RSA Archer Reviews

I am using RSA Archer for internal audit management. It is used for the entire life cycle for audit, which includes engagement planning, reporting, action management, and so on. It is also used for internal resource management. The timesheet management, resource management, and training are being managed through the same system. 

It has been deployed on-premises. My organization has 16 groups. It is installed and managed centrally by the headquarters, and we are using the application.

We got rid of a lot of paperwork. As an internal auditor, we have to comply with IIA guidelines. There are standards that we need to follow while completing an engagement. A lot of requirements have been automated through the system, such as quality assurance, engagement review, audit follow-ups, and so on. It has supported the organization as a whole.

It is highly customized for our organization. It is primarily for GRC, but we are using it for audit management, resource management, timesheet management, and so on. These were add-ons features that were customized and developed by the vendor.

Its user interface is pretty neat, and there is flexibility in generating the data. You can customize reports at any level. You can directly get reports in Tableau format. If you want to generate statistical data, you can create reports with graphs. There is an adequate amount of flexibility for changing the format, the type of graphs, etc. 

The dashboard that is a part of the RSA Archer could be more aesthetic. 

There should be a way to export and get data from the system in PDF or PowerPoint presentation format. This would be a great addition.

It has been almost two years since we have been using the product. We have been using it almost on a daily basis.

We have been using the web application, and sometimes, there are issues related to the network availability, etc. Other than that, we have not seen any issues in terms of performance and input and output controls. We never had any reports that were not correct. So, more or less, it is fine.

Scalability-wise, we already have a proven case. Deploying a solution in one company with a fixed, organized structure is one thing, but deploying at a mass level in multiple companies and bringing them all together in one single platform is a completely different thing. It proves the scalability of the solution. There is no doubt that it can be scaled to multiple organizations in one go.

We have more than 200 users. They are internal auditors, but if we also count the auditees who use the same system, the number would be much higher.

Our version of RSA Archer is heavily customized. Therefore, at the initial stage of the deployment, there were a few issues for which we needed support. We had a few workflow issues or anomalies in the reporting. 

At the organization level, we have a uniform IT management system for IT tickets. We have an IT support team at the group level, and then we have a support team in headquarters. It is being managed just like any other solution in the organization. We are satisfied with the support.

I have seen the deployment of the SAP-based audit management system in 2013 or 2014, which might have changed a lot over these years. From a user's point of view, RSA Archer has a better user interface. It is easier to use. SAP had a typical structure and user interface. It might not have been user-friendly for everyone. RSA Archer is more user-friendly. Its acceptability is much higher when you are deploying it in an organization.

It followed the usual SDLC life cycle. They came and understood the processes. They understood the way the audit was being managed in our organization. It was a joint effort between our organization and the vendor. There were a lot of sessions to understand how we conduct our processes and what are the challenges that we face. Bringing almost 16 to 17 companies in one single platform was a challenge in itself. Even though we had the same policy procedure, there were some differences in the way things were being done, the formats of the files that we were using, and the way people were doing the audits.

It took a lot of time to have a good base of the design itself, but it was worth it. The deployment was done phase-wise. It was not a single-phase deployment; it was a multi-phase deployment. Initially, we just implemented the basic audit management in which we were able to create engagements and add the findings. Later on, more complexities were added related to quality management, timesheet management, detailed reporting, and so on.

It required a lot of interaction with the group companies and the development team in the HQ. There was one whole team in the HQ that had 15 to 20 people. From each company, there were about two to three people. It was a big team. My estimate is that we had at least 20 to 30 people.

The initial deployment probably happened in a span of six months. Every quarter or every six months, they take feedback from different companies, and they ask for whatever modification is required from our side, and they keep on releasing the updates, small modifications, and so on. It is a continuous process, and we are still fine-tuning the system.

I'm not an administrator, so I don't have information about the maintenance it requires in the backend. Because it is heavily customized, whatever development happens, it happens only internally. The production and the development environments are optimized. Apart from that, the routine activities that we require are related to any data modification with reference to the audit parameters of the attributes. We usually request to change or modify them. There is also an approval process. These are the kinds of interactions that we have as users.

