RSA Archer Overview

RSA Archer is the #1 ranked solution in top GRC tools, top IT Governance tools, and top IT Vendor Risk Management tools. PeerSpot users give RSA Archer an average rating of 8 out of 10. RSA Archer is most commonly compared to OneTrust GRC: RSA Archer vs OneTrust GRC. The professionals researching this solution most often come from computer software companies, accounting for 26% of all views.
What is RSA Archer?
With Archer, you can adapt enterprise governance, risk, and compliance (GRC) products to your requirements, build applications, and integrate with other systems; control the audit lifecycle to enable improved governance of audit-related activities, data, and processes; reduce the risk of IT and business disruption, harmful operational events, and significant business crises; and build an efficient, collaborative GRC program across IT, finance, operations, and legal.

RSA Archer was previously known as Archer.

RSA Archer Buyer's Guide

Download the RSA Archer Buyer's Guide including reviews and more. Updated: January 2022

RSA Archer Customers
T-Systems, Bridge Point, Equifax, First Data, Global Imaging Company, Manulife Financial
RSA Archer Pricing Advice

What users are saying about RSA Archer pricing:
  • "RSA Archer's price is justifiable and not as expensive, compared to ServiceNow. I have heard that the licensing for ServiceNow is much more expensive. I'm unaware whether there are any additional costs after licensing fees."
  • "The price of RSA Archer is good. The price isn't too high considering it is a leading tool in the market."
RSA Archer Reviews

    Security Specialist at a tech consulting company with 1-10 employees
    Consultant
    Leaderboard
    Configure security applications easily while retaining the capability to customize with and without coding
    Pros and Cons
    • "The most valuable part of the product is the ease-of-use and the opportunity to create custom security applications easily."
    • "There are some issues with the interface for version 6.5 but these may already be repaired and simplified in the new versions that have been released."

    What is our primary use case?

    I am developing applications in Archer from RSA (Rivest, Shamir, and Adleman). It is quite easy to implement the application. You just configure the workflow, define the forms and how the data is processed in the application. Everything can be configured without coding. You can also use code to create special functionalities, but it is easy to do almost everything without coding at all.  

    How has it helped my organization?

    It gives me the opportunity to create custom security applications easily.  

    What is most valuable?

    The most valuable part of the product is the ease-of-use.  

    What needs improvement?

    I am currently using an older version of the product so my installation is not current. There have already been two new versions of Archer released after the version I have. I use 6.5, and 6.6 and 6.7 have been released. These two are minor releases. They are not really affecting the inner workings of how to do tasks but improving certain features like the interface. When I am creating applications I like to have what I know is a stable and familiar version of the product, so I do not automatically upgrade to the newest versions available.  

    Because I have not upgraded, the graphical user interface is not the current one. It is not very modern or as user-friendly as it could be. I heard that the new versions have improved the graphical interface very much in this respect, and it should no longer be a problem at all. So, for now, I have some issues with the interface for this version but it may already be repaired and simplified in the new versions that exist.  

    One thing I might like added is the ability to record a workflow in another application. It is really a sort of very technical thing and it is possible to do it in other ways, but adding this to the product could really help with the simplification of creating new workflows. This could make it easier to implement some technical things.  

    For how long have I used the solution?

    I have been using RSA Archer for one year.  

    What do I think about the stability of the solution?

    I have not experienced any problems with the stability of the product. It works as expected in accordance with the resources and feedback I received from my IT department. It can use a SQL server, a web server, or whatever I need. There is no problem with lag or overuse of resources on the server.  

    What do I think about the scalability of the solution?

    The product is flexible and scalable. The processes that are created with the product are going to be used by every manager in this company. That is a total of about forty to sixty people right now.  

    As far as how extensively I will use RSA Archer in development, everything I develop is per request. When somebody requests functionality, I am the one responsible for implementing it. It is not really possible to predict how often or how many requests come in or how complicated they will be. Usually, I am using it at least a few days every month. But I may be asked to implement an application that the other employees may use daily.  

