RSA Archer GRC Platform 5.3 SP1
Strengths: Scalability, enterprise-focused, and content rich.
Weaknesses: None technically; cost is something to consider; the real cool stuff requires multiple modules.
Verdict: Strong product in the GRC space. Does risk well when combined with the company’s full offering.
RSA Archer's Risk Manager is part of an enterprise GRC product portfolio sold and licensed as modules: audit, policy, risk, compliance, enterprise, incident, vendor, threat and business continuity management.
It is composed of three logical tiers - interface, application and database - that are deployed on two physical tiers: a web tier and a database tier. These can be hosted on one physical server or spread across multiple servers. In a single-host configuration, the platform requires Windows Server 2003 with SP1 or later, Windows Server 2008, or Windows Server 2008 R2 (Standard, Enterprise or Datacenter editions), together with SQL Server 2005 SP3 or later, SQL Server 2008, or SQL Server 2008 R2; x64 editions of SQL Server are recommended. The product is scalable for large, enterprise-class deployments.
The risk module can be used standalone, but, in reality, users will want to deploy it in conjunction with the enterprise management (asset tool), incident management and threat management modules for a complete view of risk. We reviewed the policy, risk and threat management modules.
The policy module comes out of the box with a wealth of content supporting popular regulations and standards, as well as content for best-practice controls. Assessment questions are either based on industry-defined compliance questionnaires, such as fraud (Red Flags), Standardized Information Gathering (SIG) and PCI DSS, or tailored to specific authoritative sources, such as COBIT. These questions can streamline the process of defining appropriate compliance content, and they are easily tied back to one's internal standards. New in this version is the ability to add cost measurements to individual controls, so that users can now map individual control costs to the risk exposure. The RSA Archer Risk Management Module enables users to proactively address risks to reputation, finances, operations and IT infrastructure as part of a governance, risk management and compliance program. Archer takes both a qualitative and a quantitative approach to risk.
The risk module is assessment driven. Assets can be imported from integrations with supported vulnerability, configuration management database (CMDB) or data leakage prevention (DLP) vendors, or from third-party sources via an API-like data feed manager. The Threat Management Module is updated in this release and has a built-in threat methodology to deliver threat assessments built on ISO and NIST. Vulnerability data comes in from industry sources and correlates to assessment data to deliver remediation recommendations.
The report-building interface is solid and provides users with configurable dashboards. The product employs a common data model across all its modules, so reporting, workflow and alerting for all functions work the same way. We were shown one screen that had a clean, roll-up view of every module summary, i.e., compliance, incident management, vendor risk, risk, threat and status overviews.
Basic support is included with the product purchase and provides eight-hours-a-day/five-days-a-week access. Enhanced assistance is available for a 25 percent fee based on the license price and provides 24/7 access and priority response. - ML