
RSA Archer Suite

44 Posts authored by: Mason Karrer Employee

I’m pleased to announce the latest localized versions of the [DEAD LINK /docs/DOC-15636]Archer Control Standards library. The Control Standards translations have been updated for all languages currently offered on the Archer platform. Customers with an active support contract can contact their sales or Customer Support to obtain import packs for the language of choice.


Thank you!

Or, as they say…Merci, Danke, 谢谢, Gracias, Спасибо, ありがとう, Obrigado, Grazie!

I was very excited about the release of RSA Archer’s enhanced mobile capabilities last week. This is a huge step toward unlocking the potential of RSA Archer in today’s distributed, mobile workplace. Here’s a brief rundown on this latest RSA Archer Platform feature and some tips for how to take full advantage of it.


What is it?
RSA Archer GRC Mobile combines a new mobile application with Archer platform enhancements to enable you to easily leverage assessments and content from any Archer Solution remotely on your iOS mobile device.


What can you do with it?
RSA Archer GRC Mobile allows you to perform any kind of assessment against a defined target in Archer. This simple concept can drastically transform time-consuming operational chores into efficient, value-added processes that significantly reduce overhead and cost. Here are just a few customer examples already in play.


Facility Assessments
One of our large customers with thousands of locations around the world is currently piloting a program to complete weekly onsite facility assessments using Archer Mobile. Since Internet connectivity is nonexistent in most of their locations, it’s impossible to log into Archer directly to do the assessments. So they have been limited to performing them using the original word processor (paper & pen) and then manually re-entering the results later. Talk about painful!


With Archer’s new GRC Mobile app local managers and their teams can actually walk around their locations completing the assessments in real-time, as well as capture additional details and evidence on the spot. What happens if they get interrupted by a priority like overseeing a loading dock delivery? No problem, they can simply pick up later where they left off and sync the rest of the results when they’re done.



Not only does this new mobile approach yield efficiency gains it also establishes a stronger gated process to improve data integrity. Since the assessment forms are pre-configured, managers can more easily delegate the completion of certain sections to staff members without the need for direct interaction or supervision. Paper pushing and duplicate efforts are eliminated. Everyone wins.


Compliance Evaluations
A transportation customer anticipates Archer Mobile will drastically improve the speed and reliability of aircraft safety audits performed around the world. Their planes can’t operate without a current inspection and every minute an otherwise perfectly good aircraft sits on the ground costs the airline money. The inspection interval varies depending on the type of aircraft, duty roster, maintenance schedule, etc. Imagine trying to coordinate this for an entire fleet of planes and inspectors globally!


With Archer’s new mobile capabilities global safety inspectors can centralize the inspection effort while working in their local language. Since they’re able to easily capture notes and attach images as evidence on the spot as part of the documentation, they reduce downtime required to collate and submit responses. Planes are cleared for service operations faster so they can spend more time in the air earning revenue. Plus the increased operational efficiency and reduced administrative overhead translates to direct cost savings.


Onsite Audits
A large financial services client plans to leverage Archer Mobile to support internal audit activities such as capturing self-assessment results and reducing the paper trail for audit evidence. Auditors can guide business owners and team members through completing the assessments in person while onsite rather than having to chase them down remotely afterward. The ability to aggregate evidence into a single system of record more quickly means less time in the field and less follow up required. Reducing the administrative overhead for audits means they can be wrapped up faster and with less hassle which benefits everyone involved.


How does it work?
The RSA Archer GRC Mobile application is available for download from the Apple iTunes store. Mobile capabilities can be enabled on any Archer Platform instance v5.4 SP1 or later once a separate mobile license has been applied. Both are free. In terms of platform changes you’ll see new layout options to support mobile versions of questionnaires. The original layout builder has been renamed “Web Layout” and a new “Mobile Layout” tab appears when you check the option to make your questionnaire “Mobile Ready.”


You can drag and include many field types onto the mobile layout. Since the mobile assessments are content-driven they can be developed and displayed in any language on the mobile app. Security features include encryption, access control, secure wipe and more.


What should you do next?
Explore! The examples above are tip of the iceberg for how RSA Archer’s new mobile capabilities can quickly make a difference in a company’s operations. The potential for additional creative implementations is much broader. Remember, Archer Mobile is really just an extensible front end to the Archer Questionnaire feature, which itself possesses many of the same capabilities as a full-blown Archer application. So there’s plenty of latitude to adapt it to non-traditional and even esoteric use cases.


Additional resources are available if you’re interested in learning more about RSA Archer GRC Mobile. An overview is posted on the RSA Link ArcherGRC Community as well as the Platform 5.4 SP1 documentation that provides detailed information about how to enable these mobile capabilities for your instance. Check it out and let us know how you are planning to take your GRC program mobile!

Hello everybody! Happy 2014! We are very pleased to announce the RSA Archer eGRC Content Library quarterly bundle is now available.


Santa’s content helpers kept busy through Christmas and right up to the last day of the year to bring you some exciting new content. With the brief holiday break behind us it’s time to get back to work! So let’s jump into these enhancements to the Archer content library.


Earlier last quarter we released the 2013 version of the Information Security Forum’s Standard of Good Practice. We wanted to get that in your hands ahead of the ISF’s annual World Congress event in Paris. For the remainder of the quarter we turned our attention to three major new items which I know you’ve been eagerly anticipating. We’re very pleased to bring these to you first and only through Archer.


Here's a snapshot of the Q4 quarter's full bundle:


Authoritative Sources:

  • [DEAD LINK /docs/DOC-15651]Information Security Forum Standard of Good Practice 2013
    • 8,886 mappings to Archer Control Standards
  • ISO/IEC [DEAD LINK /docs/DOC-15608]27001 and [DEAD LINK /docs/DOC-15609]27002
    • 585 mappings to Archer Control Standards
    • 27002 as mapped Control Procedure content
    • ISO/IEC 27001 Question Library content to drive targeted questionnaires
  • [DEAD LINK /docs/DOC-32101]NIST Cybersecurity Framework
    • 3,337 mappings to Archer Control Standards
  • [DEAD LINK /docs/DOC-32040]Payment Card Industry DSS v3.0
    • 588 mappings to Archer Control Standards
    • Mapped companion Control Procedure content


Control Standards Library: 45 updates, 1 new control standard


Control Procedures Library: 500 new control procedures

  • ISO/IEC 27002
  • PCI DSS v3.0


Question Library: 204 new questions

  • ISO/IEC 27001 questionnaire pack


Special note: ISO/IEC 27001 & 27002 and the ISF SoGP are restricted by third party license so are not included in the bundled import packs. Separate imports are provided for those items.