    How are customer service and technical support?

    I had a few problems initially understanding the sample they showed for the implementation. Once I contacted support they told me a few things to try and sent me links to additional documentation. When I read about it, I was able to easily resolve the issues I was having. When I was then also introduced to the community, I was able to continue to quickly solve any problems I had. There is a huge community of users that is quite active and can help other users to solve issues. It is great when others who have already solved similar problems in real life share their knowledge about how to solve those problems in your own environment.  

    But in general, from my experiences, I would rate the support at RSA as very good.  

    Another benefit is that — although there are many features already — you can propose new features directly to the company. There is a place in the user community to propose those features where they can be discussed. If they are popular features with users, they are implemented. So you can ask for anything and if you have an idea which is good — something which is required by others — it is usually implemented. I have recommended about four or five features that are in the process of being considered. It is a really good way for the company to guide their efforts in improving the product.  

    Which solution did I use previously and why did I switch?

    A similar product that we used before RSA Archer was LDRPS (Living Disaster Recovery Planning System). We had to move from LDRPS to the RSA product because LDRPS went to the cloud. The security requirements of our management and of our customers are generally that they do not want to have very critical information on the cloud. In some cases, they cannot have it there at all. We have to use a tool that is possible to install on-premises. When we were evaluating solutions, I was testing several of the products. I chose RSA Archer because it met this requirement and other needs we had for flexibility.  

    I chose RSA Archer because I was tasked to find a tool that could implement business continuity planning. Archer can implement more processes in many ways, so it is not difficult to implement anything from incident management to business continuity, to change management. Anything somebody asks me to do, they provide the requirements and it is really easy to implement it in this. On top of that, it is easy to customize.  

    So this is the reason why we chose Archer. It is easy to implement, it is easy to change the workflow, and it is easy to customize the processes.  

    How was the initial setup?

    Archer can be set up for use in very small environments and you can use one tool for several installations. It can be installed on several servers concurrently, so every server might be configured to have special features and styles and the instances of the installations cooperate together to provide the functionality of the tool. So the complexity of the setup depends on how large an environment you have. At this moment, I have experience only with very small environments, running the product on one computer. But the product also has great documentation. Just using the documentation alone I was able to install the product really easily and get it up and running on the one server.  

    It took me a little more than one day to install. The deployment really depends on the use case. The use case is processing or the kind of process you are creating. For example, processing may need to analyze requirements supplied by customers. The more requirements and more processes you need in Archer the more complex the setup will be. Usually, it takes a few days to create a process. I would say on average that processes are implemented in five days. The options and features that the tool has are really quite vast. There are lots of features and every company only chooses to use some of them, which they license and use separately. It can be compared to something like Jira.  

    What about the implementation team?

    I did not have to consider using an outside vendor for the installation and I was able to complete the install by myself with the help of the documentation.  

    Which other solutions did I evaluate?

    Many tools that I tested had processes wired into the application without any option to change them. When I needed to fill requirements that differed even slightly from what was already implanted in the tool I would need to make a workaround or need to implement another tool. This would not have been the best way to go about what I would need to accomplish regularly.  

    What other advice do I have?

    For people considering this product, they have to be sure that it is a product that could really do what they need it to do. Mostly any workflow can be implemented in the process in the application if they want to build it. The best thing would probably be that they should just try it and see. I would definitely recommend this product, but it may not be the tool everyone likes the best.  

    On a scale from one to ten where one is the worst and ten is the best, I would rate RSA Archer as a nine-out-of-ten.  

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Specialist - RSA Archer at a tech services company with 10,001+ employees
    Real User
    Complete end-to-end solution that's easy to integrate and customize
    Pros and Cons
    • "Integration is another great aspect of RSA Archer. From the beginning, integration has been a central focus for RSA, and Archer has always integrated well with most tools on the market today."
    • "RSA Archer might be a bit expensive for small companies because it's a vast tool."

