
RSA Archer Suite

34 posts authored by Patrick Potter

What is crisis management?

Crisis management is preparing for and handling larger and more complicated disruptive events from start to finish. Crisis management is aligned with business continuity and disaster recovery planning and execution, allowing organizations to respond holistically in crisis situations to protect and resume ongoing operations and infrastructure.

Why is effective crisis management important?

According to a 2018 Deloitte study of more than 500 crisis management executives, nearly 60 percent of respondents believe that organizations face more crises today than they did 10 years ago. Further, 80 percent of their organizations had to mobilize their crisis management teams at least once in the past two years. These are sobering statistics, and they lead to an obvious conclusion: crisis management shouldn't start with a crisis, because at that point it is probably already too late.

Effective crisis management entails preparing for the different types of crisis events that could plausibly occur, as well as adequately managing the event when it happens. Much goes into being ready for a crisis event; in fact, 99% of the work happens before a crisis event ever occurs. For example, organizations must identify what types of events could occur (natural and man-made disasters), what could go wrong, and which areas of the organization could be impacted. Crisis plans must be coordinated with recovery plans for the areas of the business or IT that could be disrupted. Testing must be performed to see how crisis and recovery plans stand up under different potential scenarios.

Crisis management is also important because most organizations have separate teams that manage their business continuity (BC), IT disaster recovery (DR) and crisis functions, yet all three need to work seamlessly together. Resiliency means "bend but don't break": it entails evolving into an organization that is naturally able to adapt to adverse conditions, make midcourse corrections and avoid the negative impacts of a disruption. When you consider the increasing challenges facing today's complex, global organizations, alignment between these separate groups becomes even more imperative for building resiliency across the business. Now more than ever, these teams must work closely together to help their organizations become more resilient and minimize the impact of any disruption on their reputation, finances, legal status, employees and customers.

RSA Archer Crisis Management

The RSA Archer Crisis Management use case addresses the problems outlined above through key features that include:

  • Workflow, notifications and reporting that are integrated across BC, IT DR and crisis teams so they can better manage crisis events from start to finish
  • Centralized contact and notification capabilities that can be used for communicating with key constituents before and during a crisis event
  • A lessons-learned assessment that helps these integrated teams evaluate where they can improve before the next event

With RSA Archer Crisis Management, you are able to:

  • Communicate more quickly and effectively, reducing lag time in assessing damage, determining safety of employees, and ascertaining status before, during and after the event
  • Reduce impacts of crisis events by being better prepared for them
  • Reduce downtime of critical business operations or IT systems disrupted by the crisis event by quickly activating BC/DR plans and better coordinating recovery
  • Better incorporate lessons learned from tests or real crisis events back into your plans and activities, which builds resiliency into the organization

RSA Archer Crisis Management is a critical element of Integrated Risk Management. As your company drives business growth with new initiatives, technology adoption or market expansion, it becomes even more susceptible to events that could disrupt your ongoing mission. Your crisis and resiliency programs must evolve and help manage risk with more agility and integration than ever before. Managing the negative impacts of crisis events is a key ingredient in reducing risk. RSA Archer can help your organization manage multiple dimensions of risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

For more information, visit RSA.com or read the Datasheet.

What is Incident Management?

Incident management is the tracking, treatment and resolution of incidents that are more common and operational in nature, ranging from cyber and physical security events to minor social media outbreaks and similar occurrences. Incident management includes capturing the details of the incident, assessing its criticality and executing the appropriate response procedures.

Why is effective incident handling important?

Many organizations have developed incident response processes, but they are often manual, ad hoc and dispersed, and incidents are managed using spreadsheets or homegrown solutions. As a result, there is usually no end-to-end process for handling them uniformly and effectively. An effective incident management process should prioritize incidents as they occur and let that priority drive a measured response. Incidents should be categorized, assigned to teams, tracked through to resolution, and followed by a post-event investigation where necessary. Additionally, reporting should be in place both for internal teams and to satisfy regulatory requirements to track fraud, cyber incidents, whistleblower reports and physical security threats, including those mandated by the Public Disclosure Act and the Sarbanes-Oxley Act.

Organizations are spending more time and resources than necessary to manage their incidents because they lack an effective process. More importantly, if not handled correctly or quickly, simple incidents can turn into crisis events that have the potential to interrupt business, cause serious harm to the organization's people and operations, hinder compliance, damage reputations and so on. Organizations of all sizes and scopes must have an incident management process that allows personnel to react quickly and effectively when events occur.


RSA Archer Incident Management

The RSA Archer Incident Management use case addresses the problems outlined above through key features that include:

  • Central repository for reporting all incidents and managing the entire incident lifecycle
  • Workflow and procedures to be implemented as incidents occur, categorized by incident type (denial of service, phishing attack, and more), team or other criteria
  • A fluid connection to crisis management teams and procedures for incidents that escalate into crises

With RSA Archer Incident Management, you will be able to:

  • Centralize all incident management into one tool, eliminating duplicative processes, tools, resources and costs
  • Control access to incident data to protect the integrity of confidential information
  • Link incidents to related findings and monitor related remediation efforts
  • Quickly view dashboards and reports to manage incidents and identify trends, similarities, and relationships

RSA Archer Incident Management is one element of Integrated Risk Management. As your company drives business growth with new initiatives, technology adoption or market expansion, new incident types could impact your organization, so you must evolve to manage them and their associated risk with more agility and integration than before. Managing incidents is one ingredient in reducing risk: acting quickly to control incidents before they become larger crises that could result in physical damage, financial loss, reputational damage or other negative impacts to the organization.

RSA Archer can help your organization manage multiple dimensions of risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.


For more information, visit RSA.com or read the Datasheet.

What are audit engagements and workpapers?

Audit engagements are the mechanism that internal audit teams use to scope, plan and execute their evaluations of risks and associated internal controls, and related areas of their organization. Audit workpapers are the means to document the results of their evaluations, or test work.

Why is the proper execution of audit engagements, including workpaper documentation, so important?

A significant challenge internal audit teams face managing their audit engagements is lack of risk-driven audit coverage, inconsistency and inefficiency. Many internal audit groups cannot focus more time on risk and compliance activities because they are too absorbed in administrative work. Further, audit procedures and engagements are often performed inconsistently, and audit teams spend countless hours inefficiently managing audit resources.

They also struggle to track the status of engagements and workpapers because their teams use multiple documents and systems. Teams cannot effectively reconcile their time and expense back to their audit plan nor report real-time updates to audit executives. They lack visibility into the status of findings generated during past audits. Audit reports are not easily updated with changes to audit findings, remediation plans and workpapers, and there are constant fire drills getting information to external auditors.

RSA Archer Audit Engagements & Workpapers

The RSA Archer Audit Engagements & Workpapers use case addresses the problems outlined above through key features that include:

  • Audit universe tracking with automatic updates on time and expense from audit engagements
  • Best practices and industry standards built into the workflows for audit engagement and workpaper documentation, review and approval
  • Centralized Audit Program Library and workpaper repository
  • Audit report and planning memo templates
  • Audit findings and remediation plan management with review comments capabilities through the RSA Archer Issues Management use case (see Data Sheet)
  • Offline audit engagement capabilities

With RSA Archer Audit Engagements & Workpapers, you will be able to:

  • Ensure audit engagements and workpapers are performed consistently and per prevailing standards
  • Reduce external auditor time and requests by allowing them to self-serve the information they need
  • Easily generate audit reports with up-to-date detail and findings
  • Free up time to place more focus on risk-based auditing and strategic projects
  • Provide management and the Board with the information they need more readily

Often, internal audit teams cannot focus on helping the business evaluate new risks and opportunities because they are spending too much time performing administrative and duplicative tasks. The RSA Archer Audit Engagements & Workpapers use case helps transform the efficiency of the audit department, complete better-scoped audits more efficiently, and decrease audit expenses. The use case is also integrated with other RSA Archer risk and compliance use cases, enabling your organization to move toward Integrated Risk Management (IRM). As your company drives business growth with new initiatives, technology adoption or market expansion, your overall governance, risk and compliance (GRC) or IRM program must evolve, innovate and manage risk with more agility and integration than before. Managing the audits performed by internal audit (the third line of defense), alongside the risk management and compliance testing performed by second-line groups and the control self-assessments performed by management, is one ingredient in becoming more integrated, efficient and effective across all three lines of defense.

RSA Archer can help your organization manage multiple dimensions of compliance and risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

For more information, visit RSA.com or read the Audit Engagements & Workpapers Datasheet.

What is audit planning?

Audit planning is the practice by which internal audit functions assess the risk across their audit universe and determine the audit engagements they need to perform in the months and quarters ahead. They plan their audits based on risk and compliance gaps, the strategic objectives of the organization, important topics and other priorities.

What is audit quality measurement?

Audit quality measurement is the execution of quality surveys to monitor the effectiveness and comprehensiveness of audit processes. These surveys provide key insight into how well the audit function is meeting the business' needs and working with business and IT management during an audit.

Why is audit planning and quality important?

According to PwC's 2018 State of the Internal Audit Profession Study, a survey of more than 2,500 audit executives, 82% of innovative audit functions collaborate with other lines of defense to align the use and function of their technology tools, versus 45% of non-innovative audit functions. Internal audit's main challenge is not getting access to broad, dynamic enterprise risk and control information and analysis; it is actually using that information for agile audit planning. Instead, many audit teams rely only on their point-in-time risk assessments to drive audit work. This prevents internal audit from adjusting its audit plans to rapidly changing risks and business concerns.

With decentralized audit plan and risk assessment documentation captured in multiple tools and systems that are difficult to integrate, there is no easy, fluid way to manage audit plans, let alone coordinate objectives with risk and compliance groups. Internal audit is also under pressure from audit committees and management to improve its processes, yet its quality control procedures are sporadic, inconsistent and difficult to follow up on.


RSA Archer Audit Planning & Quality

The RSA Archer Audit Planning & Quality use case addresses the problems outlined above through key features that include:

  • Complete workflow to create and assess audit entities, perform risk assessments, and create and manage audit plans
  • Workflow to schedule audits and tie forecast and actual expense and time between audit engagements and the audit plan
  • Centralized location for storing and managing audit plans, audit entities, and assessment results
  • Audit quality assurance and review questionnaire workflows


With RSA Archer Audit Planning & Quality, you will be able to:

  • Execute a more dynamic, risk-driven audit plan that is easily adjusted to match the organization’s priorities and focuses on the most important risks
  • Easily provide Board-level reporting that keeps the audit committee well-informed of the status of audit plans, risks and critical findings
  • Demonstrate the strategic value of internal audit and more efficient use of audit resources
  • Reduce external auditor fees by providing self-access to information they need


RSA Archer Audit Planning & Quality enables internal audit teams to define their audit universe, assess risks and plan audit engagements that better address risk, and manage their audit staff and audit schedule. RSA Archer Audit Planning & Quality is a critical element of Integrated Risk Management (IRM). Since RSA Archer Audit Planning & Quality integrates management risk and control information, internal audit can ensure their audit objectives are aligned with IRM teams and play their essential role as the third line of defense. As your company drives business growth with new initiatives, technology adoption or market expansion, your internal audit function can evolve and react to risk with more agility and integration than ever before.


RSA Archer can help your organization manage multiple dimensions of risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.


For more information, visit RSA.com or read the Datasheet.

What is Business Continuity & IT Disaster Recovery Planning?

Business continuity (BC) and IT disaster recovery (DR) planning is defined as the development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise.


Why is Business Continuity & IT Disaster Recovery Planning important?

In today’s world, 24/7 service delivery requirements are putting greater pressure on business and IT resource availability, making it even more important to have effective recovery plans. Interruptions ranging from isolated infrastructure failures to natural disasters have the potential to cause serious harm to the organization’s finances and reputation. Unfortunately, recovery efforts are often chaotic, ad hoc and uncoordinated due to little or non-existent planning efforts and business recovery and IT disaster recovery teams working in silos.

Your continuity and recovery teams live in a world of regulatory saturation, with dozens of regulations, methodologies, maturity models, guidelines and laws. These authoritative sources affect how you implement and manage your business continuity programs. The demands from regulators for strengthened programs have increased, while the number and type of catastrophic man-made and natural disasters are on the rise, resulting in regulatory fines and penalties due to the inability to comply during a disruption.

Another challenge affecting the ability of companies to recover after a disruption is that recovery plans are kept in multiple, inadequate tools that do not give management the visibility to quickly answer questions such as which business processes or IT infrastructure are missing recovery plans, or which plans have not been tested. Further, many IT disaster recovery teams work from an understanding of what is critical or most important to recover that differs from that of the business continuity teams. This results in an inability to align on, and recover, the critical business processes and supporting IT infrastructure needed to deliver products and services according to recovery objectives.

RSA Archer Business Continuity & IT Disaster Recovery Planning

The RSA Archer Business Continuity & IT Disaster Recovery Planning use case addresses the problems outlined above through key features that include:

  • Centralized location, templates, workflow, review and approval processes for developing standardized business continuity and IT disaster recovery plans that are built around best practices and industry standards
  • Project management capabilities to help drive the entire lifecycle of continuity planning, from plan development, to testing, to continuous improvement
  • Dashboards and reports that provide visibility into the current state of the organization’s plans status, review dates, test results and remediation status
  • Workflows and reporting that enable coordination between business continuity, IT DR and crisis teams

With RSA Archer Business Continuity & IT Disaster Recovery Planning, you will be able to:

  • Improve your response to disruptions, reducing the impact on revenue, brand and customer loyalty, and on the availability of products and services for customers, employees and third parties
  • Implement a consistent and coordinated planning process and methodology for business and IT supported through one central tool
  • Increase trust by senior management, the board, regulators and employees with higher-quality, tested recovery plans
  • Ensure plans are aligned with the organization’s priorities and include the most critical processes and company assets
  • Coordinate information, priorities and objectives among business continuity, IT disaster recovery and crisis teams, and responders, enabling better focus on the right priorities in the event of a disaster

RSA Archer Business Continuity & IT Disaster Recovery Planning is one element of Integrated Risk Management. This use case provides a coordinated, consistent and automated approach to business continuity and IT disaster recovery planning and execution, allowing you to respond swiftly in crisis situations to protect your ongoing operations. As your company drives business growth with new initiatives, technology adoption or market expansion, your program must evolve and manage risk with more agility and integration than before. Managing recovery planning is one ingredient in building resiliency across the organization and reducing risk.

RSA Archer can help your organization manage multiple dimensions of risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.


For more information, visit RSA.com or read the Datasheet.

According to Oxford Metrica, during the next five years, over 80% of companies will face a crisis that negatively impacts their share price by 20% to 30%. Business disruptions from events such as cyber threats, natural disasters or third-party interruptions have the potential to cause serious harm to the organization's operations, finances and reputation. In today's increasingly digital world, 24/7 service delivery requirements are putting greater pressure on business and IT resource availability, making it even more important to have effective continuity plans.

Business continuity, IT disaster recovery and crisis management teams are facing mounting challenges: trying to build resilience in increasingly complex businesses, dealing with more diverse and frequent disruptions, and living in a world with a growing number of regulations, methodologies, maturity models, guidelines and laws that affect their resiliency program requirements. Driving recovery and resiliency in today's organizations isn't getting easier.

Too often, approaches to continuity and recovery in today's organizations are overly complex and not built on a solid foundation. Manual processes, information silos, separate teams with conflicting priorities, and a lack of ownership only complicate things further.

Join me on November 15 for a webinar to discuss these and other challenges, as well as focus on the basic building blocks of a solid business continuity program.

You can register here (Event Registration) and take the first step to ignite your business resiliency program!

What is Business Impact Analysis?

The Business Impact Analysis (BIA) is a very well-known step in the Business Continuity Management (BCM) lifecycle used to identify and evaluate the criticality of the organization’s business processes and supporting IT infrastructure. This criticality in turn drives such areas as recovery planning and strategies, incident prioritization, and plans and resources to develop better resiliency across the organization.

The Business Impact Analysis process can also provide valuable information for other risk and compliance processes. While the focus of the BIA is typically to determine availability requirements, business process owners and those providing input to the BIA can also identify compliance, risk, security or other requirements. These additional perspectives can be valuable input for prioritizing issues, determining compliance or control requirements, or assessing business risk.

Why is assessing business impact important?

Investors, customers, regulators and boards of directors are becoming more interested in management's capability not only to recover quickly, but to continue operations through any disruption. However, organizations that fail do so because they have not adequately assessed the criticality of their business processes and planned accordingly.

One major challenge to management is keeping track of the constantly changing landscape of business processes and their supporting infrastructure, such as their connection to IT systems, third parties, locations and critical information.

Another challenge is making sure current BIAs have been performed for all business processes so that management can understand their criticality to the business. The issues for most companies today are:

  • BIAs are not completed often enough or consistently
  • BIAs are completed in separate systems and spreadsheets
  • BIAs are performed differently throughout the organization
  • IT and the business complete separate BIAs

Now more than ever, business process managers and BCM teams must work together to perform BIAs to understand the strategic, financial, reputation and other key impacts of a disruption.


RSA Archer Business Impact Analysis

The RSA Archer BIA use case addresses the problems outlined above through key features that include:

  • A Business Process catalog that tracks processes and their relationship to supporting infrastructure, such as IT systems, third parties, locations and critical information
  • A pre-configured BIA that follows standards and best practices and includes workflow, notifications and reference data that BCM teams can use to determine the criticality of all business processes
  • Dashboards and reports that enable each user to see and respond to the information they rely on

With the RSA Archer BIA use case, you will be able to:

  • Maintain one consolidated system of record for all BIAs
  • Implement a single, best practice and standards-driven approach to completing BIAs with workflow, notifications, review and approval processes
  • Quickly access reporting that shows key metrics and reports so BCM teams, Business Unit managers and business process managers can manage their BIAs

The RSA Archer Business Impact Analysis use case is a critical element of Integrated Risk Management. As your company drives business growth with new initiatives, technology adoption or market expansion, your BCM program must evolve and manage risk with more agility and integration than before. Managing the recovery and resiliency of what is most important within the organization is one required ingredient of effective integrated risk management. The BIA helps establish the business context and prioritization, which are fundamental elements of managing risk.

RSA Archer can help your organization manage multiple dimensions of risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

For more information, visit RSA.com or read the Datasheet.

What is issues management?

Issues Management is the process an organization follows to treat issues, gaps or findings, as well as the related remediation plans or exception requests, that are generated by multiple groups such as audit, risk and compliance. Issues Management is one of the most fundamental processes for Integrated Risk Management. Control gaps, findings from risk assessments, testing failures from compliance, security and other types of audits, and any issue identified within the business that could lead to an operational error or failure are indicators of risk. Issues Management is the process by which those items are cataloged, reported and tracked from identification to resolution, or to acceptance by the business as a known risk or gap.

Why is the proper management of issues and remediation plans so important?

Organizations of all sizes and scopes have issues generated from internal or external audits, regulatory reviews, vendor assessments or other sources. These issues usually have related remediation plans that their owners have committed to. However, in our experience neither issues nor remediation plans are managed as well as they should be. They are usually tracked in scattered documents or siloed systems, there is no effective way to follow up with the owners, and there is no consolidated reporting or visibility for executives into overall status. Sometimes management needs to push back on an issue, and there is typically no exception request process for doing so. Finally, some issues are symptoms of bigger problems, and without a way to look at them through a more strategic lens, the bigger problem may never be properly addressed.

This causes three major concerns. First, there is the additional cost and effort that comes from this duplicative and inefficient way of handling issues, which ties up multiple teams with tracking, following up, consolidating the issues and reporting. Second, and more importantly, most of these issues do not get properly addressed because the remediation plans are not tracked or implemented on time, if ever. This is a major reason auditors identify repeat findings. What is even more concerning is that some of these repeat findings are very critical, and result in financial losses, regulatory fines or sanctions, fraud, reputation impairment or other risks that could have been avoided. Finally, in this day of risk management, most organizations have no way to relate issues to their measurement of risk and determine whether their remediation plans actually reduce risk.

RSA Archer Issues Management

RSA Archer offers the Issues Management use case which addresses the heart of the problems outlined above. The key features include:

  • Pre-defined workflows, reporting, user roles and notifications, which enable immediate best practices in managing the entire lifecycle of your issues, remediation plan and exception requests
  • A repository to establish your corporate hierarchy (business unit, division) and business and related IT infrastructure (contacts, business process, IT applications, locations, information assets), with connections between issues and your risk register
  • A consolidated and coordinated repository of issues and remediation plans from all sources, including risk, compliance, audits and management assessments

 With RSA Archer Issues Management, you can:

  • Immediately implement best practices in managing the entire lifecycle of your issues, remediation plans and exception requests, including measuring real reductions in risk
  • Establish your business context and relate findings, remediation plans and exception requests to the right targets and owners.  This is fundamental and sets the foundation for your governance, risk and compliance (GRC) program and establishes ownership over issues and remediation plans
  • Consolidate and coordinate issues and related remediation plans or exception requests from all sources and identify redundancies, reducing time, frustration and expense
  • Reduce repeat findings, time to resolve issues and implement remediation plans and reduce overall risk

As long as audits, regulatory reviews, self-assessments by business areas or assessments by others are performed, management, GRC teams and internal auditors will continue to raise issues and require remediation plans. However, the days of managing them ineffectively or in silos must be put in the past, as business growth depends on better and more integrated ways of handling issues and the related risk.

RSA Archer Issues Management is one element of Integrated Risk Management. As your company drives business growth with new initiatives, technology adoption or market expansion, your risk management program must evolve and manage risk with more agility and integration than before. Managing issues and remediation plans effectively is one ingredient to showing real progress and improvement and decreasing business risk. The use case is also integrated with other RSA Archer risk and compliance use cases enabling your organization to move toward Integrated Risk Management (IRM).

 

RSA Archer can help your organization manage your issues, remediation plans, exception requests and multiple dimensions of risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

I recently attended the Disaster Recovery Journal (DRJ) Fall World 2018 conference in Phoenix, Arizona.  The conference was chock full of helpful discussions about business continuity management (BCM), but another consistent theme this year was risk management.  RSA is the market leader in risk management solutions and we had a strong presence with dozens of interested visitors at our booth. I was also interviewed at the conference and asked by the host what RSA does. I explained our mission and emphasized that we try to help our customers understand two very important concepts as they implement and mature their resiliency and risk capabilities: Business Driven Security and Integrated Risk Management (IRM).

 

First, I explained that Business Driven Security is so critical because cyber risks and threats are no longer only an IT problem.  They are a business problem and a challenge to building a resilient business.  However, a "gap of grief", or lack of mutual understanding between IT and the business, gets in the way of the business' ability to prioritize risks and threats and take appropriate actions.  In fact, this gap can exist within IT as well, as IT risk, recovery and security groups may not be working well together either.

 

Next, I explained that IRM is the integration, operationally and strategically, between risk, compliance, BCM, audit and other groups striving to manage risk and compliance.  These groups are often siloed and use different tools and approaches, and because of that separation they cannot combine or communicate risk and compliance status holistically enough for executives to understand it or make decisions on it.

 

These two themes resonate with our customers and give them guiding principles upon which to build their risk programs.  However, the principles are not just important to risk management.  They are also fundamental to developing resilient organizations that can stand up to the increasing onslaught of disruptions impacting today's enterprises.  These principles help resiliency programs with similar challenges of bridging business and IT recovery, better managing risks, and communicating the right priorities up the chain.  Resiliency activities and goals are a critical part of IRM and can become a competitive advantage for organizations that strive to mature. 

 

Global businesses with an online presence know that customers from any part of the world can opt in for their services and provide their personal information. As good for business and innocuous as this may seem, it opens these businesses up to regulation, the most visible right now being the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. GDPR applies to any business, whether based in the European Union (EU) or not, that processes the personal data of EU residents.  While GDPR may seem like "old news", the regulation provides an opening to talk about how your company's resiliency efforts are affected by privacy requirements.

 

To comply with GDPR, organizations have to review their approach to data and privacy management and evaluate how they control personal data within their business continuity (BC), IT disaster recovery (ITDR), crisis management and resilience planning systems and processes. Because GDPR's security obligations (Article 32) apply to backup and DR systems and practices as well as to production systems, the key requirements include:

 

  • the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

 

Recovery planning has long been subject to Data Protection legislation, but the wider remit within GDPR is something organizations will need to look at to ensure they can comply with the new rules. The following are a few areas and examples:

 

  • Data privacy has often been the responsibility of the Compliance or Legal group. However, where a Data Protection Officer (DPO) is appointed, there must be proper alignment between the DPO and the BC/DR programs so that they look at GDPR compliance holistically and coordinate their efforts accordingly
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) take on greater importance and have to be closely aligned internally, between business process recovery and IT system recovery: a process cannot be recovered faster, or with less data loss, than the systems it depends on
  • If your DR provider is non-compliant with GDPR it can render you non-compliant, so RTO and RPO between your organization and the DR provider also have to be aligned. Questions need to include: where is the customer data held? Will customer data be accessible and available according to the RTOs? Does your DR provider perform regular testing and evaluation to demonstrate it can achieve the RTOs and RPOs?
  • A personal data breach that is likely to result in a risk to individuals must be notified by the data controller to the supervisory authority within 72 hours of becoming aware of it (and, where the risk is high, communicated to the affected individuals), and it may also require a crisis management response. Therefore, IT risk and security processes must align with crisis response and management.
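The alignment rules in the list above can be checked mechanically once RTO/RPO figures and DR provider commitments are recorded against each business process and system. The following is an added example, not code from RSA Archer or from the original post; the data model, the policy rules (a process must not require faster recovery than any system it depends on, a system must not claim faster recovery than its DR provider commits to and has tested, and replicated data must sit only in permitted locations), the sample processes, systems and providers, and the permitted-location set are all constructed here to illustrate the checks. The 72-hour figure is GDPR Article 33(1); the clock it starts from is the moment of awareness, which is why the deadline helper insists on a timezone-aware timestamp.

```python
"""Check RTO/RPO alignment across business processes, the IT systems they
depend on and those systems' DR providers, and compute the GDPR Art. 33
breach notification deadline.  Hypothetical data model and policy,
constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class DRProvider:
    name: str
    rto_hours: float                  # contractual recovery time objective
    rpo_hours: float                  # contractual recovery point objective
    data_locations: Tuple[str, ...]   # country codes where replicas are held
    last_test_passed: bool            # provider has a recent passing DR test


@dataclass
class ITSystem:
    name: str
    rto_hours: float                  # what IT says it can recover in
    rpo_hours: float                  # how much data IT says it may lose
    provider: Optional[DRProvider] = None   # None: recovered in-house


@dataclass
class BusinessProcess:
    name: str
    rto_hours: float                  # outage the business can tolerate
    rpo_hours: float                  # data loss the business can tolerate
    systems: List[ITSystem] = field(default_factory=list)


def find_alignment_gaps(processes, permitted_locations):
    """Return (kind, message) tuples for every misalignment; [] means aligned.

    Rules (hypothetical policy for this example):
      * system RTO/RPO must be <= the RTO/RPO of every process using it;
      * provider RTO/RPO must be <= the RTO/RPO of the system it backs;
      * the provider must have a passing recent test and must hold the
        data only in permitted locations.
    """
    gaps = []
    for proc in processes:
        for system in proc.systems:
            if system.rto_hours > proc.rto_hours:
                gaps.append(("RTO", f"{proc.name} needs {proc.rto_hours}h but "
                                    f"{system.name} recovers in {system.rto_hours}h"))
            if system.rpo_hours > proc.rpo_hours:
                gaps.append(("RPO", f"{proc.name} tolerates {proc.rpo_hours}h of loss "
                                    f"but {system.name} may lose {system.rpo_hours}h"))
            prov = system.provider
            if prov is None:
                continue
            if prov.rto_hours > system.rto_hours:
                gaps.append(("RTO", f"{system.name} claims {system.rto_hours}h but "
                                    f"provider {prov.name} commits to {prov.rto_hours}h"))
            if prov.rpo_hours > system.rpo_hours:
                gaps.append(("RPO", f"{system.name} claims {system.rpo_hours}h but "
                                    f"provider {prov.name} commits to {prov.rpo_hours}h"))
            if not prov.last_test_passed:
                gaps.append(("TEST", f"{prov.name} has no passing recent DR test for {system.name}"))
            for loc in prov.data_locations:
                if loc not in permitted_locations:
                    gaps.append(("LOCATION", f"{prov.name} holds {system.name} data in {loc}"))
    return gaps


NOTIFICATION_WINDOW = timedelta(hours=72)   # GDPR Art. 33(1)


def notification_deadline(aware_at: datetime) -> datetime:
    """Latest time to notify the supervisory authority, from awareness."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; the clock is legal, not local")
    return aware_at + NOTIFICATION_WINDOW


def hours_remaining(aware_at: datetime, now: datetime) -> float:
    """Hours left before the deadline (negative once it has passed)."""
    return (notification_deadline(aware_at) - now).total_seconds() / 3600


# Constructed sample data: one well-aligned chain and one broken chain.
PERMITTED = {"DE", "FR", "IE", "NL"}
PROVIDER_OK = DRProvider("EU-DR-Co", 2, 0.25, ("DE", "IE"), True)
PROVIDER_WEAK = DRProvider("OffshoreDR", 8, 4, ("IE", "XX"), False)
CARD_GATEWAY = ITSystem("card-gateway", 2, 0.5, PROVIDER_OK)
LEDGER = ITSystem("ledger", 6, 1, PROVIDER_WEAK)
CRM = ITSystem("crm", 24, 4)                       # in-house recovery
PROCESSES = [
    BusinessProcess("card-payments", 4, 1, [CARD_GATEWAY, LEDGER]),
    BusinessProcess("customer-support", 24, 8, [CRM]),
]

if __name__ == "__main__":
    for kind, msg in find_alignment_gaps(PROCESSES, PERMITTED):
        print(f"[{kind}] {msg}")
    aware = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    print("notify by", notification_deadline(aware).isoformat())
```

Run against the constructed data, the card-payments process surfaces five gaps, all on the ledger chain: the ledger's 6h RTO exceeds the 4h the business needs, its provider commits to only 8h/4h against the 6h/1h the system claims, has no passing test, and holds a replica outside the permitted locations. Those are exactly the questions the list above says to put to a DR provider, and recording the answers in one place is what lets the check be rerun after every contract change or test.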

 

In summary, the disparate parts of the organization that manage data privacy management and business resiliency, internally and externally, must better coordinate their efforts to enable compliance with GDPR.

Summer – it’s finally here! (well, at least in the northern hemisphere) It’s warmer, people are going outside, planning vacations, having barbeques, and taking it easy. As much as we here at RSA Archer believe in taking some well-deserved summer vacation, we’re also hard at work planning the RSA Archer Summit, taking place in Nashville, Tennessee, from August 15 – 17. If you haven’t registered, here’s the link – don’t miss this great, RSA Archer-focused event!

 

If you have a role at any level in: integrated risk management (IRM), internal audit, business continuity, third party governance, IT security risk management, compliance or any other related function, you’ll want to attend the Summit, where you’ll learn about using RSA Archer to: 

 

  • Improve compliance testing across diverse functional teams through an enterprise-wide, consolidated quality control program
  • Create greater efficiencies for compliance teams and improve executive oversight
  • Move from a compliance mindset to a culture of risk management through continuous risk management
  • Avoid key cultural and communication pitfalls in implementing IRM
  • Help Internal Audit become an early adopter of IRM
  • Support business compliance and risk management goals and activities
  • Enable an agile approach to implement IRM while providing business value and remaining lean and fast
  • Adapt and mature your cyber security program

 

As you can see, there’s something for everyone – from compliance to risk management; from business to IT; and for each of the three lines of defense. Everyone can benefit from attending the Summit.

 

Another great aspect of the Summit is that most of the speakers are RSA Archer customers, and there is an all-star lineup again this year from almost every industry you can imagine. If all this hasn't piqued your interest, then check out the working groups you can sign up for in the areas of:

 

  • IT and Security Risk Management
  • Regulatory and Corporate Compliance
  • Archer System Administration
  • Digital Risk Management
  • Integrated Risk Management
  • RSA Archer User Experience
  • Quantifying Cyber Risk

 

Finally, if you’re mainly coming for the networking, that’s ok because you’ll have plenty of time to get to know your peers, and the events each night are awesome!

 

Hey, it’s Summer – time to party! I hope to see you at the RSA Archer Summit!

If you read Steve Schlarman’s blog from last week (RSA Archer Summit 2018 - Call For Speakers Now Open), you now know a few important facts.  First, RSA Archer Summit is August 15-17 in Nashville this year, and it’s dedicated entirely to Archer customers!  Second, the Summit revolves around our customers, and most of the sessions are presented by our customers, which makes the content fantastic.  And third, it’s time to get your session ideas submitted through our Call For Speakers process - that’s right, we want you to speak at Summit!  The process is simple:

  1. Download the form
  2. Fill out the form completely.
  3. Send the form to: RSAArcherSummit2018@rsa.com. Include “Speaker Submission” in the subject line.

 

When you submit a topic to speak at Summit you’re definitely not alone! We will work with you to make sure the presentation topics you submit will add value, and once a topic is selected we work with you on your presentation to help you be successful.  Being a speaker at Summit is like presenting to your friends, because Archer customers at all levels of maturity are looking for new connections and good ideas on how Archer can be used.  We want this to be an excellent experience for you, and in turn make the Summit an awesome event, so we work with you along the entire way.

 

What makes the RSA Archer Summit such a valuable experience are the relationships you build while you’re there.  Relationships with other Archer customers and users; with RSA employees that sell, support and develop Archer for the future; and with our partners, professional services, consultants and more.  When you present a session at the Summit you’re much more visible and definitely have the opportunity to connect with even more contacts there.

 

This Summit marks our 15th anniversary.  You’ll meet a few folks that have been to each Summit (or Charge), more that have attended a few events, and even more who are new to Summit.  Whether this marks your 15th or 1st Summit, we want to hear from you!  So, submit your presentation ideas via the instructions above and we look forward to seeing you at Summit!

 

MARK YOUR CALENDARS: The Call for Speakers ENDS FEBRUARY 28, 2018.  

The theme of the latest RSA Archer 6.3 release is “Privacy, Resiliency and Flexibility”.  I can’t think of three better words to describe some of the biggest challenges organizations of all size and shape face today. In this blog I’ll focus on Resiliency.

 

Resiliency is the ability to quickly bounce back from a crisis, large or small.  Bouncing back implies two aspects: one, not completely breaking upon impact; and two, having the mechanism to quickly recover and resume activity.  Resiliency may entail heroic efforts, but what is more important are the plans, processes and practices that enable organizations to be prepared to quickly bounce back when a crisis hits.

 

One barrier to building resiliency is lack of coordination.  In any organization there are silos: separate departments, processes, systems and information.  Even within a Business Resiliency program there are silos, such as separate teams that handle daily incidents, perform business continuity and IT disaster recovery, and manage crisis events.  This separateness impedes coordination, reduces the ability of the organization to be resilient and forces it to rely on the heroic efforts I mentioned.  Effective coordination is especially crucial in dealing with incidents and crisis events.

 

Incidents are the day-to-day occurrences that happen in any organization, such as minor employee, physical or IT events.  Most organizations handle enough of these that their processes are very standard, so these incidents don’t create much disturbance.  Where damage can occur is when an incident turns into a crisis and the incident management team is not coordinated enough with the crisis management team to ensure an effective handoff.  Some reasons for the lack of coordination include:

 

  • Separate teams. As mentioned above, there are typically separate teams that manage incidents and crisis events. This slows down and often hinders the transition of an incident to a crisis event, and when dealing with a crisis, minutes often matter.
  • Confusing communications. Communication around an incident usually involves a small group of individuals directly involved in resolving it, and it is prescribed and basic.  Communication changes drastically during a crisis event, however, and may very quickly extend to much larger groups such as employees and executives, or to external parties such as regulators, law enforcement and emergency personnel.  It becomes much more complex and ad hoc, which makes the transition difficult.
  • Multiple systems. Different systems are often used to manage incidents and crisis events, whether because different teams acquired them or because of the narrow focus of these point solutions.  Information is then housed in different systems and is not connected to paint the bigger picture, such as what caused the event and how it evolved.  This matters during a crisis, because having the history of the event, the people involved and the next steps in one system helps the crisis team avoid missing critical elements and is vital to managing the event well.

 

Updates to the RSA Archer Incident Management and Crisis Management use cases in the 6.3 release have been added to significantly help with these issues and enable better coordination between incident and crisis teams.  Workflow, discussion forums, event tracking, post-event analysis, and reporting and dashboards have all been developed to enable incident and crisis teams to:

 

  • Manage the event as one and ensure a more seamless handoff from the incident team to the crisis team
  • Provide a holistic history of the incident and related crisis event so teams can see the bigger picture around the event, make better decisions, and help in planning for subsequent events
  • Reduce confusion between incident and crisis teams with workflow and user roles that help with decision-making, crisis declaration, and transition.

 

These updates will help disparate resiliency teams improve their management of disruptive events from inception to closure.  Other departments will also find value in these use cases.  For example, resiliency risk has risen to the Board level in recent years and is also on the radar of most regulators and auditors, so business risk management teams have a vested interest in better managing the resiliency of the organization.

 

Silos will continue to exist because organizations are complex; however, resiliency can be strengthened by creating more effective and seamless handoffs between siloed areas. These updates to the RSA Archer Incident Management and Crisis Management use cases can help reduce resiliency risk to the organization.

I’m excited for this year’s RSA Charge event because, one, it’s Charge, and two, it’s in Texas! I used to live in El Paso and Ft. Worth, Texas so I consider myself an honorary citizen and always enjoy returning.  I also love returning to the RSA Charge conference each year - this ain’t my first rodeo, in fact this is my sixth time attending Charge and each year it gets better. Check out the schedule here and you’ll see what I mean.  RSA Charge 2017 Agenda.  

 

Why do I enjoy RSA Charge so much? I love getting together with my RSA Archer Audit Management and Business Resiliency working groups and discussing how we can make our solutions even better, as well as meeting face-to-face with the RSA Archer Champion Network – real Archer experts. What I’m as excited for this year though is managing the Transforming Compliance presentation track and working with all of the speakers who are preparing to knock your boots off with some phenomenal customer presentations.  It’s the second time I’ve managed one of the presentation tracks, and although it’s a daunting responsibility driving this herd and helping shape the body of knowledge that will be shared with you at Charge, I really enjoy getting to know the speakers and helping them make their presentations the best they can be.

 

The sessions in the Transforming Compliance track (check it out here: Transforming Compliance Track) are designed to help you break that “buckin' bronc” of compliance.  Just listen to these topics – transforming compliance, accelerating the journey, innovating, improving the use of self-assessments, and bringing different compliance functions together.  If those topics don’t blow that stetson hat off your head, then I don’t know what will! Another benefit of attending RSA Charge is not only listening to these amazing topics but being able to mingle afterwards with the presenters, making lasting contacts and staying in touch after the conference with folks who can help make your ride down that long trail using RSA Archer so much better.  It’s a win-win-win!

 

I’ll wrap up by saying if this ain’t enough to get you excited for this amazing event, then in memory of Glen Campbell, head to “Galveston”...I mean Dallas.  Register for RSA Charge, and come to where, "the lights are gonna be shinin’ on you - like a Rhinestone Cowboy" (or Cowgirl of course)!

 

See ya'll at Charge!

 

RSA Charge 2017, the premier event on RSA® Business-Driven Security™ solutions, unites an elite community of customers, partners and industry experts dedicated to tackling the most pressing issues across cybersecurity and business risk management. Through a powerful combination of keynote speeches, break-out sessions and hands-on demos, you’ll discover how to implement a Business-Driven Security strategy to help your organization thrive in an increasingly uncertain, high-risk world. Join us October 17 – 19 at the Hilton Anatole in Dallas, Texas.

RSA Archer is thrilled to be a major sponsor at the 2017 Governance, Risk and Control Conference being held August 16-18 at the Gaylord Texan in Dallas, Texas. Check out the conference details here: IIA GRC Conference.  

 

RSA will be joined by more than 600 governance, risk, and control professionals from 40+ countries at this event that draws together the best and brightest minds to embrace challenges, forge solutions, and define the future of global GRC.  

 

This conference will be a venue for learning and breaking down barriers and issues we all face.  RSA Archer GRC and Audit experts will be demonstrating the latest version of the RSA Archer suite of solutions, focusing on our Audit Management, Risk Management and Compliance solutions.  In addition, since RSA is a premier IT security company, we will also have experts on hand sharing their experience with conference attendees on one of the most complex areas internal auditors have to face - and that’s IT security risks and controls.  Stop by our booth to discuss the specific issues your organization is facing.

 

You know the saying “A rising tide lifts all ships”? This conference will be the time to come together and share best practices so the field of GRC can advance collectively and improve every organization’s ability to implement capabilities that are effective, efficient and mature.  RSA is proud to be part of this great conference!

 