The Release Notes for this quarter are posted on the RSA Archer Exchange and content import packs are available through Customer Support.

Happy Halloween Archer Community members! We are very pleased to announce the Information Security Forum 2013 Standard of Good Practice as the latest addition to the Archer content library.


RSA has been pleased to share a relationship with the ISF for several years both as a member and as the only GRC vendor to offer the venerable Standard of Good Practice. As it’s grown in popularity, each version of “the Standard” has evolved in comprehensive security coverage and this latest round raises the bar once again. Here at Archer we’ve responded in kind by completely reworking the content presentation to make the Standard more useful than ever before. This improved granularity resulted in nearly 8,900 discrete mappings to Archer Control Standards!


If you like ISO 27002 then you’ll love the ISF Standard of Good Practice. In addition to providing complete coverage across all ISO/IEC 27002 topics, the ISF SoGP’s expanded coverage includes:

  • Cloud computing and privacy
  • Supply Chain
  • Consumer devices and BYOD
  • Cybercrime attacks
  • Critical infrastructure


Plus the Standard also overlaps COBIT 5, SANS 20, DSD Top 35, UK Top 10, and PAS 555.


The structure of the Standard is organized under four basic categories which extend to 26 Areas and 188 Topics (see figure below). The Standard is further bolstered by the underlying ISF Security Model that provides a basis for addressing information security needs by defining a balanced set of tools and methods that intersect basic GRC concepts with the people, processes, and technology embedded in the organization.






The Information Security Forum is an international member-driven organization with several regional networks and more than a dozen local chapters in place. Over half its members are included on the Fortune 500 and Forbes 2000 listings. Other member organizations include public sector bodies, government departments, and some of the world’s largest international corporations. Local chapter events are held throughout the year and every November the ISF hosts its “World Congress”, the ISF flagship global event. Held in a different city each year, 2013 marks the 24th annual Congress which begins in just a few days on November 2nd in Paris.


Like most other things membership has its privilege. ISF membership offers a unique private forum for security professionals to collaborate and further the practice of information security. In addition to the local and international events, membership provides access to the ISF Standard of Good Practice and the ability to benchmark security performance against other member organizations in a confidential and useful way. Other resources such as IRAM, the ISF’s risk assessment methodology and the ISF Live social business website are also available to members in good standing.


I highly encourage you to explore the ISF and consider having your organization join its member ranks. If you’re already a member and happen to be attending World Congress in Paris this year then please stop by the RSA booth and check out the latest version of the Standard of Good Practice in Archer.


Archer content import packs for the 2013 Standard of Good Practice for Information Security are available to ISF members through Customer Support.

Hello everybody! We are very pleased to announce the RSA Archer eGRC Content Library quarterly bundle is now available.


Earlier this month we released NIST SP 800-53 Revision 4. We’ve since added a major update to HIPAA as well as the latest version of the Monetary Authority of Singapore’s Technology Risk Management Guidelines. In support of these, several additions to Archer Control Standards and the Archer Question Library are also included. For folks that haven’t yet obtained the NIST 800-53 update we’ve also packaged it in the Q3 bundle for convenience.


Here's a snapshot of this quarter's full bundle:


  • Authoritative Sources:
    • NIST SP 800-53 Revision 4
    • HIPAA Privacy and Security
    • Monetary Authority of Singapore Technology Risk Management Guidelines


  • Control Standards:
    • 80+ updates and new standards


  • Questionnaire Assessments:
    • 600+ new questions


Something to note on the HIPAA content specifically – we have migrated the changes to the regulation into the existing authoritative source content, expanded the structure, remapped it, and developed a questionnaire assessment that also maps back to the authoritative source. So this import will update your existing HIPAA records with those changes. HIPAA sections which are no longer present in the current version of the regulation will be tagged as superseded in Archer so you can easily locate and remove them at your discretion.


The Release Notes for this quarter are posted on the RSA Archer Exchange and content import packs are available through Customer Support.


Thank you for your continued support in making RSA Archer the leader in GRC content. And check back soon for additional updates to the Information Security Forum’s [DEAD LINK /docs/DOC-15651]Standard of Good Practice and a forthcoming update to the Unified Compliance Framework.

I’m happy to announce the release of [DEAD LINK /docs/DOC-27046]NIST SP 800-53 Revision 4 as Archer content. This newest addition to the library is offered as a full-text authoritative source with over 1,100 mappings to Archer Control Standards.


Special Publication 800-53 is one of the foremost flagship security control catalogs in the world. This latest version reflects a multiyear effort on the part of NIST to refine the control set and expand it with additional coverage for current and emerging trends in various technology areas. With a title of “Security and Privacy Controls for Federal Information Systems and Organizations”, SP 800-53 is often mischaracterized as only being relevant to the public sector. However, the control catalog and methodology serve as an excellent baseline resource for any company looking to rationalize and improve their security control environment. The Presidential Policy Directive and Executive Order released earlier this year underscore the trend toward public and private sector security practices beginning to align. Guidance provided by NIST will be deeply integrated into these public initiatives, so it’s worth turning to SP 800-53 as a reference whenever security control designs are being considered.


If you caught our webcast with Dr. Ron Ross earlier this year you’ll recall one of the major updates in SP 800-53 Rev 4 is the addition of a new family of privacy controls. This is a big deal since NIST has only added one other control family since the inception of 800-53. Another new element is the introduction of the “overlay” concept. Think of this as an additional way to uniquely identify and allocate controls based on overlaying the deployment context of the platform being protected. These additions further illustrate a growing overlap of security concerns shared by public and private sector organizations alike, and complement a concerted effort by NIST to reach out and collaborate with the private sector.