    What is our primary use case?

    I'm an administrator for RSA Archer and a consultant, so I create platforms for various businesses based on their requirements. RSA Archer is a GRC tool, so RSA Archer controls and regulates different enterprise GRC solutions and IRM modules. I create those platforms for various business users according to their specifications. They provide us with the storyline, and then we advise them on ways to use RSA Archer to manage their processes. And then, once that is done, we create an RSA Archer platform.

    How has it helped my organization?

    RSA Archer has updated its UI many times. And the UI is now much more rich and user-friendly. That's one of the major things that they have changed recently. Our business users are much more comfortable with the latest UI. Also, the reporting mechanism inside RSA Archer is another thing that is very user-friendly. And in most of the cases I've seen, all the business users are very comfortable using the reporting tools.

    What is most valuable?

    RSA Archer is a valuable tool because it can manage the end-to-end functioning of any enterprise GRC module, such as compliance and risk management or business continuity plans and the entire BCM module. RSA Archer also provides many out-of-the-box solutions, which are use cases derived from the standards for GRC or risk management, governance, and compliance. It provides an end-to-end mechanism for business users on a single platform. That includes reporting, managing workflow, creating documentation, or tracking a process where you need to get approval from the various levels within the organization's hierarchy. 

    Integration is another great aspect of RSA Archer. From the beginning, integration has been a central focus for RSA, and Archer has always integrated well with most tools on the market today. RSA Archer has its own API that can be integrated into any other tools using .NET, Java, or any other language you can think of. So the APIs are excellent and easy to work with. 

    RSA is also increasing the scope of customization. When using a tool, consultants like us might need to customize it because the out-of-the-box solution does not perfectly match the client's requirements. So RSA is quickly incorporating those customizations and allowing us various ways to do that. In doing so, RSA is opening up more areas where Archer can be used. Vendor management is the latest example. They have already added one vendor management module. I'm not entirely familiar with it, but it can be integrated with other tools directly on a real-time basis. So that's one feature, which is very new to Archer, and I think it's going to be a breakthrough.

    What needs improvement?

    There are many small things that need improvement but on the whole, it is much better now than it was when I first started using it six years ago. They are putting out updates almost every day. The latest version came out just a few days ago, so they are constantly making minute fixes and tweaks based on input from different users. Users like us are developing applications on the tool, so when we have an issue, we open a ticket with RSA directly. If it is a new issue and they can't fix it, then they log it and provide a solution in the next release of their tool. They're also planning to move to a completely cloud-based solution, so they are providing all the support for RSA Archer to be easily hosted on the cloud and everything.

    For how long have I used the solution?

    I've been working with RSA Archer for the last six years.

    What do I think about the stability of the solution?

    Performance is always an issue with any coding system. And RSA Archer used to have more performance issues. It was completely on-prem, so there were some slowdowns because of that. However, they've upgraded their backend systems, the codes, supporting database structures, etc. So the speed has picked up lately. They have improved in the last few releases, and I hope they will also continue to do that. 

    What do I think about the scalability of the solution?

    We have various mechanisms to scale up. For example, we already have the lab configuration in RSA Archer, so we can use their lab to get that directory from the organization. And whenever it changes or updates, that's automatically reflected in RSA Archer too. So that is a very straightforward thing and easy to maintain also. And we plan to increase usage. My company is an RSA Archer partner, so they're always looking to increase the number of projects in RSA Archer. 

    How are customer service and support?

    RSA technical support is good. They're very approachable and provide quick solutions. Sometimes there may be a delay, but only if it is a very complex problem or one they might not have encountered earlier. 

    How was the initial setup?

