RSA Archer Reviews

There are six to seven use cases currently. Most of the time, clients request a customized application. Right now, we're using RSA Archer for risk and issue management— like building a risk registry. We'll respond to risks using findings in the risk registry. So we'll set policies for risk discrimination and acceptance based on inherent and residual risk. We have all kinds of environments, covering DEV, SIT, and UIT. Currently, we have 6.9 Service Pack 2.

With RSA Archer, an admin can set permissions for a normal user to go directly to the tool they need to input some data. Admins can then go through that and approve some requests. Also, they can log in based on these kinds of permissions, including ticketing, service patches, or upgrades. The manager gets a notification, and they can log into the mobile application using this tool.

It would be nice if RSA Archer featured more customization. When customers are updating, they should be notified whether certain updates are optional. The install screen should not proceed to the next page unless we make some selections about which updates we want to install. That feature should be implemented in Azure so that users are aware. 

There is also an issue with managing records. If we add or remove records, something has to be updated.  Something has to be developed in this subform so that if a developer unexpectedly removes the total recorder linked to the parent record, it doesn't interrupt the connection. They have to come up with a solution for that.

Previously, we used RSA Archer to review data events. For example, we have a feature called Subscription Notification that was called Generate Notification. The letterhead was changed after migration, so we needed to update the letterhead manually. In Service Pack 2 6.9, links were embedded. So if we edited STTP, we had to remove the double slashes at the beginning of the address and update them to use only one slash. However, it is not recommended practice, so currently they're still updating that. We have notified the RSA team, and they are working on that.

I've been working with RSA Archer for seven years. I started my career as an administrator, and after that, I switched to development. Currently, I'm leading the team in an architectural role, like gathering requirements, deployments, and support.

In terms of performance, I would rate RSA Archer seven out of 10.

After deployment, some customers complain that the database must be constantly updated every time they add users, and the update process takes them a long time. For example, one of my clients has 60,000 to 70,000 users in their environment. It takes them three to four days to rebuild the search index on the database side.

We're in touch with RSA Archer's support on a daily basis. We have set up a scrum call every day to check if the clients have any issues identified post-deployment. In addition, we stay in touch with the tech team and provide support after deployment to address minor issues like, for example, if a customer needs to change their configuration. So we are implementing and releasing in two to three days if any minor changes are required. 

I previously worked on ITGC Controls in the IT sector conducting general control audits. I have performed other roles. We used to collect all the systems-related information showing that the server is updated correctly. We used to check database server-related information, so we'd verify that the daily backup is done. All the IT environments should have maintenance on policies ISO 7001, and I performed the general control audits.

I was using a related tool, but at the time, I was interested more in development, so that's why I have switched. Initially, it was a minor project that required significantly less personnel. RSA Archer is growing mature, so I just switched.

When you're first installing RSA Archer, the mobile feature is not available, but users can still manually input the details in the initial phase. And initially, it's like a normal input process. Then, after that, they have to come back and monitor using the PC or the laptop. 

The personnel needed for deployment depends on the solution. If there is one developer, they don't have any direct authority to deploy it. So we have some third-party monitoring at the time of deployment because if they touch any course other than this, the dedicated solution has to monitor it. Generally, one developer is enough for one solution. And after deployment, they have to recheck using that third party because most of them are in the banking sector, so everything should be monitored.

It takes about an hour to install. But, of course, if any jobs are running, it might take longer. So we have to give the system time to install all the code correctly. After installation, we also need to check for upgrades. 

I can say RSA Archer is worth the cost.

The price of RSA Archer is good. The price isn't too high considering it is a leading tool in the market. However, some Level Three companies cannot afford this license because they're charging too much. For example, the price might be reasonable for Level Five companies doing a four-month project, but they have to lower prices to make the product more competitive in the market for companies below Level Three.

I rate RSA Archer nine out of 10. It's an increasingly mature and very secure tool in the market. Every environment should have this kind of tool. It's useful for tracking any security threat.

For Archer, today there is everything from risk management to looking at security and how to track all the security defects. We don't have Archer connected to ServiceNow. We had the better version when I was at Albertsons. Just before I joined UFG, we used it not only tracking deficiencies, but also doing all the risk work and all of the vulnerability management, but we tied it to ServiceNow so we could issue tickets and track stuff. That's the way to do it.

