Skip navigation
All Places > Products > RSA Archer Suite > Blog > Author: Antoine Damelincourt

RSA Archer Suite

4 Posts authored by: Antoine Damelincourt Employee

Let's talk about entropy. No, I'm serious, we have to talk about it. Entropy is the natural tendency for things to become less organized over time, a natural decay of order and planning that creates chaos and uncertainty. And it is a natural tendency. As the work piles up, the new tasks, the urgent tasks will replace the mundane and old tasks at the top of your conscious mind. They have not become less important, they just are a victim of entropy.


I fight against entropy all the time, we all do. We try to create order and structure through a calendar, a to do list, reminders… Anything can become a tool in the fight against entropy. And that does bring us to a new feature in Archer 6.6, the automated metrics update.


Metrics are a great tool to monitor data, whether is it performance, risk or control data. It can give you a quick snapshot of a situation, it can give you early warning if something is not quite right, it can be used for trending, it has a lot of uses. The issue is that what you get from your metrics program is what you put in. If your metrics are not updated on a regular basis then you won't get anything of value out of them. Entropy is fighting against you, who will remember to go in an update a key indicator when there are ten new tasks to perform?


That is why we leveraged the new rules based enrollment feature in Advanced Workflow to implement an automatic upgrade of key indicators. Based on the update frequency and the last update date, metrics that are past their due update date are now going to be automatically enrolled in a workflow. The metric users will receive a notification, and have a task created for them to update their outstanding metrics. It’s a simple one step process that will ensure the key indicators stay up to date.


The end result is that since metrics will be more reliably up to date, all the information you use them for, dashboard, reports, trends, alerts will also be more up to date and reliable. So will the metrics you decide to feature on a dashboard through the new featured metric feature. The insights you will get from them will be better and timelier. And your fight against entropy will be made easier since there will be no need to chase metrics owners down to get them to update their data.


Now, this is only one illustration of how the new rules based enrollment workflow feature can be used, I am impatient to see what you will actually use it for. What do you think will be the first workflow you build using this?

By now, you may have heard the good news – RSA Archer release 6.3 is now available! RSA Charge 2017 (Oct. 17-19, 2017 in Dallas, TX) is the ideal occasion for us to release our latest software with a bang.

RSA Archer release 6.3 includes two new use cases RSA Archer Data Governance and RSA Archer Privacy Program Management,  platform enhancements, and updates to Business Resiliency, Public Sector and Payment Card Industry (PCI) use casesLook for additional blog posts in the coming days and weeks for a deeper dive into this Release 6.3 functionality.


Use Case Enhancements

Regulatory and Corporate Compliance

Release 6.3 introduces two new use cases as part of the solution, RSA Archer Data Governance and RSA Archer Privacy Program Management. These new use cases will assist companies in managing the requirements set forth by applicable privacy regulations, including the GDPR regulation. PCI Management has also been updated to address the most recent PCI standard release, 3.2.

Business Resiliency

RSA Archer Business Resiliency use cases received a comprehensive upgrade to better help companies manage disruption and crises. Terminology and workflows have been realigned to better support the crisis management process and new out-of-the-box notifications and test plans will help with the velocity of the business continuity management process.

Public Sector

The Public Sector use case updates will improve customer efficiency as well as usability with ICS and SCADA controls. Specifically, the RSA Archer Assessment & Authorization (A&A) use case has improved usability through the use of advanced workflow. This will reduce the time and effort needed to assess information systems, maintain control documentation and manage remediation efforts.

Platform Enhancements

This release has several enhancements to the RSA Archer platform.  Some highlights include:


RSA Archer Administrators will now have access to a new dashboard that will provide insights into system health and activity. They will be able to report on system events such as data feed performance and user activity to improve troubleshooting, system maintenance and operations.


There are also several enhancements that aim to reduce the number of clicks necessary to perform tasks. For instance:

  • ‘Bulk Record Operations’, where a user can now select and update multiple records at once;
  • ‘Direct to Edit’ where a user can open a record in edit mode in one click; and
  • ‘ Save & Close’ where a user can save his work and go back to the previous screen in a single click.

From an appearance perspective, if you want to match your application to your own corporate branding and design, you will have a lot more options to play with and levers to push. RSA Archer 6.3 expands color configuration capability. Administrators can now configure the User Interface to match their corporate branding and design, as well as customize page and field border colors.  

This release contains other improvements as well so check out the release documentation to get the details.  As mentioned early, there will be new posts for a deeper dive into some of these items. Additionally, we invite you to join us for Free Friday Tech Huddles on 6.3 features - Please check back for details.

