RSA Archer Reviews

RSA Archer's best features are advanced workflow, reports, dashboards, and notifications.

There is some lag and instability with the platform when using the cloud version. I would also like the look and feel of the layout to be updated and made more customizable. 

I've been using RSA Archer for eight to nine years.

RSA Archer is scalable.

RSA Archer's technical support is a little disappointing because the first level is always manned by junior members who don't have much technical expertise.

The initial setup was straightforward.

I would give RSA Archer a rating of eight out of ten.

RSA Archer is a governance tool, used especially for bank applications. At the same time, there is the NetWitness tool, a SIEM solution that was created by the RSA division. They have integrated the incident management, along with RSA Archer. Whenever the SIEM solution creates alerts, Archer can be triggered, and you can elect notifications to your mailbox. 

If you click on the link, it'll link to you the actual incident, what happened in cybersecurity. You can do a number of things, like a workflow and approval from the manager level.

The features help save a lot of time in the organization.

The most valuable features of RSA Archer are the asset management, risk management, and vendor management. It's a very simple tool that you can learn within a short period of time.

If I use an AGP, for the onboarding process, for example, I'll create a workflow. An item will go to my manager, the manager approves, and I'll automatically get an alert notification sent to me saying that you are being onboarded. 

You can also put a lot of limitations, like permissions and values, in the AGP. As a security person, that is important to me. You can use any number of groups and permission levels. Now I created vendor management and many people have different kinds of applications in the AGP. Many people are users, but that doesn't mean each particular person can access all the applications in the AGP; it'll be limited. At the same time, I also can give edit permissions at the system level.

One area that could be improved is the solution needs to go further with most of the APIs. They need to create multiple APIs and integrations, in my opinion. A few things can't be done from the RSA level and it's not user-friendly when you're working with the other tools. With the RSA products, it's very easy, because it's an inbuilt application. If you need to integrate the RSA products with another SIEM solution, then it doesn't work properly. You have to create a new API for that integration of Archer.

Beyond that, additional features would make the solution too complex. If additional features were added, the solution would need better sustainability and marketing. RSA would also need better online support. The solution would be more attractive with improvement to these items.

I've been working with RSA since 2013.

The stability and performance of the solution is good.

The solution is easy and simple to scale.

The initial setup is not complex; anyone can do it. Deployment should not take more than two people. The time it takes depends upon the cluster environment. If it's a single instance, you have only one database server, it shouldn't take more than four to five hours for the deployment. If it is a cluster with a lot of employees and a big organization, they'll have disaster recovery and more involved. In that case, it'll require at least two days or so.

We are involved in the integration of everything.

The license is costly for the solution, but the remaining setup and maintenance is a lot cheaper.

The RSA Archer tool is useful for governance listing, workflow, risk management, incident management, and auditing. It's a very easy methodology for senior management. In Archer, even though it's confidential data, you can store it in the proper way, and there were a lot of APIs which can integrate with Archer. For senior management, it'll trigger an alert and you'll see a project automatically to approve. You can do wonders with this tool, but you have to be very specific in your utilization.

If you only use two to three products in RSA, you're wasting a lot of money and people resources. You have to bring awareness; what is this tool? Show users the solutions that can be implemented.  

I would rate the solution an eight out of ten.

Archer is a repository tool that is leveraged by all the security teams across the firm. The analysts and architects use it to store their data and store the vulnerabilities, which are coming from other applications while scanning the devices and everything. 

My job is to integrate the other applications with this application and try to bring all the data from those applications in here and create a workflow, environment, and framework for the different teams to use those records or vulnerabilities to  make a decision on what they should do. It just makes their life easier.

We are using the solution on-premises, but we are going on the cloud next year.

The last project was for an investment group that was using Excel. Shifting their records from one position to another took approximately 15 minutes. In Archer, we created a workflow for them to leverage it, and they could send the single record with one click to one person within seconds. The whole process went from 15 minutes to two minutes to get the approval for the records. The main purpose of Archer is to just make it easy.

