay viable in the short term and improve in the long term? The fire department investigators are certainly hunting for lessons to learn and I can promise you my neighbor’s already planned to get escape ladders for the upstairs bedrooms among other things.


In case you’re wondering, despite all the noise and excitement our daughter slept through both events like…well…like a baby. If the Boy Scouts’ motto is “Be prepared,” then maybe the weary parents’ motto could be “Don’t mess with naptime!”


For more on Operational Risk Management, please visit my colleagues’ blogs here, here, and here and see Gartner's latest report.


Thanks for reading. Please feel free to email me with questions or comments anytime!



Years ago Billy Joel was "In a New York State of Mind" when he returned home to the Empire State. Over the last few weeks my fellow colleagues have been illustrating various scenarios on how third party risk management can play a vital role in a company’s operations in a series of discussions on the current state of mind as it relates to trends in third party and supply chain risk management. This comes on the heels of Gartner’s latest IT Vendor Risk Management Magic Quadrant placing RSA Archer well ahead of the pack in continued market leadership. This is something we’re very proud of as it represents not only a lot of diligent work but also the tremendous gift we enjoy by virtue of having so many amazing, creative, loyal customers who continuously collaborate with us to improve our products. Billy Joel might call that "A Matter of Trust".


Let’s discuss how some of those non-IT external relationships can also factor into the overall operational risk picture. Consider insurance for instance where carrier liquidity and disqualified losses can dramatically impact the quality of coverage; say in the wake of previously identified security weaknesses. “You May Be Right” that coverage should apply but the insurer may disagree in which case you may have just become “Easy Money”, unless of course you can produce compelling evidence to the contrary. Even then it can still be a protracted battle of wills to finalize any settlement which could likely fall short of actual realized losses for a major privacy or credit card breach. A disciplined approach to exploring these types of scenarios up front is necessary to ensure the organization has a healthy understanding of its entire portfolio of third party risks and isn’t blindly accepting more inherent risk than it realizes.


Other types of representative services like legal counsel or marketing and public relations can also benefit from a stronger dose of operational risk scrutiny. For example companies often retain specialty firms full of hired guns to help manage tough situations like breaches or other crises. In politics the term "risk management" usually relates more to spin control than security controls. It’s also common for companies to engage outside assistance when launching new products or other initiatives, or maybe just to help rejuvenate a tired brand with a fresh image makeover. The exposure risk is usually low for most of these pursuits given the level of iteration and approval required before any work sees the light of day provided no inadvertent leaks or other dumbdumbery occurs. Other times though they can bite in a hurry if the wrong firm was chosen or the project mishandled. When there’s only one chance to get it right what happens when things go wrong?


Two scenarios come to mind where this can quickly get interesting from a third party risk perspective. The first is crisis response. A company experiences an impactful event (breach, fraud, corporate scandal, whatever). Incident response best practices include initiating a predetermined chain of communication with clear guidance on interacting with the public (press inquiries, public statements, etc.) Controlling the flow of information is crucial to ensure the right things are communicated clearly as well as guarding against misinformation or leaks further hampering response and remediation efforts. From a certain viewpoint having the right PR firm on retainer in those types of situations could almost be regarded as its own form of insurance; intended to reduce the risk of further reputational damage by transferring certain communications and message crafting responsibilities to a more qualified outside expert.


What happens if that service fails to deliver? Whether in response to a crisis or something else entirely, how are the terms of service and dispute resolution mechanisms managed? When a company has servers at a hosting facility that gets knocked offline by a clumsy technician or power outage it’s easier to identify a fault chain. Something like five 9s of uptime can be measured empirically so enforcement through a service level agreement is pretty straightforward. But if a company retains a professional spinster to help control a sensitive public message and it backfires, is similar recourse available? What kinds of SLAs are best defined? Can fault be established? How should the company best manage those types of inherent third party risk adjacencies?


Here’s a second hypothetical, this time from the product side. Let’s pretend you’re a software product vendor participating in one of these analyst bakeoffs like the Gartner MQ. Just for fun let’s even say you’re actually one of our competitors in the GRC space. The whole process is competitive by nature and while different analysts have different styles, across the board there’s usually a large questionnaire you have to answer and other product information you must provide, typically on a very tight timeframe. So let’s further pretend you decided to try and stack the deck by engaging an outside industry “consultant” to help you prepare your responses (surprisingly some vendors really do this.) It’s all in secret of course as you would never want anybody to know you actually needed help representing your own product! Heck, the disclosure of that alone would be embarrassing, maybe even triggering a crisis response event by itself!


Fast forward to the release of the report and let’s say unfortunately for you, rather than rocking the house your product actually falls well short of the mark in the rankings. Your hired gun strategy didn’t pan out but at least nobody knows about it, right? So what would happen if instead it wasn’t kept secret? Let’s say the industry pundit you hired had her finger in all sorts of different pies trying to promote herself as a vendor consultant, buyer consultant, and maybe even as an alternative “impartial” product ranker. Let’s further suppose (unbeknownst to you when you engaged her) that she was also providing the same spit polish services to several of your competitors at the same time, essentially nullifying any supposed advantage you paid a premium for; which is why she’s in crisis mode trying to save face the only way she can - by going on the offensive! In her mind there’s no way SEVERAL vendors could hire her in all her glory only to have NONE of them do any better unless the SYSTEM is rigged. Cue Jon Lovitz…”It’s the system’s fault! That’s the ticket!” It couldn’t possibly be that her services added no value, right? Of course not!


Now let’s say before you can remind her of the NDA you have in place she takes things to the next level, fuming across the digital airwaves in her newsletter and social media shamelessly protecting her brand. Like a scene from a movie, Billy Joel’s “Big Shot” rings out in Muzak over your office speakers as you realize it wasn’t even some internal slip of the tongue that betrayed you but rather the actual consultant you hired! Out there on display for all to see ranting away and throwing you under the bus in the process! You quickly learn you’re no more a valued customer than she is a trusted adviser. Nope you’re just an expendable pawn in a desperate saga to preserve her brand against those evil establishment analysts. At least she didn’t refer to you directly by name but it’s easy enough to read between the lines and figure out who’s who. Talk about a hot mess!


So what would you do? What’s your next move? A poor showing in the rankings was bad enough but now you stand to suffer further reputational loss from this disaster. Is this an incident you need to escalate? What kind of public relations damage control might be needed? Considering your confidentiality was sacrificed for the self-preservation purposes of the one person who should have known better, maybe she’s opened herself up to litigation? But how much will THAT cost to pursue and how will it help? What about investor and board confidence in your product leadership and direction? What kind of third party risk management process improvements should you implement going forward?


Lots of tough questions to answer which now have you wishing you’d just slogged through the whole ranking process yourself and let the chips fall where they may, making your own luck like we do here. Hey we might not be the smoothest talking bunch and we've taken our fair share of dings too but at least we’re authentic. What you see is what you get and I can tell you from firsthand experience we wouldn't dream of entrusting to some outsider anything as important as representing our products in a professional analysis like the Gartner MQ…ever…because it’s always about more than just products. It’s about the people and the company standing behind those products and the customers rallying around them globally. Come what may we sail under our own power, our customers alongside us at the helm, and our integrity intact. No outside caricatures with mixed agendas or venture capitalists to worry about. Just us with all the passion and commitment we can muster. Considering the spot we've earned atop the leaderboard, who are we to argue with the results? Like Billy Joel said…#JustBeYourself

Following up on my previous blog for the Q3-2014 content release announcement, here’s some additional information on the changes we’ve made to the Archer Control Standards library.


A few months ago we started a project to create a new GRC taxonomy to improve the way the Archer Control Standards library is organized. While the previous categorical groupings loosely served this purpose already we wanted to tighten things up and reset on a new standardized foundation. So we parsed several prevailing standards and control frameworks to aggregate all the various categories and areas of coverage. We then distilled those down into a consolidated set of 57 categorical terms and developed descriptions for each to comprise our new Archer GRC Control Standard taxonomy. The last step was to reclassify each control standard under the new taxonomy which at 1,200+ control standards was no small effort!


This new taxonomy is intended to replace the previous collection of terms that grew over the years with a more concise and descriptive resource to make exploring the Archer Control Standards library easier. You’ll be able to better search and filter for specific areas of coverage as well as more quickly identify and assign ownership based on roles and responsibilities.


Everything needed is included in the Q3-2014 quarterly content release package. A formatted XML import file and set of instructions for implementing this new taxonomy are provided to make it a straightforward data import exercise. Adopting the new taxonomy is not a requirement although it is highly recommended as it will be the embedded standard beginning with version 5.5.2 of the Archer platform due to be released shortly. As such we will only be including the new taxonomy values in the Control Standards import files going forward.


If you have existing workflows, reports, etc., tied to the old values you can keep using those and migrate to the new taxonomy at a later time or use both indefinitely. The release documentation discusses a few scenarios to help illustrate various options and of course you are always welcome to reach out to Customer Support or me personally for any inquiries or assistance.


We hope you find this new GRC taxonomy useful and as always welcome any feedback you have.


All the best,



Hello everybody! This has been one of the most exciting Octobers we’ve had here in Kansas City in a long time as our beloved Royals battled it out in the World Series for the first time in nearly 30 years! Although we came up a little short in the final game, win or lose we’re incredibly proud of our team and what they’ve done for our town.


Now onward to a special Archer content release that includes a big change to the Archer Control Standards Library. I’ll focus on the normal Q3/2014 cumulative content release items here and cover the Control Standards library changes in a separate blog post.


For starters we’ve added FedRAMP to our Authoritative Sources library. It neatly coincides with two other authoritative sources already in the library by virtue of shared mappings to common Archer Control Standards. We also added the 2014 version of the standard published by the Information Security Forum (ISF) with a whopping 9,200+ mappings to Archer Control Standards! This release is just in time for the 25th annual ISF World Congress event around the corner, this year being held in Copenhagen, Denmark.


Other updates include a re-release of an existing content set with enhanced descriptors in the hierarchical name field values to improve filtering, and corrections to some minor errors discovered in a handful of PCI v3 SAQ question records. As in the past this quarterly update includes both new content as well as updates to existing content elements that may already be in your library. So you’ll want to pay special attention to the release notes and supplemental documentation before processing them to ensure everything is well understood. Once again the update page with release notes is here and content import packs are available through Customer Support. As always we’re here to answer questions too - whatever you need.




Mason Karrer

Need Your Help! COBIT 5

Posted by Mason Karrer Employee Oct 8, 2014

Greetings Archer Rockstars!! I'm looking for any COBIT 5 users out there. If you're driving COBIT5 activities in Archer then I want to talk to you and learn more about what you're doing. You can contact me through my community profile or just reply to this post and I'll reach out to you directly. Don't be shy - the more the merrier! Thank you!

A traffic accident occurred on my way to work recently involving a car and a bicycle. We happen to have an active cycling community here in Kansas City with over 150 miles of paved trails connecting throughout the metro. If you’ve ever visited our office for training you may have noticed we’re situated on one of those trails and some folks like me even use them to commute to work when we can. Suffice it to say this particular morning I was driving to work and a few minutes after leaving home I found myself pulling over to render aid to a downed cyclist. Another innocent victim of motorist inattention I figured.


In my last blog I suggested the "language" of risk could be the most universal language we inherently understand. Most of the time we employ an operational risk discipline in our daily lives without even thinking about it. In fact humans would have probably been long extinct had our initial survival depended on higher order brain functions (thinking) without the fight-or-flight response baked into our subliminal psyche. As our understanding of the world around us increased through the millennia we developed common sense to further enhance our survival and quality of life. Let’s explore an everyday example of what happens in the absence of that common sense.


Picture a 4-lane undivided suburban artery street that feeds residential neighborhoods on both sides through a network of cross streets governed mostly by stop signs. The cyclist, an older retired gentleman, was riding northbound on the southbound sidewalk (which we’ll call "strike 1"). The driver failed to notice the bicycle as he began a right turn from a cross street to head south on the main road and subsequently hit the cyclist passing in front of him. As I pulled over to help I saw the guy lying on the ground trying to sit up. He had blood streaking down the left side of his face and his bicycle was also a mess having gotten hung up under the front bumper of the car.


In the brief moments required for me to park and walk back to the corner the cyclist had mustered enough strength to stand up and start delivering a piece of his mind to the driver at top volume. The driver, a small European guy in his 50s, was flustered and very apologetic. Turned out he was simply trying to return a rental car for his wife and was baffled at how he could have hit a bicycle considering how careful he was otherwise being not to damage the rental car. Another motorist (a woman 8 months pregnant) who swerved to avoid hitting them both had also pulled over to help. Between the two of us we got 911 called, the mangled bicycle disconnected from the car and both moved out of the way, and the cyclist convinced it would be better to stop yelling and just sit down on the curb for a bit.


While I’m neither a trained medical professional nor a lawyer I actually do have some practical experience with this kind of thing since I was hit by a car myself once under similar circumstances. Overall the cyclist seemed okay. A little banged up but no broken bones or major loss of mobility and he was coherent enough to multitask between typing notes into his phone and ignoring our plea to stop cursing the driver. I looked closer at the blood on his head, saw it was coming from his ear & then noticed a cracked, bloody headphone dangling from under his helmet ("strike 2"). The impact caused him to smack the side of his head on something which cracked his earbud and the resulting shrapnel cut the inside of his ear which bled a bunch but was otherwise a minor injury.


Considering my own history you might have expected me to join in with the cyclist & start berating the driver further. It’s perfectly natural under the circumstances: We hear "car hits bicycle" and we’re pre-programmed to favor the cyclist just like we tend to fight for the little guy or cheer for the underdog. It’s precisely because of my own experience that I didn’t do that. Instead I asked the cyclist where he was headed even though I already had a hunch. His answer confirmed he was just tooling around for some exercise and enjoying the beautiful weather…during rush hour on a crowded main road no less ("strike 3!")


Could the driver have been more careful? Of course he could have. But was he guilty of gross inattention or merely conditioned complacency rooted in symmetric experience versus the asymmetric risk that had just landed square on his front bumper? A victim wooed by the perceived probability of success from past outcomes rather than anchored in future potential threats. Although we may have been told back in the day to "look both ways before crossing the street," in reality we get lazy sometimes. Like the night watchman who struggles to maintain "alert readiness" month after month at a building nobody ever breaks into. When we’re not actually crossing the street or even taking a left turn then we often defer to just checking to the left (or the right depending on where you are) since that’s the most likely direction of danger.


Forgetting that simple fact can be harmful for your health as Winston Churchill once learned on a visit to NYC which could be thought of as an asymmetrical outcome, an outlier in other words. Except that Mr. Churchill like the cyclist in my story amplified greatly the potential likelihood of that otherwise very unlikely event unfolding. People tend to forget the difference between odds and probability which leads them to disregard the power of asymmetric risk impacts. Though we’re not really used to thinking asymmetrically it’s nevertheless how the more impactful risks often manifest. So we must force ourselves to consciously apply this thinking and regard each scenario as a coin flip until a historical context or some other reference can prove otherwise.


Since the driver was turning right instead of left or crossing the street he deferred his attention to traffic approaching from the left only. Seeing none he proceeded to turn and BAM! This exact scenario happens to be one of the main reasons why bicycles are required to follow most of the same laws as cars including riding in the street with the flow of traffic, not on the sidewalk and certainly not on the sidewalk against traffic. This also happens to be the opposite of what we’re taught when we’re on foot where walking against traffic gives us the best chance of jumping out of the way of a driver who fails to notice us which was why the cyclist was so upset. He thought he was doing the right thing by applying the same pedestrian logic when in fact all he was really doing was amplifying the likelihood of a disaster.


So what’s the difference? In a word…velocity. Bicycles move faster than people on foot. Since reaction time is shorter for both parties the same controls don’t work as well. Or put another way, the velocity of the risk requires a different approach to controls in order to adequately manage the risk to an acceptable level, the control in this case being riding with traffic on the street rather than against it on the sidewalk.


If the driver had simply been more vigilant & looked both ways could the accident have been avoided? Probably but that’s not really the point. It’s a bit like saying if a hacker had just stolen somebody else’s credit card database instead of ours then we wouldn’t be in this mess in the first place. We can’t control what other people are going to do so next best thing is turn our efforts inward and focus on what we can control which is our actions and our security posture. In other words minimize our exposure by reducing our attack surface.


What about the responsibility of the cyclist and the strikes against him? Although it probably wasn’t illegal to wear headphones while riding his bicycle (like it is for drivers in cars) it certainly wasn’t the smartest idea in traffic either since it distracts the senses. It was also rather selfish to blunder around during rush hour in the first place with several beautiful trails available nearby. Even if he were riding on the street like he was supposed to, it’s not very enjoyable. At best heavy traffic is forced to move around him upping the chances of a multi-car collision plus raising stress levels of people just trying to get to work on time & instead getting stuck behind some guy who clearly has no pressing time commitments.


And what about his loved ones? Had he been more seriously injured or worse how would that have impacted them? Would they have agreed at his funeral that his little joy ride was worth it or would they have simply shaken their heads at the high cost of fair-weather foolishness? What about the driver who now had a bunch of explaining to do and insurance to deal with? Not to mention both of their wives. How would either of them explain all this without looking foolish? (something the cyclist hadn’t pondered until then but now seemed a little apprehensive about) What about the pregnant woman who nearly hit them both in the aftermath? What if she and her baby had been hurt? Or what if the panicked excitement sent her into premature labor? Then what?


Most people don’t usually think that way but most people haven’t been stupidly hit by a car either. So I thought it fair to ask the guy these questions which he didn’t really appreciate at first. But after a few moments it started to sink in. You could actually see the revelation wash over him. His entire face & demeanor changed and he smiled and shook his head when he realized how dumb he’d been and how lucky he was. Just like I realized how dumb I’d been and how lucky I am every day now many years later.


It’s amazing the number of lives we touch with even the smallest of actions. The driver who hit me was a young mother with two children in the car and all three were terrified they’d killed me. This was before cell phones and both her husband and my parents started fearing the worst when we didn’t arrive home on time. Fortunately my bike took the brunt of it and other than being a little banged up I was fine. Her car wasn’t damaged either. At the time I also thought I was absolutely right and she was absolutely wrong. Until I learned differently from the police and that same wash of guilt spilled over me for having put all four of us in that silly situation. I swore I’d never make that mistake again which is why for his own good I decided I couldn’t just coddle this cyclist and let him slide either. And you know what? Rather than calling me a jerk and telling me to buzz off the guy thanked me beyond words for putting things in perspective for him. He even apologized back to the driver which put the apology ratio at about 1:1000 at that point and they both shook hands and tried their best to laugh it off amidst still shaky nerves and post-adrenaline rundown. Emergency services arrived and patched up the cyclist and we bystanders proceeded on with our busy day.


See, tough love really does have a happy ending. And I promise neither that driver nor that cyclist will ever forget that experience or make those same mistakes again. The real question is will they regard this as just a bicycle accident? Or will they embrace the bigger meaning that they’ve actually improved their risk posture by updating their operational risk management models based on a historical trended view of impacts and near misses? Ehh…probably not the second thing. But at least they made it home for dinner with a good story to tell.


Twitter: @masonkarrer

When you think of international or universal “languages” what comes to mind? For some it’s love. For others it might be music or mathematics. Business-centric folks might further suggest the notion of profit and loss is fairly universal as well. I propose that risk itself not only qualifies as a universal language but in fact is actually better understood by more people than all of the others combined. To those that would doubt such an assertion as mere crazy talk I say challenge accepted.


Nobody I’ve ever met was born knowing math, they had to learn it. Few people can pick up an instrument for the first time and play it beautifully without any practice or instruction. And love confounds us all at one point or another. Risk, on the other hand, both awareness of it and aversion to it, is ingrained in us automatically without even thinking about it. In fact we can’t really think about it. It’s just there…hardwired into our ethos.


Remember learning about the fight or flight response in school? Consider that as nothing more than operational risk management baked into our psyche at a subliminal level. Author Seth Godin refers to that part of our brain as the “Lizard Brain”, the semi-conscious area that separates where things like conscious thoughts (love, music, math, problem solving) occur from the deepest part that controls involuntary things like heartbeats and other physiology. Part of the Lizard Brain’s purpose is to trigger protective reactions without the need for extensive preliminary deliberation. In other words, prompt an action without thinking about it first. Whereas the conscious brain might wonder how fast the bus is approaching, the Lizard Brain couldn’t care less. Its job is to motivate you to jump out of the way before getting run over.


There’s no shortage of other examples to easily illustrate our deep, embedded understanding of risk. When you drive someplace do you wear your seatbelt? Why? Those of you with babies; do you put them in a car seat? Why? What about locking the doors or covering the ATM keypad or a thousand other examples in our daily lives? Why do we do these things if not because of some embedded programming? A combination of nature and nurture resulting in raw behavior centered on risk awareness and further refined by contextual knowledge that enables more intelligent decisions. Ultimately the decision is still binary; accept the risk or avoid it? However the context often makes all the difference.


Embracing this notion of universal risk awareness opens up a whole bunch of possibilities when it comes to enterprise risk management. While it won’t recast everybody as PhD-level analytical risk quants overnight, it certainly suggests the average person can grasp risk management concepts far better than we probably give them credit for. Since risk itself transcends the entire enterprise landscape either way, shouldn't we strive for an understanding that permeates as well?


When it comes to operational risk in an enterprise, rather than assuming everybody in the organization is now magically risk “aware” from the start (which suggests a level of business knowledge they may not yet have), instead let’s call them “risk attenuated”. They have a general appreciation of what risk is and the impact it can have. Tapping into that raw understanding is the key to realizing two important benefits.


First we can drastically elevate true awareness by starting an enterprise-wide conversation that complements each individual’s inherent understanding of risk with relevant information about the organization’s specific risk posture and goals. Second, with contextual awareness established we can gather important timely feedback about the operational state of risk in much more useful terms. When it comes to the good, the bad (and the downright ugly) aspects of operations the people in the trenches always know the lay of the land the best. Fortify the first line of defense by appealing to their embedded sense of risk and cultivating them into a well-developed risk intelligence network feeding reliable information up in real time.


You’ll often hear us discuss the importance of risk-intelligent decision making as part of advancing down the path of GRC maturity toward the opportunity landscape. Organizations that embrace these principles are transforming their risk and compliance operations and realizing the competitive benefits of operating in that risk-advantaged state. Those that don’t will continue struggling to understand their broader risk and compliance landscapes and inevitably expend more and more resources chasing security and compliance in an increasingly hostile world of global competition, threats, and regulatory pressure. While operational risk may be concerned with people, processes, and technology together, your people will always be your most important resource. Why not use them?


Have something to say? We’d love to hear it and have a conversation anytime about the opportunities that exist in your world of risk and compliance. We also have more exciting content releases coming soon. Follow me on Twitter (@masonkarrer) to stay in the loop!

Hello everybody! On the heels of the Archer Summit I’m very pleased to announce the latest Archer content update is available. The last one was big but this one’s a monster! In addition to mapping enhancements for HIPAA and NIST 800-53 we also added supplemental content to PCI v3, developed the PCI Self-Assessment Questionnaire stack, completed the NIST CSF true-up to the final version and added mappings, and did a full top-down refresh of all NERC content!


But wait there’s more! New policy content! We added new top level policies for financial services and healthcare-related items, enhanced many existing policies, and updated the policy library mappings to Archer Control Standards.


This release is cumulative of Q1 and Q2 development efforts. This includes both new content as well as updates to existing content elements already in your library. So you’ll want to pay special attention to the release notes and supplemental documentation before processing them to ensure everything is well understood. The update page with release notes is here and content import packs are available through Customer Support. As always we’re here to answer questions too – whatever you need. And keep on the lookout for more exciting content developments debuting soon!


Happy Independence Day!

Read an interesting article over at HBR recently (“Forget the Strategy PowerPoint” by John Kotter) that argues for better ways to articulate high level strategies.


The gist is that it’s already hard to communicate a strategy anyway but even harder when all you have is a bunch of slides. People’s attention is often divided and it’s easy to misinterpret complex ideas without the full context driving the strategy, etc. So why not ditch the strategy presentations altogether in favor of telling more exciting stories centered around “big opportunities” instead?



In his article Kotter focused on challenges that executives often face when unveiling strategies to their organizations. Whatever difficulties the CEO faces in making an argument down from the top, we can all probably speak from experience that it can be even harder going the other way and selling ideas upward. So maybe this “opportunity philosophy” could hold water at any level of the organization?


Kotter suggests that where full-blown strategy statements can be long and complicated, effective opportunity statements are simpler and easier to communicate. Some of the most important characteristics include keeping them short (half page or less), rational (grounded in current reality), compelling, positive, authentic, clear, and aligned with existing goals. The inset figure shows an overview of how to connect the opportunity vision to change.


In many ways this falls right in line with conversations we've been having with many of you this year around several key areas of opportunity such as business resiliency, operational risk, and of course my personal favorite, regulatory and corporate compliance. Those of you that attended the Archer Summit saw this underscored throughout the week and in fact many of you were the ones actually driving those discussions and telling the best stories of all!


So for fun let’s give Mr. Kotter’s theory a try. Here’s a possible take on the big opportunity that exists in the area of regulatory and corporate compliance. And while we’re at it, how about we throw in a nautical theme after last week in the desert? Here goes…


For some industries regulatory scrutiny has been a daily reality for decades. However the days of “those guys” being the only ones with compliance challenges are long gone. Today any modern enterprise regardless of industry is feeling the pain especially when it comes to technology and protecting sensitive information. This is on top of merely trying to keep the business afloat amidst the increasingly dicey seas of global competition.


Since compliance is NOT the average company’s main business focus, this rising tide of obligations serves to increasingly distract companies from their core missions. Costs and negative effects on productivity continue to pilfer resources away from strategic initiatives, squeezing companies from both sides until their only options left are bad ones. Which poison should they pick? Do they continue ratcheting up compliance spending as their business suffers setbacks? Or do they hold fast and roll the risk dice against a negative event such as a security breach or serious violation? An armada of competitors is on the horizon while regulatory sharks constantly patrol for their next meal. Not the situation to be in with a leaky boat and a nervous crew.


Imagine a different world with calm seas and favorable winds where compliance wasn't nearly so painful or expensive because things just “worked” as they should. What if your compliance program could be like a fast, watertight ship gliding effortlessly across the open water and speeding safely to whichever ports of call beckoned the business next? What if your crew were so practiced they could respond to changing conditions with minimal effort and without drifting off course or losing speed?


We believe this describes how a streamlined compliance program should function. Companies that embrace this philosophy stand to fundamentally transform compliance from a success barrier into a true competitive advantage. They will prosper while their competitors are tossed about in the wake, struggling to keep up. This is not a future fairy tale. The capabilities are here today with a clear direction to navigate for those adventurers that choose to set sail on these compliance winds of change.


Is there a new story you'd like to tell around your dockside water cooler? We can help!

I often get asked for advice on manipulating content in and out of Archer, how to relate certain things & build reports, etc. Somebody recently asked the following and I figured hey, why not blog the answer.


“I’d like to do a review of my PCI control standards offline in Excel. What’s the best way to do this?”


Great question…This is part of a broader topic around working with mappings in Archer. The tips I outline here will work for a single authoritative source, multiple authoritative sources, and pretty much any other situation involving similar applications in Archer.


First recall that Archer’s Authoritative Sources application is what we call “leveled” meaning it has a hierarchy as opposed to a flat application which doesn’t. (Actually flat apps are essentially leveled apps with only one level but that’s beside the point.) The purpose of a leveled app is to provide a means for representing the native hierarchical structure common to most narrative documents such as structured standards, policies, and so on. The top level is usually a single record that describes the source such as “Payment Card Industry Data Security Standard v3.0”. The next level down might take a similar form to a table of contents and the remaining child levels will then contain the rest of the structural text. The leveled application structure allows us to deconstruct the source into its granular constituent components which is useful for clarifying the context of individual statements within the source.


Therefore when we map authoritative sources to Archer’s Control Standards library we typically map at the lowest levels meaning the most granular elements since the mappings are intended to reflect contextual relationships. Using PCI as an example if we were to merely identify all the Archer control standards that related to all of the individual aspects of PCI and lump those into a single cross-reference at the top level we’d obscure a lot of useful information. You’d only see the top level record and several hundred related control standards but no visibility into the context of why one thing is mapped to another. You may also obscure performance measurement by hampering the ability to inform findings, risks, and other upstream and downstream operational elements that may be tied to those standards.


Establishing the mapping connections further down at the lowest levels eliminates this issue. So when you view an individual record like PCI:8.2.6 which describes a requirement around setting first-time passwords, suddenly the related mapping to Archer control standard 308 (“Initial Passwords”) makes a lot more sense. Furthermore if you have individual stakeholder ownership assigned to different control standards it’s much easier to translate that ownership up to the external requirements those folks are also responsible for. Or, go the other way and identify specific compliance objectives and then easily correlate the related control standards, policies, and so on that drive compliance against those stated objectives.


So back to the original question about analyzing these offline, and continuing with PCI as our example: PCI has mappings in its bottom two levels (Section and Sub Section), so both levels need to be considered in the analysis. Starting from the Authoritative Sources application click “Advanced Search”, then click “Add New Relationship” in the left dialog box and choose “Control Standards”. This creates an n-tier report, which is really just a fancy way of saying you want Archer to crawl the cross-reference relationship between Authoritative Sources and Control Standards so you can include additional fields from the Control Standards library in your output. Next choose the fields you want in the report, such as Source Name, Topic ID, Topic Name, Section ID, Section Name, etc. (Note: I’m stopping at the Section level for a reason.) Now scroll down in the left-hand field selector and grab some fields from Control Standards such as Standard ID, Standard Name, Description, and Owner, or whichever ones you want.




Now add a new filter criterion to “Filter By Record” from the Source level and in the filter value dialog click the selector button & find the authoritative source(s) you want to include. Set the report type to “Column – Flat” in the Display options and click the Search button. Archer will return a flat list of the authoritative sources you selected (including native structure) down to the section level along with any control standard(s) a given section record is mapped to, each on its own row.




By default this will also include unmapped records. You can optionally check the “Enforce Relationships” box to strip those out, but I find sometimes it’s better to keep them in so I can also see anything that isn’t mapped. Plus it’s easy to filter them out in Excel later anyway.




Export the results to Excel format or a CSV file and then go back and modify the Archer search criteria. Add the Sub Section ID and Sub Section Name fields from the field picker on the left and remove the Section level fields on the right by clicking the “X” button next to each one. Leave the Control Standards fields you chose for the first report alone and run the search again. Export those results to a second file. Open both files in Excel and paste the contents of one into the other to render a single flat list of all mappings for that authoritative source. Keep in mind that the second file’s headers read Sub Section ID and Sub Section Name rather than Section ID and Section Name, so line the ID and Name columns up (or rename the headers to something neutral like Requirement ID and Requirement Name) before you paste, otherwise the two levels will sit in different columns. (I usually paste the Sub Section records to the end of the Section file but the order doesn’t really matter.) You can use these same techniques for any leveled application scenario.



Note that if a control standard has been mapped more than once it will appear multiple times in the list. This happens both when two unrelated requirements share a standard and when a parent Section and its own child Sub Section are each mapped to the same standard, so check which case you’re looking at before you treat the count as a measure of coverage. Use Excel’s highlight duplicates feature on the Standard ID or Standard Name column to color code the duplicates and filter them down further if needed for pivot table analysis or whatever you want to do. Don’t forget you can already do tons of analysis like this in Archer too, but sometimes it’s nice to take it offline to the beach or...ahem, wherever you choose to be productive outside of the office.
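If you would rather script the merge and duplicate check than do them by hand in Excel, here is an added example (my own illustration, not code from the post or from RSA Archer) that does the same job on the two exported files. It assumes the exports were saved as CSV with the column headers named after the fields chosen above; the PCI 8.2.6 to control standard 308 (“Initial Passwords”) mapping is the post’s example, while every other ID, name and mapping in the embedded sample is constructed to exercise the script and is not taken from Archer or from the PCI DSS.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of the two "Column - Flat" exports described above: one
# run with Section fields, one with Sub Section fields, both joined to Control
# Standards. Only PCI 8.2.6 -> 308 "Initial Passwords" is from the post; the
# remaining IDs, names and mappings are made up for the example.
SECTION_EXPORT = """\
Source Name,Topic ID,Topic Name,Section ID,Section Name,Standard ID,Standard Name
PCI DSS v3.1,8,Identify and Authenticate Access,8.1,User Identification,,
PCI DSS v3.1,8,Identify and Authenticate Access,8.2,User Authentication,308,Initial Passwords
PCI DSS v3.1,8,Identify and Authenticate Access,8.2,User Authentication,310,Password Complexity
"""

SUBSECTION_EXPORT = """\
Source Name,Topic ID,Topic Name,Sub Section ID,Sub Section Name,Standard ID,Standard Name
PCI DSS v3.1,8,Identify and Authenticate Access,8.2.3,Password Parameters,310,Password Complexity
PCI DSS v3.1,8,Identify and Authenticate Access,8.2.4,Password Rotation,,
PCI DSS v3.1,8,Identify and Authenticate Access,8.2.6,First-Time Passwords,308,Initial Passwords
"""

# The two exports name their ID/Name columns differently; map each level onto a
# common schema so the rows line up instead of drifting into separate columns.
LEVEL_COLUMNS = {
    "Section": ("Section ID", "Section Name"),
    "Sub Section": ("Sub Section ID", "Sub Section Name"),
}
COMMON = ("Source Name", "Topic ID", "Topic Name")
OUTPUT_FIELDS = list(COMMON) + [
    "Level", "Requirement ID", "Requirement Name", "Standard ID", "Standard Name",
]


def parse_export(text):
    """Parse one Archer CSV export into a list of dicts, one per output row."""
    return list(csv.DictReader(io.StringIO(text)))


def normalize(rows, level):
    """Rename the level-specific ID/Name columns to Requirement ID/Name and tag the level."""
    id_col, name_col = LEVEL_COLUMNS[level]
    out = []
    for row in rows:
        rec = {col: row[col] for col in COMMON}
        rec["Level"] = level
        rec["Requirement ID"] = row[id_col]
        rec["Requirement Name"] = row[name_col]
        # Unmapped requirements come back with empty Control Standards fields.
        rec["Standard ID"] = row.get("Standard ID") or ""
        rec["Standard Name"] = row.get("Standard Name") or ""
        out.append(rec)
    return out


def merge_exports(section_text, subsection_text):
    """Combine both exports into one flat list (Section rows first, then Sub Section)."""
    merged = normalize(parse_export(section_text), "Section")
    merged += normalize(parse_export(subsection_text), "Sub Section")
    return merged


def unmapped(rows):
    """Requirement IDs with no control standard, i.e. what 'Enforce Relationships' would hide."""
    return [r["Requirement ID"] for r in rows if not r["Standard ID"]]


def standard_usage(rows):
    """Standard ID -> sorted requirement IDs it is mapped to (the Excel duplicate check)."""
    usage = defaultdict(list)
    for r in rows:
        if r["Standard ID"]:
            usage[r["Standard ID"]].append(r["Requirement ID"])
    return {sid: sorted(reqs) for sid, reqs in usage.items()}


def reused_standards(rows):
    """Control standards that appear more than once in the merged list."""
    return sorted(sid for sid, reqs in standard_usage(rows).items() if len(reqs) > 1)


def to_csv(rows):
    """Serialize the merged list back to CSV for Excel or a pivot table."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=OUTPUT_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    merged = merge_exports(SECTION_EXPORT, SUBSECTION_EXPORT)
    print(to_csv(merged))
    print("Unmapped requirements:", unmapped(merged))
    print("Standards mapped more than once:", reused_standards(merged))
```

To run it against real exports, replace the two embedded strings with the contents of your Section and Sub Section files (for example via `open(path).read()`); the column names only need to match the fields you picked in Advanced Search. The duplicate report deliberately keeps the requirement IDs next to each reused standard so you can tell a parent/child double count (8.2 and 8.2.6 both mapped to 308 in the sample) apart from a standard genuinely shared by unrelated requirements.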



That does it for this issue of the content mailbag. Got some tricks of your own to share? We’d love to hear them! And keep an eye out for exciting new content headed your way soon!