With the addition of Revision 4 in Archer, together with the addition of [DEAD LINK /docs/DOC-15427]800-53A as Archer Control Procedure content released earlier this year, you have everything you need to drive a serious security control assessment program or transition your existing program across to the latest version as part of your security control environment lifecycle management process.


If you’d like a deeper dive on using SP 800-53 Rev 4, be sure to check out our upcoming webcast on September 12, 2013.


Content import packs are available through Customer Support.

Those of you that have followed Archer’s multi-lingual march around the globe already know about Archer’s core libraries we’ve previously translated into French, German, Spanish, and Japanese. I’m pleased to announce the addition of Italian, Portuguese, Russian, and Simplified Chinese to the collection. Specifically the following libraries are now available in all eight languages:


  • Archer Control Standards
  • Archer Policies
  • Archer Question Library
    • Archer Control Assessment Bank
    • Archer Risk Assessment Bank


Additionally, since the Archer Control Standards library has changed since it was last translated into French, German, Spanish, and Japanese, we have incorporated those changes into newly translated versions for those languages as well.

Customers with an active support contract can contact their sales or customer support representative to obtain import packs for the language of their choice.


Thank you! Or, as they say…Merci, Danke, 谢谢, Gracias, Спасибо, ありがとう, Obrigado, Grazie!

When the Edward Snowden story first broke I remember how the crazy theories ran wild about his identity, his motivations, and (gasp!) whether we were safe. Heck, they still don’t seem to know exactly what this guy took and what his endgame truly is. As the story has continued to unfold, one thing that became very interesting is not who he is, but WHAT he was. He wasn’t some agent gone rogue or a foreign super spy, he was a systems administrator! An IT contractor, for crying out loud! So as Congress continues “demanding answers on behalf of the American people,” cynical folks like me regard the whole thing as a charade. When millions of people have top secret clearances, how is it not happening all the time?


I don’t need some fancy forensics team and congressional hearings to know the IT group holds the keys to the kingdom. Anybody who’s ever worked any kind of basic IT job knows that already. Those of us who rose through the ranks via security and audit understand very well just how pervasive access control gaps are on public and private sector networks alike. So while the general public is shocked and outraged, the only thing that surprises me is that it hasn’t happened sooner or more often, for that matter. Wait, it HAS happened before. And it happens more often than you think. The difference is we rarely hear that much about it.


Some people are calling for Snowden’s head on a pike while others label him a whistleblowing hero. Straw men abound and as the media debate rages on around the latest news story about thousands of NSA privacy violations, I’m left wondering how much of a sign this is of things to come. National security is one thing, but what about the people who have access to your company’s “top secret” info?


Remember it’s not like Snowden was an underpaid government drone turned espionage actor, lurking in the shadows to supplement his retirement by selling secrets. On the contrary, from the sounds of it he had a pretty sweet private sector gig. So what’s it take for an IT guy with a great job and a girlfriend in Hawaii to walk away from it all, publicly turn his life upside down, and become the most wanted guy on the planet? He says it was a belief to do the right thing in exposing his employer’s egregious violation of your civil liberties. Is that really true? Could he really be that sincere? What kind of person actually does that? Well, for starters an ideologue does. So maybe it's not such a stretch after all. Doesn't mean he's right, or sane for that matter. But if I’m the CEO of a company with serious trade secrets or a checkered past (or both), maybe I’m starting to wonder what could happen if one of my employees drew inspiration from Snowden and decided to go rogue.


The global economic conditions over the last few years have boosted anti-corporate activism. Combine this with porous security, flash drives the size of a gnat, and anonymous access to a nearly instantaneous global news cycle, and it’s not hard to conclude that whether for profit or popularity, a motivated insider poses a greater operational risk than ever before. If the President of the United States can’t touch an IT guy then what’s an average CEO really going to do to an employee who blows the whistle? Prosecute them? Sue for damages? Pursuing criminal charges could quickly backfire and land the CEO in the clink if the employee was shining a light on criminal fraud. On the civil side any punitive awards would pale in comparison to the cost of pursuit, the PR fallout, and repairs to the brand, presuming the company actually wanted to expose anything else internally in open court anyway. So even to serve as a deterrent, any decision to initiate a lawsuit would require a serious corporate gut check as a prerequisite. When a subset of the population is guaranteed to rally behind the employee (the little guy) regardless, at the end of the day what does winning really look like when you sue somebody you just fired?


The other sad, simple reality when you boil it all down to essentials is that the security issues at play are still largely the 101 stuff. Maybe it's time to play offense for a change. Technology always advances; budgets grow and shrink; but at the end of the day it’s always back to basics. It’s the same reason coaches preach fundamentals time and time again even at the professional level. Information classification, least-privilege, role-based access control, segregation of duties, policy, and culture…these basics will make or break the security posture in any organization. “Making it” hinges almost entirely on commitment and execution.


Information Classification (“Know what you have and what should be protected”) – One of the most boring, tedious tasks to undertake. Executives will magically be on retreats anytime you try to initiate it. Legal departments hate dealing with it. Nobody wants to “restrict” people in today’s politically correct culture and everybody is scared they’re forgetting something. But the fact is if you can’t name it you can’t protect it and there has never been a valid reason that everybody should be privy to everything. So for goodness sake stop dancing around the issue and lock things down already.


Least-Privilege Access (“If you don’t need it, you don’t get it” part 1) – Bedrock fundamental. In the public sector terms like “clearance” and “need to know” are used. Guess what? The same authentication and authorization rules apply in the private sector too. And yes they also apply to the IT staff. Encryption can help here tremendously but only if you know what needs to be encrypted.


Role-based Access Control (“If you don’t need it, you don’t get it” part 2) – If the principle of least-privilege defines the rules, the role-based access control model enforces them. Certain staff members require elevated privileges. It’s a fact. Own it. “HOW” they get and keep those privileges makes all the difference. Yes “Everyone – Full Control” on the corporate <fill in the blank important file share> is easier to manage but it’s also insane. Neither good basic access control practices nor even the more advanced multi-factor IPSec and encryption setups require a PhD to implement. With a little know-how, some elbow grease and the right technology products and guidance it’s actually pretty reasonable. So roll up your sleeves, get your people with people who know what they’re doing, and insist the job’s done right. Your efforts will be rewarded.


