RSA Archer Reviews

Archer is a repository tool that is leveraged by all the security teams across the firm. The analysts and architects use it to store their data and store the vulnerabilities, which are coming from other applications while scanning the devices and everything. 

My job is to integrate the other applications with this application and try to bring all the data from those applications in here and create a workflow, environment, and framework for the different teams to use those records or vulnerabilities to  make a decision on what they should do. It just makes their life easier.

We are using the solution on-premises, but we are going on the cloud next year.

The last project was for an investment group that was using Excel. Shifting their records from one position to another took approximately 15 minutes. In Archer, we created a workflow for them to leverage it, and they could send the single record with one click to one person within seconds. The whole process went from 15 minutes to two minutes to get the approval for the records. The main purpose of Archer is to just make it easy.

It is really valuable to me because there are a lot of things which I can do and learn from, especially different programming languages. It's not just built on one thing. There are multiple languages which I need to learn in order to run this. One is JavaScript. On the back end, it's C#.NET. On the server type, it's Java. Trying to figure out every single thing makes my knowledge grow more and more every day.

There is a platform called Archer Community where we can post our concerns and any areas that need to be improved, and they will reach out. Recently, we made a suggestion for cross references, like for one application to another. There were limitations there, so we're hoping that will be included in the next upgrade.

Whenever there's an upgrade, they'll just make changes to the application. RSA is a Dell company. Dell is the parent company, and RSA is under that.

There are performance issues and bugs here and there, but it hasn't been a real concern. Sometimes it's slow, but mostly it's on our computers and processors. We just need to delete some stuff there and put them back on the server.

It is very easy to scale. Right now, we have three teams using the solution. It's about 15 to 20 people.

We are responsible for maintenance. There's a team of 20 to 25 people dedicated to Archer. Once it goes to the cloud, then we won't be responsible for maintenance.

We have plans to increase usage in the future. We are talking to the different departments of the company. Archer is not like a business. It doesn't go outside the business because it's really a security tool, and it's just used by the security departments and different departments who are involved with security. It just involves the company. We're trying to leverage it to different departments and we'll see what happens.

They are good. They don't need any improvement, but sometimes they need some guidance. We have our documentation, so they can just refer to that.

Previously, they were purely on Excel files and getting data from the applications inside Excel or Word format. I think this is the first solution they went to, and this is the best tool for GRC, governance, risk, and compliance. There are other tools but they would be confusing for the business, so Archer is the best right now.

The setup process was really easy. You just have to package and install it. There were two or three people involved in the deployment. It took about a day.

I would rate this solution 8 out of 10. My advice is don't just stick to Archer. Learn different tools because it's just a tool in the end. It will be fully configured, and you won't have anything else to do. Go into the business side and try to learn the business.

We are using RSA Archer to provide GRC services to our client. GRC means, governance, risk and compliance. In Archer we implement business continuity management, policy management, risk management solutions, audit management solutions, and third party governance solutions. We even utilize a privacy governance model of RSA Archer, as well.

Currently, we are analyzing and evaluating software as a service option for one client to reduce effort and time on infra related activities.

Our clients are using RSA Archer to automate their manual processes and activies to avoid manual intervention and have a clear visibility to leadership. This increased the client's process efficiency, they are more compliant and reduces the risk and overall governance structure improved. Also, it adds some value added features on the reporting and gives clear visibility of the entire business unit or   divisions of the company. Suppose the CEO of company want to see their high risk BUs , he or she can easily see the count and detail. Automated timely email trigger and integration with other tools/application helps client to assess their processes and BUs to find out risks and remediate risk on time.

There are lots of features which motivate our client to use RSA Archer. First of all, its access control feature which provides access at application level, access at record level and  at page level. It helps client to avoid any unauthorised access.

Also, there is a strong integration between the RSA Archer modules and also option to integrate with other application/ process help client to increase confidence on data integrity.

Suppose if anyone is using RSA Archer audit management or any out of the box use cases, it also provides some of the inbuilt capability of the assessment, like some of the questionnaires and some of the controls that are available in RSA Archer.