It is really valuable to me because there are a lot of things which I can do and learn from, especially different programming languages. It's not just built on one thing. There are multiple languages which I need to learn in order to run this. One is JavaScript. On the back end, it's C#.NET. On the server type, it's Java. Trying to figure out every single thing makes my knowledge grow more and more every day.

There is a platform called Archer Community where we can post our concerns and any areas that need to be improved, and they will reach out. Recently, we made a suggestion for cross references, like for one application to another. There were limitations there, so we're hoping that will be included in the next upgrade.

Whenever there's an upgrade, they'll just make changes to the application. RSA is a Dell company. Dell is the parent company, and RSA is under that.

There are performance issues and bugs here and there, but it hasn't been a real concern. Sometimes it's slow, but mostly it's on our computers and processors. We just need to delete some stuff there and put them back on the server.

It is very easy to scale. Right now, we have three teams using the solution. It's about 15 to 20 people.

We are responsible for maintenance. There's a team of 20 to 25 people dedicated to Archer. Once it goes to the cloud, then we won't be responsible for maintenance.

We have plans to increase usage in the future. We are talking to the different departments of the company. Archer is not like a business. It doesn't go outside the business because it's really a security tool, and it's just used by the security departments and different departments who are involved with security. It just involves the company. We're trying to leverage it to different departments and we'll see what happens.

They are good. They don't need any improvement, but sometimes they need some guidance. We have our documentation, so they can just refer to that.

Previously, they were purely on Excel files and getting data from the applications inside Excel or Word format. I think this is the first solution they went to, and this is the best tool for GRC, governance, risk, and compliance. There are other tools but they would be confusing for the business, so Archer is the best right now.

The setup process was really easy. You just have to package and install it. There were two or three people involved in the deployment. It took about a day.

I would rate this solution 8 out of 10. My advice is don't just stick to Archer. Learn different tools because it's just a tool in the end. It will be fully configured, and you won't have anything else to do. Go into the business side and try to learn the business.

We use Archer as a risk management portal. We've customized Archer to follow the Sherwood Applied Business Security methodology for governance and risk assessment. We don't use the compliance module much.

The main benefit is that we can automate risk management. The whole purpose of having Archer is to automate governance, risk, and compliance. Previously, we used to do everything in Excel sheets and Notepad. It was mostly manual. We'd send emails to people and collect information. Once you have Archer, you can automate all these processes.

I like how Archer requires very little programming ability. A person with minimum coding experience can configure the necessary fields in Archer. It's more of a drag-and-drop solution. 

When we have to do formulas or some other type of calculation in Archer, it sometimes doesn't work correctly. The fields don't display right, and we have to contact RSA Archer support to fix things. I think the calculation components are a bit complicated.

I've been using RSA Archer every day for the past six years.

RSA Archer's overall performance is good. It slows down at times whenever a script or some process is running in the backend. Sometimes our users have complained about the speed.

Scaling up RSA Archer is a straightforward process. You just need to upgrade your hardware and software. We have about 80 end-users working on Archer now. 

We've opened several tickets with RSA, and they're settled pretty quickly. The experience has always been good. 

When we started working with Archer, it was more or less the only product in the field that could do GRC automation. A few have been launched since then, but we've only ever worked with Archer.

Deploying RSA Archer is effortless. You just need to make a database backup of Archer and keep it somewhere. Then you can install Archer on any server and load the backup. Everything from A to Z comes back. It's restored, and you don't have to do anything. It's a straightforward process. The initial installation takes three hours, and two technicians can handle the job. 

After installation, it doesn't need much maintenance. We periodically deploy some security patches on the operating system, make backups, and cross-verify if the backup is working correctly or not. 

The initial purchase is cheap. You pay a nominal price to start then renew the license annually. You also must buy a license for each module. I'm not too fond of that aspect of the licensing model. You buy the elephant and then spend more money to feed the elephant.

