RSA Archer Suite

Eighteen months have already passed since the redesigned RSA Archer Navigator tool was launched on RSA Link.  This tool introduced the ability to browse for RSA Archer content throughout RSA Link (e.g. documentation, downloads, advisories, knowledge base articles, training materials, videos and more) using a series of filters to locate exactly what you need.


With the RSA Archer Navigator tool, users can apply filters for Role, Expertise, Focus, Cost, Product, Version and Content Type. The tool then displays a list of content from across the entire website, which can be filtered even further as necessary, making it very easy to find relevant materials.



After the tool was so well-received by RSA Archer customers, the RSA NetWitness Platform, RSA Identity Governance & Lifecycle and RSA SecurID Access products followed suit and released Navigator tools for their content as well.  Users of these four products can easily access the associated Navigator tool by clicking on the link below the search bar on the primary product community pages.



In order to make it even easier for users to locate the content they need, the RSA Link team is proud to announce that the RSA Navigator tools are now fully functional on your mobile devices.  This means that even on mobile phones that view the website in portrait (i.e. vertical) mode, the tool will work the same way. (Previously the RSA Navigator tools only worked in landscape mode on mobile phones.)


You can locate the RSA Archer Navigator tool on your mobile device by going to the RSA Archer Suite page, expanding the Product Resources section and then clicking on the RSA Archer Navigator link.  Alternatively, you can simply click on the magnifying glass icon and search for "Archer Navigator" and it will appear in the results.



Similar to the desktop version of the tool, you can then select the filter(s) you wish to apply and then click the View Results button to view the content that match the criteria.



We hope that this new improvement will assist RSA customers and partners with having an even better experience on RSA Link and that they will be able to quickly and easily find what they need regardless of how and from where they're connecting.


More information about the RSA Archer Navigator tool can be found in the video and blog posts below.


With the increase in cybersecurity threats in today’s world, organizations that are considered part of our national critical infrastructure face a much greater risk of being attacked, which can place national security, the economy, and public safety at risk.  The National Institute of Standards and Technology (NIST) created the Cybersecurity Framework (CSF) as a set of standards and best practices that government agencies and private sector organizations can use to manage their cybersecurity risks.  NIST CSF has become even more widely adopted by all types of organizations across the U.S. and worldwide.


The RSA Archer Cybersecurity Framework Management app-pack, released in August 2017, provides organizations with a methodology to assess and measure their cybersecurity posture, address gaps and report on cybersecurity.  The app-pack enables profile owners to catalog the current state, prioritize core profile elements, and define the desired or targeted state outcomes for the organization’s cybersecurity program.  Assessors can then evaluate these profiles against the NIST CSF categories.  Previous assessments can be archived for comparison with a Current Profile to measure progress.  Reports and dashboards provide clear insight into the current cybersecurity state and the progress being made toward the desired cybersecurity state.

RSA Archer Cybersecurity Framework Profile Owner Dashboard

Based on customer feedback, the RSA Archer Cybersecurity Framework Management app-pack has been enhanced and incorporates the newest version of the NIST Cybersecurity Framework that was released in April 2018.  With the updated version, customers can now automate the scope for their cybersecurity assessments based on the selected business process and analyze the Current Profile against the Target Profile not just by the NIST functions but by the NIST category or business processes.  The RSA Archer Cybersecurity Framework Management app-pack will now track the NIST Cybersecurity Framework versions for cybersecurity assessments and related authoritative sources.  In addition, Cybersecurity Profiles can now be approved using electronic signature capabilities.


Interested in learning more about the RSA Archer Cybersecurity Framework Management app-pack? Join us for a Free Friday Tech Huddle on Friday, September 21 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at

Global businesses with an online presence know that customers from any part of the world can opt in for their services and provide their personal information. As good for business and innocuous as this may seem, it opens up these businesses to regulation – the most visible right now being the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. GDPR will impact any business, whether based in the European Union (EU) or not, that processes the personal data of EU residents.  While GDPR may seem like "old news", the regulation provides an opening to talk about how your company's resiliency efforts are affected by privacy requirements.


To comply with GDPR, organizations will have to review their approach to data and privacy management to evaluate how they control data as part of their business continuity (BC), IT disaster recovery (ITDR), crisis management and resilience planning systems and processes. Because GDPR rules are applicable to backup and DR systems and practices as well as production systems, these key requirements include:


  • the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.


Recovery planning has long been subject to Data Protection legislation, but the wider remit within GDPR is something organizations will need to look at to ensure they can comply with the new rules. The following are a few areas and examples:


  • Data privacy has often been the responsibility of the Compliance or Legal group, however, where a Data Protection Officer (DPO) is appointed, there must be proper alignment between the DPO and BC/DR programs to ensure they look at GDPR compliance holistically and coordinate their efforts accordingly
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) take on greater importance and have to very closely align internally (between business process and IT system recovery)
  • If your DR provider is non-compliant with GDPR it could render you non-compliant, so RTO and RPO between your organization and the DR provider also have to be aligned. Questions need to include: where is the customer data held? Will customer data be accessible and available according to RTOs? Does your DR provider perform regular testing and evaluation to ensure they can achieve the RTOs and RPOs?
  • Breaches that are deemed to be high risk have to be reported by a data controller within 72 hours of becoming aware of such breach and may also require crisis management response. Therefore, IT risk and security processes must align with crisis response and management.