Segregation of Duties (“You do your job and I’ll do mine”) – One of two things typically happens when jobs get cut. Either less work gets done (productivity suffers) or the remaining people pick up the slack and security can often suffer either way. Pretty soon the same accountant is preparing and posting journal entries, or the same procurement person is setting up vendors and paying them. You get the idea. Permit the lines to blur too much and the risk of fraud and other exposures skyrockets.


Sometimes cutbacks are required. It’s often easier to believe the executives are heartless but in my experience it’s one of the most dreadful things they ever have to contend with. Almost without exception though, the company emerges healthier as a result. So it’s a necessary evil. That said, Mr./Ms./Mrs. CEO, it’s grossly irresponsible not to ensure that continuity of the control environment is baked into your plan. You don’t get a free pass on security gaps just because you had to make some tough calls in between vacations. Suck it up and do the right thing. And if your control environment stunk before your cutbacks then I’m definitely selling your stock now.


Policy and Culture (“Lead by example and make sure it’s a good one”) – The difference between leadership and merely being in charge is often all about the tone you set. Every CEO will say they insist on quality and excellence. But truly great leaders walk the walk and earn the respect of their people as a result. Even if they’re not always enjoyable to be around or work for at times, chances are you’d still rather be in the camp of a leader who leads by example. Because you know, even though they may delegate most of the heavy lifting, if push comes to shove they’ll grab a shovel and dig in alongside you if that’s what it takes for the group to succeed. To me that’s what policy and culture are really all about. Policy reinforces that tone set at the top and the culture of the organization flows both from and back into it. If the tone is flaky and insincere the policies will be useless and the culture will be listless and indifferent.


On the flipside, it’s simply impossible to have too much integrity. So set good examples for your people. Challenge them for the same. While mistakes cannot be overlooked, try first to embrace them as teachable moments before jumping to negative consequences. And reward your people handsomely when they succeed. Accept that rules are needed so insist on having good ones and insist they’re clearly understood and followed by all. With strong leadership, good morale, and a solid security posture blended into the background, the positive momentum shift is measurable. In a proactive environment like that people want to do the right thing on their own because they’re inspired. And the risks of the next “Snowden-gate” landing at that company’s doorstep are substantially reduced.


Need help getting started? Stuck on a problem? We’re here to help. We understand this stuff as well as anybody and our cutting edge products are literally redefining security, risk management, and compliance.

Remember driver education class when the instructor would sound like a broken record telling you to look over your shoulder to check the “blind spot” before changing lanes? Never mind the questionable wisdom of consciously looking in the opposite direction of travel. I could never wrap my head around the supposed reality that every car on the road had such an obvious safety flaw. Granted I’ve always been the inquisitive type but it just didn’t compute to me. Engineers are supposed to be smarter than that right? Why bother putting mirrors on at all if they don’t work?


Suffice it to say my instructor was not impressed. It was a terribly hot summer and he was stuck in a poorly ventilated, semi-trailer classroom conversion full of teenagers driving him crazy (pun intended) with inane questions. “What if we couldn’t see out the back window? What if we had a chronic neck injury?” On and on it went until our weary instructor played his trump card and squashed the automotive design debate for good. “Do you want to drive to school this fall or walk?” Despite the burning desire to prove him wrong, the taste of freedom that laid waiting on the other side of that driving test was too much to risk. So we relented. But I never forgot how silly the whole thing seemed then and how influential experiences like that were in fueling my passion to “figure things out”.


Fast forward to present day: Drivers ed has long faded from my rear view mirror and lo and behold we just purchased a new car with a “blind spot alerting system.” What’s this contrivance, you ask? Here’s how it works: There are sensors mounted around the vehicle that function like radar. If those sensors detect another vehicle positioned in the “blind spot,” a light will flash in the corresponding side mirror to alert the driver. Personally I convinced myself a long time ago that the blind spot was a myth. But since this will be our primary family vehicle, the more safety features the better I say.


As I was studying the owner’s manual on all this new technology it got me thinking about these new safety features in the context of a system of controls. In terms of the blind spot awareness sensor our stated risk is colliding with a vehicle in another lane. The mirrors provide a detective control to see other vehicles. Other drivers possibly provide a secondary detective control function (preventive from their perspective) if they honk at us (and we hear it) plus a compensating control if they can swerve out of our way.


But none of those are deemed reliable enough so some genius concocted the additional “preventive” control to look over our shoulder and check manually. While this may mitigate one collision risk, it creates a different, potentially much larger risk if the driver directly in front of us slams on their brakes while we’re busy looking backward. Furthermore, cars are built differently today. They’re bigger, faster, and while safer all around, go ahead and try to actually see anything out the back of an SUV with three rows of seats and oversized headrests. It’s practically impossible and certainly unreasonable to do justice to the task in the split second the average glance seems to last.


Hmmm...interesting. We have risks and multiple controls for those risks but those controls seem to have some weaknesses in common. For instance all are manual, none are reliable due to inconsistency & human error, and one could argue the residual risk (risk after controls) is nearly equal to the inherent risk (risk in absence of controls) in several plausible driving scenarios. Not good. How on earth have we ever managed to drive anyplace safely up to now? This is a marketer’s dream scenario. Magnified risks, diminished controls, and the straw man’s seed of impending crisis in an uncertain world firmly planted in our minds with a few images of our loved ones in a collision that thanks to modern technology is now totally preventable.


Enter our new friend the blind spot alerting system; the holy grail of the control universe, the all-seeing, all-knowing, all-powerful, automated control! We’re saved! That is until we read the fine print in the owner’s manual. Seems it only requires one short paragraph to describe how the feature should work but several more paragraphs with graphics and warnings to point out all the potential ways our fancy new automated control can fail. If the sensor is blocked or dirty it may not register other vehicles (false negative) or cause repeated false positives by alerting erroneously. Certain angles and other driving conditions may also trick the system, and so on. So now we have a new problem. How do we know if our automated control fails? Well we’ll certainly know if we change lanes and smack another car I guess. In information security this would be synonymous with a control failing “open” rather than failing “secure”. Not good.


