We use this product for operational risk management in our bank. It is a multinational U.S. bank, and we use this platform for enterprise risk management.
We are slowly moving away from RSA Archer to another platform.
It is enterprise-wide accessible. So, it is very helpful for all the employees in our bank. They can log in and do their risk management activities. It has a few inbuilt modules that are helpful for doing risk management activities, such as issue management, risk identification, risk assessment, and policy exception management. It also has some inbuilt workflows inside these modules. They are also helpful.
Its user interface is pretty good. It is pretty self-explanatory and intuitive, which is again helpful. It is also customizable to some extent. We can customize some of the functionalities and enhance some of the features to meet the user requirements for our bank.
The integration of data with application servers and databases is also helpful. We can also use API calls. For some of the functionalities, we can integrate API calls with RSA Archer to meet some of the user requirements.
Many a time, data feeds create problems. We keep seeing that the feeds have not run on schedule or have failed, and that's why the reports were not processed or created. It probably also has something to do with the strength of our server. For example, in our production environment, the servers are more powerful. We have more memory space, so we don't see this issue very often, but in the test environments, where there are constraints in terms of server and memory space, we keep seeing this issue.
There is no inbuilt alert in Archer to let us know that a data feed has failed or did not run for different reasons. So, we don't even get to know that a feed has not run until somebody reports it to us. This has been a problem all the time. Data feeds have always been a big headache for us because there is no feature to let us know if a feed has not run or has failed. If Archer had a feature to send us an email notification when a feed has failed, it would've been very helpful. This is the reason why our users are slowly moving away to another platform. Some of the modules that I have been managing are being moved to ServiceNow. Next year, a lot of our modules will be moved from RSA Archer to ServiceNow, and the data feed issue has been one of the main reasons.
We have also had issues with API calls. API calls have always been a problem. Policy exception management is one of the modules that I was managing, and in this module, we had built a few API calls. We had a few API call issues where the API call had failed and records did not get created. Sometimes, records even got deleted. We had numerous calls with RSA Archer, and they always said that unless we reproduce the issue in a lower environment, they cannot help us, but the issue only happens in production, and it happens intermittently. It happens maybe once every two months or three months. We don't know why the API call is failing and the records are not getting created, deleted, or de-linked from the associated parent records. They couldn't provide us with any reason. If their issue resolution team was more proactive, it would have been helpful. This has been a major issue, and this is the reason that this function has been moved to a different platform earlier this year.
I have been working with this solution for the last five and a half years. I started working with it in June 2016.
Its stability is medium. It has been really good during the first few years, but after we upgraded in 2018 or 2019, we started experiencing issues. We didn't have the issues with the API calls in the first version that we installed, but after we upgraded in 2018 or 2019, we started having a lot of issues with the API calls, which could not be resolved. They couldn't give us a reason for these issues. The reason has still not been found.
Data feeds had a slowness issue, but it was probably happening because of the memory space issue on the server. This issue is more related to our bank's side because we don't have adequate infrastructure. It is not really an RSA Archer issue. When we initially deployed it, we deployed it with the expected performance or expected number of records or users who will be using the system. Over the years, the number of users or records or the amount of data that we have in the system has increased a lot. Its performance has deteriorated a lot, and in the last few years, it is not able to handle the amount of data that we have. That's why we are seeing intermittent slowness. Sometimes, our users are not able to log in, which has had a big impact.
Its scalability is of medium complexity. It is not very easy to scale, but it is also not too difficult.
We have been using it very extensively. We have 300,000 employees, and everyone has access to the Archer platform. Some of the modules are open to everyone by default. For example, policy exception management is open to all, and everybody can request an exception to a company policy. Some of the modules are more restrictive, and access to them is given based on the user roles.
Many of our functions are dependent on the RSA platform, but people are slowly moving to other platforms. In the next two or three years, I don't know how extensively it'll be used, but over the last five years, it has been used a lot.
They are responsive, but they are not very helpful. They probably have limitations from their side. When we have any issue, they always want us to recreate it in a lower environment. We have to provide the details and steps to recreate it, and if we cannot do that, they cannot help or provide any root cause or resolution of the issue, which doesn't help, but they are always reachable. We have a couple of contact points in case we have any issues, and we can always email them. We have a weekly call with them where we can discuss any open items.
I was not really involved in the initial setup, but based on what I heard from others who were working on the backend tasks, it was fairly complex. It was not very simple.
It was mostly done by our team, but there was some collaboration with the vendor.
In terms of maintenance, we are responsible for doing the upgrades. In the last five years, I have seen two upgrades. We had two or three patches this year, and every two or three years, we have an upgrade. The last upgrade was probably two years ago, and we are scheduled for an upgrade next year.