There is absolutely no doubt that it is a very good tool for audit management as a whole. If you are deploying RSA Archer, the most important thing is that you need to be very clear of your requirements and the processes for audit management. It can maintain the organization hierarchy, business hierarchy, processes, projects, and assets. It can maintain a lot of repositories and attributes related to an organization for mapping individual audits. It is a wonderful tool, but if you are not clear about how you want to deploy it, it could be a mess. This is applicable to any enterprise-level tool. 

The reason I'm certifying with RSA Archer is that when you are using it for audit, there is a particular strategy and the way to do it, which may vary from organization to organization. So, you have to be very particular about what you want from the tool before deploying it. You should not deploy it and then define your processes. 

I would rate RSA Archer a nine out of 10.

We have four primary uses of the solution. My job role was mainly the administration of RSA Archer, in financial services for the public sector bank. Our main use cases were security incident management, mainly to the cyber security incident management, and also the governance risk and compliance part to the DRC part. The auditing and audit updates all were taken through the RSA Archer, and also the customer feedback. But mainly RSA Archer was used for inventory. 

At my organization, we used to have a manual process for every communication work. For example, security monitoring management and everything was happening through mail and was on Excel sheets, things like that. So after acquiring RSA Archer, we were able to have a single platform, a dedicated platform where we can get all our requirements. The solution has improved my organization by having everything combined into a single platform.

I have used a couple of other products for the same domain. As compared to Archer, this solution is a highly mature product. The interaction has highly improved, especially in the latest two updates. The flexibility of the application and the usability have improved a lot as well. That's what I think stands out for RSA Archer.

One area that could be improved with the solution is the administration part, the backend task. That is a bit complex; or rather, the user interface can be made easier. For the newcomer, Archer might seem a bit complex. But once you get used to that, it's all fine.

In the next release of the solution, I'd like to see more inbuilt applications. For example, I talked about our organization having security management. Those are custom applications built by our own team. These are not out-of-the-box applications.

I have a total of three years experience with RSA Archer.

After deployment, my company managed the solution. We've had multiple issues with RSA Archer. The database has gone down; the infrastructure on the application side had a couple of issues; sometimes the services went down. After upgrading to the latest version of the solution, they are more stable than the previous one and it is a lot better now.

I'm really satisfied with the performance. We have more than 1000 or 2000 current users on RSA Archer, and we haven't faced many problems.

It's really scalable because we have options to import users or applications automatically; there are options to import a large number of users. Last year, we had a merging of three banks, and the users of the other two banks were brought into our Archer. They had more then, about 1,000 to 1,500 users, and that was done within a month. We were able to integrate all applications and users. Scalability won't be an issue.

I have been in touch with Archer customer support a couple of times. I have had good experiences; I haven't faced many issues with them. But it will depend upon the company's contract with RSA. There are different support levels.

I haven't worked on the deployment of the solution, but I know the basics of the infrastructure. It's not highly complex, but it is complex as compared to other applications because, in addition to applications and databases, we have the services side as well.

Our deployment of the solution was done by a third-party.

The solution is not at all a cheap product. Whenever someone is planning to buy the RSA Archer application for their organization, the first thing is to understand whether they really need it or not. We have our in-built applications, but first, we need to check whether we require it or not. That is the main thing. The second thing is whether they have the technical people available who are able to handle Archer. Even if they have the product and all, there aren't many people in Archer. We always be making custom applications; we hardly use any built application. So we should have technical employees there.

Talking about my personal use, RSA Archer is one of the four tools which I have managed. And talking about in my organization, it is used extensively. The main core use was security incident management.

I would rate the solution an eight out of ten.

Our use cases for Archer include third-party management, enterprise risk management, and compliance management. We have a partnership with RSA Archer and I'm a manager in risk advisory.