    RSA Archer is very deployment friendly because it is quick and straightforward. Migration and deployment aren't too complicated. RSA Archer can do it more quickly than most other GRC tools in the market right now, like SAP GRC. RSA Archer is one or two steps ahead because the migration is pretty smooth and can be done very quickly. One person can handle it pretty easily, but it also depends on the level of customization you want. Whenever we are customizing a tool, we need a specialist. So during migration, the senior consultants monitor what the team is doing and the others supervise. But if we're talking about how easy it is, then one or two people can easily do it.

    Then there is the regular maintenance, but it's more accurate to say "enhancement" than "maintenance." Every time the user has a new requirement, we need to add those things into our resources. So it's pretty easy to do if you have two or three environments with you, development, UAT, QA, production, etc. The migration is pretty quick, so it's easier to manage from the maintenance point of view.

    What was our ROI?

    We've seen a return with RSA Archer. My organization started with a single project in RSA Archer, and now we are handling multiple businesses at multiple levels and doing several different projects in RSA Archer. And the clients are returning customers. They want to get into RSA Archer as much as they can.

    What's my experience with pricing, setup cost, and licensing?

    RSA Archer might be a bit expensive for small companies because it's a vast tool. It provides many built-in solutions and functions that can meet all of a company's GRC needs. So, ultimately, it is cost-effective because it offers tools that serve a variety of functions. It is costly, but if you are a big company, the decision is pretty straightforward in terms of the cost versus the service Archer provides.

    The licensing scheme has several levels, and you can purchase additional licenses depending on your needs. So you can opt to get only a license for the use cases that apply to your organization. You don't need to buy the entire thing, so that is a good thing.

    What other advice do I have?

    I rate RSA Archer eight out of 10. Nothing is perfect and every day RSA is perfecting its own tool, so I rate it eight. It is one of the best GRC tools on the market at the moment. But, every day new tools are emerging. For example, ServiceNow is one of RSA Archer's strongest competitors. They are also coming up with their own ASA application use case. But I would say that RSA Archer is a much more mature GRC tool, and it stacks up well against other GRC platforms like SAP GRC and IBM OpenPages. So in that sense, I would say Archer is a more mature tool with good services that can be helpful for your organization. I would recommend it. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Vice President at a financial services firm with 10,001+ employees
    Real User
    Useful modules and workflows, self-explanatory UI, and good integration
    Pros and Cons
    • "It is enterprise-wide accessible. So, it is very helpful for all the employees in our bank. They can log in and do their risk management activities. It has a few inbuilt modules that are helpful for doing risk management activities, such as issue management, risk identification, risk assessment, and policy exception management. It also has some inbuilt workflows inside these modules. They are also helpful."
    • "There is no inbuilt alert in Archer to let us know that a data feed has failed or did not run for different reasons. So, we don't even get to know that a feed has not run until somebody reports it to us. This has been a problem all the time. Data feeds have always been a big headache for us because there is no feature to let us know if a feed has not run or has failed. If Archer had a feature to send us an email notification when a feed has failed, it would've been very helpful. This is the reason why our users are slowly moving away to another platform. Some of the modules that I have been managing are being moved to ServiceNow. Next year, a lot of our modules will be moved from RSA Archer to ServiceNow, and the data feed issue has been one of the main reasons."

    What is our primary use case?

    We use this product for operational risk management in our bank. It is a multinational U.S. bank, and we use this platform for enterprise risk management. 

    We are slowly moving away from RSA Archer to another platform.

    What is most valuable?

    It is enterprise-wide accessible. So, it is very helpful for all the employees in our bank. They can log in and do their risk management activities. It has a few inbuilt modules that are helpful for doing risk management activities, such as issue management, risk identification, risk assessment, and policy exception management. It also has some inbuilt workflows inside these modules. They are also helpful.

    Its user interface is pretty good. It is pretty self-explanatory and intuitive, which is again helpful. It is also customizable to some extent. We can customize some of the functionalities and enhance some of the features to meet the user requirements for our bank.

    The integration of data with application servers and databases is also helpful. We can also use API calls. For some of the functionalities, we can integrate API calls with RSA Archer to meet some of the user requirements.