So what do we do? As Bob Dylan said, “the answer my friends, is blowing in the wind.” Our trusty side mirror, relegated to hanging off the door as a mere ornament, may yet save us after all. Manual controls get a bad rap because they’re perceived as costly and labor intensive, which causes people to not perform them properly or consistently. When it comes to controls performance, inconsistency = unreliability, and that leads to control failures and audit findings. Otherwise there’s nothing inherently wrong with a manual control and in many cases (on a control by control basis) it’s often cheaper than an automated alternative. Case in point: The side mirrors came for free on our new car. Heck, they’re actually required by law. However the blind spot awareness system was an additional cost option.


So now we come full circle. We need our side mirrors because we can’t look over our shoulder but as a risk-based control our side mirrors are unreliable, right? That’s what they told us in driver’s ed but we never really established why. Let’s assume there was a way we could gain more confidence in our side mirrors as a primary key control. If we could implement a policy change that would improve the accuracy and completeness then we might be able to strengthen the control’s performance enough to sufficiently reduce the residual risk. Let’s call it control refinement or tailoring. If this new policy works we’d essentially have a new system of controls featuring complementary automated and manual controls that backstop each other in a way that always manages the risk.


So with that as our backdrop, please allow me to present the following graphic taken from a 2010 article in Car and Driver Magazine, entitled “How To: Adjust Your Mirrors to Avoid Blind Spots”. That’s right Mr. Driving Instructor, eat my dust.





This is proof that simple solutions are always the best. While I won’t suggest this is perfect for everybody, I will say I’ve used this method for years without fail. It’s worked for me on all sizes of vehicles and has saved me more than once.


Just for fun, in preparation for this article I took our new car out to test my theory that a properly adjusted mirror (tailored manual control) was actually just as reliable as the automated control.


Guess what? Not only was it equally good, it even outshone the blind spot system. While the automated control never missed, the mirror actually detected the approaching vehicle earlier every time. Multiple controls that are each reliable enough to be primary?? What a great problem to have!







So let’s recap: We had a stated risk and a control environment that was failing to adequately manage that risk reliably. Through a disciplined approach to remediation we were able to root-cause our inherent control deficiencies and find a new way to leverage existing resources toward a suitable solution. By re-tailoring our controls we were also able to rationalize away one of our manual controls (looking over the shoulder) that was costly in terms of risk and unbeneficial. So not only did we achieve control nirvana for no more than the cost of a policy change and a little awareness retraining, we actually reduced our manual controls by 50%! Plus, newly acquired technology allowed us to add an automated control to the mix that not only strengthens and reinforces our existing manual control environment, it also expands our risk coverage into lower likelihood (but high impact) scenarios such as a vehicle with no headlights in our blind spot at night.


And there you have it folks: Policy, risk, controls, and ultimately compliance all from the comfort of your driver’s seat. Have high speed stories of your own to share? I’d love to hear them!

Hello from baby central! If you detected radio silence from me lately it’s with good reason. We welcomed a little bundle of joy into the world recently and suffice it to say I’ve been busy at home! Nevertheless I’m back and eager to wrap up this conversation on policy management so we can move on to other exciting things on the horizon.

The backdrop for this series was a multi-part panel forum I participated in for OCEG and Compliance Week, led by the venerable Michael Rasmussen. We began with a look at the effect external business impacts can have on the enterprise policy management program. From there we moved from detecting changes to identifying cohesive impact assessment and policy change workflow processes necessary for a strong diligence program. Now we’ll tie it together with a look at the ongoing maintenance aspects of a robust policy management program, including monitoring and accountability.


Beginning with policy measurement and evaluation, it goes without saying that effective policy management requires periodic review. Conventional wisdom tells us policies should be reviewed as needed to stay current with changes in the business and otherwise annually at a minimum. Let’s explore why in more detail from the perspective of somebody who thinks it’s unnecessary busywork (like Morty K., the CEO of Morty’s International Widget Emporium, for instance). From Morty’s perspective the business is the same as it was last year. He still sells widgets, his tolerance for acceptable use hasn’t changed, and so on. But, like everybody else he needs to cut costs wherever he can. So he challenges the value of bothering his people to keep up appearances with some administrative review that increases his costs without a tangible return on the investment.


Okay so Morty’s thrown down the gauntlet. Now let’s respond. All other things being equal, those administrative gymnastics actually go a long way toward demonstrating diligence, and good diligence reduces exposure risk and compliance costs. Even if policies happen to be out of step with the business at any given time of examination, it’s hard to argue a company isn’t trying to be diligent if it can produce a consistent trail of reviews. Think of it as cheap insurance, for no more than the cost of a few hours per year. That doesn’t mean there won’t be findings around accuracy, but that’s a whole lot better than the absence of policies entirely, which is the de facto opinion of policies that are never reviewed. Plus there’s the intangible benefit of increased operational stability through raising cultural awareness and stakeholder participation. So, when it comes to the “burden” of annual reviews, to quote Nike, “just do it.”


In terms of active diligence and regular review cycles the following factors can influence whether policy revisions may be required:

  • Have changes to the business occurred which may affect this policy?
  • Are there regulatory/legal changes requiring a policy update?
  • Is an unacceptable number of exceptions being generated?
    • Could indicate issues with policy language, divergence from the business state, or training and awareness issues.
  • How many policy violations have occurred and why?


If the organization waits for problems to visit before policies are revisited, it will always lag behind the curve. This is an area where technology can be a force multiplier to ensure the train stays on the track and runs on time. Systems are great at performing repetitive tasks, like pestering policy owners (and managers) to do their reviews and capturing all of that in a verifiable system of record, year in and year out, over and over again. Anymore if a company is trying to do this by hand rather than leveraging a tool like Archer Policy Management, then they’re probably not doing it effectively at all. Instead they’re stumbling through some haphazard, analog process that will ultimately fail them when they need it the most; namely, crisis time.