Among the most valuable features of this solution is the easy implementation and the degree of automation that it offers. This product is very compatible with our business processes and the dashboarding features are creative. This is an easy tool to learn and to work on. They have a great community where you can ask any question and be sure to get some responses. 

Archer has evolved significantly over the last five to eight years, but there are still some areas that could be improved. We've noticed recently with the advanced workflow jobs that we're receiving some errors. It's a showstopper for us and it's clear that some kind of development support is needed. If there were an improvement in the design and the advanced workflow, jobs would run more smoothly, and a lot of value would be added to the business. Another aspect that could be improved is the UI which has a very old generation feel. For additional features, I'd very much like to see tools added in the next release. This could include a live connection that could be built in order to bring all the client data from the legacy system directly into Archer. Right now it's a data feed. There are currently some ActiveX options for live collections, but not for all the products. 

I've been using this solution for five years. 

The solution is stable, it's a very mature product and if anything goes wrong we can provide the answers or the Archer community has the answers. We are currently having some problems with performance and our clients are complaining. The issues are with calculations and advanced workflows and it's creating a slow down in the system. We probably have around 5,000 users through our client companies.

The solution is very scalable. The design approaches Archer provides are very easy to change and scale. In an agile project, it's very easy to handle or develop with most of the configurations based on drag and drop as per the document framework.

Most of the issues we've had to escalate to RSA support belong to the advanced workflow section. These problems cannot be solved by Archer's UI and require back-end support or technical support from RSA. We're satisfied to a degree, it can take a few days to get a response. 

The initial setup is straightforward, the complexity lies in the operations. The entire configuration project requires minimal manpower. Archer has a built-in wizard where you can either create a package and send it to the higher environment or just install the package. It doesn't take more than half a day. In the latest versions, we've seen that some of the features are not automatically deployed and manual checks are required. We're expecting to see that rectified in future versions. 

The licensing is more expensive than other similar products and it often makes our clients step back and go for cheaper options. That said, the company is very clean and transparent in terms of pricing. There are no additional costs.

I have experience working with other GSU products and as a competitive analysis, I'd rate RSA's capability above that of other products. RSA Archer is more mature in terms of providing solutions. It's only when you compare the UI between solutions that Archer's competitors have an advantage. 

This is an easy solution and it's very good for agile projects when requirements can change abruptly. The only concern we have is with the advanced workflow which should be simplified so that if any errors come up, it's easier to change or modify. I recommend checking the target environment for all the configuration areas, making sure that it has been properly deployed, and checking whether it needs some post-deployment checks.

I would rate the solution very high but because of the error messages we've been receiving which require technical support and cannot be fixed by the Archer UI or the Archer configuration interface, I have to bring the rating down. If they improve the UI, I'd rate them more highly. 

For now, I rate this solution eight out of 10. 

My primary use case varies depending on the requirements, but uses include working on email notifications, fetching data feeds, and working on feed managers.

Archer allows us to define the progress of the organization's processes and helps build the right cyclic process and improve the current structure. We also track a lot and transfer a lot of vendors and users, and Archer has a repository that allows us to collect that data step by step. It also makes auditing easier.

The most valuable features of RSA Archer are notifications, workflow routing, and data filtering.

An area for improvement is the turnaround time for advice from the support team. In the next release, I would like to see a maturity rating feature that would provide industry ratings and information on the market.

I have been using this solution for about a year and a half.

Stability has improved over time, but there's still a lot of latency with some features, like looking up or checking the database.

This solution is scalable.

The tech support team's turnaround time is often slow.

Previously, I have used Aravo, and currently, I'm using Process Utility.

The initial setup was fairly straightforward as we were given hands-on training. Deployment took around three months.

When implementing Archer, I recommend looking through the videos supplied and making use of the free sessions that Archer provides. I would rate this product as six out of ten.

My use cases of RSA Archer are for WISP and controls-based audit purposes. For WISP, we keep the information security, like written informed consent protocol, and I manage almost 15 applications that I need to review the architecture of. I use RSA Archer to review the design document, the zone the application is hosted in, whether there is any kind of zoning division, the cryptography design, the cryptography used for data in motion, and what encryption they're using. 