In summary, the disparate parts of the organization that manage data privacy management and business resiliency, internally and externally, must better coordinate their efforts to enable compliance with GDPR.

Greetings RSA Archer Community!


On behalf of the entire RSA Archer Team, I’d like to once again thank everyone for attending the 2018 RSA Archer Summit in Nashville recently.  I’m always amazed at the camaraderie the attendees exhibit at this event – something that began 15 years ago at the first Summit in Phoenix is not only still alive and well, but stronger than ever.


This year we were excited to not only set record attendance for a Summit event, but also receive more award nominations than we have ever received!  While we’d love to be able to give an award to everyone who submitted their success story, we ultimately issued twelve awards and another twelve honorable mentions.  We encourage everyone to take a few minutes to review the fantastic stories these winners had to share this year, and to join us in congratulating them on such an outstanding honor.


RSA Archer Community Advocate Award:

Karl Bender:  Vice President and Program Manager, Citizens Bank

Karl has been an RSA Archer user for nearly 10 years, serving in a variety of roles – from practitioner to business analyst to technical SME to the risk management program director.  Karl is an inaugural member of the RSA Archer Champions Network and an active participant in user groups and working groups. He led the effort to highlight their RSA Archer initiatives within their corporate annual report.  Congratulations Karl!



RSA Archer Global Alliance Partner of the Year Award:


EY has been a strategic partner with RSA for more than 10 years, delivering RSA Archer solutions globally to many of our largest joint customers.  This past year was significant for the partnership, as EY developed new solutions on the RSA Archer platform like NERC CIP compliance for Power & Utilities, GDPR and hosted/managed RSA Archer delivery to Public Sector clients.  As a strategic alliance partner, RSA and EY team up to jointly provide the best solutions around Digital Risk Management and Risk Transformation to meet the needs of our clients.  Congratulations EY Team!




RSA Archer Excellence Awards:

Discover Financial Services:

Discover utilizes RSA Archer for business resiliency, enterprise and operational risk, regulatory and corporate compliance management, and third party risk management. With RSA Archer, they have created business unit specific dashboards that make everything a one-stop-shop for all critical users. End users love the experience and all 3 lines of defense have clear accountability.  Congratulations Discover Financial Services Team!



Highmark Health:

Highmark Health utilizes RSA Archer for audit, business resiliency, enterprise and operational risk, IT and security risk management, regulatory and corporate compliance and third party risk management. With RSA Archer, they have centralized their risk and compliance functions across the entire organization. Within 2 years, Highmark has saved $350,000 + in ancillary tools and licensing costs alone.  Congratulations Highmark Health Team!




Mitre utilizes RSA Archer for regulatory compliance, policy management, and third party risk management. With RSA Archer, Mitre has quickly and effectively managed compliance against DFARS and NIST with more compliance programs underway. RSA Archer has saved Mitre an estimated 2.5 FTEs and $375,000.  Congratulations Mitre Team!




Voya utilizes RSA Archer for business resiliency, enterprise and operational risk, IT and security risk management, regulatory and corporate compliance and third party risk management. With RSA Archer, Voya has implemented a creative approach to address phishing using on-demand applications that allow any employee to view their own phishing test results.  Congratulations VOYA Team!




Microsoft utilizes RSA Archer for audit, business resiliency, enterprise and operational risk, IT and security risk management, regulatory and corporate compliance and third party risk management. Microsoft’s digital security and risk engineering teams put together a vision to build out a comprehensive risk management solution for the entire organization. They realized success by building a solution that was generic enough to meet everyone’s needs. Microsoft has achieved an overall 40% efficiency improvement by employing this central risk management solution.  Congratulations Microsoft Team!



Marathon Petroleum Corporation:

Marathon utilizes RSA Archer for audit, business resiliency, enterprise and operational risk, IT and security risk management, and regulatory and corporate compliance. Marathon has built a comprehensive SOX and audit program with RSA Archer.  The speed in which they could deploy their program has allowed Marathon to implement 11 use cases in 9 months.   Congratulations Marathon Team!




NASA utilizes RSA Archer for IT and security risk management using the RSA Archer Assessment and Authorization use case. NASA has standardized and coordinated their entire A&A process using RSA Archer, allowing the leadership tier to see all security plans and make sound risk-based decisions via an automated process. The project has also allowed NASA to work closely with the Department of Homeland Security to improve reporting for FISMA.  Congratulations NASA Team!