I rate RSA Archer seven out of 10. To anyone thinking about deploying Archer, I would suggest exploring other products in the market as well. Archer is a bit costly compared to its competitors. 

We are using RSA Archer to provide GRC services to our client. GRC means, governance, risk and compliance. In Archer we implement business continuity management, policy management, risk management solutions, audit management solutions, and third party governance solutions. We even utilize a privacy governance model of RSA Archer, as well.

Currently, we are analyzing and evaluating software as a service option for one client to reduce effort and time on infra related activities.

Our clients are using RSA Archer to automate their manual processes and activies to avoid manual intervention and have a clear visibility to leadership. This increased the client's process efficiency, they are more compliant and reduces the risk and overall governance structure improved. Also, it adds some value added features on the reporting and gives clear visibility of the entire business unit or   divisions of the company. Suppose the CEO of company want to see their high risk BUs , he or she can easily see the count and detail. Automated timely email trigger and integration with other tools/application helps client to assess their processes and BUs to find out risks and remediate risk on time.

There are lots of features which motivate our client to use RSA Archer. First of all, its access control feature which provides access at application level, access at record level and  at page level. It helps client to avoid any unauthorised access.

Also, there is a strong integration between the RSA Archer modules and also option to integrate with other application/ process help client to increase confidence on data integrity.

Suppose if anyone is using RSA Archer audit management or any out of the box use cases, it also provides some of the inbuilt capability of the assessment, like some of the questionnaires and some of the controls that are available in RSA Archer.

 Capability of sending automated email triggers to the stakeholder on a fix frequency.

Workflow feature, reports and dashboard capability etc. lucrate client towards Archer.

 UI/UX can be improved and a feature to allow end user to update assessment question and add or remove recipients from a notification will help client to minimize their dependecy on Archer developer.RSA Archer somehow lag behind in the user interface.

Additionally, the reporting capability of Archer should be improved. Because generally what clients do is analyze processes, their records, their status. They integrate it with either Tableau or Power BI just to customize their reports and see more user friendly reports. So I would suggest to improve reporting capabilities as well.

In terms of stability and performance, Archer is good.

RSA Archer is easy to scale, it's not complex.

It is a requirement to maintain RSA Archer. Our team even provides the managed services to the client, as well.

Some of my clients are moving their GRC solution from other platforms to RSA Archer because of scalability.

Support is good, but sometimes I feel there are some queries or issues, where I or our client need a resolution quickly, but sometimes it gets delayed from the customer support side.

Generally client without GRC framework move to Archer to automate their processes.

Generally we deploy the RSA Archer on client's infrastructure. It is not complex, even for the first time user, process to setup Archer is easy if they refer manuals or guide.

Generally, one person can easily install if it is a small or medium and not a complex deployment. But if it is a large scale deployment I think there will be more requirement of other team involvement as well.

Yes, we do evaluate other options/framework available in market e.g. ServiceNow GRC, OneTrust etc.

But we suggest best option basis the client requirement and which suites most in terms of cost and effort.

My advice to anyone considering RSA Archer would be to use it for their GRC capability and automate their manual tasks. If they are doing any manual task, they can simply automate through RSA Archer. It will increase efficiency, minimize their risk and will make them more compliant.

On a scale of one to ten, I would give RSA Archer an 8 out of 10

I am using RSA Archer for internal audit management. It is used for the entire life cycle for audit, which includes engagement planning, reporting, action management, and so on. It is also used for internal resource management. The timesheet management, resource management, and training are being managed through the same system. 

It has been deployed on-premises. My organization has 16 groups. It is installed and managed centrally by the headquarters, and we are using the application.

We got rid of a lot of paperwork. As an internal auditor, we have to comply with IIA guidelines. There are standards that we need to follow while completing an engagement. A lot of requirements have been automated through the system, such as quality assurance, engagement review, audit follow-ups, and so on. It has supported the organization as a whole.