 Capability of sending automated email triggers to the stakeholder on a fix frequency.

Workflow feature, reports and dashboard capability etc. lucrate client towards Archer.

 UI/UX can be improved and a feature to allow end user to update assessment question and add or remove recipients from a notification will help client to minimize their dependecy on Archer developer.RSA Archer somehow lag behind in the user interface.

Additionally, the reporting capability of Archer should be improved. Because generally what clients do is analyze processes, their records, their status. They integrate it with either Tableau or Power BI just to customize their reports and see more user friendly reports. So I would suggest to improve reporting capabilities as well.

In terms of stability and performance, Archer is good.

RSA Archer is easy to scale, it's not complex.

It is a requirement to maintain RSA Archer. Our team even provides the managed services to the client, as well.

Some of my clients are moving their GRC solution from other platforms to RSA Archer because of scalability.

Support is good, but sometimes I feel there are some queries or issues, where I or our client need a resolution quickly, but sometimes it gets delayed from the customer support side.

Generally client without GRC framework move to Archer to automate their processes.

Generally we deploy the RSA Archer on client's infrastructure. It is not complex, even for the first time user, process to setup Archer is easy if they refer manuals or guide.

Generally, one person can easily install if it is a small or medium and not a complex deployment. But if it is a large scale deployment I think there will be more requirement of other team involvement as well.

Yes, we do evaluate other options/framework available in market e.g. ServiceNow GRC, OneTrust etc.

But we suggest best option basis the client requirement and which suites most in terms of cost and effort.

My advice to anyone considering RSA Archer would be to use it for their GRC capability and automate their manual tasks. If they are doing any manual task, they can simply automate through RSA Archer. It will increase efficiency, minimize their risk and will make them more compliant.

On a scale of one to ten, I would give RSA Archer an 8 out of 10

We primarily use the system control module and specific IT control models for ongoing risk assessment activities. We use it on a day-to-day basis. 

It has various valuable features. For example, showing us if a control aligns with specific standards or frameworks helps us understand it better and verify its compliance.

The user interface needs work. There are many small text boxes, like credit card size's boxes, where we need to input a lot of text. You can't see what you're typing beyond the tiny window, so you have to scroll or type elsewhere and copy-paste it. It's very inconvenient.

So, improving the user interface would be beneficial.

I have been using this solution for two years. 

I would rate the stability a seven out of ten. It's stable, but most of the time it takes a long time to load, even with good internet. Maybe it's on our end or because it's on-premises.

So it could be faster to load. I would like to see improvement in the stability of the solution.

There are around 300 end users using this solution in our company. We all access it to manage compliance through the system.

I would rate my experience with the initial setup an eight out of ten, where one is difficult, and ten is easy. 

From my perspective, it's a useful tool with all the essential modules and features for governance, risk management, and compliance activities. The reference information linked to controls and risks is also beneficial and provides flexibility. Overall, I would recommend RSA Archer.

Moreover, I would rate the solution an eight out of ten. 

The most valuable features of this solution are the Data integration, the different kinds of Data import, Data feeds, and the API. 

One of the useful features is the ability to connect to various systems in order to accommodate data.

Otherwise, all of our administrative functions, business apps, and application development are available, but this is the most important. 

It can integrate with other systems to get that data, as well as get data out of Archer and into other legacy systems.

Reporting is very good. You can have reports and IUs on your dashboard, as well as different types of IUs. 

Reporting is excellent for all types of aggregators, as well as for different types of integrators. That is one of the positive aspects.

I am not at the level to show someone how to improve whatever features they have. They are good if they work.

They are better now than previous versions. I am working on version 5, and they are now on version 6.9. They have made significant progress.

There should be an in-built feature that allows live data from vulnerabilities and threats from reliable sources to be streamed directly through their data field.

RSA can provide that kind of service, providing real-time data, vulnerability, and threats, without any local, asking for a contribution from someone else.

I would like to see real-time data, from vulnerabilities, and threats.

I have been working with RSA Archer for 12 years.

RSA Archer is very stable.

The current versions are very stable.