HSBC Europe:

HSBC Europe uses RSA Archer for third party management. HSBC Europe has established a global third-party program to provide support, process and monitor the full contract lifecycle.  Congratulations HSBC Team!



Rio Tinto:

Rio Tinto utilizes RSA Archer for enterprise and operational risk management, IT and security risk management, and regulatory and corporate compliance. Rio Tinto began their RSA Archer journey with a long-term roadmap effort to establish and improve the risk management framework and process.  They have moved all business, functional and major project risk information from legacy systems into RSA Archer. User adoption, especially at the management level, has doubled and continued to grow due to the great data quality and reporting.  Congratulations Rio Tinto Team!



RSA Archer Excellence Award Honorable Mentions:

  • Citizens Bank
  • CVS
  • Delhaize
  • The Hartford
  • Equifax
  • State of Indiana
  • Northrop Grumman
  • Sony
  • Vanguard
  • US Bank
  • BASF
  • Raiffeisen Bank


RSA Archer Best in Show Award:

Mathew Hancock, Rio Tinto:

Every year, based on input from attendees, we present a “Best in Show” award for the year’s most impactful presentation. The sessions this year were full of great insights and experiences from across the RSA Archer community, making this award highly competitive.  This year, Mathew Hancock from Rio Tinto is the award winner.  Mathew presented on Rio Tinto’s approach to integrated risk management across their enterprise, providing valuable advice from their journey.  The feedback from his session was overwhelmingly positive, and we’d like to thank Mathew for doing such a great job presenting on a critical topic.  Congratulations Mathew on this great honor!



Again, thanks to everyone for attending this year’s Summit and making it such a great experience.  See you next September at RSA Charge 2019!



Garrett Miller

They say ‘It ain’t over, until it’s over’. Even though the RSA Archer Summit 2018 came to a close last Friday, we know the challenges of the risk landscape will remain. Last week, we welcomed over 1200 customers and partners to the country music mecca of Nashville for the 15th anniversary edition of the RSA Archer Summit. Over the course of the 2 ½ day event, we hosted 6 working groups, a customer advisory board, 5 keynotes, over 55 learning sessions, a ‘Choose your own adventure’ lab and an ‘Ask the Expert’ room that was busy the entire conference, and more networking and community celebratory events than you can shake a banjo at.

Risk Management Perspectives

Seeing so many practitioners present best practices, lessons learned and tips and tricks always provides key insights into the state of risk management. Some key takeaways I heard:

  • Digital initiatives are impacting security and risk management in many different ways. From addressing expanded privacy concerns related to customer facing digital products and services to adjusting risk and compliance efforts around emerging technology, companies are faced with changing requirements and continue to strive towards integrated strategies that cross functional and operational teams. Watch Grant Geyer, VP of Product at RSA, describe the impact of the digital world on risk management.
  • The evolution of GRC towards Integrated Risk Management continues. Call it what you will – GRC or IRM – the emphasis of connecting risk disciplines and building a collaborative, risk based approach to security, compliance, resiliency, third party governance and audit is top of mind for all practitioners.
  • We heard a wide variety of customer stories highlighting tips for success. Engaging your stakeholders, building a strong foundation of both organizational and technical support and thinking strategically are keys to building a sustainable, high value program.
  • I also had a chance to catch up with Jack Jones from the FAIR institute on the future of risk management in the age of risk economics. It was great to get his perspective – watch the interview here.

The Future of Risk Management

Since this year’s Summit was a special anniversary edition, we celebrated the long history of RSA Archer in the risk management industry. Looking back at 2003, the first year of the Summit, stirred a nostalgic feeling as we contemplated the past. In 2003, Sarbanes Oxley was only 1 year old and the Apple iTunes store was the tech invention of the year according to Time Magazine.   Those ‘simpler’ times dropped hints at the coming challenges – regulatory mandates and shifting requirements, the importance of corporate governance and compliance, the glowing fuse of the digital explosion…

A highlight for me this year was the keynote address by David Houle, which gave us a perspective on the future and the challenges across a wide spectrum of risks facing organizations today. I also wrapped up the event with my own evaluation of what risk management looks like as we face the evolution of our industry. Speed, automation, integrated approaches, the merging of security and risk disciplines and preparing for a constant shift in both technology and culture make the future of risk management an exciting, and challenging, industry.


The 2018 RSA Archer Summit was just the kick off of the next chapter. RSA is in a unique position to help organizations bridge the worlds of Security and Risk Management as we span across these critical domains.   The strategic vision and the innovations previewed at the Summit for RSA Archer highlight how the solution is geared to help risk and security teams see around the corner and build that truly integrated approach. Through presentation after presentation, our customers articulated an incredible passion in bringing together functions, driving change and unleashing their organization’s potential.   I am happy to say I don’t think there is a company out there that is better suited than RSA to help them continue on their journey forward to the next 15 years.

Are you an RSA Link member? View the RSA Archer 2018 presentations here.