It is highly customized for our organization. It is primarily for GRC, but we are using it for audit management, resource management, timesheet management, and so on. These were add-ons features that were customized and developed by the vendor.

Its user interface is pretty neat, and there is flexibility in generating the data. You can customize reports at any level. You can directly get reports in Tableau format. If you want to generate statistical data, you can create reports with graphs. There is an adequate amount of flexibility for changing the format, the type of graphs, etc. 

The dashboard that is a part of the RSA Archer could be more aesthetic. 

There should be a way to export and get data from the system in PDF or PowerPoint presentation format. This would be a great addition.

It has been almost two years since we have been using the product. We have been using it almost on a daily basis.

We have been using the web application, and sometimes, there are issues related to the network availability, etc. Other than that, we have not seen any issues in terms of performance and input and output controls. We never had any reports that were not correct. So, more or less, it is fine.

Scalability-wise, we already have a proven case. Deploying a solution in one company with a fixed, organized structure is one thing, but deploying at a mass level in multiple companies and bringing them all together in one single platform is a completely different thing. It proves the scalability of the solution. There is no doubt that it can be scaled to multiple organizations in one go.

We have more than 200 users. They are internal auditors, but if we also count the auditees who use the same system, the number would be much higher.

Our version of RSA Archer is heavily customized. Therefore, at the initial stage of the deployment, there were a few issues for which we needed support. We had a few workflow issues or anomalies in the reporting. 

At the organization level, we have a uniform IT management system for IT tickets. We have an IT support team at the group level, and then we have a support team in headquarters. It is being managed just like any other solution in the organization. We are satisfied with the support.

I have seen the deployment of the SAP-based audit management system in 2013 or 2014, which might have changed a lot over these years. From a user's point of view, RSA Archer has a better user interface. It is easier to use. SAP had a typical structure and user interface. It might not have been user-friendly for everyone. RSA Archer is more user-friendly. Its acceptability is much higher when you are deploying it in an organization.

It followed the usual SDLC life cycle. They came and understood the processes. They understood the way the audit was being managed in our organization. It was a joint effort between our organization and the vendor. There were a lot of sessions to understand how we conduct our processes and what are the challenges that we face. Bringing almost 16 to 17 companies in one single platform was a challenge in itself. Even though we had the same policy procedure, there were some differences in the way things were being done, the formats of the files that we were using, and the way people were doing the audits.

It took a lot of time to have a good base of the design itself, but it was worth it. The deployment was done phase-wise. It was not a single-phase deployment; it was a multi-phase deployment. Initially, we just implemented the basic audit management in which we were able to create engagements and add the findings. Later on, more complexities were added related to quality management, timesheet management, detailed reporting, and so on.

It required a lot of interaction with the group companies and the development team in the HQ. There was one whole team in the HQ that had 15 to 20 people. From each company, there were about two to three people. It was a big team. My estimate is that we had at least 20 to 30 people.

The initial deployment probably happened in a span of six months. Every quarter or every six months, they take feedback from different companies, and they ask for whatever modification is required from our side, and they keep on releasing the updates, small modifications, and so on. It is a continuous process, and we are still fine-tuning the system.

I'm not an administrator, so I don't have information about the maintenance it requires in the backend. Because it is heavily customized, whatever development happens, it happens only internally. The production and the development environments are optimized. Apart from that, the routine activities that we require are related to any data modification with reference to the audit parameters of the attributes. We usually request to change or modify them. There is also an approval process. These are the kinds of interactions that we have as users.

There is absolutely no doubt that it is a very good tool for audit management as a whole. If you are deploying RSA Archer, the most important thing is that you need to be very clear of your requirements and the processes for audit management. It can maintain the organization hierarchy, business hierarchy, processes, projects, and assets. It can maintain a lot of repositories and attributes related to an organization for mapping individual audits. It is a wonderful tool, but if you are not clear about how you want to deploy it, it could be a mess. This is applicable to any enterprise-level tool. 