    What needs improvement?

    Many a time, data feeds create problems. We keep seeing that the feeds have not run on schedule or have failed, and that's why the reports were not processed or created. It probably also has something to do with the strength of our server. For example, in our production environment, the servers are more powerful. We have more memory space, so we don't see this issue very often, but in the test environments, where there are constraints in terms of server and memory space, we keep seeing this issue.

    There is no inbuilt alert in Archer to let us know that a data feed has failed or did not run for different reasons. So, we don't even get to know that a feed has not run until somebody reports it to us. This has been a problem all the time. Data feeds have always been a big headache for us because there is no feature to let us know if a feed has not run or has failed. If Archer had a feature to send us an email notification when a feed has failed, it would've been very helpful. This is the reason why our users are slowly moving away to another platform. Some of the modules that I have been managing are being moved to ServiceNow. Next year, a lot of our modules will be moved from RSA Archer to ServiceNow, and the data feed issue has been one of the main reasons.

    We have also had issues with API calls. API calls have always been a problem. Policy exception management is one of the modules that I was managing, and in this module, we had built a few API calls. We had a few API call issues where the API call had failed and records did not get created. Sometimes, records even got deleted. We had numerous calls with RSA Archer, and they always said that unless we reproduce the issue in a lower environment, they cannot help us, but the issue only happens in production, and it happens intermittently. It happens maybe once every two months or three months. We don't know why the API call is failing and the records are not getting created, deleted, or de-linked from the associated parent records. They couldn't provide us with any reason. If their issue resolution team was more proactive, it would have been helpful. This has been a major issue, and this is the reason that this function has been moved to a different platform earlier this year. 

    For how long have I used the solution?

    I have been working with this solution for the last five and a half years. I started working with it in June 2016.

    What do I think about the stability of the solution?

    Its stability is medium. It has been really good during the first few years, but after we upgraded in 2018 or 2019, we started experiencing issues. We didn't have the issues with the API calls in the first version that we installed, but after we upgraded in 2018 or 2019, we started having a lot of issues with the API calls, which could not be resolved. They couldn't give us a reason for these issues. The reason has still not been found.

    Data feeds had a slowness issue, but it was probably happening because of the memory space issue on the server. This issue is more related to our bank's side because we don't have adequate infrastructure. It is not really an RSA Archer issue. When we initially deployed it, we deployed it with the expected performance or expected number of records or users who will be using the system. Over the years, the number of users or records or the amount of data that we have in the system has increased a lot. Its performance has deteriorated a lot, and in the last few years, it is not able to handle the amount of data that we have. That's why we are seeing intermittent slowness. Sometimes, our users are not able to log in, which has had a big impact.

    What do I think about the scalability of the solution?

    Its scalability is of medium complexity. It is not very easy to scale, but it is also not too difficult.

    We have been using it very extensively. We have 300,000 employees, and everyone has access to the Archer platform. Some of the modules are open to everyone by default. For example, policy exception management is open to all, and everybody can request an exception to a company policy. Some of the modules are more restrictive, and access to them is given based on the user roles.

    Many of our functions are dependent on the RSA platform, but people are slowly moving to other platforms. In the next two or three years, I don't know how extensively it'll be used, but over the last five years, it has been used a lot.

    How are customer service and support?

    They are responsive, but they are not very helpful. They probably have limitations from their side. When we have any issue, they always want us to recreate it in a lower environment. We have to provide the details and steps to recreate it, and if we cannot do that, they cannot help or provide any root cause or resolution of the issue, which doesn't help, but they are always reachable. We have a couple of contact points in case we have any issues, and we can always email them. We have a weekly call with them where we can discuss any open items.

    How was the initial setup?

    I was not really involved in the initial setup, but based on what I heard from others who were working on the backend tasks, it was fairly complex. It was not very simple.

    What about the implementation team?

    It was mostly done by our team, but there was some collaboration with the vendor.