The following is a guest post from industry writer, David Strom. 


So, the RSA® Archer Summit 2018 is over, and we are all back in our usual digs. I wanted to take some time to reflect on what I saw and where I think the company is going, based on what I heard at the event.


“The world has changed again,” said Rohit Ghai, President of RSA, at the opening keynote. “Data is the fuel of the digital economy and what makes the new value chain.” David Lemon, RSA Archer VP and Global Head of Sales said, “We have to give the business context to the security team and provide an end-to-end context so they can identify biggest priorities.” Here are some megatrends.


Going wide for a larger user base within each customer. At Summit, it was clear that the RSA Archer product line has a very loyal customer base, with people applauding for feature enhancements such as breadcrumbs. But the company has to move to a broader acceptance within the IT establishment, not just cultivate its product champions that may only number a few people within even the largest organizations. Part of the announcements and innovations at the conference were to appeal to a widening customer base and an interpretation of finding and winning over users beyond the risk folks – even within their existing customer base.


The success of RSA Archer will be if it can move beyond selling to the largest of customers too. “Our business opportunity is the less mature and medium-sized enterprise,” said David Walter, VP,  RSA Archer. Thus RSA Archer has to both widen and deepen its customer base. “We have to engage more people in the risk management conversations,” said Walter. One IT manager at the conference said, “Integrated risk is all about people, processes and systems, and they all have to work together. We have to get our culture right if we are going to stay in business.”


David Walter, VP, RSA Archer delivers his keynote at RSA Archer Summit 2018


Trusting more SIs/VARs to sell and spread the word, rather than DIY. Another sign of maturity is how the more significant announcements at Summit were partnerships with Mendix and Konexus, both revolving around new mobile enhancements.  This is a big step forward for RSA Archer too, because it shows that it can’t go it alone anymore and needs to branch out to its partners. While RSA has had partners in place, its partner network is evolving. What I saw at Summit were good first steps.


Data integrations are key. The next sign of change with RSA Archer is how the company has recognized that it needs to be more tightly integrated in as many data streams as possible. Product manager Emily Shipman mentioned at the conference that “Data Gateway is changing the way we interact with external data sources. We have released 40 different integrations with Exchange, and have more planned for the coming year.” Walter said “And it isn’t just about getting the data, but using it and making it meaningful -- what I like to call data stewardship.” If the company makes good on these promises, that will be a significant boon in its business.


Greater number of product releases. With 13 different updates in the recent past, RSA Archer is showing that it can be more agile by adding new features and coming out with new versions at an increasing rate. This is another good sign, as it tries to satisfy demands from its very loyal customer base.


Branching out from the token business. Even though RSA SecurID® tokens are still very much a big business for RSA, the latest announcements at Summit show the company is moving in a new, more forward-looking direction. Certainly, MFA tokens won’t disappear tomorrow, but the indicators mentioned above show that the RSA Archer business a few years from now will be very different from what it was just a few years ago.


Is it all rainbows and unicorns? Certainly, there are challenges ahead. RSA Archer has to broaden its appeal with its ultimate success depending on the kindness of others to continue to partner up and branch out. It certainly is interesting times for risk management professionals.

# # #

David Strom is an independent writer and expert with decades of knowledge on the B2B technology market, including: network computing, computer hardware and security markets. Follow him @dstrom.

The following is a guest blog from industry writer, David Strom. More on him below.


Today at the 15th RSA Archer Summit 2018 conference in Nashville, company executives announced a series of products and partnerships to extend their risk management platform firmly into the mobile arena. None of these are immediately available, although some will be released by November.


“We needed the ability for crisis managers to be able to kick off a communication protocol and have procedures that would help them respond during the middle of a hurricane even though the system is down,” said David Walter, a VP at RSA Archer, during his keynote at the show.  Walter told me that one of RSA Archer's key roles is supporting key staff that need to be involved with risk management conversations. “That means we have to promote incident awareness to a broader corporate culture, and have to provide enabling technology that can help everyone engage in that conversation. It also means we have to bring our technology to the users where they can access their data. This means offering a mobile-ready solution.” They are doing this in three different and complementary directions.


The first announcement is RSA Archer Mobility, a brand new mobile product that will include extensions to the RSA Archer Content API. This API was first seen in Archer v6.4 earlier this year and can be used to write JSON apps that make use of RSA Archer data and constructs. To showcase this integration during the show, Archer demonstrated its software working with Slack messaging and Google Home voice commands for handling simple data queries. The mobility product will be available next year.


David Walter, VP, RSA Archer introduces RSA Archer Mobility at RSA Archer Summit 2018


The second mobility announcement was the RSA Ready partnership with Konexus, a leading provider of world-class crisis management and collaboration tools. “We found that we have a lot of mutual customers who wanted to migrate data manually between the two tools,” said Walter. Konexus will have its own mobile apps that access data from both RSA Archer and its own systems. The apps can access role-based views and make crisis reporting more efficient with event-based escalation paths.


