RSA Archer GRC Platform 5.3
Strengths: Scalability; enterprise-focused and content rich
Weaknesses: None technically; cost is a consideration, and the most compelling capabilities require multiple modules
Verdict: Strong product in the GRC space. Does risk well when combined with RSA’s full offering
RSA Archer's Risk Manager is part of an enterprise GRC product portfolio sold and licensed as modules for audit, policy, risk, compliance, enterprise, incident, vendor, threat and business continuity management.
It is composed of three logical tiers (interface, application and database) deployed on two physical tiers, a web tier and a database tier, which can be hosted on one physical server or spread across multiple servers. In a single-host configuration, the platform requires Windows Server 2003 SP1 or later, Windows Server 2008, or Windows Server 2008 R2 (Standard, Enterprise or Datacenter editions). SQL Server 2005 SP3 or later, SQL Server 2008, or SQL Server 2008 R2 x64 editions are recommended. The product scales to large, enterprise-class deployments.
The risk module can be used standalone but, in reality, users will want to deploy it in conjunction with the enterprise (asset tool), incident and threat management modules for a complete view of risk. We reviewed the policy, risk and threat management modules.
The policy module comes out of the box with a wealth of content supporting popular regulatory standards, as well as content for best-practice controls. Assessment questions are either based on industry-defined compliance questionnaires, such as fraud (Red Flags), standard information gathering (SIG) or PCI DSS, or tailored to specific authoritative sources, such as COBIT. These questions streamline the process of defining appropriate compliance content, and they are easily tied back to one's internal standards. New in this version is the ability to add cost measurements to individual controls, so that users can map the cost of each control to the risk exposure it reduces.
RSA Archer Risk Management Module enables users to proactively address risks to reputation, finances, operations and IT infrastructure as part of a GRC program. Archer takes both a qualitative and quantitative approach to risk.
The risk module is predominantly assessment driven. Assets can be imported through integrations with supported vulnerability scanning, configuration management database (CMDB) or data leakage prevention vendors, or from third-party sources via an API-like data feed manager.
The Threat Management Module is updated in this release and has a built-in threat methodology that delivers threat assessments based on ISO and NIST frameworks. Vulnerability data comes in from numerous industry sources and is correlated with assessment data to deliver remediation recommendations.
The report-building interface is solid and provides users with configurable dashboards. The platform employs a common data model across all its modules, so reporting, workflow and alerting work the same way for every function. We were shown one screen with a clean roll-up view of every module's summary.
Basic support is included and provides eight-hours-a-day, five-days-a-week access. Enhanced assistance is available for 25 per cent of the purchase price and provides 24/7 access and priority response.