It is a very useful tool. It has a lot of good features, but because of a couple of major drawbacks or issues, people are showing some resistance to Archer. If they can solve those issues, it will be a very good product that can be sold to more companies.
I would rate it an eight out of 10.
We use the product for policy management, vulnerabilities and risk management. We also use it for business continuity.
It is a good tool to use. The product is very flexible. It can easily connect to other tools like ServiceNow and Nexus. The workflow feature is very interesting. We can automate a lot of stuff using the workflow. The product makes it very easy to publish dashboards.
We are implementing COBIT 2019. It is in English. It would be useful for customers if COBIT 2019 could be translated into different languages.
The product’s scalability is pretty good.
The initial setup is not complex, but you need some knowledge of the methodologies in the market to implement the product. These methodologies are in English. We have to translate the methodologies to use in Brazil. It would be better if it were available in different languages.
Overall, I rate the solution an eight out of ten.
We use RSA Archer in my organization for assessments (ISO, GDPR, PCI DSS, etc.) or to raise dispensation for any application or security-related controls.
If we want to perform the application assessment or any ISMS assessment, earlier, we had to do it manually. The RSA Archer tool gives us the output in an automated manner. It is beautiful and has helped our organization.
RSA Archer is the most usable GRC tool and leading tool and I have found performing the application, ISMS, and TPRM assessments beneficial.
In a future release, there should be an option to upload the main data.
I used RSA Archer within the last 12 months.
Early on, we faced lots of issues because, when communicating with RSA Archer, the database was not synced properly. Twice when we installed RSA Archer in an environment, a few settings and configurations were not correct, which caused the passwords not to match.
The stability could improve.
The scalability is easy to achieve.
Most of our clients are large businesses. I have plans to continue the usage of RSA Archer.
The technical support is good, but they respond a little late. Sometimes it can be a few days before we have a response.
Positive
The initial setup is a bit complex. The whole process can take approximately three hours with one or two people.
We have faced challenges. For example, the database is not synced with RSA Archer. A few services were not running if RSA Archer was logged in through local admin or the specific user, and we have received a few errors.
Archer is responsible for the maintenance of the solution.
The ROI depends on the company's needs. As RSA has 7 solutions, the company can pay based on the subscription.
The solution's price should be reduced. You only have to pay the license and there are no additional fees.
I did not previously evaluate any other solutions.
They have to use RSA Archer if they use the automated tools, their data will be safe.
Though there are some issues with the technicality of the solution, such as errors, the solution provides great features, such as customization. We can customize it as per our requirements.
I rate RSA Archer a ten out of ten.
RSA Archer's best features are advanced workflow, reports, dashboards, and notifications.
There is some lag and instability with the platform when using the cloud version. I would also like the look and feel of the layout to be updated and made more customizable.
I've been using RSA Archer for eight to nine years.
RSA Archer is scalable.
RSA Archer's technical support is a little disappointing because the first level is always manned by junior members who don't have much technical expertise.
Neutral
The initial setup was straightforward.
I would give RSA Archer a rating of eight out of ten.
RSA Archer is a governance tool, used especially for bank applications. At the same time, there is the NetWitness tool, a SIEM solution that was created by the RSA division. They have integrated the incident management, along with RSA Archer. Whenever the SIEM solution creates alerts, Archer can be triggered, and you can elect notifications to your mailbox.
If you click on the link, it'll link you to the actual incident, what happened in cybersecurity. You can do a number of things, like a workflow and approval from the manager level.
The features help save a lot of time in the organization.
The most valuable features of RSA Archer are the asset management, risk management, and vendor management. It's a very simple tool that you can learn within a short period of time.
If I use an AGP, for the onboarding process, for example, I'll create a workflow. An item will go to my manager, the manager approves, and I'll automatically get an alert notification sent to me saying that you are being onboarded.
You can also put a lot of limitations, like permissions and values, in the AGP. As a security person, that is important to me. You can use any number of groups and permission levels. Now I created vendor management and many people have different kinds of applications in the AGP. Many people are users, but that doesn't mean each particular person can access all the applications in the AGP; it'll be limited. At the same time, I also can give edit permissions at the system level.
One area that could be improved is the solution needs to go further with most of the APIs. They need to create multiple APIs and integrations, in my opinion. A few things can't be done from the RSA level and it's not user-friendly when you're working with the other tools. With the RSA products, it's very easy, because it's an inbuilt application. If you need to integrate the RSA products with another SIEM solution, then it doesn't work properly. You have to create a new API for that integration of Archer.