Other than that, we have been using RSA Archer for a controls baseline. We had policies set up earlier and, based on those policies, control objectives were stated in RSA Archer for each and every application. 

This solution is deployed on-premise. 

RSA is a very rich application. I like its adaptive suggestion, where based on your users and the class of data, it can actually recommend you the proper control to choose. For example, we have been using PCI DSS as an NIST. So based on application feedback, it will provide you with a suggestion on which control objective needs to be set. Based on that, you can make a decision—you don't need to take the suggestion, but you can customize that particular provided suggestion. RSA Archer's workflow is also good, in terms of process automation. 

The first improvement I would suggest for RSA Archer is a better search feature. The search criteria needs to be improved. Sometimes I do a search and the search doesn't return the exact item I'm looking for. RSA Archer could also be improved by being more user-friendly. 

Maybe I have been using a limited version of RSA Archer, but I'm not sure whether it has ESG, environmental and social governance. In the next couple of years, ESG is the next feature that will be integrated into GRC tools. I would recommend RSA Archer adds ESG. 

I have seen some performance issues. For example, with the search criteria. When I'm searching with some of the IDs, it will return "FND_" and some finding numbers. Their search criteria is a bit cumbersome because I need to actually find what I need, but it's giving me a lot of other information. I have also experienced lagging when viewing an app configuration page, to see the controls associated with that particular app. I'm not certain whether it's a problem with Archer or with our implementation, but there are definitely some performance issues. 

We have a maintenance team responsible for the required maintenance. They handle new patches and some of the new framework rules and updates. They're also planning on implementing and integrating FedRAMP. 

RSA Archer is definitely easy to scale. It's not complex to add applications to our portfolio. For example, we can use one set of controls for one application, and then we can easily map another application with that same set of controls. 

We have a huge organization, so RSA Archer is available for higher management. In our portfolio, there are about 26 users. We don't have plans to increase our usage of RSA Archer because we are migrating to ServiceNow. 

I have the tech support where I evaluate according to a criteria. For example, how frequently that particular software version is being patched, whether the application server is updated with the proper software version or not, whether there is a failover plan, and what our data retention policies are, in terms of issues that are closed or obsolete, and how long we are keeping those. So I evaluate these questions with the maintenance team. 

Archer was being used when I started at my company, but I think they were previously using some CA tool. We have been using RSA Archer and RSM, but we are finally migrating to ServiceNow. 

I have not actually set up RSA Archer—a different team handles the setup and installation, and I integrate the frameworks for our applications and set up the control objectives. I have integrated different frameworks, like NIST and PCI DSS, and have found that you can create and upload your control objective from the spreadsheet and work on it. It's one of the easier ways to set your application-specific controls on RSA Archer. 

A different team handled the implementation. 

Return on investment is definitely there, in a sense, because with this particular governance, we can mitigate the risks of different kinds of losses. For example, with one of our applications, I have been looking into the portfolio that deals with PCA and PA data. If the upper control objectives are not managed properly, then there may be vulnerabilities which, if not properly remediated, will lead to losses—customer data loss and intellectual property loss. So there is definitely an ROI with this GRC tool. 

RSA Archer's price is justifiable and not as expensive, compared to ServiceNow. I have heard that the licensing for ServiceNow is much more expensive. I'm unaware whether there are any additional costs after licensing fees. 

We are migrating to ServiceNow, which isn't as rich as RSA Archer, but it's better in terms of usability. It's easier to integrate each and every control with the entities and it's easier to assign incidents and policies. The process automation and workflow is good in RSA Archer, but it's available in ServiceNow as well. For control audit purposes, since we are migrating to ServiceNow, we have actually mapped the entities and, from there, we are doing the controls-based audit. 