They demonstrated the app in their booth at the show in Nashville.


Finally, the third announcement was integrating RSA Archer with the low-code mobile app development platform from Mendix, which has become another RSA Ready partner. I got a chance to try out the app that was built in Mendix at the show and was impressed that it was created in less than a day’s worth of coding. RSA will supply the necessary components for its Mendix integration, called widgets, to help its customers develop their own custom apps. RSA Archer v6.4 SP1 is required to support the Mendix integration, and potential customers can email inquiries here.  The sample app is only available until the end of August. “Not every company is going to want to develop their own mobile app from scratch but would like to have the look and feel and branding and other customizations,” said Walter.


Both the Mendix and Konexus integrations will be included in the RSA Exchange release 6, available this November.

# # #

David Strom is an independent writer and expert with decades of knowledge on the B2B technology market, including: network computing, computer hardware and security markets. Follow him @dstrom.

Today is the day… This morning, we kicked off the RSA Archer Summit 2018 - the 15th anniversary edition of this annual event.  Fresh off a fantastic welcome reception last night, the crowd was buzzing with excitement as they gathered for the opening keynotes.  To get the Summit up and running this year, Rohit Ghai, David Lemon and David Walter welcomed over 1200 customers, partners and RSA staff, outlining RSA’s vision and the future of RSA Archer.   After celebrating the 15 years of the RSA Archer community, Rohit highlighted RSA’s role in helping our customers navigate through the risky – yet opportunity filled – digital transformation.   His mantra of the forces affecting all companies today – Modernization, Malice and Mandates – emphasized the need for integrated strategies to address risk.  David Lemon then greeted three long time customers for an insightful look into the risk management practitioner world.  Finally, David Walter and a host of product managers – Emily Shipman, Susan Read-Miller, Corey Carpenter and Brian Schaefer – walked through RSA Archer’s product vision and roadmap and along the way discussed key innovations that make RSA Archer the industry’s leading risk management platform.


The big surprise came at the end of David’s product keynote when he outlined RSA Archer’s mobility strategy.  The RSA Archer mobility strategy aims to bring the power of RSA Archer and its data to the users, where they are and in the form they want. The strategy included several facets, including the ability to approve by email, developing digital assistants and providing options for the mobile device experience, including building an RSA Archer native app.


David also announced two key RSA Ready partnerships.   The first partnership, with Konexus, provides crisis management capabilities – fitting nicely into the RSA Archer Business Resiliency solution.  The second partnership, with Mendix, a leading mobile application development platform, unveiled a prototype of a mobile app built on the Mendix platform.  David invited customers present at the RSA Archer Summit to download the app – a prototype of an Exception Request and Approval application – and provide feedback.  The excitement in the room was palpable as David sketched out the strategy for bringing mobility capabilities to RSA Archer, and the Mendix app was a big first step.


Such an exciting start to the event… The remainder of the Summit will be full of customer presentations, learning labs, more keynotes, fantastic networking events and plenty of opportunities to celebrate this 15th anniversary of the RSA Archer Community.  I am looking forward to the rest of this wonderful event.

It seems hard to believe, but it’s been ONE YEAR since we re-launched the RSA Exchange in August 2017!


Over the past 12 months, we’ve completed 5 quarterly releases with 8 app-packs, 6 tools & utilities, 41 integrations, and added the RSA Archer Content Library – WOW! With nearly 120,000 views of RSA Exchange offerings, it’s clear that the RSA Exchange is a big hit with RSA customers like you. And there’s much more to come!


Today, RSA is pleased to announce availability of RSA Exchange Release R5. This release includes a new app-pack, three new tools & utilities, four new integrations, and eight content offerings. Release R5 also includes updates to several existing offerings.


New offerings include: 

  • App-Pack - pre-built applications addressing adjacent or supporting GRC processes (e.g. niche, industry, geo-specific)


  • Tools & Utilities - pre-built functions enabling administrators to more easily manage their RSA Archer implementations




Release R5 also includes updates to existing RSA Exchange offerings and content, including:


  • App-pack: RSA Archer Cybersecurity Framework Management
    • Support for NIST Cybersecurity Framework version 1.1, including informative reference relationships to authoritative sources
    • Track NIST CSF version for cybersecurity assessments
    • Automate cybersecurity assessment scoping based on business process
    • Select multiple functions, categories, or sub-categories for the cybersecurity assessment
    • Analyze capability gaps at the category level
    • Identify business processes with cybersecurity profile gaps
    • Approve cybersecurity profiles using electronic signature capabilities


  • Tool & Utility: Archer Experts Records Retention
    • Export attachments in bulk from applications, questionnaires, and sub-forms
    • Schedule one-time or recurring content exports



Content library packages are available on the RSA Exchange Documentation & Downloads subspace. All offerings are available via the RSA Exchange on RSA Link. We’ve also added a complete list of all RSA Exchange offerings, including implementation guides, demo videos, and installation guides where available.