Beyond that, additional features would make the solution too complex. If additional features were added, the solution would need better sustainability and marketing. RSA would also need better online support. The solution would be more attractive with improvement to these items.
I've been working with RSA since 2013.
The stability and performance of the solution is good.
The solution is easy and simple to scale.
The initial setup is not complex; anyone can do it. Deployment should not take more than two people. The time it takes depends upon the cluster environment. If it's a single instance, you have only one database server, it shouldn't take more than four to five hours for the deployment. If it is a cluster with a lot of employees and a big organization, they'll have disaster recovery and more involved. In that case, it'll require at least two days or so.
We are involved in the integration of everything.
The license is costly for the solution, but the remaining setup and maintenance is a lot cheaper.
The RSA Archer tool is useful for governance listing, workflow, risk management, incident management, and auditing. It's a very easy methodology for senior management. In Archer, even though it's confidential data, you can store it in the proper way, and there were a lot of APIs which can integrate with Archer. For senior management, it'll trigger an alert and you'll see a project automatically to approve. You can do wonders with this tool, but you have to be very specific in your utilization.
If you only use two to three products in RSA, you're wasting a lot of money and people resources. You have to bring awareness; what is this tool? Show users the solutions that can be implemented.
I would rate the solution an eight out of ten.
Archer is a repository tool that is leveraged by all the security teams across the firm. The analysts and architects use it to store their data and store the vulnerabilities, which are coming from other applications while scanning the devices and everything.
My job is to integrate the other applications with this application and try to bring all the data from those applications in here and create a workflow, environment, and framework for the different teams to use those records or vulnerabilities to make a decision on what they should do. It just makes their life easier.
We are using the solution on-premises, but we are going on the cloud next year.
The last project was for an investment group that was using Excel. Shifting their records from one position to another took approximately 15 minutes. In Archer, we created a workflow for them to leverage it, and they could send the single record with one click to one person within seconds. The whole process went from 15 minutes to two minutes to get the approval for the records. The main purpose of Archer is to just make it easy.
It is really valuable to me because there are a lot of things which I can do and learn from, especially different programming languages. It's not just built on one thing. There are multiple languages which I need to learn in order to run this. One is JavaScript. On the back end, it's C#.NET. On the server type, it's Java. Trying to figure out every single thing makes my knowledge grow more and more every day.
There is a platform called Archer Community where we can post our concerns and any areas that need to be improved, and they will reach out. Recently, we made a suggestion for cross references, like for one application to another. There were limitations there, so we're hoping that will be included in the next upgrade.
Whenever there's an upgrade, they'll just make changes to the application. RSA is a Dell company. Dell is the parent company, and RSA is under that.
There are performance issues and bugs here and there, but it hasn't been a real concern. Sometimes it's slow, but mostly it's on our computers and processors. We just need to delete some stuff there and put them back on the server.
It is very easy to scale. Right now, we have three teams using the solution. It's about 15 to 20 people.
We are responsible for maintenance. There's a team of 20 to 25 people dedicated to Archer. Once it goes to the cloud, then we won't be responsible for maintenance.
We have plans to increase usage in the future. We are talking to the different departments of the company. Archer is not like a business. It doesn't go outside the business because it's really a security tool, and it's just used by the security departments and different departments who are involved with security. It just involves the company. We're trying to leverage it to different departments and we'll see what happens.
They are good. They don't need any improvement, but sometimes they need some guidance. We have our documentation, so they can just refer to that.
Previously, they were purely on Excel files and getting data from the applications inside Excel or Word format. I think this is the first solution they went to, and this is the best tool for GRC, governance, risk, and compliance. There are other tools but they would be confusing for the business, so Archer is the best right now.
The setup process was really easy. You just have to package and install it. There were two or three people involved in the deployment. It took about a day.
I would rate this solution 8 out of 10. My advice is don't just stick to Archer. Learn different tools because it's just a tool in the end. It will be fully configured, and you won't have anything else to do. Go into the business side and try to learn the business.
We use Archer as a risk management portal. We've customized Archer to follow the Sherwood Applied Business Security methodology for governance and risk assessment. We don't use the compliance module much.
The main benefit is that we can automate risk management. The whole purpose of having Archer is to automate governance, risk, and compliance. Previously, we used to do everything in Excel sheets and Notepad. It was mostly manual. We'd send emails to people and collect information. Once you have Archer, you can automate all these processes.
I like how Archer requires very little programming ability. A person with minimum coding experience can configure the necessary fields in Archer. It's more of a drag-and-drop solution.
When we have to do formulas or some other type of calculation in Archer, it sometimes doesn't work correctly. The fields don't display right, and we have to contact RSA Archer support to fix things. I think the calculation components are a bit complicated.