To any teams who are looking to implement RSA Archer, I would say that one problem I faced when we integrated NIST, PCI DSS, and other tools was that there are a lot of common control objectives out there with policies that are actually mapped. So you need to be making sure that you are not making duplicate control objectives. For example, take disaster management. In the data retention policy for the database, one of the control objectives requires proper access management, so that will be applicable for network as well. You can use a similar control objective and map two or more different policies, which will reduce the amount of effort you need to put in. 

I rate this solution a seven out of ten. 

Our primary use case of this solution is for GRC. I work for a bank and we used this tool to audit our information security team and our cybersecurity team. We had our control library, regulatory requirements, and third-party risks on Archer. So basically, I would say audit, regulatory requirements, third-party risk management solutions, and all kinds of controls, including SOX. These are the integrations we had set up. Right now, it's deployed on-prem. 

This solution helped us with the centralization of our governance data, so we could house all of our controls in one place. We could use that central repository of all our controls to build our risk management strategy and our policy and governance. So we could use controls as a central library and build policy, and then build risk management around it. 

One of the most valuable features is the ease of use. The customizable forms and drop-downs are pretty easy to configure. Automated notifications is another feature that is nice. The whole workflow, basically—if you're going through a workflow process, the whole process is automated with notifications. Basically, it's a pretty straightforward, easy-to-understand interface. I've also had the chance to develop some backend configurations, which is straightforward as well, if you want to add a new field or anything. 

Archer could be improved by having more customization. I'm not sure if the backend processes have API calls and those kinds of seamless integrations, but from the front, some of the solutions are very out-of-the-box. It's not customizable, so that could be a little problematic since you have to use their features. In terms of the backend structure, I'm not too sure because I'm not a developer—I was an end user and product owner of Archer—and I don't quite know the backend and developmental features. But since it's an out-of-the-box solution, sometimes customization was challenging and support was a little problematic because we had to reach out to them all the time. 

I have been working with this solution for the past 18 months. 

We did have a few outages, but otherwise, I must say it's fairly reliable. 

For maintenance, there's an admin dashboard. It's a capability that is handed over to our user and admin has super user access. 

This solution is quite scalable. At that point, it really depends on the strategy. Since we had all our controls on Archer, it was easy for us to scale and deploy other applications or develop other applications seamlessly. But imagine you had your controls on a different application—if it was not on Archer and you had to scale, it would be challenging to move all your data into Archer and then scale. So that is something that could be challenging, but since our strategy was already Archer through and through, we did not find it difficult to scale. 

There are approximately 500 users, across all departments, using Archer. It is being used extensively at the moment. Right now, we don't have plans to increase usage, but I'm sure there's going to be organic growth. 

On a scale of one to five, I would probably rate support a three. I wouldn't say it's the best, but it's not bad either, in terms of both the response time as well as the support. 

We used SharePoint for a bit. We switched to Archer because the graph, user interface, and all that was better than SharePoint. I'm not too sure about the strategic decision because I wasn't with the organization back then, but I know that they wanted a centralized location for their governance, risk, and applications. 

I think the deployment process is pretty straightforward. The solution was deployed for us through a third-party consulting agency, so it wasn't Archer or RSA developers, but a third party that implemented the solution for us. During the time of deployment, we were in a CI/CD mode, so we always had new applications, customization, new fields getting added. 

A third party implemented the solution for us. 

If you are considering implementation, my advice would be to decide on a strategy first before you implement a solution. The solution is nice, but unless you have a strategy, I don't see the point in implementing it. 

I rate Archer a seven out of ten. 

We customize this solution for our clients. We take all their requirements and prepare the design and format by creating fields, notifications, access controls and workflows. We use all the management features that the solution provides to support our clients. We are customers of RSA Archer and I'm a senior consultant. 

The Advanced Workflow feature is one of the most valuable and user-friendly. We used to have to write multiple calculations. With Advanced Workflow, things are much easier for the developer and end user. It's a robust feature that allows users to easily identify what they're doing and where they are. We're able to create multiple layers with a specified functionality that gives an understanding of what is required as well as increased flexibility. Archer provides good security, enabling access where necessary. It's also a useful reporting tool, clearly showing functional data and, when needed, the ability for comparison. The default dashboard shows daily activities that are easily captured allowing for information to be extracted. 