Be sure to stop by the RSA Exchange demo area at RSA Archer Summit 2018 in Nashville to see the new offerings in action. If you have ideas for future RSA Exchange offerings, be sure to submit them to RSA Ideas.


See you in Nashville!

Take Control of Your Controls

Managing risk today isn’t easy.  Many times, your success in reducing risk is dependent on the effectiveness of the controls within business operations.  The design and implementation of control activities are key for your organization to reduce the possibility of negative events such as compliance violations, business disruptions, data breaches and a host of other scenarios.


I am happy to announce general availability of RSA Archer Release 6.4 SP1.  This release includes updates to several key use cases that are critical in managing control documentation, testing and reporting.  In other words, this latest RSA Archer platform and use case release focuses on helping customers ‘take control of your controls.’ Following on the heels of RSA Archer Release 6.4 in April, RSA Archer 6.4 SP1 leverages features introduced in RSA Archer Release 6.4 within several use cases and includes additional updates to the RSA Archer Platform.


Use Case Updates

  • RSA Archer IT Security Vulnerabilities Program – One of the most prevalent security controls is the identification and remediation of vulnerabilities on IT systems.  These vulnerabilities are the foothold today’s security threats need to compromise systems, ultimately leading to data breaches.  The process that identifies those vulnerabilities and ensures proper patches are implemented is critical in reducing the ‘attack surface’ of an organization.


The RSA Archer IT Security Vulnerabilities Program use case is designed to offer security teams an integrated approach to identifying and prioritizing high-risk cyber threats, proactively managing IT security risks by understanding the criticality of various assets to business operations, and combining those insights with actionable threat intelligence, vulnerability assessment results and comprehensive workflows.


Updates to this use case in this release improve performance of data feeds, introduce new workflows, update the integration to the National Vulnerability Database (NVD) and add a new Vulnerability Tickets application to track remediation actions needed to address vulnerabilities identified by scanners.


Updates to these use cases within this release streamline the compliance testing and controls management processes with improved planning for Compliance testing and support for multi-phase tests throughout the year.  One of the most exciting additions is the End-to-End Compliance Project Management, allowing compliance teams to scope controls and plan and generate appropriate Control tests as needed.   Additionally, a new Control Procedure Hierarchy provides a method to create a master list of Controls with automated creation of Control Instances via the Control Generator for different business entities and infrastructure. A new Evidence Repository application is now also included providing a single repository for evidence gathered in the Compliance testing process.


Additional updates to the RSA Archer PCI Management, RSA Archer Assessment & Authorization and RSA Archer Issues Management use cases carry on the theme of streamlined control management.


Platform Updates

This latest RSA Archer release also includes new and updated Platform features.  One of the key new features is the addition of an Electronic Signature using RSA Archer authentication or emailed PIN authorization.  This feature strengthens customers’ ability to log and track user actions and support non-repudiation of attestations.


In addition, other Platform updates in this release include:

  • Data feed performance and scalability improvements when using the Batch Content Save Token
  • Additional filtering capabilities for Calculated Cross-Reference and Report Object hierarchical values lists
  • Dynamic Field Population via Mapping for Bulk Action to populate fields with content assigned from a related field
  • Performance improvements for hierarchical values lists


For more information, see the RSA Archer Release 6.4 SP1 Product Advisory.

2018 Gartner Integrated Risk Management


Gartner has named Dell / RSA Archer a Leader in its inaugural Integrated Risk Management Magic Quadrant published on July 16, 2018. This is just the latest in RSA Archer’s long history of a Leaders quadrant designation in Gartner Magic Quadrant reports, most recently including:


Shifting to Integrated Risk Management

In recent years, particularly among more mature GRC implementations, we believe Gartner had seen that organizations were increasingly implementing multiple use cases to establish enterprise-wide risk management programs. In 2017, we observed that Gartner began reframing its assessment of the GRC market and of risk and compliance management-related solutions in the context of Integrated Risk Management.


Gartner believes that “integrated risk management enables simplification, automation and integration of strategic, operational and IT risk management processes and data.” We feel Gartner’s depiction of integrated risk management brings together Digital Risk Management (DRM), Vendor Risk Management (VRM), Business Continuity Management (BCM), Audit Management (AM), Corporate Compliance Oversight (CCO), Enterprise Legal Management (ELM), IT Risk Management, and Strategic Risk Management, all around the hub of Operational Risk Management.

Leaders Quadrant for RSA Archer

One of the greatest strengths of the RSA Archer Suite is enabling a customer to bring together and effectively integrate multiple use cases.  So to us it is no surprise that, among 16 vendors evaluated, Dell Technologies (RSA) was placed in the Leaders quadrant by Gartner. RSA is pleased to be positioned – yet again – as a Leader in – yet another – Gartner Magic Quadrant.  We believe this Integrated Risk Management MQ report shows a very positive evaluation of the RSA Archer Suite.