Our version is on-prem, which I used also used at Wells Fargo where we had it on-prem as well. I thought the best version we used was at Albertsons, we were in the cloud and we were using their stuff. To me, that's a better way to go. You want to keep it up to par, and you can't screw around with the data structures. It really keeps you current which is probably the best example so you get the best bang for your buck.

When you get it to work, then it's valuable to me. The part I liked about Archer was the risk assessment for deficiencies and being able to use it there. The part I don't like is what it takes to get it really working right. That's not trivial. You need people that really understand it, and you also have to get people to stop making changes to the data schema and the rules, because if they do that, then it defeats the whole purpose of Archer.

The problem is, and I've had years and years of experience using it, let's say decades of experience with it, and they keep changing it. It could be as much as two years or so and they change the product. My concern is when they go from module to module, what do they do? Is it consistent to what the industry wants? And they could also add some things and improve on their product for when we want to match up CVS to it and a few other things. And I think the training is hard. I think they need to emphasize that you take people and send them to training. But today with COVID, how do you do that?

I use RSA Archer on a daily basis. Some people in the Archer group call me a pain, they keep saying, "Well, we can't do this and we can't do that." I say, "Let me show you how it's done."

I have been using it since they first started. So that's got to be almost 15 years now. I knew it when it wasn't even Archer, when it was part of Ernst & Young's suite of risk products. And then Silver Shire took it out of there, formed his own company called Archer. And that's how it was developed. I go that far back with Archer. I've seen it evolve, and they keep changing modules, names, pricing. It's kind of fun to watch the industry.

In terms of stability, if you do it yourself, it can grow big depending on how you want to use it. I've seen and been in companies that want to do all this fancy stuff and all the rules and everything else and it just eats resources you could point at, being 20, 30 servers. It's big.

It's resource-hungry, that's the best way of putting it.

In terms of scalability, that's a problem. When you want it to scale, it costs you resources, just like that other product I hate, Splunk. I love the products, but not the resources they eat. It is expensive that way.

When you find the right one in tech support, it's good. They're all good, but some are better than others. When you're in a crunch, you want the best person right away. Guess what? I want it now. It's like a kid. I want it now.

I'd give tech support an eight to nine.

The initial setup is complex. It's not straightforward and never was.

It requires knowing what all the modules do, understanding what you want to do, and then finding the right people that can program it. And finding those experts is not trivial.

At one time, it was the only thing available. Now there are other products that I would consider.

Make sure you know what you want to really do and pick the right modules and do a lot of planning, planning, planning. It's like building a house. If you don't do the planning, when it comes down to trying to build it, you really get screwed or the team gets screwed. And I don't think people do a lot of planning.

On a scale of one to ten, I'd give RSA Archer an eight.

It's Archer - there are days when their stuff is awesome, there are other days when the frustration level is way too high.

My use case is for security assessment. It's my daily task. I use it for security assessment in Azure. We have tickets where users need to submit details about an application, computer, or server.

For Archer, my direct task is to assess the security risk of an application, infrastructure, or computer system. The server submitting the ticket provides all the details in Archer. 

From my end, I review the complete security portion of the particular application and based on my analysis, I enter a certain assessment into Archer and submit it back to the request service.

Archer has simplified our security audits. It's made it easier to raise and trigger questionnaires to customers.

The tool is very easy to learn and use. The most valuable feature is its user-friendliness. It's easy to understand and use.

The tool has minimal complexity.

The ticket handling process could be improved.

I have been using this product for three years. I currently use version 2.3.

I would rate the stability around an eight out of ten.

I would rate the scalability a seven out of ten. If project pipelines increase, we would like to expand it to a few specific users.

The initial setup was very easy to set up.

We needed developers and most of the delivery team. It's not like maintenance is extensive, but server maintenance is necessary, especially when it's deployed in the cloud. 

So, maintenance involves checking server speed and memory usage. Besides that, there's nothing else in terms of maintenance with the tool.

We saw an ROI.  So, it's like we mostly get back whatever investment we put in and took for the license of RSA Archer. Within six months, we can retrieve it.

The pricing is okay. The licensing costs are very reasonable; it is very affordable to us. 

We evaluated multiple tools, but we thought Archer would best fit for our use case.

Overall, I would rate the solution a nine out of ten. I would recommend it. It's very usable, and you can easily understand the process.