    In terms of maintenance, we are responsible for doing the upgrades. In the last five years, I have seen two upgrades. We had two or three patches this year, and every two or three years, we have an upgrade. The last upgrade was probably two years ago, and we are scheduled for an upgrade next year.

    What other advice do I have?

    It is a very useful tool. It has a lot of good features, but because of a couple of major drawbacks or issues, people are showing some resistance to Archer. If they can solve those issues, it will be a very good product that can be sold to more companies. 

    I would rate it an eight out of 10.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Sr. Internal Auditor at an energy/utilities company with 10,001+ employees
    Real User
    Highly scalable, provides flexibility for creating reports, and reduces a lot of paperwork
    Pros and Cons
    • "Its user interface is pretty neat, and there is flexibility in generating the data. You can customize reports at any level. You can directly get reports in Tableau format. If you want to generate statistical data, you can create reports with graphs. There is an adequate amount of flexibility for changing the format, the type of graphs, etc."
    • "There should be a way to export and get data from the system in PDF or PowerPoint presentation format. This would be a great addition."

    What is our primary use case?

    I am using RSA Archer for internal audit management. It is used for the entire life cycle for audit, which includes engagement planning, reporting, action management, and so on. It is also used for internal resource management. The timesheet management, resource management, and training are being managed through the same system. 

    It has been deployed on-premises. My organization has 16 groups. It is installed and managed centrally by the headquarters, and we are using the application.

    How has it helped my organization?

    We got rid of a lot of paperwork. As an internal auditor, we have to comply with IIA guidelines. There are standards that we need to follow while completing an engagement. A lot of requirements have been automated through the system, such as quality assurance, engagement review, audit follow-ups, and so on. It has supported the organization as a whole.

    It is highly customized for our organization. It is primarily for GRC, but we are using it for audit management, resource management, timesheet management, and so on. These were add-on features that were customized and developed by the vendor.

    What is most valuable?

    Its user interface is pretty neat, and there is flexibility in generating the data. You can customize reports at any level. You can directly get reports in Tableau format. If you want to generate statistical data, you can create reports with graphs. There is an adequate amount of flexibility for changing the format, the type of graphs, etc. 

    What needs improvement?

    The dashboard that is a part of the RSA Archer could be more aesthetic. 

    There should be a way to export and get data from the system in PDF or PowerPoint presentation format. This would be a great addition.

    For how long have I used the solution?

    It has been almost two years since we have been using the product. We have been using it almost on a daily basis.

    What do I think about the stability of the solution?

    We have been using the web application, and sometimes, there are issues related to the network availability, etc. Other than that, we have not seen any issues in terms of performance and input and output controls. We never had any reports that were not correct. So, more or less, it is fine.

    What do I think about the scalability of the solution?

    Scalability-wise, we already have a proven case. Deploying a solution in one company with a fixed, organized structure is one thing, but deploying at a mass level in multiple companies and bringing them all together in one single platform is a completely different thing. It proves the scalability of the solution. There is no doubt that it can be scaled to multiple organizations in one go.

    We have more than 200 users. They are internal auditors, but if we also count the auditees who use the same system, the number would be much higher.

    How are customer service and support?

    Our version of RSA Archer is heavily customized. Therefore, at the initial stage of the deployment, there were a few issues for which we needed support. We had a few workflow issues or anomalies in the reporting. 

    At the organization level, we have a uniform IT management system for IT tickets. We have an IT support team at the group level, and then we have a support team in headquarters. It is being managed just like any other solution in the organization. We are satisfied with the support.

    Which solution did I use previously and why did I switch?

    I have seen the deployment of the SAP-based audit management system in 2013 or 2014, which might have changed a lot over these years. From a user's point of view, RSA Archer has a better user interface. It is easier to use. SAP had a typical structure and user interface. It might not have been user-friendly for everyone. RSA Archer is more user-friendly. Its acceptability is much higher when you are deploying it in an organization.