I've been using RSA Archer every day for the past six years.
RSA Archer's overall performance is good. It slows down at times whenever a script or some process is running in the backend. Sometimes our users have complained about the speed.
Scaling up RSA Archer is a straightforward process. You just need to upgrade your hardware and software. We have about 80 end-users working on Archer now.
We've opened several tickets with RSA, and they're settled pretty quickly. The experience has always been good.
When we started working with Archer, it was more or less the only product in the field that could do GRC automation. A few have been launched since then, but we've only ever worked with Archer.
Deploying RSA Archer is effortless. You just need to make a database backup of Archer and keep it somewhere. Then you can install Archer on any server and load the backup. Everything from A to Z comes back. It's restored, and you don't have to do anything. It's a straightforward process. The initial installation takes three hours, and two technicians can handle the job.
After installation, it doesn't need much maintenance. We periodically deploy some security patches on the operating system, make backups, and cross-verify if the backup is working correctly or not.
The initial purchase is cheap. You pay a nominal price to start then renew the license annually. You also must buy a license for each module. I'm not too fond of that aspect of the licensing model. You buy the elephant and then spend more money to feed the elephant.
I rate RSA Archer seven out of 10. To anyone thinking about deploying Archer, I would suggest exploring other products in the market as well. Archer is a bit costly compared to its competitors.
We are using RSA Archer to provide GRC services to our client. GRC means governance, risk, and compliance. In Archer, we implement business continuity management, policy management, risk management solutions, audit management solutions, and third-party governance solutions. We even utilize a privacy governance model of RSA Archer as well.
Currently, we are analyzing and evaluating a software-as-a-service option for one client to reduce effort and time on infra-related activities.
Our clients are using RSA Archer to automate their manual processes and activities to avoid manual intervention and give clear visibility to leadership. This increased the client's process efficiency; they are more compliant, risk is reduced, and the overall governance structure improved. Also, it adds some value-added features on the reporting and gives clear visibility of the entire business unit or divisions of the company. Suppose the CEO of a company wants to see their high-risk BUs; he or she can easily see the count and detail. Automated, timely email triggers and integration with other tools/applications help the client to assess their processes and BUs to find out risks and remediate risk on time.
There are lots of features which motivate our client to use RSA Archer. First of all, there is its access control feature, which provides access at the application level, at the record level, and at the page level. It helps the client to avoid any unauthorised access.
Also, there is strong integration between the RSA Archer modules, and the option to integrate with other applications/processes helps the client to increase confidence in data integrity.
Suppose if anyone is using RSA Archer audit management or any out of the box use cases, it also provides some of the inbuilt capability of the assessment, like some of the questionnaires and some of the controls that are available in RSA Archer.
There is the capability of sending automated email triggers to the stakeholder at a fixed frequency.
The workflow feature, reports, dashboard capability, etc. attract clients to Archer.
UI/UX can be improved, and a feature to allow the end user to update assessment questions and add or remove recipients from a notification will help the client to minimize their dependency on an Archer developer. RSA Archer somehow lags behind in the user interface.
Additionally, the reporting capability of Archer should be improved. Because generally what clients do is analyze processes, their records, their status. They integrate it with either Tableau or Power BI just to customize their reports and see more user friendly reports. So I would suggest to improve reporting capabilities as well.
In terms of stability and performance, Archer is good.
RSA Archer is easy to scale, it's not complex.
It is a requirement to maintain RSA Archer. Our team even provides the managed services to the client, as well.
Some of my clients are moving their GRC solution from other platforms to RSA Archer because of scalability.
Support is good, but sometimes I feel there are some queries or issues where I or our client need a resolution quickly, and it gets delayed from the customer support side.
Generally, clients without a GRC framework move to Archer to automate their processes.
Generally, we deploy RSA Archer on the client's infrastructure. It is not complex. Even for a first-time user, the process to set up Archer is easy if they refer to the manuals or guide.
Generally, one person can easily install it if it is a small or medium and not a complex deployment. But if it is a large-scale deployment, I think there will be more requirement for other teams' involvement as well.
Yes, we do evaluate other options/frameworks available in the market, e.g. ServiceNow GRC, OneTrust, etc.
But we suggest the best option based on the client requirement and which suits most in terms of cost and effort.
My advice to anyone considering RSA Archer would be to use it for their GRC capability and automate their manual tasks. If they are doing any manual task, they can simply automate through RSA Archer. It will increase efficiency, minimize their risk and will make them more compliant.
On a scale of one to ten, I would give RSA Archer an 8 out of 10.