The reason I'm certifying with RSA Archer is that when you are using it for audit, there is a particular strategy and the way to do it, which may vary from organization to organization. So, you have to be very particular about what you want from the tool before deploying it. You should not deploy it and then define your processes. 

I would rate RSA Archer a nine out of 10.

We have four primary uses of the solution. My job role was mainly the administration of RSA Archer, in financial services for the public sector bank. Our main use cases were security incident management, mainly to the cyber security incident management, and also the governance risk and compliance part to the DRC part. The auditing and audit updates all were taken through the RSA Archer, and also the customer feedback. But mainly RSA Archer was used for inventory. 

At my organization, we used to have a manual process for every communication work. For example, security monitoring management and everything was happening through mail and was on Excel sheets, things like that. So after acquiring RSA Archer, we were able to have a single platform, a dedicated platform where we can get all our requirements. The solution has improved my organization by having everything combined into a single platform.

I have used a couple of other products for the same domain. As compared to Archer, this solution is a highly mature product. The interaction has highly improved, especially in the latest two updates. The flexibility of the application and the usability have improved a lot as well. That's what I think stands out for RSA Archer.

One area that could be improved with the solution is the administration part, the backend task. That is a bit complex; or rather, the user interface can be made easier. For the newcomer, Archer might seem a bit complex. But once you get used to that, it's all fine.

In the next release of the solution, I'd like to see more inbuilt applications. For example, I talked about our organization having security management. Those are custom applications built by our own team. These are not out-of-the-box applications.

I have a total of three years experience with RSA Archer.

After deployment, my company managed the solution. We've had multiple issues with RSA Archer. The database has gone down; the infrastructure on the application side had a couple of issues; sometimes the services went down. After upgrading to the latest version of the solution, they are more stable than the previous one and it is a lot better now.

I'm really satisfied with the performance. We have more than 1000 or 2000 current users on RSA Archer, and we haven't faced many problems.

It's really scalable because we have options to import users or applications automatically; there are options to import a large number of users. Last year, we had a merging of three banks, and the users of the other two banks were brought into our Archer. They had more then, about 1,000 to 1,500 users, and that was done within a month. We were able to integrate all applications and users. Scalability won't be an issue.

I have been in touch with Archer customer support a couple of times. I have had good experiences; I haven't faced many issues with them. But it will depend upon the company's contract with RSA. There are different support levels.

I haven't worked on the deployment of the solution, but I know the basics of the infrastructure. It's not highly complex, but it is complex as compared to other applications because, in addition to applications and databases, we have the services side as well.

Our deployment of the solution was done by a third-party.

The solution is not at all a cheap product. Whenever someone is planning to buy the RSA Archer application for their organization, the first thing is to understand whether they really need it or not. We have our in-built applications, but first, we need to check whether we require it or not. That is the main thing. The second thing is whether they have the technical people available who are able to handle Archer. Even if they have the product and all, there aren't many people in Archer. We always be making custom applications; we hardly use any built application. So we should have technical employees there.

Talking about my personal use, RSA Archer is one of the four tools which I have managed. And talking about in my organization, it is used extensively. The main core use was security incident management.

I would rate the solution an eight out of ten.

Our use cases for Archer include third-party management, enterprise risk management, and compliance management. We have a partnership with RSA Archer and I'm a manager in risk advisory.

Among the most valuable features of this solution is the easy implementation and the degree of automation that it offers. This product is very compatible with our business processes and the dashboarding features are creative. This is an easy tool to learn and to work on. They have a great community where you can ask any question and be sure to get some responses. 

