
RSA Archer Suite


What is a cyber incident / breach response program?

Cyber and security breaches continue to dominate front-page headlines all over the world. It’s not enough to hope it doesn’t happen to you or to assume you’ll be able to respond effectively if it does. Companies need a proactive, program-level approach to IT and security risk management based on sound methods for prioritizing actionable security events, combined with consistent operational response procedures. Poor handoffs between security functions and IT teams leave limited visibility into the remediation efforts needed to close declared cyber incidents, and can weaken the overall process to the point where it breaks down when it is needed most, namely during a breach.


Why are cyber incident & breach response capabilities so important?

The identification of potential security issues and the process of responding to a possible cyber incident are the first lines of defense against a significant business event. Many organizations have deployed security information and event management (SIEM) technology and log collection tools in their infrastructures to track events and provide alerts. These systems produce an overwhelming amount of data for the security team to review. Uncoordinated security response processes managed in spreadsheets, email, and other ad-hoc mechanisms further raise the overall risk that the organization will not be able to respond in time and effectively.


RSA Archer Cyber Incident & Breach Response Program Management

RSA Archer Cyber Incident and Breach Response enables customers to centrally catalog organizational and IT assets, establishing insightful business context to drive incident prioritization and implement processes designed to escalate, investigate and resolve declared incidents effectively. This use case is designed for teams to work effectively through their defined incident response and triage procedures and prepare for data breaches. Built-in workflows and reporting allow security managers to streamline processes while staying on top of the most pressing concerns. Issues related to a declared incident investigation can be tracked and managed in a centralized portal, enabling full visibility, stakeholder accountability and reporting. If an incident escalates into a data breach, prebuilt workflows and assessments are designed to help the broader business team work with your security team to respond appropriately.


With RSA Archer Cyber Incident and Breach Response, declared cyber and security events are escalated quickly and consistently, a crucial aspect of robust Integrated Risk Management programs. Advanced workflows and insights allow more efficient utilization of security team resources, resulting in faster response, analysis, and closure rates for critical security incidents. With improved processes and capabilities, the security team can more effectively leverage existing infrastructure, such as SIEMs, log and packet capture tools, and endpoint security technologies, to focus on the most impactful incidents. These capabilities improve the security team’s preparedness for serious incidents involving potential data breaches, while increasing the return on infrastructure investments and lowering overall security risk.


For more information, please visit and review the Datasheet.

What is Business Continuity & IT Disaster Recovery Planning?

Business continuity (BC) and IT disaster recovery (DR) planning is defined as the development of strategies, plans and actions which provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise.


Why is Business Continuity & IT Disaster Recovery Planning important?

In today’s world, 24/7 service delivery requirements are putting greater pressure on business and IT resource availability, making it even more important to have effective recovery plans. Interruptions ranging from isolated infrastructure failures to natural disasters have the potential to cause serious harm to the organization’s finances and reputation. Unfortunately, recovery efforts are often chaotic, ad hoc and uncoordinated due to little or non-existent planning efforts and business recovery and IT disaster recovery teams working in silos.

Your continuity and recovery teams live in a world of regulatory saturation, with dozens of regulations, methodologies, maturity models, guidelines and laws. These authoritative sources affect how you implement and manage your business continuity programs. The demands from regulators for strengthened programs have increased, while the number and type of catastrophic man-made and natural disasters are on the rise, resulting in regulatory fines and penalties due to the inability to comply during a disruption.


Another challenge affecting the ability of companies to recover after a disruption is recovery plans kept in multiple, inadequate tools that don’t give management the visibility to quickly answer questions such as which business processes or IT infrastructure are missing recovery plans, or which plans have not been tested. Further, many IT disaster recovery teams work with an understanding of what is critical or most important to recover that differs from that of business continuity teams. This results in an inability to align on and recover critical business and supporting IT infrastructure to deliver products and services according to recovery objectives.


RSA Archer Business Continuity & IT Disaster Recovery Planning

The RSA Archer Business Continuity & IT Disaster Recovery Planning use case addresses the problems outlined above through key features that include:

  • Centralized location, templates, workflow, review and approval processes for developing standardized business continuity and IT disaster recovery plans that are built around best practices and industry standards
  • Project management capabilities to help drive the entire lifecycle of continuity planning, from plan development, to testing, to continuous improvement
  • Dashboards and reports that provide visibility into the current state of the organization’s plans status, review dates, test results and remediation status
  • Workflows and reporting that enable coordination between business continuity, IT DR, and crisis teams

With RSA Archer Business Continuity & IT Disaster Recovery Planning, you will be able to:

  • Improve your response to disruptions, which can reduce the impact on revenue, brand and customer loyalty and availability of products and services for customers, employees and third parties
  • Implement a consistent and coordinated planning process and methodology for business and IT supported through one central tool
  • Increase trust by senior management, the board, regulators and employees with higher-quality, tested recovery plans
  • Ensure plans are aligned with the organization’s priorities and include the most critical processes and company assets
  • Coordinate information, priorities and objectives among business continuity, IT disaster recovery and crisis teams, and responders, enabling better focus on the right priorities in the event of a disaster


RSA Archer Business Continuity & IT Disaster Recovery Planning is one element of Integrated Risk Management. This use case provides a coordinated, consistent and automated approach to business continuity and IT disaster recovery planning and execution, allowing you to respond swiftly in crisis situations to protect your ongoing operations. As your company drives business growth with new initiatives, technology adoption or market expansion, your program must evolve and manage risk with more agility and integration than before.  Managing recovery planning is one ingredient to building resiliency across the organization and reducing risk.


RSA Archer can help your organization manage multiple dimensions of risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.


For more information, visit or read the Datasheet.

According to Oxford Metrica, during the next five years, over 80% of companies will face a crisis that negatively impacts their share price by 20% to 30%. Business disruptions from events such as cyber threats, natural disasters or third-party interruptions have the potential to cause serious harm to the organization’s operations, finances and reputation.  In today’s increasingly digital world, 24/7 service delivery requirements are putting greater pressure on business and IT resource availability, making it even more important to have effective continuity plans.


Business continuity, IT disaster recovery and crisis management teams are facing mounting challenges: from trying to build resilience in increasingly complex businesses, to dealing with more diverse and frequent disruptions, to living in a world with a growing number of regulations, methodologies, maturity models, guidelines and laws that affect their resiliency program requirements. Driving recovery and resiliency in today's organizations isn't getting easier.


Too often, approaches to continuity and recovery in today's organizations are overly complex and not built on a solid foundation. Manual processes, information silos, separate teams with conflicting priorities, and a lack of ownership just complicate things even more.


Join me on November 15 for a webinar to discuss these and other challenges, as well as focus on the basic building blocks of a solid business continuity program. 


You can register here (Event Registration) and take the first step to ignite your business resiliency program!

What is Business Impact Analysis?

The Business Impact Analysis (BIA) is a very well-known step in the Business Continuity Management (BCM) lifecycle used to identify and evaluate the criticality of the organization’s business processes and supporting IT infrastructure. This criticality in turn drives such areas as recovery planning and strategies, incident prioritization, and plans and resources to develop better resiliency across the organization.


The Business Impact Analysis process can also provide valuable information for other risk and compliance processes. While the focus of the BIA is typically to determine availability requirements, business process owners and those providing input to the BIA can also identify compliance, risk, security or other requirements. These additional perspectives can be valuable input to prioritize issues, determine compliance or control requirements, or assess business risk.


Why is assessing business impact important?

Investors, customers, regulators and boards of directors are becoming more interested in management’s capability not only to recover quickly, but to continue operations through any disruption. However, organizations that fail do so because they have not adequately assessed the criticality of their business processes and planned accordingly.

One major challenge to management is keeping track of the constantly changing landscape of business processes and their supporting infrastructure, such as their connection to IT systems, third parties, locations and critical information.


Another challenge is making sure current BIAs have been performed for all business processes so that management can understand their criticality to the business. The issues for most companies today are:

  • BIAs are not completed often enough or consistently
  • BIAs are completed in separate systems and spreadsheets
  • BIAs are performed differently throughout the organization
  • IT and the business complete separate BIAs

Now more than ever, business process managers and BCM teams must work together to perform BIAs to understand the strategic, financial, reputation and other key impacts of a disruption.


RSA Archer Business Impact Analysis

The RSA Archer BIA use case addresses the problems outlined above through key features that include:

  • A Business Process catalog that tracks processes and their relationship to supporting infrastructure, such as IT systems, third parties, locations and critical information
  • A pre-configured BIA that follows standards and best practices and includes workflow, notifications and reference data that BCM teams can use to determine the criticality of all business processes
  • Dashboards and reports that enable each user to see and respond to the information they rely on

With the RSA Archer BIA use case, you will be able to:

  • Maintain one consolidated system of record for all BIAs
  • Implement a single, best practice and standards-driven approach to completing BIAs with workflow, notifications, review and approval processes
  • Quickly access reporting that shows key metrics and reports so BCM teams, Business Unit managers and business process managers can manage their BIAs


The RSA Archer Business Impact Analysis use case is a critical element of Integrated Risk Management. As your company drives business growth with new initiatives, technology adoption or market expansion, your BCM program must evolve and manage risk with more agility and integration than before.  Managing the recovery and resiliency of what is most important within the organization is one required ingredient to effective integrated risk management. The BIA helps establish the business context and prioritization which are fundamental elements of managing risk.


RSA Archer can help your organization manage multiple dimensions of risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.

For more information, visit or read the Datasheet.

What is issues management?

Issues Management is the process an organization follows to treat issues, gaps or findings, as well as related remediation plans or exception requests that are generated by multiple groups, such as audit, risk and compliance. Issues Management is one of the most fundamental processes for Integrated Risk Management. Control gaps, findings from risk assessments, testing failures from compliance, security, and other types of audits, or any issue identified within the business that could lead to an operational error or failure are indicators of risk. Issues Management is the process by which those items are cataloged, reported and tracked from identification to resolution or acceptance by the business as a known risk or gap.


Why is the proper management of issues and remediation plans so important?

Organizations of all size and scope have issues that are generated from internal or external audits, regulatory reviews, vendor assessments or other sources. These issues usually have related remediation plans that the owners have committed to. However, in our experience neither issues nor remediation plans are managed as well as they should be. They’re usually tracked in scattered documents or siloed systems, there’s no effective way to follow up with the owners, and no consolidated reporting or visibility for executives into overall status. Sometimes, management needs to push back on these issues and there is typically no exception request process to do so. Finally, some issues are symptoms of bigger problems, and without a way to look at them through a more strategic lens, the bigger problem might not ever be properly addressed.

This causes three major concerns. First, there is the additional cost and effort that comes from this duplicative and inefficient way of handling issues, which ties up multiple teams with tracking, following up, consolidating the issues and reporting. Second, and more importantly, most of these issues don’t get properly addressed because the remediation plans aren’t tracked or implemented on time, if ever. This is a major reason auditors identify repeat findings. What’s even more concerning is that some of these repeat findings are very critical, and result in financial losses, regulatory fines or sanctions, fraud, reputation impairment or other risks that could have been avoided. Finally, in this day of risk management, most organizations have no way to relate issues to their measurement of risk, or to determine whether their remediation plans reduce risk.

RSA Archer Issues Management

RSA Archer offers the Issues Management use case which addresses the heart of the problems outlined above. The key features include:

  • Pre-defined workflows, reporting, user roles and notifications, which enable immediate best practices in managing the entire lifecycle of your issues, remediation plans and exception requests
  • A repository to establish your corporate hierarchy (business unit, division) and business and related IT infrastructure (contacts, business process, IT applications, locations, information assets), with connections between issues and your risk register
  • A consolidated and coordinated repository of issues and remediation plans from all sources, including risk, compliance, audits and management assessments

With RSA Archer Issues Management, you can:

  • Immediately implement best practices in managing the entire lifecycle of your issues, remediation plans and exception requests, including measuring real reductions to risk
  • Establish your business context and relate findings, remediation plans and exception requests to the right targets and owners. This is fundamental: it sets the foundation for your governance, risk and compliance (GRC) program and establishes ownership over issues and remediation plans
  • Consolidate and coordinate issues and related remediation plans or exception requests from all sources and identify redundancies, reducing time, frustration and expense
  • Reduce repeat findings, time to resolve issues and implement remediation plans and reduce overall risk

As long as audits, regulatory reviews, self-assessments by business areas or assessments by others are done, management, GRC teams and internal auditors will continue to create issues and require remediation plans. However, the days of managing them ineffectively or in silos must be put in the past, as business growth depends on better and more integrated ways of handling issues and related risk.


RSA Archer Issues Management is one element of Integrated Risk Management. As your company drives business growth with new initiatives, technology adoption or market expansion, your risk management program must evolve and manage risk with more agility and integration than before. Managing issues and remediation plans effectively is one ingredient to showing real progress and improvement and decreasing business risk. The use case is also integrated with other RSA Archer risk and compliance use cases enabling your organization to move toward Integrated Risk Management (IRM).


RSA Archer can help your organization manage your issues, remediation plans, exception requests and multiple dimensions of risk on one configurable, integrated software platform. With RSA Archer solutions, organizations can efficiently implement risk management processes using industry standards and best practices and significantly improve their business risk management maturity.


For more information, visit or read the Datasheet.

It seems like yesterday that I announced the release of RSA Archer 6.4 SP1 with updates to several key use cases and some exciting platform enhancements, but here we are again with more exciting news. I am happy to announce general availability of RSA Archer Release 6.5. This release focused mainly on enhancing several areas of the RSA Archer platform with updates in user interface, performance, workflow and reporting. Additionally, we continue to see risk programs maturing and have developed a Scenario Analysis and Delegated Authorities approach for the RSA Archer Top Down Risk Assessment use case.

Use Case Updates

As companies continue to mature their programs and target integrated risk management capabilities, we focused on a key element of our Enterprise and Operational Risk Management solution - RSA Archer Top-Down Risk Assessment. This use case is designed to help your organization implement a standardized approach to building and maintaining a risk register and supports multiple types of assessment approaches. We have added a new Scenario application enabling risk teams to create “what if” scenarios, adjust the granularity level of the assessment and tie them to risk register records, providing more precise analysis as risk owners assess risk. These scenarios can be built into a new Scenario Library application. Risk teams can create and manage a set of scenario templates that can be used to easily create new scenario records. Additionally, new functionality adds the ability to manage Delegated Authorities on risks. This concept is critical in risk management processes, allowing risk teams to route risks for acceptance to users that have been assigned to a defined acceptance level for each business unit. With Delegated Authorities, risk assessment processes can more quickly and efficiently route risks for review at the appropriate functional level of approval.


Updates to the record permission structure have been made to RSA Archer Crisis Management and RSA Archer Business Continuity & IT Disaster Recovery Planning use cases to prepare for some exciting upcoming integrations.  Keep an eye out for those in the near future.

Platform Updates

RSA Archer Release 6.5 delivers a number of enhancements and new functionality to the RSA Archer Platform. These include performance improvements for faster ingestion and more efficient management of data at scale, new Advanced Workflow functionality for greater ease of use, new export and reporting capabilities, and a variety of usability, accessibility, and User Interface improvements.   These are only some of the highlights so make sure you read the Product Advisory for more details.


Several of the new features focus on usability, accessibility, and UI enhancements, including field-level encryption for Attachments and Images and inline edit for Calculated Cross-Reference and Related Record fields. Our user interface improvements continue with visual adjustments on Record and Questionnaire pages. Additionally, since RSA Archer is used as a key reporting source for business and executive users, we have added several data export and reporting enhancements. An updated Content API offers the ability to save content, fetch tasks and retrieve related records, improving the ability to integrate with external systems such as business intelligence tools. We have also made visual improvements to default chart settings and updated the Microsoft Excel-based export functionality, which now allows users to export up to a million records in a single file. Finally, a new dashboard export to Microsoft PowerPoint format not only streamlines output from RSA Archer for presentations, it also gives users the ability to include data and edit the PowerPoint before sharing RSA Archer dashboards.


An Advanced Workflow enhancement includes new functionality that allows system administrators to make bulk changes to their advanced workflow business process and move enrolled records to the new workflow version.  UI improvements also have been added to provide a new full-screen option for Advanced Workflow Designer making it easier to view and edit large or complex workflows.


Finally, as usual, we continue to make performance enhancements.

  • Support for SQL 2016 SP1 and SQL 2017 enables future Platform features and brings several Enterprise Edition capabilities to the Standard Edition, which many customers run to power their RSA Archer implementations.
  • Our new Data Gateway allows customers with large data sets in external systems to connect to RSA Archer, and continues to expand with the ability to notify RSA Archer of changes in the external subsystem and to allow RSA Archer to trigger calculations.
  • Our added support for independent licensing of Elasticsearch for Keyword and GlobalSearch allows for faster and more efficient indexing of content for search purposes, performing "at scale" when large record volumes are present.
  • Bulk Actions Dynamic Field Population enables users to dynamically populate a text field in content created during a Bulk Actions creation activity. This enables text fields to be built from multiple attributes to give fields like Title and Description more context during the bulk creation process.
  • Job Engine improvements help reduce overhead and total runtime and provide additional measures for administrators to control how the Job Engine operates.


For more information, please read the Product Advisory.

Privacy Discussion Begins

I had the distinct pleasure Tuesday to sit in on a livestream of NIST Privacy Framework: Workshop #1. Hosted by the National Institute of Science and Technology (NIST), Workshop #1 was the kick off of an initiative NIST is leading to develop a voluntary privacy framework. Although the NIST Cyber Security Framework has been hugely popular across industries, NIST feels that it does not adequately address Privacy. NIST’s objective is to establish “a voluntary Enterprise Risk Management tool that organizations can pick up and use to manage privacy risk.” They have lofty goals that include producing a tool that can be used long into the future; encompasses emerging and unknown future technologies and uses of information; is as useful as NIST CSF; and to make the framework broad enough to be consistent with existing privacy and risk management standards, where practical!


NIST recorded the three hour workshop and is going to make the recording available to anyone that wants to watch it. I encourage you to do so as a lot of REALLY interesting concepts were discussed by some seriously qualified thought leaders in this space. I’m super “geeked out” about this material and excited to share with you what I found most interesting. None of this is final in any way but represents some of the conversations I found most compelling.

  • Privacy is defined by the harm, if any, inflicted upon an individual by the way their information is handled.
  • Harm is defined by each individual and may change over time.
  • One individual’s harm may be different than another individual’s harm and is almost certainly different from the harm to the business that was the source of the privacy-related harm to the individual.

I personally think it is brilliant to be defining privacy in terms of the harm that it presents to an individual.  However, it has significant risk management ramifications that will need to be worked out in the privacy framework.


Risk Management Ramifications of the NIST Privacy Framework 

Identification of Privacy Risk

Organizations will need to know everywhere they have information about individuals. The use of scanning tools will increase in order to find information across the enterprise. But the information you are looking for may not be the obvious (name, address, account number, account balance, health information, etc.). The question may be: what information do we have about an individual that could be used in a way that could bring about harm to that individual? You also have to ask: if we give any individual’s information to a third party, what could the third party intentionally or unintentionally do with the information that could harm an individual? Will third party assessments begin to include questions to find out what other information third parties might have that can be combined with the information you are sharing with them, and that could cause harm to an individual?


Inherent Risk Assessments

Defining privacy in terms of harm to an individual will make inherent risk assessments more challenging and scenario-based. You will most certainly need to think outside the box to consider all the different ways information you collect and handle could harm an individual. How will you determine whether your information collection, information handling and sharing with third parties, potential breaches and incident response will harm any individual, and by how much? Will you need to start asking individuals how they would feel if their information was breached or used in an unintended manner? Will your organization need to periodically refresh its understanding of individual harm, particularly as new technologies and uses of information emerge?


You will need to stay abreast of every new and changed way information is collected, managed, shared with a third party, destroyed, etc. In each of these cases you will no doubt need to document what and why information is being collected, the information lifecycle from collection to destruction, the intended use of the information, and the numerous possible uses of the information that could cause harm to an individual, including through your extended third party ecosystem. 

If you do conclude that information you handle could cause harm to individuals, how will you rate the risk? What is the measure of harm: anything from financial loss, embarrassment, harassment, loss of time from unwanted marketing, blackmail, psycho-social manipulation, even physical harm and death? Many of these kinds of harms do not readily translate into financial terms.


Residual Risk Assessments

With cyber security risk you apply appropriate organizational and technical measures to reduce the likelihood and / or impact of unauthorized access, alteration, or destruction of the information. Defining privacy risk as harm to an individual(s), you aren’t solely concerned with unauthorized access, alteration, and destruction. Your intended and unintended use of the information could cause harm. At a minimum, organizational controls will take on a relatively greater importance to ensure you are effectively capturing and controlling residual risk.


Risk Evaluation

Let’s say that you do find a way to rate residual risk in terms of harm to individual(s).  Mature organizations that manage risk against risk appetites and tolerances will have to go back and look at those values and somehow incorporate harm to individuals.  How much harm and what type(s) of harm to individuals will organizations be comfortable with?


NIST is just beginning the process to come up with a Privacy Framework and nothing is set in stone yet. The privacy conversation is just beginning, but it benefits each of us and our organizations to try and shape the conversation so that any privacy framework published by NIST provides meaningful value without undue complexity and implementation heartburn.

What is controls assurance?

Controls assurance addresses the ongoing practice of measuring control performance against expected outcomes and addressing gaps discovered along the way. These controls are essential in reducing inherent risk - defined as risk that exists natively (for a process, system, asset, etc.) in the absence of controls. Controls describe mechanisms that are (or should be) implemented to reduce inherent risk, including process refinements, allocation of resources and technology, etc. Operational risk and control requirements often increase in number and complexity as an organization changes. Successful compliance depends upon the consistent performance of carefully controlled activities.


Why is the concept of controls assurance so important?

In many organizations compliance and reporting activities consist of manually gathering information from various people and systems scattered in different locations. This manual headwind leads to chasing one compliance emergency after another reactively, with the business always a step behind the regulatory change curve. The result for organizations lacking a robust corporate compliance program is often increased audit findings, penalties, and greater potential for brand and reputational damage.


RSA Archer Controls Assurance Program Management

RSA Archer Controls Assurance Program Management provides a structured framework and taxonomy for systematically documenting the organizational control universe, continuously assessing performance of controls at all levels of the business hierarchy, and reporting aggregated results in a variety of concise formats that are approachable for all audiences. Automated testing for a wide range of process and technical controls as well as integrations with leading testing technologies are easily managed. Another critical function of Integrated Risk Management is handling issues that arise. RSA Archer’s built-in Issues Management functionality helps centralize accountability to ensure gaps are identified and remediated efficiently.


With RSA Archer Controls Assurance Program Management, organizations can apply clear, accurate controls guidance in support of any compliance objective. By improving the linkage between compliance requirements and internal controls, the business can streamline communication and collaboration and improve reporting on compliance obligations using a standard taxonomy and common risk language throughout the organization. With RSA Archer’s agile and flexible platform and complementary frameworks, the first and second lines of defense can proactively manage key risk and compliance indicators as the business and its obligations change, reducing time spent researching and linking external requirements to internal controls, and improving overall accuracy and completeness of ongoing control testing activities.


For more information, please visit and review the Datasheet.

The following is a guest blog from industry writer, David Strom. More on him below.


One of the best takeaways I got from attending the RSA® Archer Summit 2018 was the opportunity to listen to customers tell their deployment stories. I have put together a series of tips based on advice from several speakers who have been using the product for many years. 


One speaker, a director of risk operations for a large retailer and a long-time user of RSA Archer, talked about the challenges of their initial deployment.  Things didn't start out very well initially - their first deployment was less than successful.  They originally were running three different instances of RSA Archer. It broke easily and was implemented so poorly that it was hard to make changes, they told conference attendees. Plus the data quality was poor and none of these instances used a common data repository. As a result, it had a bad rap with the Information Security department. They had to reset and evaluate their environment.  But now, their RSA Archer deployment is a different story, as you will see below.


Here are my top ten tips to ensure that your RSA Archer deployment won’t die on the vine.


1) First, know your stakeholders. When this large retailer began its project, they spent a lot of time analyzing who was eventually going to use RSA Archer. They researched and found their key influencers who had been passionate (both positively and negatively) about the platform and what their initial impressions were about using the product.  Then, they created a scale that went from defiant to neutral to advocate for the platform.  Next, they looked at what it would take to move each influencer in a more positive direction. Part of this stakeholder analysis included various business unit owners that would eventually benefit from using RSA Archer.


2) Make sure you look for influencers in non-obvious departments, too. The retailer wanted to woo their Chief Legal Officer, even though they knew it would be a hard sell. This was because they face many recurring legal situations, such as slip-and-fall accidents, or having to find someone who has been fired so they can get their last paycheck.  Sometimes, it would take weeks to track down this ex-employee. The IT manager for the retailer, though, showed how RSA Archer could speed things up and got their legal department on board.


Matt Hancock went into more detail in another session at the conference. He is the principal advisor for risk at Rio Tinto, an Australian mining company with more than 47,000 global employees. They matched their existing risk register with their organizational structure, to ensure that they were going after the right targets.

Matt Hancock of Rio Tinto, presenting at RSA Archer Summit 2018


3) Do a demo. Demos can help bring people together to understand how the product can be used, according to a security engineering manager at a consultant for a large DC-area government agency.  Given their size, it is no surprise that data was kept in numerous silos and had no standard schemas whatsoever. RSA Archer can help to get everyone on the same page.


4) Understand your requirements and try to avoid creeping expansion. “Everyone had different requirements when we started with our RSA Archer project,” said the risk manager at the retailer. “As soon as people realized how quickly they could configure RSA Archer, that is when our requirements exploded,” said the government consultant. The trick was managing these expectations.


5) Centralize your RSA Archer governance team. Several IT managers mentioned this suggestion at different conference sessions, but I liked what the manager from Rio Tinto said in his session. Their governance committee is drawn from various organizations and complemented with additional teams to handle the delivery of RSA Archer applications. This team includes an architect, DevOps, reporting and data lead staffers. You might want to map out this structure too before deployment.


6) Build trust, listen to your users’ point of view and keep them frequently informed. This shouldn’t come as a surprise, but is still worth mentioning.


7) Use RSA Archer as a unifying force. “Before we started using RSA Archer, there wasn’t a lot of interaction between our risk assessment and audit teams. It has really brought us together,” said the government consultant. “Consistency is key. Just because your dashboard shows something is red is meaningless if you also show other shades of red. All alarms and exceptions should be treated the same,” said Hancock of Rio Tinto.


8) Understand your processes up front and get this right before you deploy. Part of this effort should create a taxonomy and strategy plan that will work corporate-wide. The retailer spent six months refining their processes before they ever touched any RSA Archer code. While that sounds like a lot of time, it eventually saved them a lot of grief down the road and avoided reworking their assumptions and wasted effort. Indeed, one person did nothing but process mapping with various stakeholders, according to their risk manager. Other presenters mentioned similar pre-planning time periods. “Integrated risk is all about people, processes and systems, and they all have to work together. We have to get our culture right before we can build good systems,” said Hancock.


9) Explain how RSA Archer is going to help your various stakeholders in their daily work life. The retailer presented how RSA Archer would produce certifications and compliance reports with a lot less work than they were doing previously. The other presenters had similar stories about how they sold the benefits of the platform to their users.


10) Finally, simple is usually better. Streamline everything. Consolidate your risk technologies. Aim for more holistic reporting and better transparency.


In another session, Mat Bonderud, who is the IT Risk Manager for FedEx, said, “Quantifying risk is a journey, not a destination. There are certain steps along the way. The important thing to remember is that you need actionable data-driven reporting that can stand up to criticism. If you produce a report that says it is raining on your house, you need to know how many raindrops are actually getting through your roof -- that is the actionable number.”


Good luck on your journey towards more risk-based decision making.



David Strom is an independent writer and expert with decades of knowledge of the B2B technology market, including the network computing, computer hardware and security markets. Follow him @dstrom.

I recently attended the Disaster Recovery Journal (DRJ) Fall World 2018 conference in Phoenix, Arizona.  The conference was chock full of helpful discussions about business continuity management (BCM), but another consistent theme this year was risk management.  RSA is the market leader in risk management solutions and we had a strong presence with dozens of interested visitors at our booth. I was also interviewed (listen to the full interview at the bottom of this blog) at the conference and asked by the host about what RSA does. I explained our mission and emphasized we try to help our customers understand two very important concepts as they implement and mature their resiliency and risk capabilities - Business Driven Security and Integrated Risk Management (IRM).


First, I explained that Business Driven Security is so critical because cyber risks and threats are no longer only an IT problem.  They are a business problem and a challenge to building a resilient business.  However, a "gap of grief", or lack of mutual understanding between IT and the business, gets in the way of the business' ability to prioritize risks and threats and take appropriate actions.  In fact, this gap can exist within IT as well, as IT risk, recovery and security groups may not be working well together either.


Next, I explained that IRM is the integration, operationally and strategically, between risk, compliance, BCM, audit and other groups striving to manage risks and compliance.  These groups are often siloed, use different tools and approaches, and because of the separation cannot combine or communicate risk and compliance status holistically enough for executives to understand or make decisions with.


These two themes resonate with our customers and give them guiding principles upon which to build their risk programs.  However, the principles are not just important to risk management.  They are also fundamental to developing resilient organizations that can stand up to the increasing onslaught of disruptions impacting today's enterprises.  These principles help resiliency programs with similar challenges of bridging business and IT recovery, better managing risks, and communicating the right priorities up the chain.  Resiliency activities and goals are a critical part of IRM and can become a competitive advantage for organizations that strive to mature. 


What do we mean by IT security vulnerabilities?

IT security vulnerabilities can arise for a variety of reasons, the most common being systems deployed in the environment with misconfigurations, critical patches missing, inadequate information classification and network segmentation, etc. It takes very little for overall security risk to rise sharply, and often disproportionately.


In other words, a small number of vulnerable systems can easily put the entire environment at risk; something that is increasingly alarming on a global scale. For example, according to RSA’s Cybersecurity Poverty Index survey, 75% of organizations said they have significant cyber risk exposure but only 5% felt they were positioned in an “advantaged state” to detect and manage security exposures effectively.


Why is a program approach to managing IT security vulnerabilities so important?

The identification and remediation of security vulnerabilities is an absolute necessity in managing the constant threat of data breaches and system compromises. Attempting to stay ahead of threats, organizations may deploy one or even multiple scanners to identify vulnerabilities, only to produce too much information to be helpful in managing security risk. This deluge of data leads to a poor handoff to IT operations in addressing tactical security vulnerabilities, as well as limited or no visibility into ongoing remediation efforts to close those gaps.


Organizations that have implemented vulnerability scanning solely for compliance purposes also receive limited added value for the effort. Ultimately, attempting to manage the large volume of vulnerability data without a sound process to prioritize security issues drastically reduces the effectiveness of this fundamental control.


RSA Archer IT Security Vulnerability Program

RSA Archer IT Security Vulnerabilities Program (ITSVP) offers a data-centric approach to identifying and prioritizing high-risk threats. This use case is designed to enable operational teams to proactively manage IT security risks by combining asset business context, actionable threat intelligence, vulnerability assessment results and comprehensive workflows in one place.


IT assets can be cataloged with a full business context overlay providing better prioritization of scanning and assessment activities. Security analysts can implement alerts, explore vulnerability scan results, and address issues as they arise, all of which serves to boost the closure rate for critical gaps. The ability to research known vulnerabilities helps to guide the prioritized efforts of IT operations, resulting in lower costs, less time and effort, and better visibility into dangerous vulnerabilities on critical assets. A powerful and flexible rules engine highlights new threats, overdue issues, and changing business conditions. A consolidated management module integrates powerful analytics with reporting, workflows, and a risk management framework to enable company leaders to confidently execute data-driven security decisions.


With RSA Archer IT Security Vulnerabilities Program organizations can effectively manage the entire vulnerability lifecycle from detection and remediation to verification and reporting. Customers can also enjoy seamless integration with other RSA Archer use cases designed to tackle all the aspects of Integrated Risk Management in their unique environments.
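The prioritization described above (scanner results weighted by asset business context and threat intelligence, with a small rules engine flagging overdue and uncataloged items) as an added illustration in Python. This is not RSA Archer code; the asset catalog, tier weights, SLAs, finding identifiers and dates are all constructed for the example.

```python
"""Added example (not RSA Archer code): rank scanner findings using asset business context."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed asset catalog, standing in for the business-context overlay the text describes.
# Tier 1 = mission critical, tier 3 = low impact; the tier drives both weight and SLA.
ASSETS = {
    "pay-db-01":   {"tier": 1, "internet_facing": False, "owner": "payments"},
    "www-edge-02": {"tier": 2, "internet_facing": True,  "owner": "web"},
    "dev-box-07":  {"tier": 3, "internet_facing": False, "owner": "engineering"},
}
# Conservative default for hosts the catalog does not know about: treat them as critical
# and exposed until someone classifies them, and flag them for follow-up.
UNCATALOGED = {"tier": 1, "internet_facing": True, "owner": None}

TIER_WEIGHT = {1: 3.0, 2: 2.0, 3: 1.0}     # business-criticality multiplier (assumed)
TIER_SLA_DAYS = {1: 7, 2: 30, 3: 90}       # remediation deadline in days by tier (assumed)
TODAY = date(2018, 10, 15)                 # constructed "as of" date for the report


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str       # placeholder identifiers, not real CVE numbers
    cvss: float        # base score (0-10) as reported by the scanner
    exploited: bool    # threat-intelligence flag: exploitation observed in the wild
    first_seen: date   # first scan that reported this finding


def risk_score(f: Finding, asset: dict) -> float:
    """CVSS scaled by business criticality, network exposure and threat intel."""
    score = f.cvss * TIER_WEIGHT[asset["tier"]]
    if asset["internet_facing"]:
        score *= 1.25
    if f.exploited:
        score *= 1.5
    return round(score, 2)


def days_overdue(f: Finding, asset: dict, today: date) -> int:
    """Days past the tier's SLA; zero while the finding is still within its deadline."""
    due = f.first_seen + timedelta(days=TIER_SLA_DAYS[asset["tier"]])
    return max(0, (today - due).days)


def rule_flags(f: Finding, asset: dict, overdue: int) -> list:
    """Minimal rules engine: tags the conditions an analyst should be alerted on."""
    flags = []
    if f.exploited:
        flags.append("EXPLOITED")
    if overdue > 0:
        flags.append("OVERDUE")
    if asset is UNCATALOGED:
        flags.append("UNCATALOGED_ASSET")
    return flags


def prioritize(findings, assets, today: date) -> list:
    """One row per finding, highest risk first, ties broken by days overdue."""
    rows = []
    for f in findings:
        asset = assets.get(f.asset, UNCATALOGED)
        overdue = days_overdue(f, asset, today)
        rows.append({
            "asset": f.asset,
            "vuln_id": f.vuln_id,
            "owner": asset["owner"],
            "score": risk_score(f, asset),
            "days_overdue": overdue,
            "flags": rule_flags(f, asset, overdue),
        })
    rows.sort(key=lambda r: (r["score"], r["days_overdue"]), reverse=True)
    return rows


# Constructed scanner output (not real vulnerabilities) to exercise the ranking.
SAMPLE_FINDINGS = [
    Finding("pay-db-01",    "VULN-SAMPLE-001", 7.5, False, date(2018, 9, 1)),
    Finding("www-edge-02",  "VULN-SAMPLE-002", 9.8, True,  date(2018, 9, 20)),
    Finding("dev-box-07",   "VULN-SAMPLE-003", 9.0, False, date(2018, 6, 1)),
    Finding("unknown-host", "VULN-SAMPLE-004", 5.0, False, date(2018, 10, 1)),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, ASSETS, TODAY):
        print(f"{row['score']:6.2f}  {row['asset']:13} {row['vuln_id']}  "
              f"overdue={row['days_overdue']:>2}d  {','.join(row['flags'])}")
```

Note how the CVSS 9.0 finding on the low-tier development box ranks below the CVSS 7.5 finding on the payments database once business context is applied, while the uncataloged host is ranked conservatively and flagged for classification.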


For more information, please visit and review the Datasheet.

Eighteen months have already passed since the redesigned RSA Archer Navigator tool was launched on RSA Link.  This tool introduced the ability to browse for RSA Archer content throughout RSA Link (e.g. documentation, downloads, advisories, knowledge base articles, training materials, videos and more) using a series of filters to locate exactly what you need.


With the RSA Archer Navigator tool, users can apply filters for Role, Expertise, Focus, Cost, Product, Version and Content Type. The tool then displays a list of content from across the entire website, which can be filtered even further as necessary, making it very easy to find relevant materials.



After the tool was so well-received by RSA Archer customers, the RSA NetWitness Platform, RSA Identity Governance & Lifecycle and RSA SecurID Access products followed suit and released Navigator tools for their content as well.  Users of these four products can easily access the associated Navigator tool by clicking on the link below the search bar on the primary product community pages.



In order to make it even easier for users to locate the content they need, the RSA Link team is proud to announce that the RSA Navigator tools are now fully functional on your mobile devices.  This means that even on mobile phones that view the website in portrait (i.e. vertical) mode, the tool will work the same way. (Previously the RSA Navigator tools only worked in landscape mode on mobile phones.)


You can locate the RSA Archer Navigator tool on your mobile device by going to the RSA Archer Suite page, expanding the Product Resources section and then clicking on the RSA Archer Navigator link.  Alternatively, you can simply click on the magnifying glass icon and search for "Archer Navigator" and it will appear in the results.



Similar to the desktop version of the tool, you can then select the filter(s) you wish to apply and click the View Results button to view the content that matches the criteria.



We hope that this new improvement will assist RSA customers and partners with having an even better experience on RSA Link and that they will be able to quickly and easily find what they need regardless of how and from where they're connecting.


More information about the RSA Archer Navigator tool can be found in the video and blog posts below.


With the increase in cybersecurity threats in today’s world, organizations that are considered part of our national critical infrastructure face a much greater risk of being attacked, which can place national security, the economy, and public safety at risk.  The National Institute of Standards and Technology (NIST) created the Cybersecurity Framework (CSF) as a set of standards and best practices that government agencies and private sector organizations can use to manage their cybersecurity risks.  NIST CSF has become even more widely adopted by all types of organizations across the U.S. and worldwide.


The RSA Archer Cybersecurity Framework Management app-pack, released in August 2017, provides organizations with the methodology to assess and measure their cybersecurity posture, address gaps and report on cybersecurity.  The app-pack enables profile owners to catalog the current state, prioritize core profile elements, and define their desired or targeted state outcomes for the organization’s cybersecurity program.  Assessors can then evaluate these profiles against the NIST CSF categories.  Previous assessments can be archived for comparison with a Current Profile to measure progress.  Reports and dashboards provide clear insight into the current cybersecurity state and the progress being made toward the desired cybersecurity state.

RSA Archer Cybersecurity Framework Profile Owner Dashboard

Based on customer feedback, the RSA Archer Cybersecurity Framework Management app-pack has been enhanced and incorporates the newest version of the NIST Cybersecurity Framework that was released in April 2018.  With the updated version, customers can now automate the scope for their cybersecurity assessments based on the selected business process and analyze the Current Profile against the Target Profile not just by the NIST functions but by the NIST category or business processes.  The RSA Archer Cybersecurity Framework Management app-pack will now track the NIST Cybersecurity Framework versions for cybersecurity assessments and related authoritative sources.  In addition, Cybersecurity Profiles can now be approved using electronic signature capabilities.


Interested in learning more about the RSA Archer Cybersecurity Framework Management app-pack? Join us for a Free Friday Tech Huddle on Friday, September 21 for a live demo. Free Friday Tech Huddles are only available to RSA Archer customers. If you are not yet a customer but you are interested in learning more, please contact your local representative or authorized reseller—or visit us at

Global businesses with an online presence know that customers from any part of the world can opt in for their services and provide their personal information. As good for business and innocuous as this may seem, it opens up these businesses to regulation – the most visible right now being the General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. GDPR will impact any business, whether based in the European Union (EU) or not, that processes the personal data of EU residents.  While GDPR may seem like "old news", the regulation provides an opening to talk about how your company's resiliency efforts are affected by privacy requirements.


To comply with GDPR, organizations will have to review their approach to data and privacy management to evaluate how they control data as part of their business continuity (BC), IT disaster recovery (ITDR), crisis management and resilience planning systems and processes. GDPR rules apply to backup and DR systems and practices as well as to production systems, and the key requirements include:


  • the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.


Recovery planning has long been subject to Data Protection legislation, but the wider remit within GDPR is something organizations will need to look at to ensure they can comply with the new rules. The following are a few areas and examples:


  • Data privacy has often been the responsibility of the Compliance or Legal group, however, where a Data Protection Officer (DPO) is appointed, there must be proper alignment between the DPO and BC/DR programs to ensure they look at GDPR compliance holistically and coordinate their efforts accordingly
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) take on greater importance and have to very closely align internally (between business process and IT system recovery)
  • If your DR provider is non-compliant with GDPR it could render you non-compliant, so RTO and RPO between your organization and the DR provider also have to be aligned. Questions need to include: where is the customer data held? Will customer data be accessible and available according to RTOs? Does your DR provider perform regular testing and evaluation to ensure they can achieve the RTOs and RPOs?
  • Breaches that are deemed to be high risk have to be reported by a data controller within 72 hours of becoming aware of such breach and may also require crisis management response. Therefore, IT risk and security processes must align with crisis response and management.


In summary, the disparate parts of the organization that manage data privacy management and business resiliency, internally and externally, must better coordinate their efforts to enable compliance with GDPR.

Greetings RSA Archer Community!


On behalf of the entire RSA Archer Team, I’d like to once again thank everyone for attending the 2018 RSA Archer Summit in Nashville recently.  I’m always amazed at the camaraderie the attendees exhibit at this event – something that began 15 years ago at the first Summit in Phoenix is not only still alive and well, but stronger than ever.


This year we were excited to not only set record attendance for a Summit event, but also receive more award nominations than we have ever received!  While we’d love to be able to give an award to everyone who submitted their success story, we ultimately issued twelve awards and another twelve honorable mentions.  We encourage everyone to take a few minutes to review the fantastic stories these winners had to share this year, and encourage you to join us in congratulating them for such an outstanding honor.


RSA Archer Community Advocate Award:

Karl Bender:  Vice President and Program Manager, Citizens Bank

Karl has been an RSA Archer user for nearly 10 years, serving in a variety of roles – from practitioner to business analyst to technical SME to the risk management program director.  Karl is an inaugural member of the RSA Archer Champions Network and an active participant in user groups and working groups. He led the effort to highlight their RSA Archer initiatives within their corporate annual report.  Congratulations Karl!

Karl Bender


RSA Archer Global Alliance Partner of the Year Award:


EY has been a strategic partner with RSA for more than 10 years, delivering RSA Archer solutions globally to many of our largest joint customers.  This past year was significant for the partnership, as EY developed new solutions on the RSA Archer platform like NERC CIP compliance for Power & Utilities, GDPR and hosted/managed RSA Archer delivery to Public Sector clients.  As a strategic alliance partner, RSA and EY team up to jointly provide the best solutions around Digital Risk Management and Risk Transformation to meet the needs of our clients.  Congratulations EY Team!




RSA Archer Excellence Awards:

Discover Financial Services:

Discover utilizes RSA Archer for business resiliency, enterprise and operational risk, regulatory and corporate compliance management, and third party risk management. With RSA Archer, they have created business unit specific dashboards that make everything a one-stop-shop for all critical users. End users love the experience and all 3 lines of defense have clear accountability.  Congratulations Discover Financial Services Team!



Highmark Health:

Highmark Health utilizes RSA Archer for audit, business resiliency, enterprise and operational risk, IT and security risk management, regulatory and corporate compliance and third party risk management. With RSA Archer, they have centralized their risk and compliance functions across the entire organization. Within 2 years, Highmark has saved $350,000 + in ancillary tools and licensing costs alone.  Congratulations Highmark Health Team!



Mitre:

Mitre utilizes RSA Archer for regulatory compliance, policy management, and third party risk management. With RSA Archer, Mitre has quickly and effectively managed compliance against DFARS and NIST with more compliance programs underway. RSA Archer has saved Mitre an estimated 2.5 FTEs and $375,000.  Congratulations Mitre Team!



Voya:

Voya utilizes RSA Archer for business resiliency, enterprise and operational risk, IT and security risk management, regulatory and corporate compliance and third party risk management. With RSA Archer, Voya has implemented a creative approach to address phishing using on-demand applications that allow any employee to view their own phishing test results.  Congratulations VOYA Team!



Microsoft:

Microsoft utilizes RSA Archer for audit, business resiliency, enterprise and operational risk, IT and security risk management, regulatory and corporate compliance and third party risk management. Microsoft’s digital security and risk engineering teams put together a vision to build out a comprehensive risk management solution for the entire organization. They realized success by building a solution that was generic enough to meet everyone’s needs. Microsoft has achieved an overall 40% efficiency improvement by employing this central risk management solution.  Congratulations Microsoft Team!



Marathon Petroleum Corporation:

Marathon utilizes RSA Archer for audit, business resiliency, enterprise and operational risk, IT and security risk management, and regulatory and corporate compliance. Marathon has built a comprehensive SOX and audit program with RSA Archer.  The speed in which they could deploy their program has allowed Marathon to implement 11 use cases in 9 months.   Congratulations Marathon Team!



NASA:

NASA utilizes RSA Archer for IT and security risk management using the RSA Archer Assessment and Authorization use case. NASA has standardized and coordinated their entire A&A process using RSA Archer, allowing the leadership tier to see all security plans and make sound risk-based decisions via an automated process. The project has also allowed NASA to work closely with the Department of Homeland Security to improve reporting for FISMA.  Congratulations NASA Team!



HSBC Europe:

HSBC Europe uses RSA Archer for third party management. HSBC Europe has established a global third-party program to provide support, process and monitor the full contract lifecycle.  Congratulations HSBC Team!



Rio Tinto:

Rio Tinto utilizes RSA Archer for enterprise and operational risk management, IT and security risk management, and regulatory and corporate compliance. Rio Tinto began their RSA Archer journey with a long-term roadmap effort to establish and improve the risk management framework and process.  They have moved all business, functional and major project risk information from legacy systems into RSA Archer. User adoption, especially at the management level, has doubled and continued to grow due to the great data quality and reporting.  Congratulations Rio Tinto Team!



RSA Archer Excellence Award Honorable Mentions:

  • Citizens Bank
  • CVS
  • Delhaize
  • The Hartford
  • Equifax
  • State of Indiana
  • Northrop Grumman
  • Sony
  • Vanguard
  • US Bank
  • BASF
  • Raiffeisen Bank


RSA Archer Best in Show Award:

Mathew Hancock, Rio Tinto:

Every year, based on input from attendees, we present an award for “Best in Show” for the year’s most impactful presentation. The sessions this year were full of great insights and experiences from across the RSA Archer community, making this award highly competitive.  This year, Mathew Hancock from Rio Tinto is the award winner.  Mathew presented on Rio Tinto’s approach to integrated risk management across their enterprise, providing valuable advice from their journey.  The feedback from his session was overwhelmingly positive, and we’d like to thank Mathew for doing such a great job presenting on a critical topic.  Congratulations Mathew on this great honor!



Again, thanks to everyone for attending this year’s Summit and making it such a great experience.  See you next September at RSA Charge 2019!



Garrett Miller