Nothing is perfect, I would not give a rating of ten, but in terms of stability, I would rate it an eight out of ten.

RSA Archer is scalable. The scalability is on various parameters. For user accounts, it is quite scalable.

I work with a large organization. We have 50,000 accounts.

I have 12 years of experience in technical support. My job entails providing technical support for legacy systems as well as current systems. Archer, I work on both technical and functional support. In my case, I'm a CSA, CS, and Archer CISO candidate for all business applications.

Their technical support is good, they are very prompt.

I have only ever worked with RSA Archer. I have not worked with other GRC systems, but I have seen other companies switch from other platforms to RSA Archer because it better met their needs.

RSA Archer has been deployed both on-premises and in the cloud.

The cloud-based version is less painful for us.

The initial setup is straightforward. There are good manuals available. It is not that difficult. The configuration requires a person who has sufficient knowledge or experience.

Someone else should always have some experience on how to install it. The installation is simple, but the configuring is for the business requirements.

I am not sure about other companies, but it's quite expensive.

I would rate RSA Archer an eight out of ten.

RSA Archer is a governance tool, used especially for bank applications. At the same time, there is the NetWitness tool, a SIEM solution that was created by the RSA division. They have integrated the incident management, along with RSA Archer. Whenever the SIEM solution creates alerts, Archer can be triggered, and you can elect notifications to your mailbox. 

If you click on the link, it'll link to you the actual incident, what happened in cybersecurity. You can do a number of things, like a workflow and approval from the manager level.

The features help save a lot of time in the organization.

The most valuable features of RSA Archer are the asset management, risk management, and vendor management. It's a very simple tool that you can learn within a short period of time.

If I use an AGP, for the onboarding process, for example, I'll create a workflow. An item will go to my manager, the manager approves, and I'll automatically get an alert notification sent to me saying that you are being onboarded. 

You can also put a lot of limitations, like permissions and values, in the AGP. As a security person, that is important to me. You can use any number of groups and permission levels. Now I created vendor management and many people have different kinds of applications in the AGP. Many people are users, but that doesn't mean each particular person can access all the applications in the AGP; it'll be limited. At the same time, I also can give edit permissions at the system level.

One area that could be improved is the solution needs to go further with most of the APIs. They need to create multiple APIs and integrations, in my opinion. A few things can't be done from the RSA level and it's not user-friendly when you're working with the other tools. With the RSA products, it's very easy, because it's an inbuilt application. If you need to integrate the RSA products with another SIEM solution, then it doesn't work properly. You have to create a new API for that integration of Archer.

Beyond that, additional features would make the solution too complex. If additional features were added, the solution would need better sustainability and marketing. RSA would also need better online support. The solution would be more attractive with improvement to these items.

I've been working with RSA since 2013.

The stability and performance of the solution is good.

The solution is easy and simple to scale.

The initial setup is not complex; anyone can do it. Deployment should not take more than two people. The time it takes depends upon the cluster environment. If it's a single instance, you have only one database server, it shouldn't take more than four to five hours for the deployment. If it is a cluster with a lot of employees and a big organization, they'll have disaster recovery and more involved. In that case, it'll require at least two days or so.

We are involved in the integration of everything.

The license is costly for the solution, but the remaining setup and maintenance is a lot cheaper.

The RSA Archer tool is useful for governance listing, workflow, risk management, incident management, and auditing. It's a very easy methodology for senior management. In Archer, even though it's confidential data, you can store it in the proper way, and there were a lot of APIs which can integrate with Archer. For senior management, it'll trigger an alert and you'll see a project automatically to approve. You can do wonders with this tool, but you have to be very specific in your utilization.

If you only use two to three products in RSA, you're wasting a lot of money and people resources. You have to bring awareness; what is this tool? Show users the solutions that can be implemented.  

I would rate the solution an eight out of ten.

I am using RSA Archer for internal audit management. It is used for the entire life cycle for audit, which includes engagement planning, reporting, action management, and so on. It is also used for internal resource management. The timesheet management, resource management, and training are being managed through the same system. 

It has been deployed on-premises. My organization has 16 groups. It is installed and managed centrally by the headquarters, and we are using the application.

We got rid of a lot of paperwork. As an internal auditor, we have to comply with IIA guidelines. There are standards that we need to follow while completing an engagement. A lot of requirements have been automated through the system, such as quality assurance, engagement review, audit follow-ups, and so on. It has supported the organization as a whole.

It is highly customized for our organization. It is primarily for GRC, but we are using it for audit management, resource management, timesheet management, and so on. These were add-ons features that were customized and developed by the vendor.

Its user interface is pretty neat, and there is flexibility in generating the data. You can customize reports at any level. You can directly get reports in Tableau format. If you want to generate statistical data, you can create reports with graphs. There is an adequate amount of flexibility for changing the format, the type of graphs, etc. 

The dashboard that is a part of the RSA Archer could be more aesthetic. 

There should be a way to export and get data from the system in PDF or PowerPoint presentation format. This would be a great addition.

It has been almost two years since we have been using the product. We have been using it almost on a daily basis.

We have been using the web application, and sometimes, there are issues related to the network availability, etc. Other than that, we have not seen any issues in terms of performance and input and output controls. We never had any reports that were not correct. So, more or less, it is fine.

Scalability-wise, we already have a proven case. Deploying a solution in one company with a fixed, organized structure is one thing, but deploying at a mass level in multiple companies and bringing them all together in one single platform is a completely different thing. It proves the scalability of the solution. There is no doubt that it can be scaled to multiple organizations in one go.

We have more than 200 users. They are internal auditors, but if we also count the auditees who use the same system, the number would be much higher.

Our version of RSA Archer is heavily customized. Therefore, at the initial stage of the deployment, there were a few issues for which we needed support. We had a few workflow issues or anomalies in the reporting. 

At the organization level, we have a uniform IT management system for IT tickets. We have an IT support team at the group level, and then we have a support team in headquarters. It is being managed just like any other solution in the organization. We are satisfied with the support.

I have seen the deployment of the SAP-based audit management system in 2013 or 2014, which might have changed a lot over these years. From a user's point of view, RSA Archer has a better user interface. It is easier to use. SAP had a typical structure and user interface. It might not have been user-friendly for everyone. RSA Archer is more user-friendly. Its acceptability is much higher when you are deploying it in an organization.

It followed the usual SDLC life cycle. They came and understood the processes. They understood the way the audit was being managed in our organization. It was a joint effort between our organization and the vendor. There were a lot of sessions to understand how we conduct our processes and what are the challenges that we face. Bringing almost 16 to 17 companies in one single platform was a challenge in itself. Even though we had the same policy procedure, there were some differences in the way things were being done, the formats of the files that we were using, and the way people were doing the audits.

It took a lot of time to have a good base of the design itself, but it was worth it. The deployment was done phase-wise. It was not a single-phase deployment; it was a multi-phase deployment. Initially, we just implemented the basic audit management in which we were able to create engagements and add the findings. Later on, more complexities were added related to quality management, timesheet management, detailed reporting, and so on.

It required a lot of interaction with the group companies and the development team in the HQ. There was one whole team in the HQ that had 15 to 20 people. From each company, there were about two to three people. It was a big team. My estimate is that we had at least 20 to 30 people.

The initial deployment probably happened in a span of six months. Every quarter or every six months, they take feedback from different companies, and they ask for whatever modification is required from our side, and they keep on releasing the updates, small modifications, and so on. It is a continuous process, and we are still fine-tuning the system.

I'm not an administrator, so I don't have information about the maintenance it requires in the backend. Because it is heavily customized, whatever development happens, it happens only internally. The production and the development environments are optimized. Apart from that, the routine activities that we require are related to any data modification with reference to the audit parameters of the attributes. We usually request to change or modify them. There is also an approval process. These are the kinds of interactions that we have as users.

There is absolutely no doubt that it is a very good tool for audit management as a whole. If you are deploying RSA Archer, the most important thing is that you need to be very clear of your requirements and the processes for audit management. It can maintain the organization hierarchy, business hierarchy, processes, projects, and assets. It can maintain a lot of repositories and attributes related to an organization for mapping individual audits. It is a wonderful tool, but if you are not clear about how you want to deploy it, it could be a mess. This is applicable to any enterprise-level tool. 