Archer has evolved significantly over the last five to eight years, but there are still some areas that could be improved. We've noticed recently with the advanced workflow jobs that we're receiving some errors. It's a showstopper for us and it's clear that some kind of development support is needed. If there were an improvement in the design and the advanced workflow, jobs would run more smoothly, and a lot of value would be added to the business. Another aspect that could be improved is the UI which has a very old generation feel. For additional features, I'd very much like to see tools added in the next release. This could include a live connection that could be built in order to bring all the client data from the legacy system directly into Archer. Right now it's a data feed. There are currently some ActiveX options for live collections, but not for all the products. 

I've been using this solution for five years. 

The solution is stable, it's a very mature product and if anything goes wrong we can provide the answers or the Archer community has the answers. We are currently having some problems with performance and our clients are complaining. The issues are with calculations and advanced workflows and it's creating a slow down in the system. We probably have around 5,000 users through our client companies.

The solution is very scalable. The design approaches Archer provides are very easy to change and scale. In an agile project, it's very easy to handle or develop with most of the configurations based on drag and drop as per the document framework.

Most of the issues we've had to escalate to RSA support belong to the advanced workflow section. These problems cannot be solved by Archer's UI and require back-end support or technical support from RSA. We're satisfied to a degree, it can take a few days to get a response. 

The initial setup is straightforward, the complexity lies in the operations. The entire configuration project requires minimal manpower. Archer has a built-in wizard where you can either create a package and send it to the higher environment or just install the package. It doesn't take more than half a day. In the latest versions, we've seen that some of the features are not automatically deployed and manual checks are required. We're expecting to see that rectified in future versions. 

The licensing is more expensive than other similar products and it often makes our clients step back and go for cheaper options. That said, the company is very clean and transparent in terms of pricing. There are no additional costs.

I have experience working with other GSU products and as a competitive analysis, I'd rate RSA's capability above that of other products. RSA Archer is more mature in terms of providing solutions. It's only when you compare the UI between solutions that Archer's competitors have an advantage. 

This is an easy solution and it's very good for agile projects when requirements can change abruptly. The only concern we have is with the advanced workflow which should be simplified so that if any errors come up, it's easier to change or modify. I recommend checking the target environment for all the configuration areas, making sure that it has been properly deployed, and checking whether it needs some post-deployment checks.

I would rate the solution very high but because of the error messages we've been receiving which require technical support and cannot be fixed by the Archer UI or the Archer configuration interface, I have to bring the rating down. If they improve the UI, I'd rate them more highly. 

For now, I rate this solution eight out of 10. 

My primary use case varies depending on the requirements, but uses include working on email notifications, fetching data feeds, and working on feed managers.

Archer allows us to define the progress of the organization's processes and helps build the right cyclic process and improve the current structure. We also track a lot and transfer a lot of vendors and users, and Archer has a repository that allows us to collect that data step by step. It also makes auditing easier.

The most valuable features of RSA Archer are notifications, workflow routing, and data filtering.

An area for improvement is the turnaround time for advice from the support team. In the next release, I would like to see a maturity rating feature that would provide industry ratings and information on the market.

I have been using this solution for about a year and a half.

Stability has improved over time, but there's still a lot of latency with some features, like looking up or checking the database.

This solution is scalable.

The tech support team's turnaround time is often slow.

Previously, I have used Aravo, and currently, I'm using Process Utility.

The initial setup was fairly straightforward as we were given hands-on training. Deployment took around three months.

When implementing Archer, I recommend looking through the videos supplied and making use of the free sessions that Archer provides. I would rate this product as six out of ten.

My use cases of RSA Archer are for WISP and controls-based audit purposes. For WISP, we keep the information security, like written informed consent protocol, and I manage almost 15 applications that I need to review the architecture of. I use RSA Archer to review the design document, the zone the application is hosted in, whether there is any kind of zoning division, the cryptography design, the cryptography used for data in motion, and what encryption they're using. 

Other than that, we have been using RSA Archer for a controls baseline. We had policies set up earlier and, based on those policies, control objectives were stated in RSA Archer for each and every application. 

This solution is deployed on-premise. 