For more details, read the Press Release or visit the 6.3 Subspace on the RSA Archer community.

I was travelling to a user meeting last week and going through Logan airport in Boston, I saw very long lines at some Delta counters. This was on Wednesday, 3 full days after the IT system outage that grounded almost 500 flights on Sunday morning and they were still feeling the damages from that outage. Earlier this year, Southwest had to cancel 2300 flights after one router in one of its data centers failed, that’s thousands of grounded passengers for one incident. That’s a lot of angry customers, a lot of bad publicity and a huge operations burden to get back to normal.


I thought this was a good reminder to never consider risk in a vacuum, especially risk for your IT assets. A recurring conversation I have with customers is the separation of IT Risk, Security and Vulnerabilities Management from Enterprise GRC. You can argue that the processes are different, the technologies are different and the people using them are different, and you’d be right. An Operational Risk Manager and an IT Security Analyst do not do the same job, but, they pursue the same goal.


IT resources in an organization are there to support a business process and deliver a business outcome. A risk to an IT asset, say a router from an airline data center, is a risk that could derail the entire operations of the whole company for a whole day. I’d say that qualifies as a major risk. And yet, the only way you can assess the router’s risk correctly is by going beyond the IT resource itself and assessing the business process it supports, the criticality of the asset to the process and the criticality of the process to the operations. The router in itself is not critical; it’s a fairly simple IT asset, easy to replace, containing decent monitoring. It’s only critical because its failure would ground thousands of planes.


When considering recovery plans and controls you need to have plans and controls for the asset AND the affected processes. Otherwise it would be like slipping on a patch of ice and breaking your leg, then only working on removing the ice. You should probably get your leg fixed at some point. Context matters and downstream dependencies matter. How can you have a board level discussion when considering only the IT side? It won’t mean anything to the board that routers have a medium-high risk of failing. On the other hand, if you tell them that a router failure could result in 2300 grounded planes, it might be easier to get their attention.

With Glenn Frey’s passing last week, I was reminded of all the great songs he wrote for the Eagles. As I started going down a list of hits, something dawned on me, a lot of Eagles song can be used as recommendations for an efficient risk management program. Here are a few examples:


Take it to the limit: Risk management is all about knowing what level of risk is acceptable. Risk is a by-product of innovation and production. You need to have some risk in order to achieve goals. The key is to know what the limit is, what the acceptable risk is, your risk appetite and tolerance, and not go beyond.


You are not alone: If you are a risk manager, you are not the only person responsible for managing risk in your organization. In fact, you could argue that every employee has a responsibility to manage risk. This especially true when you look at the 3 lines of defense concept that outlines responsibilities for the 1st line of defense (Business Owners), the 2nd line of defense (Risk Managers) and the 3rd line of defense (internal auditors).


I can’t tell you why: But a Risk Manager should be able to. Whenever your company suffers a loss, you should be able to determine the underlying reasons for such a loss. Performing root cause analysis is crucial to avoid reproducing the same mistakes.


Life in the fast lane / The long run: There is a fundamental paradox with Risk management. It’s a reactive discipline that deals with emergencies and crisis as they arise but it’s also a long term program that relies on processes, planning, policies and tools to make dealing with the crisis easier. Solving that tension between the fast lane and the long run is not a small challenge.


Wasted time: Running a risk management program takes time. A Self-assessment campaign, where you need to get inputs from business owners throughout your organization is a big undertaking with a lot a low added value tasks. This process can be made easier and more time efficient by tools.


Lying eyes: I know the song is about kept women and cheating, but the idea that your eyes can not only betray you but also deceive you is relevant to risk management. Your eyes might be lying to you when assessing likelihood and impact of a risk. Expert opinion is valuable but so are hard data and analytics. Trust your eyes and your assessments, but back them up by cross-referencing losses, findings and Controls to root you assessment in reality.


Take it easy: Risk Management programs generate a lot of noise and traffic. There are events, new risks, failing controls, new findings on a weekly if not daily basis. It’s easy to get lost and feel overwhelmed without some kind of filter to sift through all the information and focus on what is relevant. Take it easy on the small stuff so that you can devote your resources to what is an actual threat.


Peaceful easy feeling: what you should ultimately feel, not that nothing wrong is going to happen, but being confident you have the processes and tools in place to deal with what will happen when it does.


Now, even if I tried really hard, I wouldn’t be able to explain how Hotel California relates to Risk Management, it has more of a Business Continuity Management feel to it I’d say.

Filter Blog

By date: By tag: