RSA Archer Reviews

Our use cases for Archer include third-party management, enterprise risk management, and compliance management. We have a partnership with RSA Archer and I'm a manager in risk advisory.

Among the most valuable features of this solution is the easy implementation and the degree of automation that it offers. This product is very compatible with our business processes and the dashboarding features are creative. This is an easy tool to learn and to work on. They have a great community where you can ask any question and be sure to get some responses. 

Archer has evolved significantly over the last five to eight years, but there are still some areas that could be improved. We've noticed recently with the advanced workflow jobs that we're receiving some errors. It's a showstopper for us and it's clear that some kind of development support is needed. If there were an improvement in the design and the advanced workflow, jobs would run more smoothly, and a lot of value would be added to the business. Another aspect that could be improved is the UI which has a very old generation feel. For additional features, I'd very much like to see tools added in the next release. This could include a live connection that could be built in order to bring all the client data from the legacy system directly into Archer. Right now it's a data feed. There are currently some ActiveX options for live collections, but not for all the products. 

I've been using this solution for five years. 

The solution is stable, it's a very mature product and if anything goes wrong we can provide the answers or the Archer community has the answers. We are currently having some problems with performance and our clients are complaining. The issues are with calculations and advanced workflows and it's creating a slow down in the system. We probably have around 5,000 users through our client companies.

The solution is very scalable. The design approaches Archer provides are very easy to change and scale. In an agile project, it's very easy to handle or develop with most of the configurations based on drag and drop as per the document framework.

Most of the issues we've had to escalate to RSA support belong to the advanced workflow section. These problems cannot be solved by Archer's UI and require back-end support or technical support from RSA. We're satisfied to a degree, it can take a few days to get a response. 

The initial setup is straightforward, the complexity lies in the operations. The entire configuration project requires minimal manpower. Archer has a built-in wizard where you can either create a package and send it to the higher environment or just install the package. It doesn't take more than half a day. In the latest versions, we've seen that some of the features are not automatically deployed and manual checks are required. We're expecting to see that rectified in future versions. 

The licensing is more expensive than other similar products and it often makes our clients step back and go for cheaper options. That said, the company is very clean and transparent in terms of pricing. There are no additional costs.

I have experience working with other GSU products and as a competitive analysis, I'd rate RSA's capability above that of other products. RSA Archer is more mature in terms of providing solutions. It's only when you compare the UI between solutions that Archer's competitors have an advantage. 

This is an easy solution and it's very good for agile projects when requirements can change abruptly. The only concern we have is with the advanced workflow which should be simplified so that if any errors come up, it's easier to change or modify. I recommend checking the target environment for all the configuration areas, making sure that it has been properly deployed, and checking whether it needs some post-deployment checks.

I would rate the solution very high but because of the error messages we've been receiving which require technical support and cannot be fixed by the Archer UI or the Archer configuration interface, I have to bring the rating down. If they improve the UI, I'd rate them more highly. 

For now, I rate this solution eight out of 10. 

There are six to seven use cases currently. Most of the time, clients request a customized application. Right now, we're using RSA Archer for risk and issue management— like building a risk registry. We'll respond to risks using findings in the risk registry. So we'll set policies for risk discrimination and acceptance based on inherent and residual risk. We have all kinds of environments, covering DEV, SIT, and UIT. Currently, we have 6.9 Service Pack 2.

With RSA Archer, an admin can set permissions for a normal user to go directly to the tool they need to input some data. Admins can then go through that and approve some requests. Also, they can log in based on these kinds of permissions, including ticketing, service patches, or upgrades. The manager gets a notification, and they can log into the mobile application using this tool.

It would be nice if RSA Archer featured more customization. When customers are updating, they should be notified whether certain updates are optional. The install screen should not proceed to the next page unless we make some selections about which updates we want to install. That feature should be implemented in Azure so that users are aware. 

There is also an issue with managing records. If we add or remove records, something has to be updated.  Something has to be developed in this subform so that if a developer unexpectedly removes the total recorder linked to the parent record, it doesn't interrupt the connection. They have to come up with a solution for that.

Previously, we used RSA Archer to review data events. For example, we have a feature called Subscription Notification that was called Generate Notification. The letterhead was changed after migration, so we needed to update the letterhead manually. In Service Pack 2 6.9, links were embedded. So if we edited STTP, we had to remove the double slashes at the beginning of the address and update them to use only one slash. However, it is not recommended practice, so currently they're still updating that. We have notified the RSA team, and they are working on that.

I've been working with RSA Archer for seven years. I started my career as an administrator, and after that, I switched to development. Currently, I'm leading the team in an architectural role, like gathering requirements, deployments, and support.

In terms of performance, I would rate RSA Archer seven out of 10.

After deployment, some customers complain that the database must be constantly updated every time they add users, and the update process takes them a long time. For example, one of my clients has 60,000 to 70,000 users in their environment. It takes them three to four days to rebuild the search index on the database side.

We're in touch with RSA Archer's support on a daily basis. We have set up a scrum call every day to check if the clients have any issues identified post-deployment. In addition, we stay in touch with the tech team and provide support after deployment to address minor issues like, for example, if a customer needs to change their configuration. So we are implementing and releasing in two to three days if any minor changes are required. 

I previously worked on ITGC Controls in the IT sector conducting general control audits. I have performed other roles. We used to collect all the systems-related information showing that the server is updated correctly. We used to check database server-related information, so we'd verify that the daily backup is done. All the IT environments should have maintenance on policies ISO 7001, and I performed the general control audits.

I was using a related tool, but at the time, I was interested more in development, so that's why I have switched. Initially, it was a minor project that required significantly less personnel. RSA Archer is growing mature, so I just switched.

When you're first installing RSA Archer, the mobile feature is not available, but users can still manually input the details in the initial phase. And initially, it's like a normal input process. Then, after that, they have to come back and monitor using the PC or the laptop. 

The personnel needed for deployment depends on the solution. If there is one developer, they don't have any direct authority to deploy it. So we have some third-party monitoring at the time of deployment because if they touch any course other than this, the dedicated solution has to monitor it. Generally, one developer is enough for one solution. And after deployment, they have to recheck using that third party because most of them are in the banking sector, so everything should be monitored.

It takes about an hour to install. But, of course, if any jobs are running, it might take longer. So we have to give the system time to install all the code correctly. After installation, we also need to check for upgrades. 

I can say RSA Archer is worth the cost.

The price of RSA Archer is good. The price isn't too high considering it is a leading tool in the market. However, some Level Three companies cannot afford this license because they're charging too much. For example, the price might be reasonable for Level Five companies doing a four-month project, but they have to lower prices to make the product more competitive in the market for companies below Level Three.

I rate RSA Archer nine out of 10. It's an increasingly mature and very secure tool in the market. Every environment should have this kind of tool. It's useful for tracking any security threat.

I am using RSA Archer for internal audit management. It is used for the entire life cycle for audit, which includes engagement planning, reporting, action management, and so on. It is also used for internal resource management. The timesheet management, resource management, and training are being managed through the same system. 

It has been deployed on-premises. My organization has 16 groups. It is installed and managed centrally by the headquarters, and we are using the application.

We got rid of a lot of paperwork. As an internal auditor, we have to comply with IIA guidelines. There are standards that we need to follow while completing an engagement. A lot of requirements have been automated through the system, such as quality assurance, engagement review, audit follow-ups, and so on. It has supported the organization as a whole.

It is highly customized for our organization. It is primarily for GRC, but we are using it for audit management, resource management, timesheet management, and so on. These were add-ons features that were customized and developed by the vendor.

Its user interface is pretty neat, and there is flexibility in generating the data. You can customize reports at any level. You can directly get reports in Tableau format. If you want to generate statistical data, you can create reports with graphs. There is an adequate amount of flexibility for changing the format, the type of graphs, etc. 

The dashboard that is a part of the RSA Archer could be more aesthetic. 

There should be a way to export and get data from the system in PDF or PowerPoint presentation format. This would be a great addition.

It has been almost two years since we have been using the product. We have been using it almost on a daily basis.

We have been using the web application, and sometimes, there are issues related to the network availability, etc. Other than that, we have not seen any issues in terms of performance and input and output controls. We never had any reports that were not correct. So, more or less, it is fine.

Scalability-wise, we already have a proven case. Deploying a solution in one company with a fixed, organized structure is one thing, but deploying at a mass level in multiple companies and bringing them all together in one single platform is a completely different thing. It proves the scalability of the solution. There is no doubt that it can be scaled to multiple organizations in one go.

We have more than 200 users. They are internal auditors, but if we also count the auditees who use the same system, the number would be much higher.

Our version of RSA Archer is heavily customized. Therefore, at the initial stage of the deployment, there were a few issues for which we needed support. We had a few workflow issues or anomalies in the reporting. 

At the organization level, we have a uniform IT management system for IT tickets. We have an IT support team at the group level, and then we have a support team in headquarters. It is being managed just like any other solution in the organization. We are satisfied with the support.

I have seen the deployment of the SAP-based audit management system in 2013 or 2014, which might have changed a lot over these years. From a user's point of view, RSA Archer has a better user interface. It is easier to use. SAP had a typical structure and user interface. It might not have been user-friendly for everyone. RSA Archer is more user-friendly. Its acceptability is much higher when you are deploying it in an organization.

It followed the usual SDLC life cycle. They came and understood the processes. They understood the way the audit was being managed in our organization. It was a joint effort between our organization and the vendor. There were a lot of sessions to understand how we conduct our processes and what are the challenges that we face. Bringing almost 16 to 17 companies in one single platform was a challenge in itself. Even though we had the same policy procedure, there were some differences in the way things were being done, the formats of the files that we were using, and the way people were doing the audits.

It took a lot of time to have a good base of the design itself, but it was worth it. The deployment was done phase-wise. It was not a single-phase deployment; it was a multi-phase deployment. Initially, we just implemented the basic audit management in which we were able to create engagements and add the findings. Later on, more complexities were added related to quality management, timesheet management, detailed reporting, and so on.

It required a lot of interaction with the group companies and the development team in the HQ. There was one whole team in the HQ that had 15 to 20 people. From each company, there were about two to three people. It was a big team. My estimate is that we had at least 20 to 30 people.

The initial deployment probably happened in a span of six months. Every quarter or every six months, they take feedback from different companies, and they ask for whatever modification is required from our side, and they keep on releasing the updates, small modifications, and so on. It is a continuous process, and we are still fine-tuning the system.

I'm not an administrator, so I don't have information about the maintenance it requires in the backend. Because it is heavily customized, whatever development happens, it happens only internally. The production and the development environments are optimized. Apart from that, the routine activities that we require are related to any data modification with reference to the audit parameters of the attributes. We usually request to change or modify them. There is also an approval process. These are the kinds of interactions that we have as users.

There is absolutely no doubt that it is a very good tool for audit management as a whole. If you are deploying RSA Archer, the most important thing is that you need to be very clear of your requirements and the processes for audit management. It can maintain the organization hierarchy, business hierarchy, processes, projects, and assets. It can maintain a lot of repositories and attributes related to an organization for mapping individual audits. It is a wonderful tool, but if you are not clear about how you want to deploy it, it could be a mess. This is applicable to any enterprise-level tool. 

The reason I'm certifying with RSA Archer is that when you are using it for audit, there is a particular strategy and the way to do it, which may vary from organization to organization. So, you have to be very particular about what you want from the tool before deploying it. You should not deploy it and then define your processes. 

I would rate RSA Archer a nine out of 10.

We customize this solution for our clients. We take all their requirements and prepare the design and format by creating fields, notifications, access controls and workflows. We use all the management features that the solution provides to support our clients. We are customers of RSA Archer and I'm a senior consultant. 

The Advanced Workflow feature is one of the most valuable and user-friendly. We used to have to write multiple calculations. With Advanced Workflow, things are much easier for the developer and end user. It's a robust feature that allows users to easily identify what they're doing and where they are. We're able to create multiple layers with a specified functionality that gives an understanding of what is required as well as increased flexibility. Archer provides good security, enabling access where necessary. It's also a useful reporting tool, clearly showing functional data and, when needed, the ability for comparison. The default dashboard shows daily activities that are easily captured allowing for information to be extracted. 

In the current version, RSA is a little slow mainly because of Silverlight which I believe has been removed in the next version. We have some issues using .NET because migrating requires retraining the custom object every time; it's a manual change which is challenging. For that reason, we don't use the custom object. What's needed is a valueless field, where we can drag and drop, add some values and the process is automatic. I'd also like to see an 'approved' button incorporated in the notifications for updates. It would save time and make life easier for the end users.  

I've been using this solution for 11 years. 

This solution is very easy to scale and easy for new users to understand.

Because we use most of the modules we're paying a lot to get good support. We interact with someone from RSA on a weekly basis and deal with any issues on the platform.

The initial setup is straightforward when you understand the system. We put our new users in the sandbox environment and get them to play around with it before setting out our requirements. It can be a bit of a challenge initially but not for long. It's not a common platform and is different from other tools. Once our users are implementing, it's a very smooth process for them. We have a total of seven developers, four are in-house and three are on contract. 

Deployment time depends on the use case; if it's a large implementation, it can take between six and nine months. The solution needs maintenance because of the updates and that often results in patching needs. We're using Archer on a daily basis. 

I'm not sure about the cost of the solution but every year we purchase additional on-demand applications. Archer offers a package that allows the purchase of 10 on-demand applications. You can purchase more than that and the price goes up accordingly. I believe these purchases come with two years of maintenance support. 

This is a good solution compared to others in the market because it is more secure. It's suitable for any size company although smaller companies will only need to use certain modules with larger organizations using multiple modules. This is a one-stop storage device that you can access from anywhere. 

I rate this solution nine out of 10. 

We use the product for policy management, vulnerabilities and risk management. We also use it for business continuity.

It is a good tool to use. The product is very flexible. It can easily connect to other tools like ServiceNow and Nexus. The workflow feature is very interesting. We can automate a lot of stuff using the workflow. The product makes it very easy to publish dashboards.

We are implementing COBIT 2019. It is in English. It would be useful for customers if COBIT 2019 could be translated into different languages.

The product’s scalability is pretty good.

The initial setup is not complex, but you need some knowledge of the methodologies in the market to implement the product. These methodologies are in English. We have to translate the methodologies to use in Brazil. It would be better if it were available in different languages.

Overall, I rate the solution an eight out of ten.

Our primary use case of this solution is for GRC. I work for a bank and we used this tool to audit our information security team and our cybersecurity team. We had our control library, regulatory requirements, and third-party risks on Archer. So basically, I would say audit, regulatory requirements, third-party risk management solutions, and all kinds of controls, including SOX. These are the integrations we had set up. Right now, it's deployed on-prem. 

This solution helped us with the centralization of our governance data, so we could house all of our controls in one place. We could use that central repository of all our controls to build our risk management strategy and our policy and governance. So we could use controls as a central library and build policy, and then build risk management around it. 

One of the most valuable features is the ease of use. The customizable forms and drop-downs are pretty easy to configure. Automated notifications is another feature that is nice. The whole workflow, basically—if you're going through a workflow process, the whole process is automated with notifications. Basically, it's a pretty straightforward, easy-to-understand interface. I've also had the chance to develop some backend configurations, which is straightforward as well, if you want to add a new field or anything. 

Archer could be improved by having more customization. I'm not sure if the backend processes have API calls and those kinds of seamless integrations, but from the front, some of the solutions are very out-of-the-box. It's not customizable, so that could be a little problematic since you have to use their features. In terms of the backend structure, I'm not too sure because I'm not a developer—I was an end user and product owner of Archer—and I don't quite know the backend and developmental features. But since it's an out-of-the-box solution, sometimes customization was challenging and support was a little problematic because we had to reach out to them all the time. 

I have been working with this solution for the past 18 months. 

We did have a few outages, but otherwise, I must say it's fairly reliable. 

For maintenance, there's an admin dashboard. It's a capability that is handed over to our user and admin has super user access. 

This solution is quite scalable. At that point, it really depends on the strategy. Since we had all our controls on Archer, it was easy for us to scale and deploy other applications or develop other applications seamlessly. But imagine you had your controls on a different application—if it was not on Archer and you had to scale, it would be challenging to move all your data into Archer and then scale. So that is something that could be challenging, but since our strategy was already Archer through and through, we did not find it difficult to scale. 

There are approximately 500 users, across all departments, using Archer. It is being used extensively at the moment. Right now, we don't have plans to increase usage, but I'm sure there's going to be organic growth. 

On a scale of one to five, I would probably rate support a three. I wouldn't say it's the best, but it's not bad either, in terms of both the response time as well as the support. 

We used SharePoint for a bit. We switched to Archer because the graph, user interface, and all that was better than SharePoint. I'm not too sure about the strategic decision because I wasn't with the organization back then, but I know that they wanted a centralized location for their governance, risk, and applications. 

I think the deployment process is pretty straightforward. The solution was deployed for us through a third-party consulting agency, so it wasn't Archer or RSA developers, but a third party that implemented the solution for us. During the time of deployment, we were in a CI/CD mode, so we always had new applications, customization, new fields getting added. 

A third party implemented the solution for us. 

If you are considering implementation, my advice would be to decide on a strategy first before you implement a solution. The solution is nice, but unless you have a strategy, I don't see the point in implementing it. 

I rate Archer a seven out of ten. 

We use RSA Archer in my organization for assessments (ISO, GDPR, PCIDSS, etc.) or to raise dispensation for any application, security-related controls.

If we want to perform the application assessment or any ISMS assessment, earlier, we had to do it manually. The RSA Archer tool gives us the output in an automated manner, it is beautiful and has helped our organization.

RSA Archer is the most usable GRC tool and leading tool and I have found performing the application, ISMS, and TPRM assessments beneficial.

In a future release, there should be an option to upload the main data.

I used RSA Archer within the last 12 months.

Early on we faced lots of issues because the communicating with the RSA Archer, the database was not synced properly. Two times when we installed RSA Archer in an environment a few settings and configuration was not correct, this caused the passwords not to match.

The stability could improve.

The scalability is easy to achieve.

Most of our clients are large businesses. I have plans to continue the usage of RSA Archer.

The technical support is good, but they respond a little late, sometimes it can be a few days to have a response.

Positive

The initial setup is a bit complex. The whole process can take approximately three hours with one or two people.

We have faced challenges. For example, the database is not synced with the RSA Archer. A few services were not running if the RSA Archer was logged in through local admin or the specific user, we have received few errors. 

Archer is responsible for the maintenance of the solution.

The ROI depends on the company's needs as RSA has 7 solutions, the company can pay based on the subscription. 

The solution's price should be reduced. You only have to pay the license and there are no additional fees.

I did not previously evaluate any other solutions.

They have to use RSA Archer if they use the automated tools, their data will be safe.

Though there are some issues with the technicality of the solution, such as errors. The solution provides great features, such as customization, we can customize it as per our requirements.

I rate RSA Archer a ten out of ten.

The most valuable features of this solution are the Data integration, the different kinds of Data import, Data feeds, and the API. 

One of the useful features is the ability to connect to various systems in order to accommodate data.

Otherwise, all of our administrative functions, business apps, and application development are available, but this is the most important. 

It can integrate with other systems to get that data, as well as get data out of Archer and into other legacy systems.

Reporting is very good. You can have reports and IUs on your dashboard, as well as different types of IUs. 

Reporting is excellent for all types of aggregators, as well as for different types of integrators. That is one of the positive aspects.

I am not at the level to show someone how to improve whatever features they have. They are good if they work.

They are better now than previous versions. I am working on version 5, and they are now on version 6.9. They have made significant progress.

There should be an in-built feature that allows live data from vulnerabilities and threats from reliable sources to be streamed directly through their data field.

RSA can provide that kind of service, providing real-time data, vulnerability, and threats, without any local, asking for a contribution from someone else.

I would like to see real-time data, from vulnerabilities, and threats.

I have been working with RSA Archer for 12 years.

RSA Archer is very stable.

The current versions are very stable.

Nothing is perfect, I would not give a rating of ten, but in terms of stability, I would rate it an eight out of ten.

RSA Archer is scalable. The scalability is on various parameters. For user accounts, it is quite scalable.

I work with a large organization. We have 50,000 accounts.

I have 12 years of experience in technical support. My job entails providing technical support for legacy systems as well as current systems. Archer, I work on both technical and functional support. In my case, I'm a CSA, CS, and Archer CISO candidate for all business applications.

Their technical support is good, they are very prompt.

I have only ever worked with RSA Archer. I have not worked with other GRC systems, but I have seen other companies switch from other platforms to RSA Archer because it better met their needs.

RSA Archer has been deployed both on-premises and in the cloud.

The cloud-based version is less painful for us.

The initial setup is straightforward. There are good manuals available. It is not that difficult. The configuration requires a person who has sufficient knowledge or experience.

Someone else should always have some experience on how to install it. The installation is simple, but the configuring is for the business requirements.

I am not sure about other companies, but it's quite expensive.

I would rate RSA Archer an eight out of ten.