RSA is a very rich application. I like its adaptive suggestion, where based on your users and the class of data, it can actually recommend you the proper control to choose. For example, we have been using PCI DSS as an NIST. So based on application feedback, it will provide you with a suggestion on which control objective needs to be set. Based on that, you can make a decision—you don't need to take the suggestion, but you can customize that particular provided suggestion. RSA Archer's workflow is also good, in terms of process automation. 

The first improvement I would suggest for RSA Archer is a better search feature. The search criteria needs to be improved. Sometimes I do a search and the search doesn't return the exact item I'm looking for. RSA Archer could also be improved by being more user-friendly. 

Maybe I have been using a limited version of RSA Archer, but I'm not sure whether it has ESG, environmental and social governance. In the next couple of years, ESG is the next feature that will be integrated into GRC tools. I would recommend RSA Archer adds ESG. 

I have seen some performance issues. For example, with the search criteria. When I'm searching with some of the IDs, it will return "FND_" and some finding numbers. Their search criteria is a bit cumbersome because I need to actually find what I need, but it's giving me a lot of other information. I have also experienced lagging when viewing an app configuration page, to see the controls associated with that particular app. I'm not certain whether it's a problem with Archer or with our implementation, but there are definitely some performance issues. 

We have a maintenance team responsible for the required maintenance. They handle new patches and some of the new framework rules and updates. They're also planning on implementing and integrating FedRAMP. 

RSA Archer is definitely easy to scale. It's not complex to add applications to our portfolio. For example, we can use one set of controls for one application, and then we can easily map another application with that same set of controls. 

We have a huge organization, so RSA Archer is available for higher management. In our portfolio, there are about 26 users. We don't have plans to increase our usage of RSA Archer because we are migrating to ServiceNow. 

I have the tech support where I evaluate according to a criteria. For example, how frequently that particular software version is being patched, whether the application server is updated with the proper software version or not, whether there is a failover plan, and what our data retention policies are, in terms of issues that are closed or obsolete, and how long we are keeping those. So I evaluate these questions with the maintenance team. 

Archer was being used when I started at my company, but I think they were previously using some CA tool. We have been using RSA Archer and RSM, but we are finally migrating to ServiceNow. 

I have not actually set up RSA Archer—a different team handles the setup and installation, and I integrate the frameworks for our applications and set up the control objectives. I have integrated different frameworks, like NIST and PCI DSS, and have found that you can create and upload your control objective from the spreadsheet and work on it. It's one of the easier ways to set your application-specific controls on RSA Archer. 

A different team handled the implementation. 

Return on investment is definitely there, in a sense, because with this particular governance, we can mitigate the risks of different kinds of losses. For example, with one of our applications, I have been looking into the portfolio that deals with PCA and PA data. If the upper control objectives are not managed properly, then there may be vulnerabilities which, if not properly remediated, will lead to losses—customer data loss and intellectual property loss. So there is definitely an ROI with this GRC tool. 

RSA Archer's price is justifiable and not as expensive, compared to ServiceNow. I have heard that the licensing for ServiceNow is much more expensive. I'm unaware whether there are any additional costs after licensing fees. 

We are migrating to ServiceNow, which isn't as rich as RSA Archer, but it's better in terms of usability. It's easier to integrate each and every control with the entities and it's easier to assign incidents and policies. The process automation and workflow is good in RSA Archer, but it's available in ServiceNow as well. For control audit purposes, since we are migrating to ServiceNow, we have actually mapped the entities and, from there, we are doing the controls-based audit. 

To any teams who are looking to implement RSA Archer, I would say that one problem I faced when we integrated NIST, PCI DSS, and other tools was that there are a lot of common control objectives out there with policies that are actually mapped. So you need to be making sure that you are not making duplicate control objectives. For example, take disaster management. In the data retention policy for the database, one of the control objectives requires proper access management, so that will be applicable for network as well. You can use a similar control objective and map two or more different policies, which will reduce the amount of effort you need to put in. 

I rate this solution a seven out of ten.