The folly of a manual policy management program is further revealed in organizations with a disparate, document-centric approach. Static, dusty paper policy binders are relics of the past, not to mention boring and ineffective. Why not modernize with embedded multi-media awareness training and automated acknowledgement and acceptance features baked right into the same portal used to demonstrate that almighty diligence to the external auditors? People are engaged more effectively and disparate tracking is replaced with a single verifiable system of record.


Why is this important? Because without effective policy awareness what’s the point? Consistent publication and communication is the best way for the company to participate on an ongoing basis. Policies are conditions of employment. Employees must accept these terms and they can’t do that if they’re not aware. When that process is centralized and streamlined the company benefits multiple ways. First, the staff is kept up to speed as an integrated part of normal business so behavior is influenced more quickly and naturally. Second, capturing the acknowledgements reminds the staff they’re accountable plus provides good evidence of the overall process. Everything works in concert and the business gains confidence it can remain a step ahead of its risk.

So we’ve detected changes to the business, put those through a workflow to analyze the impact, adjusted policies to match new expectations, raised awareness, captured staff acknowledgements, and established useful metrics to measure and monitor the program. Overall our diligence picture is shaping up nicely. Let’s wrap up by covering one last item, the audit trail.


Policy archival and history is something that often gets overlooked, and that can bite an organization in a bad way. When policies must change or retire, it’s extremely important to preserve legacy versions for historical reporting purposes. Otherwise how can they demonstrate adaptation over time? Remember, corporate policies are the codified basis for business operations. So they’re almost always legally discoverable as evidence in addition to being a living history log of changes to the business. The more closely the policy history coincides with shifts in business, the tighter the diligence connections are made. It’s never a good idea to enable a plaintiff to define how the business operates. A robust and complete policy revision history that is producible on demand is a very powerful indicator of strong corporate governance. Failing to preserve and protect that is wasting an opportunity to improve compliance results and reduce organizational risk.


That brings us to the end of this series on policy change management. We’ve covered a lot of ground and I hope added clarity to the main aspects of a successful policy program. Managing enterprise policy in today’s global business climate of constant change can be a challenging story. I’d love to hear how Archer helps you tell it in your organization. Be sure to watch for several exciting announcements we have coming up including updates to the Unified Compliance Framework, enhanced PCI capabilities, and much more!

Greetings from the RSA Archer GRC nerve center! There are lots of exciting things happening which I’m eager to share with you as they unfold. In the meantime let’s continue our recap of the Compliance Week forum on organizational policy management that I participated in with Michael Rasmussen and OCEG.


We began our discussion in the first segment with an overview of regulatory change management and the importance of establishing and maintaining a strong diligence program to bolster compliance. To measure we must first detect; tracking internal and external change to the business plays a critical role in enabling an organization to remain nimble. The burden of regulation will only increase going forward. As we learned last time, the reality of climbing this steepening mountain has emerged as one of the key stated risks that trouble executive decision makers.


Keeping pace with change is only one aspect. What do we do about it? The legal and regulatory landscape shifting beneath our feet is one thing, but the business’ foundation itself changes as well. What happens when these intersect or better yet collide? How does this concert of change coalesce into an overall model of risk? Ultimately it comes back to the policies that define and drive how the business functions. Does your organization conduct a business impact analysis on significant changes impacting policy? When we asked this same question of our panel audience, 48% of organizations responded they did not. On the surface it’s troubling that nearly half of organizations surveyed do not formalize this process, but with the blistering pace of business, global economic volatility, and the constant swell of changes it’s an understandable struggle to stay ahead of the curve. The question is how long can an organization roll the dice before they eventually fall the wrong way?


For example, suppose Company XYZ operates in a heavily regulated sector but over the past few years has been diversifying into different industries and markets. Now the XYZ execs decide to acquire a specialty alloy parts manufacturer to support a new product they intend to bring to market. Although a pain, compliance was always something XYZ was able to keep under control. They have a couple of key stakeholders that do a good job of keeping watch and handling it, and the regulators seem happy enough.


Right there we have a problem brewing. There’s little transparency into the process of compliance and a big chunk of success is wrapped up in a handful of people doing things in a silo. So what happens when XYZ turns in this new direction and executes the acquisition? Along with the patents, goodwill, and receivables, Company XYZ just unknowingly inherited a ton of new environmental regulations to boot. Because the language of risk within XYZ is not well established, there is no common thread to weave impactful elements together throughout the organization and raise an alert when a gap is encountered. Does your organization have a defined taxonomy of risks and regulations mapped to key subject matter experts and stakeholders? If the answer is no, you’re not alone. 52% of respondents we polled didn’t have any kind of taxonomy or structured process either.


For fun let’s say hypothetically as this acquisition deal is wrapping up that the SEC conveniently announces new revisions to regulations that govern a separate XYZ venture which also happens to be their primary revenue stream. Although these changes had been on the horizon for some time, unfortunately XYZ’s pseudo-compliance team doesn’t have any kind of continuous governance program and was caught off guard. Now they’re completely bogged down trying to scramble an impact analysis and response. Any M&A questions drop by the wayside and the alloy business acquisition sails through without a second thought.


Does any of this sound familiar? It should. The saying “when it rains, it pours” comes to mind, not to mention Murphy and his laws. These things happen all the time. The ability to react and adapt can often mean the difference between sinking and swimming for a modern business. It’s not unusual for the mistake that becomes the undoing to have been made months or years ahead of time in a seemingly innocuous or unrelated endeavor. Companies that maintain sound operational policies are always in a stronger position to respond to change. What would happen to XYZ if they learned post-acquisition that their precious alloy manufacturer was positioned to run afoul of new EPA mandates? An enterprise program with policies and standards for risk-based acquisition analyses as a natural part of its embedded “system of compliance” would have exposed this risk before it could have an impact.