We are using RSA Archer to provide GRC services to our client. GRC means, governance, risk and compliance. In Archer we implement business continuity management, policy management, risk management solutions, audit management solutions, and third party governance solutions. We even utilize a privacy governance model of RSA Archer, as well.

Currently, we are analyzing and evaluating software as a service option for one client to reduce effort and time on infra related activities.

Our clients are using RSA Archer to automate their manual processes and activies to avoid manual intervention and have a clear visibility to leadership. This increased the client's process efficiency, they are more compliant and reduces the risk and overall governance structure improved. Also, it adds some value added features on the reporting and gives clear visibility of the entire business unit or   divisions of the company. Suppose the CEO of company want to see their high risk BUs , he or she can easily see the count and detail. Automated timely email trigger and integration with other tools/application helps client to assess their processes and BUs to find out risks and remediate risk on time.

There are lots of features which motivate our client to use RSA Archer. First of all, its access control feature which provides access at application level, access at record level and  at page level. It helps client to avoid any unauthorised access.

Also, there is a strong integration between the RSA Archer modules and also option to integrate with other application/ process help client to increase confidence on data integrity.

Suppose if anyone is using RSA Archer audit management or any out of the box use cases, it also provides some of the inbuilt capability of the assessment, like some of the questionnaires and some of the controls that are available in RSA Archer.

 Capability of sending automated email triggers to the stakeholder on a fix frequency.

Workflow feature, reports and dashboard capability etc. lucrate client towards Archer.

 UI/UX can be improved and a feature to allow end user to update assessment question and add or remove recipients from a notification will help client to minimize their dependecy on Archer developer.RSA Archer somehow lag behind in the user interface.

Additionally, the reporting capability of Archer should be improved. Because generally what clients do is analyze processes, their records, their status. They integrate it with either Tableau or Power BI just to customize their reports and see more user friendly reports. So I would suggest to improve reporting capabilities as well.

In terms of stability and performance, Archer is good.

RSA Archer is easy to scale, it's not complex.

It is a requirement to maintain RSA Archer. Our team even provides the managed services to the client, as well.

Some of my clients are moving their GRC solution from other platforms to RSA Archer because of scalability.

Support is good, but sometimes I feel there are some queries or issues, where I or our client need a resolution quickly, but sometimes it gets delayed from the customer support side.

Generally client without GRC framework move to Archer to automate their processes.

Generally we deploy the RSA Archer on client's infrastructure. It is not complex, even for the first time user, process to setup Archer is easy if they refer manuals or guide.

Generally, one person can easily install if it is a small or medium and not a complex deployment. But if it is a large scale deployment I think there will be more requirement of other team involvement as well.

Yes, we do evaluate other options/framework available in market e.g. ServiceNow GRC, OneTrust etc.

But we suggest best option basis the client requirement and which suites most in terms of cost and effort.

My advice to anyone considering RSA Archer would be to use it for their GRC capability and automate their manual tasks. If they are doing any manual task, they can simply automate through RSA Archer. It will increase efficiency, minimize their risk and will make them more compliant.

On a scale of one to ten, I would give RSA Archer an 8 out of 10

Archer is a repository tool that is leveraged by all the security teams across the firm. The analysts and architects use it to store their data and store the vulnerabilities, which are coming from other applications while scanning the devices and everything. 

My job is to integrate the other applications with this application and try to bring all the data from those applications in here and create a workflow, environment, and framework for the different teams to use those records or vulnerabilities to  make a decision on what they should do. It just makes their life easier.

We are using the solution on-premises, but we are going on the cloud next year.

The last project was for an investment group that was using Excel. Shifting their records from one position to another took approximately 15 minutes. In Archer, we created a workflow for them to leverage it, and they could send the single record with one click to one person within seconds. The whole process went from 15 minutes to two minutes to get the approval for the records. The main purpose of Archer is to just make it easy.

It is really valuable to me because there are a lot of things which I can do and learn from, especially different programming languages. It's not just built on one thing. There are multiple languages which I need to learn in order to run this. One is JavaScript. On the back end, it's C#.NET. On the server type, it's Java. Trying to figure out every single thing makes my knowledge grow more and more every day.

There is a platform called Archer Community where we can post our concerns and any areas that need to be improved, and they will reach out. Recently, we made a suggestion for cross references, like for one application to another. There were limitations there, so we're hoping that will be included in the next upgrade.

Whenever there's an upgrade, they'll just make changes to the application. RSA is a Dell company. Dell is the parent company, and RSA is under that.

