
RSA Archer Suite


Cross-site request forgery (CSRF) is an attack which forces an end user to execute unwanted actions on a web application to which they are currently authenticated.

 

CSRF vulnerabilities may arise when applications rely solely on HTTP cookies to identify the user that has issued a particular request. Because browsers automatically add cookies to requests regardless of the request's origin, it may be possible for an attacker to create a malicious web site that forges a cross-domain request to the vulnerable application.

 

CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (like sending a link via email or chat), an attacker may force the users of a web application to execute actions of the attacker’s choosing. A successful CSRF exploit can compromise end user data and operation when it targets a normal user. If the targeted end user is the administrator account, a CSRF attack can compromise the entire web application.

CSRF relies on the following:

[1] Web browser behavior regarding the handling of session-related information such as cookies and http authentication information;

[2] Knowledge by the attacker of valid web application URLs;

[3] Application session management relying only on information which is known by the browser;

[4] Existence of HTML tags whose presence causes immediate access to an http[s] resource; for example the image tag img.

 

Points 1, 2, and 3 are essential for the vulnerability to be present, while point 4 is accessory and facilitates the actual exploitation, but is not strictly required.

 

Point 1)

Browsers automatically send information which is used to identify a user session. Suppose site is a site hosting a web application, and the user victim has just authenticated himself to site. In response, site sends victim a cookie which identifies requests sent by victim as belonging to victim’s authenticated session. Basically, once the browser receives the cookie set by site, it will automatically send it along with any further requests directed to site.

Point 2)

If the application does not make use of session-related information in URLs, then it means that the application URLs, their parameters, and legitimate values may be identified (either by code analysis or by accessing the application and taking note of forms and URLs embedded in the HTML/JavaScript).

Point 3)

“Known by the browser” refers to information such as cookies, or http-based authentication information (such as Basic Authentication; and not form-based authentication), which are stored by the browser and subsequently resent at each request directed towards an application area requesting that authentication.

The vulnerabilities discussed next apply to applications which rely entirely on this kind of information to identify a user session.

Suppose, for simplicity’s sake, that we refer to GET-accessible URLs (though the discussion applies as well to POST requests). If victim has already authenticated himself, submitting another request causes the cookie to be automatically sent with it (see picture, where the user accesses an application on www.example.com).

The GET request could be originated in several different ways:

  • by the user, who is using the actual web application;
  • by the user, who types the URL directly in the browser;
  • by the user, who follows a link (external to the application) pointing to the URL.

These invocations are indistinguishable by the application. In particular, the third may be quite dangerous. There are a number of techniques (and of vulnerabilities) which can disguise the real properties of a link. The link can be embedded in an email message, or appear in a malicious web site where the user is lured, i.e., the link appears in content hosted elsewhere (another web site, an HTML email message, etc.) and points to a resource of the application.

If the user clicks on the link, since they were already authenticated by the web application on site, the browser will issue a GET request to the web application, accompanied by authentication information (the session id cookie). This results in a valid operation performed on the web application and probably not what the user expects to happen. Think of a malicious link causing a fund transfer on a web banking application to appreciate the implications.

 

By using a tag such as img, as specified in point 4 above, it is not even necessary that the user follows a particular link.

Suppose the attacker sends the user an email inducing him to visit an URL referring to a page containing the following (oversimplified) HTML:

What the browser will do when it displays this page is that it will try to display the specified zero-width (i.e., invisible) image as well.

This results in a request being automatically sent to the web application hosted on site. It is not important that the image URL does not refer to a proper image; its presence will trigger the request specified in the src field anyway. This happens provided that image download is not disabled in the browser, which is a typical configuration since disabling images would cripple most web applications beyond usability.

 

The problem here is a consequence of the following facts:

  • there are HTML tags whose appearance in a page results in automatic http request execution (img being one of those);
  • the browser has no way to tell that the resource referenced by img is not actually an image and is in fact not legitimate;
  • image loading happens regardless of the location of the alleged image, i.e., the form and the image itself need not be located in the same host, not even in the same domain. While this is a very handy feature, it makes it difficult to compartmentalize applications.

It is the fact that HTML content unrelated to the web application may refer to components in the application, and the fact that the browser automatically composes a valid request towards the application, that allows such kinds of attacks. As no standards are defined right now, there is no way to prohibit this behavior unless it is made impossible for the attacker to specify valid application URLs. This means that valid URLs must contain information related to the user session, which is supposedly not known to the attacker and therefore makes the identification of such URLs impossible.

The problem might be even worse, since in integrated mail/browser environments simply displaying an email message containing the image would result in the execution of the request to the web application with the associated browser cookie.

Things may be obfuscated further, by referencing seemingly valid image URLs such as

where [attacker] is a site controlled by the attacker, and by utilizing a redirect mechanism on

Cookies are not the only example involved in this kind of vulnerability. Web applications whose session information is entirely supplied by the browser are vulnerable too. This includes applications relying on HTTP authentication mechanisms alone, since the authentication information is known by the browser and is sent automatically upon each request. This DOES NOT include form based authentication, which occurs just once and generates some form of session-related information (of course, in this case, such information is expressed simply as a cookie and we can fall back to one of the previous cases).

Sample scenario

Let’s suppose that the victim is logged on to a firewall web management application. To log in, a user has to authenticate himself and session information is stored in a cookie.

Let’s suppose the firewall web management application has a function that allows an authenticated user to delete a rule specified by its positional number, or all the rules of the configuration if the user enters ‘*’ (quite a dangerous feature, but it will make the example more interesting). The delete page is shown next. Let’s suppose that the form – for the sake of simplicity – issues a GET request, which will be of the form (to delete rule number one) (to delete all rules).

The example is purposely quite naive, but shows in a simple way the dangers of CSRF.

Now, this is not the only possible scenario. The user might have accomplished the same results by manually submitting the URL or by following a link pointing, directly or via a redirection, to the above URL. Or, again, by accessing an HTML page with an embedded img tag pointing to the same URL.

In all of these cases, if the user is currently logged in the firewall management application, the request will succeed and will modify the configuration of the firewall. One can imagine attacks targeting sensitive applications and making automatic auction bids, money transfers, orders, changing the configuration of critical software components, etc.

An interesting thing is that these vulnerabilities may be exercised behind a firewall; i.e., it is sufficient that the link being attacked be reachable by the victim (not directly by the attacker). In particular, it can be any Intranet web server; for example, the firewall management station mentioned before, which is unlikely to be exposed to the Internet.

Self-vulnerable applications, i.e., applications that are used both as attack vector and target (such as web mail applications), make things worse.

If such an application is vulnerable, the user is obviously logged in when he reads a message containing a CSRF attack, that can target the web mail application and have it perform actions such as deleting messages, sending messages appearing as sent by the user, etc.

How to Test:

Black Box Testing

For a black box test the tester must know URLs in the restricted (authenticated) area. If they possess valid credentials, they can assume both roles – the attacker and the victim. In this case, testers know the URLs to be tested just by browsing around the application.

Otherwise, if testers don’t have valid credentials available, they have to organize a real attack, and so induce a legitimate, logged in user into following an appropriate link. This may involve a substantial level of social engineering.

Either way, a test case can be constructed as follows:

  • let u be the URL being tested; for example, u = http://www.example.com/action
  • build an html page containing the http request referencing URL u (specifying all relevant parameters; in the case of http GET this is straightforward, while for a POST request you need to resort to some Javascript);
  • make sure that the valid user is logged on the application;
  • induce him into following the link pointing to the URL to be tested (social engineering involved if you cannot impersonate the user yourself);
  • observe the result, i.e. check if the web server executed the request.

Gray Box Testing

Audit the application to ascertain if its session management is vulnerable. If session management relies only on client side values (information available to the browser), then the application is vulnerable. “Client side values” mean cookies and HTTP authentication credentials (Basic Authentication and other forms of HTTP authentication; not form-based authentication, which is an application-level authentication). For an application to not be vulnerable, it must include session-related information in the URL, in a form that is not identifiable or predictable by the user ([3] uses the term secret to refer to this piece of information).

Resources accessible via HTTP GET requests are easily vulnerable, though POST requests can be automated via Javascript and are vulnerable as well; therefore, the use of POST alone is not enough to correct the occurrence of CSRF vulnerabilities.
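The audit described above can be partly mechanised. The Python script below is an added example (it is not part of the OWASP-derived text) that classifies a captured request by the criteria of this section: which credentials the browser attaches on its own (cookies, Basic and other HTTP authentication) and whether any parameter looks like an unpredictable per-session secret. A request that carries browser-managed credentials and no such secret is the point-3 condition. The sample captures, the token-name list and the "random-looking value" heuristic are constructed assumptions and need tuning for a real application; the output is a triage flag, not proof of exploitability.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that conventionally carry an anti-CSRF secret, plus a crude
# "long mixed alphanumeric" shape test for unnamed ones (assumption: tune per application)
SECRET_NAME = re.compile(r"csrf|xsrf|token|nonce|authenticity", re.I)
SECRET_SHAPE = re.compile(r"^[A-Za-z0-9_\-]{16,}$")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body); header names lower-cased."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers, body


def looks_like_secret(name, value):
    """True if the parameter is named like a token or has the shape of a random value."""
    if SECRET_NAME.search(name):
        return True
    return bool(SECRET_SHAPE.match(value) and re.search(r"\d", value) and re.search(r"[A-Za-z]", value))


def audit_request(raw):
    """Classify one captured request. 'browser_credentials' lists what the browser attaches
    by itself (cookie, Basic/Digest/NTLM auth); a Bearer token set by script is not one of
    those. 'likely_csrf' is the point-3 condition: browser-managed credentials and nothing
    unpredictable in the request."""
    method, target, headers, body = parse_request(raw)
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if headers.get("content-type", "").split(";")[0].strip().lower() == "application/x-www-form-urlencoded":
        params += parse_qsl(body, keep_blank_values=True)

    browser_credentials = []
    if "cookie" in headers:
        browser_credentials.append("cookie")
    auth = headers.get("authorization", "")
    if auth and not auth.lower().startswith("bearer "):
        browser_credentials.append("http-auth")

    secret_params = [name for name, value in params if looks_like_secret(name, value)]
    exposed = bool(browser_credentials) and not secret_params
    return {
        "method": method,
        "target": target,
        "browser_credentials": browser_credentials,
        "secret_params": secret_params,
        "likely_csrf": exposed,
        # point 4 of the text: a GET with side effects needs nothing more than an img tag
        "forgeable_via_img": exposed and method == "GET",
    }


# Constructed sample captures modelled on the firewall scenario in the text
GET_DELETE = (
    "GET /fw/delete?rule=1 HTTP/1.1\r\n"
    "Host: fw.internal.example\r\n"
    "Cookie: SESSIONID=abc123\r\n"
    "\r\n"
)
TOKENED_POST = (
    "POST /fw/delete HTTP/1.1\r\n"
    "Host: fw.internal.example\r\n"
    "Cookie: SESSIONID=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "rule=1&csrf=9f8a7b6c5d4e3f2a1b0c"
)
BASIC_AUTH_POST = (
    "POST /fw/delete HTTP/1.1\r\n"
    "Host: fw.internal.example\r\n"
    "Authorization: Basic YWRtaW46c2VjcmV0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "rule=*"
)

if __name__ == "__main__":
    for sample in (GET_DELETE, TOKENED_POST, BASIC_AUTH_POST):
        print(audit_request(sample))
```

Run over a Burp or proxy export, the `likely_csrf` flag narrows the list of requests worth the manual test above: the cookie-only GET and the Basic-auth POST are flagged, the POST that carries a `csrf` parameter is not, and a script-set Bearer token is deliberately not counted as a browser-managed credential.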

 

 

Tools

  • OWASP WebScarab Project
  • OWASP CSRFTester Project
  • site_request_forgery.php (via img)
  • site_framing.php (via iframe)

Remediation

The following countermeasures are divided among recommendations to users and to developers.

 

Users

Since CSRF vulnerabilities are reportedly widespread, it is recommended to follow best practices to mitigate risk. Some mitigating actions are:

  • Log off immediately after using a web application.
  • Do not allow the browser to save username/passwords, and do not allow sites to “remember” the log in details.
  • Do not use the same browser to access sensitive applications and to surf freely the Internet; if it is necessary to do both things at the same machine, do them with separate browsers.

Integrated HTML-enabled mail/browser, newsreader/browser environments pose additional risks since simply viewing a mail message or a news message might lead to the execution of an attack.

Developers

Add session-related information to the URL. What makes the attack possible is the fact that the session is uniquely identified by the cookie, which is automatically sent by the browser. Having other session-specific information generated at the URL level makes it difficult for the attacker to know the structure of URLs to attack.

Other countermeasures, while they do not resolve the issue, contribute to make it harder to exploit:

  • Use POST instead of GET. While POST requests may be simulated by means of JavaScript, they make it more complex to mount an attack.
  • The same is true with intermediate confirmation pages (such as: “Are you sure you really want to do this?” type of pages). They can be bypassed by an attacker, although they will make their work a bit more complex. Therefore, do not rely solely on these measures to protect your application.
  • Automatic log out mechanisms somewhat mitigate the exposure to these vulnerabilities, though it ultimately depends on the context (a user who works all day long on a vulnerable web banking application is obviously more at risk than a user who uses the same application occasionally).
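As an added illustration of the first developer countermeasure (example code, not from the OWASP text or from any RSA product), the Python below binds the firewall delete action from the sample scenario to a per-session secret that is delivered only in the page body. A page on another origin can make the browser attach the cookie, but it cannot read the token out of the form, so the forged request fails the check. The in-memory session store, the cookie name `session` and the `/fw/delete` route are assumptions for the example; the SameSite cookie attribute shown is a browser-side control not discussed in the text above and is used here in addition to, not instead of, the token.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# In-memory session store (constructed for the example): session id -> per-session CSRF secret
SESSIONS = {}


def start_session():
    """Called after form-based login succeeds: mint a session id and an unpredictable
    per-session secret that a foreign page can neither read nor guess."""
    sid = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": csrf_token}
    return sid, csrf_token


def session_cookie(sid):
    """Set-Cookie value for the session. SameSite=Lax stops the browser attaching the
    cookie to cross-site POSTs and to img/iframe loads; HttpOnly and Secure limit
    theft. The token check below is still required for browsers that ignore SameSite."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def render_delete_form(csrf_token):
    """The delete page from the firewall scenario. The secret travels in the page body,
    which only a page served from the application's own origin can read."""
    return (
        '<form method="POST" action="/fw/delete">'
        f'<input type="hidden" name="csrf" value="{csrf_token}">'
        '<input name="rule"><button>Delete</button></form>'
    )


def handle_delete(headers, body):
    """Authorize POST /fw/delete. headers: dict of request headers; body: urlencoded
    form body. Returns (status, message)."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    sid = jar["session"].value if "session" in jar else None
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not authenticated"
    params = parse_qs(body)
    presented = params.get("csrf", [""])[0]
    # Constant-time comparison: the token is a secret, do not leak it through timing
    if not hmac.compare_digest(presented.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    rule = params.get("rule", [""])[0]
    return 200, f"deleted rule {rule}"


if __name__ == "__main__":
    sid, token = start_session()
    print(session_cookie(sid))
    # Legitimate submission: cookie plus the token read from the rendered form
    print(handle_delete({"Cookie": f"session={sid}"}, f"csrf={token}&rule=1"))
    # Cross-site forgery: the browser attached the cookie, but the page that built the
    # request never saw the token, so "delete all rules" is refused
    print(handle_delete({"Cookie": f"session={sid}"}, "rule=*"))
```

The token is what the text calls session-related information that the attacker does not know; putting it in a hidden form field rather than the URL keeps it out of Referer headers and browser history, which matters once GET is replaced by POST as the list above recommends.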

 

 

 

Description of CSRF Vulnerabilities - See the OWASP article on CSRF Vulnerabilities.

How to Avoid CSRF Vulnerabilities - See the OWASP Development Guide article on how to Avoid CSRF Vulnerabilities.

How to Review Code for CSRF Vulnerabilities - See the OWASP Code Review Guide article on how to Review Code for CSRF Vulnerabilities.

How to Prevent CSRF Vulnerabilities - See the OWASP CSRF Prevention Cheat Sheet for prevention measures.

In this example we will be using Burp’s CSRF PoC generator to help us hijack a user's account by changing their details (the email address associated with the account) on an old, vulnerable version of “GETBOO”.

The version of “GETBOO” we are using is taken from OWASP’s Broken Web Application Project. Find out how to download, install and use this project.

Burp Scanner is able to locate potential CSRF issues.

The Scanner identifies a number of conditions, including when an application relies solely on HTTP cookies to identify the user, that result in a request being vulnerable to CSRF.

To manually test for CSRF vulnerabilities, first, ensure that Burp is correctly configured with your browser.

  • In the Burp Proxy "Intercept" tab, ensure "Intercept is off".
  • Visit the web application you are testing in your browser.
  • Ensure you are authenticated to the web application you are testing. In this example by logging in to the application. You can log in using the credentials user:user.
  • Access the page you are testing.
  • Alter the value in the field/s you wish to change, in this case “Email”. In this example we will add a number to the email.
  • Return to Burp.
  • In the Proxy "Intercept" tab, ensure "Intercept is on".
  • Submit the request so that it is captured by Burp.
  • In the "Proxy" tab, right click on the raw request to bring up the context menu.
  • Go to the “Engagement tools” options and click “Generate CSRF PoC”.

Note: You can also generate CSRF PoCs via the context menu in any location where HTTP requests are shown, such as the site map or Proxy history.

  • In the "CSRF PoC generator" window you should alter the value of the user supplied input. In this example we will change to "newemail@malicious.com".
  • In the same window, click “Copy HTML”.
  • Open a text editor and paste the copied HTML.
  • Save the file as an HTML file.
  • In the Proxy "Intercept" tab, ensure "Intercept is off".
  • If necessary, log back in to the application.
  • Initially we will test the attack on the same account. Open the HTML file in the same browser.
  • Dependent on the CSRF PoC options you may need to submit the request or it may be submitted automatically. In this case we are submitting the request manually.
  • If the attack has been successful and the account information has been successfully changed, this serves as an initial check to verify whether the attack is plausible.
  • Now log in to the application using a different account (in this example the admin account for the application).
  • Once you are logged in, perform the attack again by opening the file in the same browser.
  • The attack is successful if the account information in the web application has been altered.

A successful attack shows that the web application is vulnerable to CSRF. For the attack to fire in a real world environment, the victim needs to access a page under the attacker's control while authenticated.

In our example web application, a new password can be set for the account using the email address. In this way an attacker could gain full ownership

Generate CSRF PoC:

This function can be used to generate a proof-of-concept (PoC) cross-site request forgery (CSRF) attack for a given request.

To access this function, select a URL or HTTP request anywhere within Burp, and choose "Generate CSRF PoC" within "Engagement tools" in the context menu.

When you execute this function, Burp shows the full request you selected in the top panel, and the generated CSRF HTML in the lower panel. The HTML uses a form and/or JavaScript to generate the required request in the browser.

You can edit the request manually, and click the "Regenerate" button to regenerate the CSRF HTML based on the updated request.

You can test the effectiveness of the generated PoC in your browser, using the "Test in browser" button. When you select this option, Burp gives you a unique URL that you can paste into your browser (configured to use the current instance of Burp as its proxy). The resulting browser request is served by Burp with the currently displayed HTML, and you can then determine whether the PoC is effective by monitoring the resulting request(s) that are made through the Proxy.

Some points should be noted regarding CSRF techniques:

  • The cross-domain XmlHttpRequest (XHR) technique only works on modern HTML5-capable browsers that support cross-origin resource sharing (CORS). The technique has been tested on current versions of Firefox, Internet Explorer and Chrome. The browser must have JavaScript enabled. Note that with this technique, the application's response is not processed by the browser in the normal way, so it is not suitable for making cross-domain requests to deliver reflected cross-site scripting (XSS) attacks. Cross-domain XHR is subject to various restrictions which may prevent it from working with some request features. Burp will display a warning in the CSRF PoC generator if this is liable to occur.
  • Some requests have bodies (e.g. XML or JSON) that can only be generated using either a form with plain text encoding, or a cross-domain XHR. In the former case, the resulting request will include the header "Content-Type: text/plain". In the latter case, the request can include any Content-Type header, but will only qualify as a "simple" cross-domain request (and so avoid the need for a pre-flight request which typically breaks the attack) if the Content-Type header has one of the standard values that may be specified for normal HTML forms. In some cases, although the message body exactly matches that required for the attack request, the application may reject the request due to an unexpected Content-Type header. Such CSRF-like conditions might not be practically exploitable. Burp will display a warning in the CSRF PoC generator if this is liable to occur.
  • If you manually select a CSRF technique that cannot be used to produce the required request, Burp will generate a best effort at a PoC and will display a warning.
  • If the CSRF PoC generator is using plain text encoding, then the request body must contain an equals character in order for Burp to generate an HTML form which results in that exact body. If the original request does not contain an equals character, then you may be able to introduce one into a suitable position in the request, without affecting the server's processing of it.
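The second point above (JSON or XML bodies reachable only through a text/plain form or a non-preflighted XHR) is something a server can turn into a hard failure rather than a "might not be practically exploitable". The Python check below is an added example, not part of the PortSwigger documentation quoted here: it refuses state-changing requests to a JSON endpoint unless the media type is exactly application/json (which a cross-site form cannot send, and which forces a CORS preflight on cross-origin XHR) and the Origin header, or failing that the Referer, is on an allow-list. The allowed origin https://www.example.com and the header dictionaries in the usage are assumptions.

```python
from urllib.parse import urlsplit

# Media types a cross-site HTML form, or a cross-origin XHR/fetch that avoids the CORS
# preflight, can send without the browser asking the server first
FORM_CONTENT_TYPES = {"text/plain", "application/x-www-form-urlencoded", "multipart/form-data"}
# Assumption for this example: the application is served from exactly this origin
ALLOWED_ORIGINS = {"https://www.example.com"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def media_type(content_type):
    """'Application/JSON; charset=utf-8' -> 'application/json' (parameters dropped)."""
    return content_type.split(";", 1)[0].strip().lower()


def request_origin(headers):
    """Origin header if present, otherwise scheme://host of the Referer, otherwise None.
    Expects lower-cased header names. Browsers send the literal 'null' as Origin in some
    cross-site cases; it is returned unchanged and will not match the allow-list."""
    origin = headers.get("origin", "").strip()
    if origin:
        return origin.lower()
    parts = urlsplit(headers.get("referer", ""))
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def check_json_api_request(method, headers):
    """Decide whether a request to a JSON-only, state-changing endpoint may proceed.
    Returns (allowed, reason). Header names are matched case-insensitively."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method (must not change state)"
    h = {name.lower(): value for name, value in headers.items()}
    ct = media_type(h.get("content-type", ""))
    if ct in FORM_CONTENT_TYPES:
        return False, f"form-encodable content type {ct!r} on a JSON endpoint"
    if ct != "application/json":
        return False, f"unexpected content type {ct!r}"
    origin = request_origin(h)
    if origin is None:
        return False, "no Origin or Referer header to verify the source"
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-site request from {origin}"
    return True, "ok"


if __name__ == "__main__":
    # Cross-site form with plain-text encoding, the case the notes above describe
    print(check_json_api_request("POST", {"Origin": "https://attacker.example", "Content-Type": "text/plain"}))
    # Same-origin fetch() from the application's own page
    print(check_json_api_request("POST", {"Origin": "https://www.example.com", "Content-Type": "application/json; charset=utf-8"}))
```

The Content-Type rule is the part that closes the text/plain form trick; the origin check is a second layer that backs up, rather than replaces, a per-session token, since some privacy-minded clients and proxies strip Referer and a missing header is treated here as a refusal.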

CSRF PoC options

The following options are available:

  • CSRF technique - This option lets you specify the type of CSRF technique to use in the HTML that generates the CSRF request. The "Auto" option is generally preferred, and causes Burp to select the most appropriate technique capable of generating the required request.
  • Include auto-submit script - Using this option causes Burp to include a script in the HTML that causes a JavaScript-enabled browser to automatically issue the CSRF request when the page is loaded.

 

From <https://portswigger.net/burp/documentation/desktop/functions/generate-csrf-poc>

Recent high profile cyber attacks demonstrate that cyber incidents can significantly affect capital and earnings. Cyber incidents can have financial, operational, legal, and reputational impact. Costs may include forensic investigations, public relations campaigns, legal fees, consumer credit monitoring, and technology changes. As such, cybersecurity needs to be integrated as part of enterprise-wide governance processes.

 

With the increasing volume and sophistication of cyber threats and incidents, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to help financial institutions identify their cyber risks and determine their level of cybersecurity preparedness. This assessment tool incorporates cybersecurity-related principles from the FFIEC's Information Technology Examination Handbook and maps back to the National Institute of Standards and Technology (NIST) Cybersecurity Framework.  The FFIEC developed this framework to help identify factors that contribute to your organization's cyber risks.  By understanding the factors that play into your organization's cyber risk, you can assess your level of preparedness and determine what risk management practices and controls are needed to mitigate and minimize your cyber risks.

 

The RSA Archer FFIEC-Aligned Cybersecurity Framework app-pack aligns with the FFIEC and NIST standards to provide a consistent and repeatable process for determining your organization's inherent risk levels and evaluating your cybersecurity maturity level. Using RSA Archer FFIEC-Aligned Cybersecurity Framework, action plans can be created and tracked to minimize inherent risk levels or achieve a desired cybersecurity maturity level.

 

With the RSA Archer FFIEC-Aligned Cybersecurity Framework offering, financial institutions can assess and measure their cybersecurity posture, address gaps, and report on cybersecurity posture in a meaningful way that is understood by all stakeholders.  

 

RSA Archer FFIEC-Aligned Cybersecurity Framework allows you to:

  • Offer a common language to communicate requirements and progress among stakeholders (internal, partners, contractors, suppliers)
  • Provide a method to understand larger cybersecurity ecosystem
  • Apply FFIEC best practices of risk management to improve cybersecurity and resiliency of critical infrastructure

 

Interested in learning more about the RSA Archer FFIEC-Aligned Cybersecurity Framework app-pack? Join us for a Free Friday Tech Huddle on Friday, March 8 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.

 

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Examples of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.

 

Why is Key Indicator Management so important?

The use of key indicators of performance, risk, and control are considered one of several best practices of a sound Operational Risk Management program.  In many risk management programs, the use of key indicators is implemented sporadically at the discretion of individual business units and division managers. Key indicator metrics may not be properly designed to accurately measure the intended activity, and the collection of indicator data may be accomplished in an unnecessarily costly and inefficient manner using spreadsheets and email. With missing or inefficient key indicator reporting, the organization is unable to accurately gauge or compare performance in terms of meeting strategic and operational goals, or understand drivers of risk and control. It also limits the organization’s ability to respond to emerging problems as quickly as possible.

 

RSA Archer Key Indicator Management

RSA Archer Key Indicator Management provides a means for organizations to establish and monitor metrics related to each business unit and activity within the organization.  Key indicators are also typically associated with other elements of your governance program, including risks, controls, strategies and objectives, products and services, and business processes to monitor quality assurance and performance.

 

Key features include:

  • Holistic key indicator management program
  • Association of key indicators with business units and named individuals, and establishment of key indicators of performance, risk, control, corporate objectives, business processes, and products and services, depending on your program implementation
  • Utilization of key indicator libraries to ensure consistency and quick deployment throughout the organization
  • Governance to ensure timely collection of indicator data
  • Stakeholder notification when indicators exceed acceptable boundaries
  • Consistent approach to calculating indicator boundaries and limits
  • Consolidated list of indicators that are operating outside boundaries, and associated stakeholder escalation and remediation plans
  • Accountability and management processes around remediation plans and action to bring key indicators back within acceptable boundaries
  • Visibility to key risk indicator metrics and remediation plans via predefined reports, dashboards, workflow, and communication channels.

 

Today, organizations are faced with complex and fast moving operational risk challenges.  To effectively manage risk, it’s not enough to know your organization’s strategies, objectives, risks and controls.  You need a way to understand if your strategies and objectives are being met; if your risk drivers are increasing or decreasing; and whether your controls are operating as designed or are under stress leading to failure. Tracking your key indicators, the Performance, Risk, and Control indicators associated with each of these elements is crucial in successful organizations today.  In addition, indicators associated with changing business activities are a good early warning of changing risk and performance profile. 

 

RSA Archer Key Indicator Management is an essential element of an effective Operational and Integrated Risk Management program to understand the organization’s risk and performance profile and operation of the existing internal control framework.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically), including these key indicators. This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions, as quickly as possible, about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effectively deploying and utilizing Key Indicator management is one ingredient to demonstrating real progress and improvement in decreasing business risk.  RSA Archer can help your organization better understand and manage key indicators on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Examples of operational risk include natural and man-made disasters, cyber-attacks, error, fraud, and non-compliance.

 

Why is Loss Event Management so important?

Loss events negatively impact an organization’s income statement.  Under certain circumstances they can be large enough to wipe out current period profitability, erode an organization’s capital cushion, or even force it into bankruptcy.  Consequently, it is critically important for organizations to understand the kinds of losses it could incur, the near-miss losses it avoided, and the losses it actually incurred.  This means understanding how and why a loss arose, what policies were not followed, what controls failed, where the loss is or should be recovered under insurance, and what should be done to reduce the likelihood and impact of similar losses occurring in the future.

 

Understanding and managing loss events is essential to an effective operational risk management program. Many organizations today have impaired visibility into the frequency, amount, type and source of loss events. This is frequently due to lack of complete or comprehensive lists of loss events, lack of accountability for management of loss events, and inadequate root cause analysis. These organizations are not fully aware of their actual losses, nor are they aware of near misses or losses being incurred by others in their industry that may warn of the organization’s own future losses. Lack of accountability promotes a less effective risk management culture, and these organizations typically suffer from a higher frequency and amount of loss events due to poor loss event analysis and remediation.

 

RSA Archer Loss Event Management

RSA Archer® Loss Event Management allows organizations to capture and inventory actual loss events and near misses, as well as relevant external industry-related loss events. Loss event root cause analysis can be performed to understand why the loss occurred and to take appropriate actions to reduce the likelihood and impact of similar losses occurring in the future. Loss events can be evaluated as part of top-down risk assessments and risk self-assessments, if those are utilized, and loss events can be exported to perform Monte Carlo simulations of operational risk using external Monte Carlo engines, such as Palisade @Risk.  Recoverable losses can be monitored and managed until they are reimbursed through insurance or restitution agreements.

 

Key features include:

  • Consolidated loss event catalog including actual losses, near misses, and calibrated external loss events
  • Assignment of loss events by business unit and named individuals
  • Root cause analysis
  • Review and approval of loss events by key stakeholders within their levels of authority
  • Visibility into aggregate losses by type, source, and area of ownership
  • Ability to drill into specific loss events for greater detail
  • Consolidated list of remediation plans to reduce likelihood and impact of similar future loss events
  • Correlation of loss events to applicable risk, policy, and control procedures, as well as correlation to insurance policies.

 

RSA Archer Loss Event Management provides:

  • Consolidated view of loss events by frequency, amount, type, source, and owner
  • Clear understanding of the cause of loss events and the actions being taken to remediate problems that led to the loss event, including whether remediation plans are being executed on time, as planned
  • Greater engagement of business unit managers in the management of losses
  • Evidence of the design and effectiveness of an organization’s loss event program within a broader operational risk management program.

 

Today, organizations are faced with complex and fast moving operational risk challenges.  RSA Archer Loss Event Management is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effectively managing loss events is one ingredient to demonstrating real progress and improvement in decreasing business risk.  RSA Archer can help your organization better understand and manage loss events on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

What is Operational Risk?

The Risk Management Association defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” Examples of operational risk include natural and man-made disasters, cyber-attacks, errors, fraud, and regulatory or contractual non-compliance.

 

Why is Top-Down Risk Assessment so important?

Organizations today face a wide range of risks originating in different areas of their business, related to strategy, credit, corporate and regulatory compliance, interest rates, liquidity, market prices, operations (errors, fraud, and external events), and reputation, among others. While risks are spread out across an organization and often interrelate, it is difficult to get a holistic view of risk necessary to manage it efficiently and effectively.

 

The problem is further compounded with the introduction of new products and services, mergers and acquisitions, business process changes, and new and intensifying sources of fraud. In many organizations, risks are documented haphazardly in spreadsheets and documents without consistent use of a common approach, methodology, or rating scale. In addition, accountability for risk is tenuous because risks are not assigned to named managers and business units. This undermines accountability and increases the likelihood that a significant risk event will occur.

 

In addition, non-standardized risk management terminology, inconsistent risk assessment methodology and inconsistent risk rating scales mean there is no comprehensive visibility to or accountability in addressing known risks. With everyone speaking differently about risk, incomplete risk registers and inconsistent risk assessments can lead to bad risk management decisions, illogical resource allocation, potential violations of regulatory mandates and an overall poor risk management program.

 

Consistently documenting risks and controls and performing reliable risk assessments is essential to establishing an effective risk management program.

 

RSA Archer Top-Down Risk Assessment

RSA Archer Top-Down Risk Assessment enables practitioners to document risks and controls throughout the organization. Risks can be assessed on an inherent and residual basis, both qualitatively and across multiple risk categories using monetary values. Controls can be linked to the risks they treat for consideration as a part of a residual risk assessment. Risks and controls can be assigned to named individuals and organizational structure to establish appropriate accountability and to provide relevant reporting.

 

Key features include:

  • Catalog a consolidated view of risks and internal controls within the organization
  • Map risks to business processes, controls, higher-level risk statements and scenarios
  • Establish a library of agreed-upon scenarios and perform assessments on selected scenarios
  • Perform qualitative and monetary assessments of inherent and residual risk
  • Monitor risks against established tolerances and risk appetite
  • Enforce consistent terminology, risk assessment methodology and rating scales
  • Organized, managed process to escalate issues to ensure proper signoff/approval of issues
  • Operationalize accountability for risks, controls, business processes, scenarios, risk assessments and outstanding issues
  • Establish delegated authorities for approving risk and enforce those authorities by automatically routing risk decisions to the authorized individuals
  • Visibility into risk and control inventory and assessment progress via predefined reports and risk dashboards

 

Today, organizations are faced with complex and fast moving risk challenges.  RSA Archer Top-Down Risk Assessment is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Effectively performing Top-Down risk assessments is one ingredient to demonstrating real progress and improvement in decreasing business risk.  RSA Archer can help your organization better understand and manage risk assessments on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

Today, we’re pleased to announce availability of RSA Exchange Release R7, which introduces 10 new and two updated offerings, as well as new and updated content. We're thrilled that our RSA Exchange Technology Partners continue to develop and deliver innovation for RSA Archer customers via the RSA Exchange, and look forward to much more in future releases.

 

  • App-Packs – pre-built applications addressing adjacent or supporting Integrated Risk Management processes (e.g. niche, industry, geo-specific)
    • Aujas Duplicate Findings Prevention avoids duplicate open findings for periodic assessments, reducing stakeholder overhead in managing duplicate findings
    • RSA Archer Due Diligence Management provides consistent due diligence scoping process, checklist, and recommendations that address multiple due diligence business processes such as mergers and acquisitions
    • RSA Archer FFIEC-Aligned Cybersecurity Framework offers the ability to apply the best practice principles from FFIEC to prioritize and scope business objectives and priorities, create risk profiles, risk assess the environment, analyze the results to identify gaps, and implement an action plan
    • RSA Archer Speak Up, introduced in November 2018, has been updated to enable anonymous whistleblower submissions.

 

 

 

 

For additional documentation, downloads, and a listing of all RSA Exchange offerings, check out the RSA Exchange for RSA Archer on RSA Link. Stay tuned for more new RSA Exchange offerings next quarter!

What is Third Party Governance?

RSA Archer Third Party Governance provides organizations the capability to monitor and manage the performance of the third parties with whom they do business.

Why is the proper management of Third Party performance so important?

Organizations are increasingly using third parties to support their operations and to deliver products and services to their clients. Every organization entering into a third party relationship has expectations regarding how the third party’s products and services should perform. It is particularly critical that third parties provide satisfactory performance wherever they are supporting customer-facing activities or contribute to the organization achieving its key objectives. Often performance expectations are formalized via contract by way of agreed-upon service level metrics unique to the product or service being delivered by the third party. While contractually establishing service level metrics is a best practice, it is only the first step. Organizations need to monitor performance metrics throughout the life of each third party relationship and manage deteriorating third party relationships at the earliest possible time. While an organization may have created some contractual recourse should a third party fail to perform, litigation and financial compensation do not solve the problems posed by underperforming third parties. The best outcome is represented by third parties that live up to or exceed performance expectations.

 

RSA Archer Third Party Governance

RSA Archer Third Party Governance provides the capability to track the performance of individual third party engagements and to measure the performance of third parties across all of the engagements they are delivering to your organization. Third Party Governance provides the ability to document and track service level agreement metrics, and utilize a metrics library to promote consistency in assigning service level metrics to similar engagements.  Once performance metrics are established, actual performance data can be collected from named individuals or automatically via systems of record.  Stakeholders can be automatically notified if a third party’s performance begins to fall outside acceptable boundaries so that third party performance can be coached back to acceptable levels or remediation and contingency plans created and executed should the third party’s performance become irreparable.

 

Key features include:

  • Define and document performance metrics for third parties
  • Track all contractual service level agreement (SLA) metrics
  • Uncover deteriorating third party performance
  • Capture and monitor remediation plans until performance problems are resolved
  • Create performance metrics and associate them with individual product and service engagements
  • Capture performance metric data on an ongoing basis and score performance based on data collected
  • Report on performance of individual product and service engagements
  • Roll up engagement level performance to obtain overall third party performance profile

 

RSA Archer Third Party Governance enables organizations to:

  • Create and capture performance metrics and associate them with individual product and service engagements on an ongoing basis
  • Report on performance of individual product and service engagements and roll up engagement level performance to obtain an overall third party performance profile
  • Uncover deteriorating vendor performance and quickly resolve third party performance problems
  • More frequently exercise contract remedies due to poor performance
  • Avoid third party-related surprises and losses, and spend less time and money on third party performance remediation
  • Demonstrate the effectiveness of third party performance management programs to executive management and regulators

 

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships. RSA Archer Third Party Governance is one element of an effective Integrated Risk Management program. Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leaders with the most holistic understanding of risk facing their organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization while maximizing the likelihood of achieving the organization’s objectives.

 

As your organization drives business growth through an extended ecosystem strategy, your third party risk and performance management program must evolve and manage risk more holistically, with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

 

What is Third Party Engagement?

A third party is any entity with which your organization has an actual or implied contractual relationship for the receipt of goods and services.  Besides being called a third party, these relationships may also be known as vendors or suppliers.  An Engagement refers to the actual product or service being received by way of a contract with a third party. 

 

RSA Archer Third Party Engagement provides organizations the capability to inventory all of the product and service engagements they are receiving from third parties. Engagements can be mapped to the third parties supplying the product or service, and to the organization’s business units and business processes they support. Third party contacts can be documented, and accountability for third party engagements can be established by named individual and by the business units that own the relationship. If you are utilizing the RSA Archer Third Party Engagement, Risk Management, and Governance use cases, then the risk and performance of individual engagements can be established, and risk and performance information can be rolled up across all products and services delivered by a third party and depicted in aggregate at the appropriate third party organizational level.

 

Why is the proper management of Third Party Engagements so important?

Third parties may relate, to some degree, with every aspect of an organization.  They may impact your organization’s objectives and they support, in one way or another, the products and services your organization delivers.  They support business processes, introduce risk and affect and supplement the extended internal control environment of your organization.  They may provide assets and inputs to the organization such as hardware, software, physical space, and product inputs.  Acting as an agent of your extended organization, they are subject to your regulatory obligations and policies, and they may directly supplement your human resources through consultants and temporary labor, or extend your human resources by the nature of the services that they are providing.  You may have third parties that touch on every one of these elements of your business. 

There are numerous reasons organizations choose to engage third parties. These include competing better, benefiting from a vendor’s expertise that you don’t have in-house, optimizing resources, acquiring resources (often more cheaply), transferring risk such as under insurance, and expanding market share by capitalizing on the third party’s presence in a market where you don’t currently have a presence, or by offering a more attractive product or service because of the third party’s expertise and capabilities.

Third parties are an extension of your business and, in the end, third parties introduce the same risk to your organization as if you internalized the activities.  In most cases, it is impossible to eliminate the risk altogether.  The best you can do is understand the risk and manage it within acceptable levels.

 

RSA Archer Third Party Engagement

RSA Archer offers the Third Party Engagement use case to consolidate the list of third party products and services your organization uses.

 

Key features include:

  • Catalog third parties, their business hierarchy, and the product and services engagements they deliver to your organization
  • Map third party products and services to the business processes they support
  • Roll up engagement risk assessments to obtain an overall third party risk profile
  • Catalog contracts and master services agreements associated with engagements
  • Execute contract risk assessments utilizing standardized questionnaires focused on minimum required contract language to mitigate and transfer risk
  • Capture the third party’s proof of insurance and evaluate the adequacy of the insurance relative to all of the engagements being delivered
  • Integrate the results of your business process impact analysis into your assessment of the inherent resiliency risk of each third party
  • Establish accountability for each third party engagement
  • Document and monitor remediation plans to bring risk within acceptable tolerance
  • Track exceptions related to third party engagements

 

With RSA Archer Third Party Engagement, you can:

  • Establish efficient management of your third party relationships
  • Know where, how, and why third parties are being used throughout your organization, and who is responsible
  • Identify inherently high risk third party products, services, and relationships
  • Better understand the adequacy of each third party’s proof of insurance
  • Have fewer third party-related audit and regulatory findings
  • Establish the basis for an effective third party risk management program and allocation of scarce resources based on the most significant priorities
  • Provide transparency into third party relationships using robust notifications and reporting
  • Provide positive assurance to senior management, the Board, and regulators regarding the adequacy of the organization’s third party governance program

 

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships. RSA Archer Third Party Engagement is one element of an effective Integrated Risk Management program. Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leadership with the most holistic understanding of risk facing the organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce the most effective return to the organization.

 

As your company drives business growth through an extended business ecosystem strategy, your risk management program must evolve and manage risk with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

It's official - time to get your creative juices flowing as the RSA Charge 2019 'Call for Speakers' (C4S) is now open and awaiting your submissions!

 

As you are aware, the RSA Charge events represent all RSA products, and an increasing number of customers across solutions attend this one-of-a-kind event each year. RSA Charge 2019 promises to be the biggest event in our history of RSA Charge and Summit conferences.

 

The RSA Charge event is successful in no small part because of the stellar customer submissions we receive each year. We invite you to submit your presentation brief(s) for consideration. (That's right, you may submit more than one brief!)

 

This year, for the first time, the 8 tracks for RSA Charge 2019 are identical across all products and represent all RSA solutions. We are pleased to present them to you:

 

Transforming Your Cyber Risk Strategy - Cyber-attacks are at the top of the list of risks for many companies today. Tell us how you are approaching reducing this risk utilizing RSA products.

 

Beyond the Checkbox: Modernizing Your Compliance Program - The regulatory landscape is always shifting.  How are you keeping up and what steps are you taking towards a sustainable, agile compliance program?

 

Aligning Third Party Risk for the Digital Transformation - Inherited risk from your business partners is a top of mind issue.  Third party risk must be attacked from multiple angles.  Share your strategy.

 

Managing Operational Risk for Impact - Enterprise risk, operational risk, all things risk management. Share your experience and strategy on how you identify, assess and treat risk across your business operations.

 

View from Above: Securing the Cloud - From security visibility to managing organizational mandates, what is your risk and security strategy to answer the "go to cloud" call?

 

Under the RSA Hood: Managing Risk in the Dynamic Workforce - The workforce has become a dynamic variable for many organizations - from remote users to BYOD to contractors and seasonal workers.  How are you addressing this shift?

 

Business Resiliency for the 'Always On' Enterprise - The world expects connectivity.  When the lights are off, the business suffers.  Tell us how you are ensuring your business is 'always on' - business continuity, recovery, crisis management and the resilient infrastructure.

 

Performance Optimization: RSA Product Learning Lab - Share your technical insights of how you use RSA products to meet your business objectives.  Extra points for cool 'insider' tips and tricks.

 

We know you have great stories to share with your peers, best practices, teachings, and how-to's. We hope you consider submitting a brief and thank you in advance for your consideration. More information can be found on the RSA Charge 2019 website (scroll to bottom of page) including the RSA Charge 2019 Call for Speakers Submission Form. Submission should be sent to: rsa.events@rsa.com.

 

Call for Speakers 'closes' April 26. 

What would you do if you heard an advertisement on the radio misrepresenting a product your company offered?  I'd like to share a true story and how RSA Archer helped this organization's first line of defense own risk.

 

Sally was listening to the radio on her drive to work when she heard an advertisement about her company but the information was incorrect and misleading.  When she got to work, she didn't know who to report the information to but knew that if she didn't report it, it could cause huge impacts to their organization.  After approaching several people, she decided to call the IT help desk.  While the IT help desk typically "helps" many, they are typically a little further downstream from the risk evaluation process. After some digging, the IT help desk sent the request to the Risk Management team, who then connected Sally with the third party risk team to address the issue with the third party. 

 

When our customer approached RSA, we decided to provide a method via RSA Archer that not only addresses the problem but enables your organization to own risk.  But we took it a bit further than just a risk reporting tool. There are often brilliant ideas that could positively impact your organization. There may also be specific issues or incidents that conflict with your organization's corporate policies and procedures and someone within your organization has the knowledge needed to help avert or mitigate those issues early on. 

 

The RSA Archer Speak Up app-pack provides a mechanism within RSA Archer for the first line of defense to communicate information to your management or risk management team while leveraging workflow to review and approve the information and get it to the right team to take action.

 

RSA Archer Speak Up allows you to:

  • Submit ideas to improve the business;
  • Report issues to responsible authorities or management team within the organization; and
  • Document concerns regarding potential ethics violations, incidents, breaches, issues with third parties, and more.

 

With the RSA Archer Speak Up app-pack, your employees are empowered to speak up and own risk.  And, your management team is empowered with accountability and a consistent governance process for addressing risks.

 

RSA Archer Speak Up Business User Dashboard

Interested in learning more about the RSA Archer Speak Up app-pack? Join us for a Free Friday Tech Huddle on Friday, February 8 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.

What is Third Party Risk Management?

A third party is any entity with which your organization has an actual or implied contractual relationship for the receipt of goods and services.  Besides being called a third party, these relationships may also be known as vendors or suppliers.  An Engagement refers to the actual product or service being received by way of a contract with a third party. 

 

RSA Archer Third Party Risk Management provides organizations the capability to assess and manage the risks associated with their third party engagements.

 

Why is the proper management of Third Party Risk so important?

Organizations are increasingly using third parties to support their operations and deliver products and services to their clients. While it is possible to outsource many business activities to third parties, organizations retain the risks associated with their third party relationships. Many of these risks can be significant including regulatory compliance violations, customer and shareholder litigation, information security breaches, financial losses from errors, fraud and business interruption, reputation damage, and impediment to strategic objectives. Organizations need to understand the risks third party relationships pose to their organization and the adequacy of controls that their third party providers have in place to manage risk within acceptable boundaries.

 

RSA Archer Third Party Risk Management

RSA Archer Third Party Risk Management employs a series of risk assessment questionnaires to be completed by a third party to assess the third party’s internal control environment and collect relevant supporting documentation for further analysis. The results of these questionnaires are factored into a determination of the residual risk of each third party engagement across several risk categories (compliance/litigation, financial, information security, reputation, resiliency, strategic, sustainability, and fourth party risk).  Risk results are depicted for each engagement and are rolled up to the third party to depict their overall risk across all of the engagements they deliver to the organization. Risk assessment findings can be automatically captured and managed as exceptions and remediation plans can be established, assigned to accountable individuals, and monitored to resolution.

 

Key features include:

  • Consistent risk assessment and evaluation of third party controls
  • Capture and store supplemental documents such as SSAE-16s, financial statements, and PCI assessments, and monitor when refreshed documents are due
  • Capture declared critical fourth party relationships and understand the quality of governance your third party applies to their own third party relationships
  • Depiction of risk of overall third party relationship, across all engagements being delivered to your organization
  • Consolidated view into known issues
  • Organized, managed process to escalate issues
  • Visibility into known risks and efforts to close/address risks
  • Efficient program management and understanding of program status

 

RSA Archer Third Party Risk Management provides:

  • Methodical and standardized approach to risk assessment
  • Management and mitigation of identified issues and reduced time to resolution
  • Stronger, quicker response to emerging risks
  • Fewer third party related incidents and losses
  • Reduced program administration costs
  • Reduction of overall third party risk
  • Reduced repeat audit and regulatory findings
  • Better understanding of how third parties are used throughout the organization and the risks they pose

 

Today, organizations are faced with complex and fast moving challenges exacerbated by the very nature of rapidly expanding third party relationships.  RSA Archer Third Party Risk Management is one element of an effective Integrated Risk Management program.  Stressing the agility and flexibility needed by today’s modern organizations, integrated risk management brings together the various domains of risk across business activities (horizontally), connecting the activities to the strategies and objectives of the organization on an aggregated basis (vertically). This approach to risk management provides leadership with the most holistic understanding of risk facing the organization so they can make truly informed decisions about where to deploy limited capital and human resources to produce optimized returns for the organization.

 

As your company drives business growth through an extended business ecosystem strategy, your risk management program must evolve and manage risk more holistically, with more agility and integration than before. Managing third party risk and performance is one ingredient to showing real progress and improvement and decreasing business risk.  RSA Archer can help your organization better understand and manage its third party relationships on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

 

For more information, visit RSA.com or read the Datasheet.

What do we mean by controls monitoring?

In today's complex regulatory environment, organizations face a daunting task in maintaining compliance amidst constantly shifting obligations and requirements. As organizations attempt to keep pace and adapt control activities (controls) to changes in compliance requirements and operational risk scenarios, they are often hamstrung by ad-hoc, disconnected compliance efforts that are implemented reactively across separate areas of the business. This severely limits the ability to maintain a real-time, aggregated view of risk and compliance impacts. Efficiency and scale also suffer as the volume of manual systems and processes overloads the organization's limited resources.

 

Implementing a program that includes a centralized inventory of assets, requirements, risks, and controls, coupled with a standardized approach to measuring control efficacy, is the key to ensuring diligence and completeness. This also provides the solid foundation necessary for enabling automation and improving the ability to continuously monitor key risk and control performance metrics as the organization adapts to changes in the business climate.

 

Why is a program approach to monitoring control activities so important?

Consolidating organizational compliance projects into a single platform offers business owners a unique level of visibility into critical risk and compliance information, enabling them to make fully informed, risk-based business decisions in support of organizational priorities. A single control universe can further align with extended corporate stewardship and responsibility goals and other strategic objectives.

 

RSA Archer Controls Monitoring Program Management

RSA Archer Controls Monitoring Program extends the foundation established with RSA Archer Controls Assurance Program Management, with a modernized approach to defining and managing separate compliance projects simultaneously. This includes tools to assess and report on the performance of controls across all enterprise asset levels and the ability to automate control assessments and continuously monitor ongoing compliance efforts. Customers can also enjoy seamless integration with other RSA Archer use cases designed to tackle all aspects of Integrated Risk Management in their unique environments.

 

Businesses that operate with disconnected, ad-hoc programs typically find themselves diverting more and more time and resources to compliance, only to see their overall risk levels continue to increase. Organizations with optimized compliance programs, by contrast, are able to reverse that trend and return more resources to the business, which can then be used to invest in future growth initiatives. An optimized program also serves to reduce overall operational risk and provide decision makers with a reliable means for exploring the opportunity landscape by enabling them to identify with confidence the business risks that are worth taking.

 

For more information, please visit RSA.com and review the Datasheet.

Mason Karrer

RSA Archer PCI Management

Posted by Mason Karrer Employee Jan 16, 2019

What are the basics of PCI-DSS Compliance?

The Payment Card Industry Data Security Standard (PCI-DSS) defines a consolidated set of security best practices endorsed by major card brands, which are designed to reduce fraud risk associated with credit card processing. Organizations that fail to comply may lose their ability to accept credit card payments, which could greatly impact their ability to conduct business. However, with the continually increasing velocity and sophistication of new threats, maintaining an effective PCI-DSS compliance program has become an increasingly costly business requirement as well, and those costs can be substantial.

 

The PCI-DSS is considered one of the more prescriptive and technical compliance mandates that companies must typically deal with. This can be both good and bad. In contrast, many higher-level government mandates like federal regulations are often written in broader terms that can be difficult to interpret into actionable specifics like precise internal control definitions. The more a company has to guess at what’s expected, the greater the chance of guessing wrong and either undercompensating (raising the inherent risk of running afoul of the regulation) or overcompensating, which can increase the internal costs and burden of compliance unnecessarily.

 

The benefit of PCI’s more prescriptive language is better clarity in terms of understanding what’s expected, how it will be audited, and specific reporting requirements. However, the other side of the coin with PCI is the extensive technical breadth and depth of its coverage. Encryption, network segmentation, multi-factor authentication, and external vulnerability scanning are a few areas where companies often struggle, either because of technical limitations or significant additional technology investments needed.

 

Why is a program approach to PCI Compliance so important?

Companies able to gain efficiencies by optimizing their operational compliance efforts will be more successful at reducing compliance costs and gaps. Consolidating organizational compliance initiatives into a single comprehensive view is the most effective way to identify and eliminate duplicate efforts and reduce overall compliance risk. The technical nature of PCI can often force companies to undertake process improvements, technical infrastructure overhauls, and even facility construction projects simultaneously. A streamlined program approach helps to keep things organized and drive consistent, successful outcomes.

 

RSA Archer PCI Management

RSA Archer Controls Assurance Program and RSA Archer Controls Monitoring Program provide a solid foundation for managing any organizational compliance initiative. However, PCI’s unique characteristics and pervasive global reach offer an opportunity to take things several steps further. RSA Archer PCI Management is designed to do just that, by enabling organizations to streamline the compliance process, simplify stakeholder participation, and reduce overall compliance effort and cost.

 

RSA Archer PCI Management guides merchants through identifying and defining cardholder data flows and environments, engaging the proper stakeholders, completing self-assessment questionnaires (SAQs), testing and gathering evidence for all required controls, and managing the gap remediation process.

 

Key features include:

  • Easy-to-use project workflows to manage CDE (cardholder data environment) scoping and multiple, ongoing compliance assessment projects.
  • Structured content libraries linking each discrete control requirement in the PCI-DSS to an extensive control testing repository, ensuring full coverage across internal and external assessment activities.
  • Persona-driven dashboards and questionnaires that simplify the attestation and evidence gathering process and provide clear insight into compliance activity status.
  • Aggregated issues management functionality for tracking findings and gaps and managing the remediation process.
  • One-click reporting templates to assemble all required deliverables into a properly formatted Report on Compliance (ROC) for easy review and submission.

 

Customers can also enjoy seamless integration with other RSA Archer use cases designed to tackle all aspects of Integrated Risk Management in their unique environments. Organizational leaders with optimized programs in place have a distinct advantage when exploring the opportunity landscape, because those programs enable them to identify with confidence the business risks that are worth taking.

 

For more information, please visit RSA.com and review the Datasheet.

In their ongoing effort to clarify the concepts of integrated risk management (IRM) and digital risk management (DRM), Gartner has begun to discuss the interconnection of IRM and DRM with enterprise risk management (ERM).

 

 

Source: https://blogs.gartner.com/john-wheeler/irm-is-essential-for-digital-transformation-success/

 

I certainly agree with Gartner’s statement in their recent blog: “To keep pace with the increasing risk associated with digital transformation, organizations require an integrated approach to risk management. Not only is it essential to invest in integrated risk management (IRM) technology to enable this approach, it is also imperative to focus on the convergence of technology and operational risk. This convergence represents a key IRM use case called ‘digital risk management.’ Digital risk management (DRM) technology integrates the management of risks of digital business components — such as cloud, mobile, social and big data — and third-party technologies, such as artificial intelligence and machine learning, operational technology (OT), and the Internet of Things (IoT). DRM helps bridge the gap between the Chief Risk Officer (CRO), the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO).”

 

ENTERPRISE RISK MANAGEMENT IS THE FOCUS

While Gartner introduced IRM and DRM concepts some time ago as part of operational risk management, what appears new in Gartner’s most recent IRM discussion is the explicit connection to ERM.  The ascendency of ERM as a business focus is not new.  In 2014, I reported on RIMS’ declaration that the practice of ERM had reached critical mass. This is borne out by our customers in the financial services industry, of whom 81% stated in a survey conducted last year that they were already using the RSA Archer Suite to support their ERM program!  That’s right, 81% of financial services customers surveyed are already integrating cyber risks with other kinds of operational risks, with their organization’s financial risks and risks to their strategies and objectives.  As RIMS stated in 2013 of ERM, “value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return, goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.”

 

THE FUTURE OF ERM?

I think it’s safe to assume, as with most things risk management-related, organizations vary in their approach to ERM.  We know that approaches to risk identification, risk assessment, risk evaluation and treatment, and monitoring all vary, as do the scope and granularity around the use of performance, risk, and control indicators.  And that’s fine. Everyone executes to their own unique risk management roadmap given the objectives of their management team, board of directors, and available human and capital resources.

Yet, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (remember this is the group that drove the Sarbanes-Oxley Act?) has laid out their goal and roadmap for ERM, as well.  In their 2016 update to the COSO ERM framework, they represented the complex interrelationship between risk profile, performance, and risk appetite in this one graphic:

 

Source: Figure 4.2, COSO ERM Public Exposure Draft, June 2016

 

I’ll leave a discussion of the relationship of each of these variables and how an organization might go about generating this kind of understanding for themselves in one graphical representation for another time. For now, I think it is enough to consider some of the questions that must be answered to achieve the goal laid out by COSO ERM 2016:

  • How do I come up with a risk appetite statement that consistently encompasses all types of risk?
  • If risk capacity is that level of risk that would put my organization out of business, which risks are those and how do I assess them in a way to compare them to my risk capacity?
  • How do I aggregate all of my risks to generate a risk profile?
  • How do I measure target performance?
  • How do I correlate risk profile to performance, let alone visually depict the relationship?

 

Please add a comment.  I would love to hear from you and how you think these questions can be answered.

Managing Third Party contracts can be a daunting task, let alone tracking changes and approval during the negotiation process.  Between your legal department and the third party's legal department, the changes and approvals are horrendous to track and inefficient for all parties involved.  What if you had standardized contract language that was pre-approved by your legal organization?  What if you could use RSA Archer to track the clause changes and the change approvals? 

 

RSA Archer Contract Clause Management is the solution for you.  We've developed a solution for small to mid-sized companies that do not need an entire contract management suite but still need to assemble contracts, manage their clauses, and track changes and approvals.  This app-pack can help you establish standard clauses to utilize in contracts.  It also tracks and manages the development, changes, and approvals of the contract clauses used in your contracts.

RSA Archer Contract Clause Management Clause Owner Dashboard

 

With the RSA Archer Contract Clause Management App-Pack, you will have a central repository for storing standard contract clauses and the contract clauses used in agreements with third parties, a consistent process for creating and approving the clauses, and visibility into changes within contracts and clauses.

 

Interested in learning more about the RSA Archer Contract Clause Management app-pack? Join us for a Free Friday Tech Huddle on Friday, January 11 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at www.rsa.com.