Thank You to Our Customers!

We know that this Leader position could not have been achieved without the help and support of our customers, acting as critical references in Gartner’s evaluation of the RSA Archer suite. Our sincerest thanks to all of you that have acted as a reference on our behalf!


The Future of GRC

The term “governance, risk, and compliance” has been fading in relevance over the past several years as organizations have matured their risk management programs.  Many of our customers have already implemented integrated risk management or enterprise risk management programs.  RSA, too, has embraced integrated risk management as a representation of how organizations should mature their risk management programs. We have long acknowledged that information security professionals cannot be truly effective in their roles without embracing business risk management – and integrated risk management is a further evolution of this idea. In the end, GRC is not dying – rather, it is evolving into IRM, a more meaningful approach to bring the whole organization together to consistently and effectively identify, assess, evaluate, treat, and monitor risk.


Magic Quadrant for Integrated Risk Management; Published: 16 July 2018; Analyst(s): John Wheeler, Jie Zhang, Earl Perkins

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from 2018 Gartner Magic Quadrant for Integrated Risk Management Solutions.


Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Are you tired of the GDPR discussion yet? I hope not. GDPR represents a tremendous opportunity to discuss risk management in a much wider context. GDPR – being all about personal data – is the opening you need to discuss how data is fueling your organization.

Why is Data Governance so important?

Data is so widely distributed in organizations today and the power of end users is tremendous. Just a simple download of Personal Data from a central, controlled system into a spreadsheet by a marketing person for a one-time use is a risk. So not only do you need to understand where the managed systems are that contain Personal Data, but also the possible outputs from those systems.

Processing activities can be extremely complex. This is where engaging those process owners is so important. First, you need to educate them on the risks and second, get their help in working out the data flows. Third parties are also a major challenge in this area. Many companies are leveraging cloud service providers or external vendors for many types of data processing. You must be able to identify these vendors, and then understand if they access or process personal data.

Shadow IT or functional groups working directly outside the scope of IT with external vendors are a major challenge. Policies, education and better options have to come into play. You may not be able to eliminate all of the instances where a functional group works with an outside firm – but you can certainly ensure policies and training are in place to educate those groups on the potential risks.

While the discussion with your business may start with personal data, it isn’t a long shot to talk about other elements of data, the importance of data governance and the controls needed to secure all types of data. Once you cross that chasm of discussing data, the opportunity to talk about internal and external threats is open.



Want to learn more about data governance and GDPR?  Check out our solution brief or take a look at the RSA Archer Data Governance use case.

Remember the hullabaloo around GDPR?  Well, it went into effect a little over a month ago and already there is litigation pending with Supervisory Authorities in 4 EU countries!  The first complaints filed pertaining to privacy concerns under the EU regulation are aimed at several major companies, all of which are U.S. based.


The First GDPR Complaints

Complaints have been filed against several U.S. based companies.  The suits range in size from one litigant to class actions, representing 9,000 to 10,000 EU data subjects.  As these stories unfold, no one knows how the lawsuits will progress or whether any of these companies will be fined by an EU Supervisory Authority.  However, GDPR continues to be an initiative affecting many companies.


There are three things we do know from these early lawsuits:


  • U.S. companies are not going to be immune to GDPR litigation.
  • Even if no fines are levied, each of these companies must devote expensive legal resources to defending against these suits.
  • If you are a U.S. based company handling information about EU data subjects, you need to make sure you are ready for GDPR, including being able to demonstrate your compliance should an EU Supervisory Authority make an inquiry.


GDPR Preparation Basics

Every company has to consider the impact of the GDPR on its own business requirements and operations.  There are some basics that stand out as good fundamentals for GDPR efforts and privacy programs, in general.


Security Risk Assessment: Article 32 of the GDPR outlines appropriate elements of a security risk assessment process to ensure controls and risk are appropriately designed and implemented. An effective risk assessment process accelerates the identification of the linkage between risks and internal controls, reducing GDPR compliance gaps and improving risk mitigation strategies.

Breach Response: Article 33 of the GDPR outlines specific requirements for notification of a personal data breach to the supervisory authority. Obviously, the goal of any security team is to prevent these kinds of breaches, but breaches can still occur.  Accomplishing this objective will require a combination of processes and technical capabilities including security incident management, security operations and breach management, as well as tools for deep monitoring and analysis of system related security data, such as system events, coupled with strong forensics capabilities.

Data Governance: The GDPR highlights that data governance is a crucial element of effective data management practices.  Organizations must protect personal data in a number of different ways, and must be able to demonstrate due diligence in keeping accurate records of processing activities.  A basic element of data governance is controlling who has access to personal data within the organization.  These requirements are in keeping with Identity and Access Management (IAM) and Data Governance best practices.

Compliance Program Management:  At the end of the day, GDPR is a regulatory issue.  A compliance program should provide the framework for establishing a scalable and flexible environment to document, manage and test your organization’s policies and procedures to comply with the GDPR.