There are performance issues and bugs here and there, but it hasn't been a real concern. Sometimes it's slow, but mostly it's on our computers and processors. We just need to delete some stuff there and put them back on the server.

It is very easy to scale. Right now, we have three teams using the solution. It's about 15 to 20 people.

We are responsible for maintenance. There's a team of 20 to 25 people dedicated to Archer. Once it goes to the cloud, then we won't be responsible for maintenance.

We have plans to increase usage in the future. We are talking to the different departments of the company. Archer is not like a business. It doesn't go outside the business because it's really a security tool, and it's just used by the security departments and different departments who are involved with security. It just involves the company. We're trying to leverage it to different departments and we'll see what happens.

They are good. They don't need any improvement, but sometimes they need some guidance. We have our documentation, so they can just refer to that.

Previously, they were purely on Excel files and getting data from the applications inside Excel or Word format. I think this is the first solution they went to, and this is the best tool for GRC, governance, risk, and compliance. There are other tools but they would be confusing for the business, so Archer is the best right now.

The setup process was really easy. You just have to package and install it. There were two or three people involved in the deployment. It took about a day.

I would rate this solution 8 out of 10. My advice is don't just stick to Archer. Learn different tools because it's just a tool in the end. It will be fully configured, and you won't have anything else to do. Go into the business side and try to learn the business.

My role is as a developer or administrator of this tool, but I'm also a user. I work as a senior system developer and we are customers of RSA Archer. 

Previously, the process we required was carried out in Excel data with follow-up emails through Outlook and it was very difficult to track. After we implemented Archer, things worked a lot more smoothly, and rather than looking for things, the system sends a notification reminder. We can do everything within the tools; updating records and publishing them, maintaining approvals, reminders, reporting, and dashboards. 

Some of our clients who use Archer bring the activities scan and present data into Archer, and can then manage their workflow. They can see the overall risk rating, how it relates and where it's coming from, the device causing it, those kinds of things. They wouldn't have been able to do that without Archer. 

The tool is really well designed overall and you can develop any application, automate any workflow including the GRC work processes. Workflow can be automated very easily so that providing access and making changes are all relatively simple. I find that integrations are very easy in this tool. For example, bringing data from an external tool is easy and manageable. It also provides a single tool to manage all the different workflows and different processes. For example, you can perform risk management, policy compliance, audit, and all other processes. It's really a one-stop-shop and a great feature compared to what other tools offer. Finally, the core solution and library provided with the tool are great compared to other tools like ServiceNow, which still process metrics. I don't think they come close to Archer. 

Other tools, specifically designed for audit management have a better GUI than Archer. The problem with Archer is the business process. If you design in Archer you get a lot of tasks and a lot of information that gets congealed, which users don't like. The issues can be solved using the advanced workflow feature of Archer but it was only recently introduced and most clients are still using the old version to run the workflow.

If your process requests many tasks, many approvals, workflows, etc., then you're definitely going to see a lot of information in one sheet which makes the job harder. It's all dependent on your process. There are some flaws in the system, which are generally rectified over time but there is still room for improvement. I've previously given some feedback and, in general, there are a lot of complaints about the GUI. 

I've been using this solution for three years. 

The solution is very stable but as the data grows and the size of the database grows, you need to add additional servers or sources to manage latency. It creates a lot of logs and the data fills up if it's not properly maintained. It doesn't require daily maintenance but a clean-up is needed at least once a year. If you have really good hardware resources, you don't really need to do that.

The solution is easy to scale. Just add a server, then store the tool in it and then load balance it. It's not difficult. We have around 2,000 regular users and we're likely to increase that.

I think customer support is really good. There are some times when they don't have a solution to a new problem, something newly identified, but they submit it to the engineering team and ultimately it gets fixed. It can sometimes take a few months but I don't see any major issues with their support. I think they're pretty good.

The initial setup is reasonably straightforward. Deployment is generally carried out by one person. If a company wants to maintain segregation of duties, then multiple teams are necessary; one for development and another for deploying the change in production. Deployment time depends on the change you are pushing. If there are multiple items involved, the best option is to deploy the package. If the application has millions of records, then it will take longer to recalculate. If there's a smaller number of records, deployment can be done in a couple of hours. 

We've definitely seen a saving with the automation of the process. It saves time which can be spent on other activities. And, of course, that means a cost saving. 