In the current version, RSA is a little slow mainly because of Silverlight which I believe has been removed in the next version. We have some issues using .NET because migrating requires retraining the custom object every time; it's a manual change which is challenging. For that reason, we don't use the custom object. What's needed is a valueless field, where we can drag and drop, add some values and the process is automatic. I'd also like to see an 'approved' button incorporated in the notifications for updates. It would save time and make life easier for the end users.  

I've been using this solution for 11 years. 

This solution is very easy to scale and easy for new users to understand.

Because we use most of the modules we're paying a lot to get good support. We interact with someone from RSA on a weekly basis and deal with any issues on the platform.

The initial setup is straightforward when you understand the system. We put our new users in the sandbox environment and get them to play around with it before setting out our requirements. It can be a bit of a challenge initially but not for long. It's not a common platform and is different from other tools. Once our users are implementing, it's a very smooth process for them. We have a total of seven developers, four are in-house and three are on contract. 

Deployment time depends on the use case; if it's a large implementation, it can take between six and nine months. The solution needs maintenance because of the updates and that often results in patching needs. We're using Archer on a daily basis. 

I'm not sure about the cost of the solution but every year we purchase additional on-demand applications. Archer offers a package that allows the purchase of 10 on-demand applications. You can purchase more than that and the price goes up accordingly. I believe these purchases come with two years of maintenance support. 

This is a good solution compared to others in the market because it is more secure. It's suitable for any size company although smaller companies will only need to use certain modules with larger organizations using multiple modules. This is a one-stop storage device that you can access from anywhere. 

I rate this solution nine out of 10. 

It is used for enterprise risk audit, corporate compliance, and vulnerability reporting like threat management reporting. It is a whole suite that has different products depending on what you want to track and report on.

I do use the SaaS version, but I have also deployed it on-prem, and I also have experience with the original cloud version. The one that we deployed originally on the cloud was on AWS, but now they do everything on SaaS.

From my perspective, because I've always done it as a consultant, I do like the way it is configured. They've gone into changing the application builder interface, so it is even easier. When you're working with users, it is really easy to show them how to do things quickly and how to configure, change, and design stuff quickly.

Some of the error reporting isn't very clear. When you're looking for information on error codes, you got to do a lot of digging.

I've never seen any major issues.

Its scalability is very good. Because of the way they've set up their licensing, it's now very easy to scale, especially if you're using SaaS.

We have over 60,000 users across all departments. Some users just go to check the status. I would think it is being used extensively.

It has changed over the last six months, and it is a little bit more challenging. When you have to report an error, you can't really find a lot of detail online. You have to open a case file, and then after opening a case file, it does take some time for resolution. From one to five, I'm going to rate them a 3.5.

It is very straightforward. The documentation that they provide is clear in terms of the instructions that you have to follow through. It is very well documented. Most users and techs can follow it, even with very little experience.

For its deployment, usually, there are one or two people. You don't need more than that because it's a very easy product to upload. If you're doing it from scratch where you have absolutely nothing, it is about a half-day setup.

It requires very little maintenance. Their upgrade packages are pretty quick, and it is easy to do the upgrades. It is very user-friendly, and even if you have no tech background or you're a new Archer administrator, it is very easy to do.

Its ROI is quite high when you look at how long it takes for people to input stuff for compliance risk, vulnerability management, and threat management. The centralization of data allows you to get a pretty high return on your investment pretty quickly because it's really easy to implement. It doesn't take like a year. You can do it in less than two months, depending on the solution that you want to implement. The customization opportunities with reporting are also pretty high.

I am not 100% familiar with that, especially with their new model. I just know that the way they've licensed per user to scale is good.

I would advise others to know their requirements going in because there's so much flexibility with the product. You could over customize it just because it allows you to do so much, but sometimes too much of a good thing is not a good thing. If you know your requirements upfront, your road to success is short, but your return is high.

I would rate it a nine out of 10.