The reason I'm certifying with RSA Archer is that when you are using it for audit, there is a particular strategy and the way to do it, which may vary from organization to organization. So, you have to be very particular about what you want from the tool before deploying it. You should not deploy it and then define your processes. 

I would rate RSA Archer a nine out of 10.

Our use cases for Archer include third-party management, enterprise risk management, and compliance management. We have a partnership with RSA Archer and I'm a manager in risk advisory.

Among the most valuable features of this solution is the easy implementation and the degree of automation that it offers. This product is very compatible with our business processes and the dashboarding features are creative. This is an easy tool to learn and to work on. They have a great community where you can ask any question and be sure to get some responses. 

Archer has evolved significantly over the last five to eight years, but there are still some areas that could be improved. We've noticed recently with the advanced workflow jobs that we're receiving some errors. It's a showstopper for us and it's clear that some kind of development support is needed. If there were an improvement in the design and the advanced workflow, jobs would run more smoothly, and a lot of value would be added to the business. Another aspect that could be improved is the UI which has a very old generation feel. For additional features, I'd very much like to see tools added in the next release. This could include a live connection that could be built in order to bring all the client data from the legacy system directly into Archer. Right now it's a data feed. There are currently some ActiveX options for live collections, but not for all the products. 

I've been using this solution for five years. 

The solution is stable, it's a very mature product and if anything goes wrong we can provide the answers or the Archer community has the answers. We are currently having some problems with performance and our clients are complaining. The issues are with calculations and advanced workflows and it's creating a slow down in the system. We probably have around 5,000 users through our client companies.

The solution is very scalable. The design approaches Archer provides are very easy to change and scale. In an agile project, it's very easy to handle or develop with most of the configurations based on drag and drop as per the document framework.

Most of the issues we've had to escalate to RSA support belong to the advanced workflow section. These problems cannot be solved by Archer's UI and require back-end support or technical support from RSA. We're satisfied to a degree, it can take a few days to get a response. 

The initial setup is straightforward, the complexity lies in the operations. The entire configuration project requires minimal manpower. Archer has a built-in wizard where you can either create a package and send it to the higher environment or just install the package. It doesn't take more than half a day. In the latest versions, we've seen that some of the features are not automatically deployed and manual checks are required. We're expecting to see that rectified in future versions. 

The licensing is more expensive than other similar products and it often makes our clients step back and go for cheaper options. That said, the company is very clean and transparent in terms of pricing. There are no additional costs.

I have experience working with other GSU products and as a competitive analysis, I'd rate RSA's capability above that of other products. RSA Archer is more mature in terms of providing solutions. It's only when you compare the UI between solutions that Archer's competitors have an advantage. 

This is an easy solution and it's very good for agile projects when requirements can change abruptly. The only concern we have is with the advanced workflow which should be simplified so that if any errors come up, it's easier to change or modify. I recommend checking the target environment for all the configuration areas, making sure that it has been properly deployed, and checking whether it needs some post-deployment checks.

I would rate the solution very high but because of the error messages we've been receiving which require technical support and cannot be fixed by the Archer UI or the Archer configuration interface, I have to bring the rating down. If they improve the UI, I'd rate them more highly. 

For now, I rate this solution eight out of 10. 

We use the product for policy management, vulnerabilities and risk management. We also use it for business continuity.

It is a good tool to use. The product is very flexible. It can easily connect to other tools like ServiceNow and Nexus. The workflow feature is very interesting. We can automate a lot of stuff using the workflow. The product makes it very easy to publish dashboards.

We are implementing COBIT 2019. It is in English. It would be useful for customers if COBIT 2019 could be translated into different languages.

The product’s scalability is pretty good.

The initial setup is not complex, but you need some knowledge of the methodologies in the market to implement the product. These methodologies are in English. We have to translate the methodologies to use in Brazil. It would be better if it were available in different languages.

Overall, I rate the solution an eight out of ten.