I believe our licensing costs are around $100,000 for the tool and that possibly includes a basic solution that comes with the tool. If you then need another solution then there is an added cost for that. I don't know how that compares to the cost of other tools. 

For anyone trying to automate a data GI processor, Archer is a good product.

I rate the solution nine out of 10. 

We primarily use the system control module and specific IT control models for ongoing risk assessment activities. We use it on a day-to-day basis. 

It has various valuable features. For example, showing us if a control aligns with specific standards or frameworks helps us understand it better and verify its compliance.

The user interface needs work. There are many small text boxes, like credit card size's boxes, where we need to input a lot of text. You can't see what you're typing beyond the tiny window, so you have to scroll or type elsewhere and copy-paste it. It's very inconvenient.

So, improving the user interface would be beneficial.

I have been using this solution for two years. 

I would rate the stability a seven out of ten. It's stable, but most of the time it takes a long time to load, even with good internet. Maybe it's on our end or because it's on-premises.

So it could be faster to load. I would like to see improvement in the stability of the solution.

There are around 300 end users using this solution in our company. We all access it to manage compliance through the system.

I would rate my experience with the initial setup an eight out of ten, where one is difficult, and ten is easy. 

From my perspective, it's a useful tool with all the essential modules and features for governance, risk management, and compliance activities. The reference information linked to controls and risks is also beneficial and provides flexibility. Overall, I would recommend RSA Archer.

Moreover, I would rate the solution an eight out of ten. 

The product has a much broader footprint than Workiva and AuditBoard. It's IT risk, IT service management, third-party risk, enterprise risk, internal audit, SOX, regulatory compliance, and regulatory change management. It's a much more integrated end-to-end suite of products or a suite of processes.

It allows us to build out our policies and processes, tie them to the risks, and allows us to go look at our risk and compliance program, from the policy to the processes to the risk to the controls to the issues. We can report from our issues up to the policy and regulation or from the regulation down to the issues. Therefore, we can look at how we can connect that string so they can look at all those various pieces.

The integrated data model of a one-to-many/many-to-one relationship is quite useful. It shows what needs to be done around your risk controls, policies, and processes. I can tie one risk to many business processes and have those controls tested once, and then apply them to many different risks and regulatory initiatives.

The technology's a little outdated. They need to get a little bit more updated. AuditBoard and Workiva, as examples, are built on later or newer versions of the technology stacks and just have a little bit more to offer and a little bit easier to implement and integrate. Archer's just a little bit, in the current structure, older. that said, obviously, it has the most sophistication of any of the platforms out there.

There are no features that need to be added. It's really making the technology more current and upgrading the technology stack to where it works a little bit more seamlessly and efficiently. Being an older technology, some of the integrations and some of the things you need to do are a little harder and a little bit more old school, if you will, than a little bit of the open-style integrations that you have today with some of the newer tools.

I've used the solution for a long time. I've likely used it for 20 or more years. It's been a while. I've used it basically for the entire time it has been around.

The product is less stable than some others, given just it's on an older technology stack. However, it is still at or above industry standards.

The solution is very scalable. 

I'm also familiar with Workiva and Auditboard. They are a bit more modern. This product is more old-school. 

The more processes you try to implement, the harder it gets to set up. That said, on a one-to-one basis, it's pretty simple. Since it's a larger-scale tool, it takes a little bit more planning and management. Therefore, if you're just implementing SOX, it's not that different from a Workiva or an AuditBoard. If you're trying to implement ten processes, it adds to the complexity of what you're trying to do.

In terms of how long it takes to deploy the solution, if it's a one-to-one process, it takes about two to four weeks. However, if you're doing eight, nine, or ten processes, it could take months based on the sophistication of what you're trying to achieve.

I am not acquainted with the pricing or licensing aspects of the product.

As a system integrator, we have worked in and around all versions of the product. We're working on the latest and a lot of their SaaS and hosted versions now.

Right now, while they do offer on-prem versions, it's almost always in the cloud. It's not a multi-tenant structure like an AuditBoard or Workiva. It's still a single instance in the cloud, as it's a little bit older.

Similar to Workiva and as a system integrator, using something like this product is about understanding what you're trying to achieve and then getting the tool to use it. Each tool has nuances, strengths, and weaknesses. It's in knowing what you want to achieve that will allow you to ensure you're getting what you want to be completed that makes the tool successful.

I'd rate the product six out of ten.