When the only constant is change, organizational leaders must accept that it very often won’t be on their terms. The best way to hedge against this unknown is to proactively prioritize policy and compliance as the institutional guardians of corporate diligence. Together with sound risk management practices, this becomes a powerful combination that yields value far beyond its cost. Organizations in very highly regulated industries have already learned painful lessons and are embracing this new approach. However any company of any size or industry can benefit from it. Impact on policy is impact on the business, plain and simple. Analyzing those impacts and their ramifications is nothing more than intelligence gathering for the executive decision makers. Establishing a common taxonomy of risk within the organization is the best and often only way to piece everything together in a way that makes sense.


How does this contrast with your own organization’s practices? What resonates best with your executive leaders? Are there potential regulatory threats looming on the horizon and if so what do you need to examine and adapt accordingly? I’d like to hear from you and if there’s a way we can help then let’s get connected and start working the problem. From there we can begin to establish consistency and accountability, something I’ll discuss further next time.

Hello everybody! We are very pleased to announce the next installment to the RSA Archer eGRC Content Library. First and foremost, some clarification on quarterly intervals: Previously the quarterly content updates were retroactive for the prior quarter (e.g. the Q4 update would go out in January). Originally this was to allow a full quarter's worth of development time at the end of the year, but could also be confusing and ended up being more trouble than it's worth. Beginning this year the quarterly update name will coincide with the quarter it falls in. As such, to get things aligned this Q1-2013 update is also the Q4-2012 update. Clear as mud, right? Not to worry, it will get better. The Q2 update will go out in April, the Q3 in September, and so on. Hopefully all will be right with the world after that.


Our focus this quarter was NIST SP 800-53, or more specifically 53A, officially titled as the Guide for Assessing Security Controls in Federal Information Systems and Organizations. For those of you unfamiliar with “53 Alpha” it’s essentially the specialized assessment component of the NIST Special Publication 800-53 set of security controls. It describes the testing and evaluation procedures for each 800-53 control and is used to identify and prioritize control selection for a given asset.


NIST SP 800-53 Revision 3 was already an authoritative source in Archer and we’re pleased to be able to offer the companion control assessment resource as a set of integrated Archer Control Procedures. These control procedures have also been cross-mapped to both Archer Control Standards and the SP 800-53 authoritative source. As such, a new version of the Control Standards library and the NIST 800-53 Authoritative Source are also included in this bundle. (Note: The authoritative source content itself has not changed. The purpose of re-releasing the authoritative source import is to slipstream the updated mappings to Archer Control Standards and the new mappings to the companion Archer Control Procedures.)


At this point you’re probably realizing that the direct relationship between Authoritative Sources and Control Procedures doesn’t exist today so how will the import work? The beauty of having such a flexible platform like Archer is that adding this new cross-reference is a breeze. The original 800-53A taxonomy also contains several other useful categorization elements to support filtering and classification activities. In order to accommodate this and enable these 800-53A control procedures to be fully functional in Archer, several new values list fields are being added to the Archer Control Procedures application. A future platform release will make these additions permanent. The good news is you don’t have to wait to take advantage. You can very easily add these additional fields manually today with minimal time and effort. The field specs can be found in either this quarter’s release notes or the import tip sheet.


Not ready to make changes to your Archer instance just yet? No worries, this 800-53A base control procedure content will still import into a default instance of Archer without these new supplemental field values. This will establish the control records and language but the advanced 53A taxonomy filtering and direct mapping back to the authoritative source won’t be enabled.


Here's a snapshot of this quarter's full bundle:


  • Authoritative Sources:
    • NIST SP 800-53 (mapping release only – same authoritative source content)
  • Control Standards:
    • 20+ updates and new standards
  • Control Procedures:
    • 656 new control procedures


Hopefully you will find this new content a useful addition to your eGRC library. I’m especially interested in how you’re able to use the 800-53A procedures to drive stronger ITGRC compliance in your organization, so please send me your feedback! The Release Notes are posted on the RSA Archer Exchange and content import packs are available through Customer Support.

Hello everybody! A slightly belated Happy New Year to you all. With 2012 barely behind us, 2013 is already shaping up to be a very busy and very exciting year for us as we race ahead with exciting product innovations and thought leadership. RSA recently sponsored a series of roundtable webcasts and I had the pleasure of participating as one of the panelists. Our moderator was Michael Rasmussen, noted GRC pundit and a member of the Leadership Council of OCEG, the Open Compliance Ethics Group. The focus of our discussions centered on the different stages of an organizational policy management program. Leading up to the discussions we helped to create a series of illustrations that were featured over several articles published in Compliance Week.


Over the next few posts I’ll recap these discussions and share some insights. One of the areas of focus was tracking changes that affect policies. Shifting regulatory landscapes, third-party relationships, business climate changes such as expanding into emerging markets or M&A, all serve to influence and impact organizational risk and policy. How do we detect and manage this swarm of change and measure the potential impact? What are the best ways to demonstrate diligence and manage risk? How do we ensure organizational policies remain aligned?


During the webcasts our audience was polled for how their organizations kept up with changes that could impact policy. This is one of the toughest challenges that companies face. Not only is the global regulatory environment a growing burden, but the ability to demonstrate consistent and timely diligence can itself be a burden. One of the most revealing statistics our audience reported was that over 80% of them used email and ad-hoc, fly-by-the-seat-of-the-pants approaches as their primary means of keeping pace. Perhaps that’s why Gartner reported regulatory uncertainty as the top risk identified in a recent global CEO study. So where do we begin to gain a solid foothold on the problem?


Whether it’s legal & regulatory influencers or changes in business direction, the first step is to establish clear ownership of the process. This role may live in the legal department or maybe it’s just thrown out to the business. Recognizing this as a core enterprise process is the first step, and then building a cross-functional team to own the methods the organization uses to keep track of regulatory changes is imperative.


Secondly, there are several commercial “watch dog” services available that can monitor and report on changes to regulations and a variety of other things. These services may also bundle legal opinions and advice with certain subscriptions which can be helpful for their customers to gauge the initial impact. But there are also a number of free options available too. In the US for instance, nearly every major government agency provides RSS feeds to report their activities, including notices and proposed rule changes. Aggregation sites like also provide consolidated RSS feeds for most of the federal register.