Organizations with these basics in place can have a stronger foundation to address emerging issues, creating a more proactive and resilient environment while reducing the cost of GDPR compliance.

For more information, check out RSA's resources on GDPR - specifically this paper on GDPR Compliance.  For RSA Archer Community members, we have several Practitioner Tours highlighting the RSA Archer privacy use cases - Data Governance and Privacy Program Management.

GDPR has come – and gone?  Not really.  Despite the deadline passing without the sky falling, GDPR is something that can’t fall off your radar.  If your legal and compliance team raised the GDPR flag as something you need to address, then you should certainly be thinking long term.  GDPR is not just a regulation - it is an opportunity.


New regulatory requirements are a great opening to take a close look at controls in general.  When Sarbanes Oxley hit organizations, they responded by focusing obviously on the financial reporting processes.  But over time, companies realized a strong control strategy has benefits beyond those processes.  It raised the awareness of managing not only compliance – but of managing risks to the business.  GDPR can play that same type of role.  While the immediate focus may be on security of personal data – the changes GDPR can bring in policies, processes and technical controls can benefit areas of your business outside of Personal Data.


What Comes after GDPR?

If your organization understands how important it is to protect personal data because of regulatory requirements, then the time is ripe to ask the question – what about other data?   GDPR represents a shift in how businesses must address data governance, breach preparedness and risk and compliance management.   Those controls can evolve into a better strategy across the enterprise.  Take the opportunity – have the discussion.



Want to learn more?  Check out RSA's perspective on GDPR or read the white paper on how GDPR is affecting your future.

The California Consumer Privacy Act is the latest addition to the privacy regulatory world and it is stirring the conversation about protecting personal data even more.  I’ve been a huge fan of Saturday Night Live since the first time I saw it on TV.  One of its iconic recurring skits was “The Californians”, whose primary theme was explaining how to get from one place to another by using different California roads and highways.  As of last week, real Californians have a new topic to discuss that's a lot more serious: Information Privacy!  And the route by which organizations may need to proceed could have as many twists and turns as those classic SNL Californian skits.


What is the California Consumer Privacy Act?

On June 28, “The California Consumer Privacy Act of 2018” was signed into law, extending Californians’ right to privacy.  This law strengthens rights of California residents already in place.  In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people. According to the California Consumer Privacy Act, “fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.”


Beginning January 1, 2020, the law provides for:

  • The right of Californians to know what personal information is being collected about them.
  • The right of Californians to know whether their personal information is sold or disclosed and to whom.
  • The right of Californians to say no to the sale of personal information.
  • The right of Californians to access their personal information.
  • The right of Californians to equal service and price, even if they exercise their privacy rights.
  • Businesses that collect consumer personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used and shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice.
  • A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer and the business shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
  • Businesses that suffer a breach of security shall be deemed to have violated the Act and may be held liable if the business has failed to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information from unauthorized disclosure.

What does the new California Privacy Law mean to businesses?

The first step, as with all new regulatory changes, is to engage with legal counsel to see how the law may affect your business.  According to the law, businesses that do not comply are subject to litigation and sanctions.  Any consumer whose nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of the business failing to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

  • To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
  • Injunctive or declaratory relief.
  • Any other relief the court deems proper.

In assessing damages, the court shall consider any one or more of the relevant circumstances, including, but not limited to, the nature and seriousness of the misconduct; the number of violations; the persistence of the misconduct; the length of time over which the misconduct occurred; the willfulness of the defendant's misconduct; and the defendant's assets, liabilities, and net worth.


In addition, any person, business, or service provider that intentionally violates the Act may be liable for a civil penalty of up to seven thousand five hundred dollars ($7,500) for each violation.


While the amounts involved may appear relatively immaterial, they will certainly be impactful in aggregate as the size of a breach grows.  Further, the ill will and reputation risk associated with breaches will be magnified due to press coverage around violating this Act.


Consumer Privacy

The concept that consumers own their information and have the right to control it is the front and center tenet of the California Consumer Privacy Act.  Businesses subject to this regulation have much work to do to ready themselves to accommodate consumer rights to receive notice; to inquire about the information; to refuse sharing; and to delete information.  At the same time, businesses handling consumer information must establish a program designed to ensure that reasonable security procedures and practices are implemented and maintained appropriate to the nature of the information to protect it from unauthorized disclosure.  As with most privacy-related regulations, the California Consumer Privacy Act will prompt businesses to adopt an ongoing, risk-based information security program across their extended enterprise.


No, this Act isn’t funny like SNL’s “The Californians” but it is already being touted as groundbreaking, and the most sweeping privacy legislation passed in the U.S. to date.


Check out RSA Archer's use cases that are designed to help organizations with privacy challenges:  Data Governance and Privacy Program Management in the RSA Archer Regulatory and Corporate Compliance solution.