Whether using a commercial service, tapping into free resources, or both, receiving alerts is only half the battle. What do you do with the information? How organizations respond to these changes will determine whether they remain compliant and having the ability to document the impact is critical. The ability to filter down to the business critical items and put them through a consistent process of review, impact analysis, and action is the key. This can’t just be a thread of emails bouncing around the organization. It needs to be a defined process with a clear documentation trail to not only remain organized but also demonstrate proper diligence around the process. Next time we’ll explore the impact of internal changes and the elements of review workflow and response. Until then, all my best for 2013!



I'm fresh off the road from the 23rd annual Information Security Forum World Congress, held this year in Chicago! As many of you know already the ISF's Standard of Good Practice is a leading information security best practice framework that we're happy to feature as an authoritative source in Archer. The ISF is a member driven organization comprised of over 300 leading global companies including RSA. What you may not know about the ISF is they also host this fantastic annual event. Each year it's in a different city around the world and this year we were lucky to have it in the US, selfishly in my own time zone!


First and foremost, the keynotes this year were nothing short of awesome. Frank Abagnale gave an amazing account of his life and perhaps you'll see an upcoming blog about that too. But if you know anything about me by now you're undoubtedly aware of the soft spot I have for all things aerospace. So you can imagine how excited I was to see Gene Kranz, former NASA Flight Director give his amazing account of the early days of America's space program and the incredible story of Apollo 13. If you've ever seen Ron Howard's movie by the same name you'll remember Gene's character being portrayed by Ed Harris, complete with white vest and all.


Gene showed several pictures from that era as he illustrated key examples of the teamwork, leadership, and discipline the team demonstrated; and the goodwill from people around the world who pulled together to collectively will our astronauts back to safety. At one point he revealed a grainy picture of a simple procedure document which became one of the pivotal elements to crew survival. As if they didn't have enough to worry about, midway through their return in their battered spaceship, the crew encountered a major problem with their oxygen supply. Since their moonshot was scrubbed anyway, Mission Control had them utilize the Lunar Module as a temporary lifeboat to preserve the power needed for reentry to earth. As they solved one problem they unwittingly created another. All Apollo crews had three astronauts but only two landed on the moon. The third always remained behind in a lunar orbit to coordinate things when they reconnected. As such, the Lunar Module's life support system was designed to support two astronauts for a day and a half, not three astronauts for four days. This caused the CO2 levels to rise faster than the air filters could handle which posed a fatal risk to the crew. No problem, they'll just swap out a new filter from the other module, right? Nope. The filters were different shapes!


So the team on the ground quickly set about finding a workaround to solve the problem of literally fitting a square peg into a round hole. What resulted was a duct tape contraption that, to the uninitiated probably looked like a grade school science project. But as the air started flowing and the CO2 levels dropped I assure you at that moment it was likely one of the most beautiful devices the crew had ever seen.


So there I am, jaw on the floor, as Gene Kranz is telling this story and displaying the actual written procedures for how to build this device. Remember, Mission Control couldn't just beam this new filter up to space, or even send them a picture! The crew had to listen to instructions for how to assemble it, under enormous stress, fatigue, and oxygen deprivation. So those instructions had to be clear and concise. Gene called our attention to the upper right corner of the page where they had incremented versions as they refined the document, scratching out the old version number and writing in a new one. Working round-the-clock on no sleep, the team on the ground and the crew went from major crisis to workable solution in a matter of hours and still produced versioned documentation by hand!


In that environment, documented procedures are just part of the deal. The process doesn't work without them so keeping the documentation squared away is baked into the protocol. It's not "extra work" they'll do if they have time left over. It's a core requirement, even in emergencies...especially in emergencies. It kind of puts things in perspective where today we have wonderful tools like Archer to help automate all of that; and leaves little excuse for not having a solid policy management program except that like most things, it ultimately comes down to leadership. After the Apollo 1 fire that killed Gus Grissom, Ed White, and Roger Chaffee, Gene Kranz held a staff meeting to address the issue. In what would come to be known as the "Kranz Dictum," Gene very clearly stated that the Apollo 1 disaster was their fault. By prioritizing schedules and perceptions over solid solutions and procedures, they allowed themselves to be pressured into overlooking issues in the hopes it would work out rather than pushing back. In short, they didn't do their job. Gene issued an edict that from that point forward his Flight Control team would live and be defined by two words, "Tough" and "Competent." They would always be accountable, always be prepared, and would never again compromise their responsibilities.


Imagine if during the Apollo 13 mission the engineers on the ground just started hollering ideas for the crew to try, rather than methodically working the problem first? Or better yet, what if the higher order expectations set by Gene and others were not in place right from the beginning? Remember in the movie when Gene's character yells "We've never lost an American in space and we're sure not going to on my watch! Failure is not an option!" And later when responding to criticism that Apollo 13 would be regarded as a disaster for NASA, Gene's character challenged back to his boss (and everybody in earshot) his disagreement that it would instead be their "finest hour." Although creative liberties were taken with some of these exchanges for the sake of the screenplay, they were done to portray something difficult to articulate otherwise. The notion of failure not being an option was ingrained in everything they did. It was cultural, and still is.


Whether at NASA or anywhere, that kind of attitude and leadership truly makes a difference, especially against long odds. The integrity to take an unpopular stand because it's the right thing to do can dramatically inspire an organization towards excellence. Strong leadership calms fears and gives people focus and clarity in uncertain situations. In the case of Apollo 13, the refusal to waver or even entertain the notion of failure, and instead demanding and accepting nothing less than excellence meant the difference between life and death for astronauts Jim Lovell, Fred Haise, and Jack Swigert.


Fortunately the stakes aren't quite that high in our daily lives but the lessons are no less true. Company leaders have a responsibility to set clear direction and tone at the top to support effective policies and procedures as a matter of standard business practice. Frighteningly, many do not. Those who do rise and embrace that challenge and responsibility are much better positioned to ensure the next time their organization faces an incident, they too can look back on their preparedness and ability to manage through the crisis as one of their "finest hours".


Thank you Gene Kranz...for everything.