    How was the initial setup?

    It followed the usual SDLC life cycle. They came and understood the processes. They understood the way the audit was being managed in our organization. It was a joint effort between our organization and the vendor. There were a lot of sessions to understand how we conduct our processes and what are the challenges that we face. Bringing almost 16 to 17 companies in one single platform was a challenge in itself. Even though we had the same policy procedure, there were some differences in the way things were being done, the formats of the files that we were using, and the way people were doing the audits.

    It took a lot of time to have a good base of the design itself, but it was worth it. The deployment was done phase-wise. It was not a single-phase deployment; it was a multi-phase deployment. Initially, we just implemented the basic audit management in which we were able to create engagements and add the findings. Later on, more complexities were added related to quality management, timesheet management, detailed reporting, and so on.

    It required a lot of interaction with the group companies and the development team in the HQ. There was one whole team in the HQ that had 15 to 20 people. From each company, there were about two to three people. It was a big team. My estimate is that we had at least 20 to 30 people.

    The initial deployment probably happened in a span of six months. Every quarter or every six months, they take feedback from different companies, and they ask for whatever modification is required from our side, and they keep on releasing the updates, small modifications, and so on. It is a continuous process, and we are still fine-tuning the system.

    I'm not an administrator, so I don't have information about the maintenance it requires in the backend. Because it is heavily customized, whatever development happens, it happens only internally. The production and the development environments are optimized. Apart from that, the routine activities that we require are related to any data modification with reference to the audit parameters of the attributes. We usually request to change or modify them. There is also an approval process. These are the kinds of interactions that we have as users.

    What other advice do I have?

    There is absolutely no doubt that it is a very good tool for audit management as a whole. If you are deploying RSA Archer, the most important thing is that you need to be very clear of your requirements and the processes for audit management. It can maintain the organization hierarchy, business hierarchy, processes, projects, and assets. It can maintain a lot of repositories and attributes related to an organization for mapping individual audits. It is a wonderful tool, but if you are not clear about how you want to deploy it, it could be a mess. This is applicable to any enterprise-level tool. 

    The reason I'm certifying with RSA Archer is that when you are using it for audit, there is a particular strategy and the way to do it, which may vary from organization to organization. So, you have to be very particular about what you want from the tool before deploying it. You should not deploy it and then define your processes. 

    I would rate RSA Archer a nine out of 10.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Manash Banerjee
    Technology Manager at a tech services company with 10,001+ employees
    Real User
    A rich application with good workflow, but search feature needs improvement
    Pros and Cons
    • "RSA is a very rich application. I like its adaptive suggestion, where based on your users and the class of data, it can actually recommend you the proper control to choose. For example, we have been using PCI DSS as an NIST. So based on application feedback, it will provide you with a suggestion on which control objective needs to be set. Based on that, you can make a decision—you don't need to take the suggestion, but you can customize that particular provided suggestion. RSA Archer's workflow is also good, in terms of process automation."
    • "The first improvement I would suggest for RSA Archer is a better search feature. The search criteria needs to be improved. Sometimes I do a search and the search doesn't return the exact item I'm looking for. RSA Archer could also be improved by being more user-friendly. Maybe I have been using a limited version of RSA Archer, but I'm not sure whether it has ESG, environmental and social governance. In the next couple of years, ESG is the next feature that will be integrated into GRC tools. I would recommend RSA Archer adds ESG."

    What is our primary use case?

    My use cases of RSA Archer are for WISP and controls-based audit purposes. For WISP, we keep the information security, like written informed consent protocol, and I manage almost 15 applications that I need to review the architecture of. I use RSA Archer to review the design document, the zone the application is hosted in, whether there is any kind of zoning division, the cryptography design, the cryptography used for data in motion, and what encryption they're using. 

    Other than that, we have been using RSA Archer for a controls baseline. We had policies set up earlier and, based on those policies, control objectives were stated in RSA Archer for each and every application. 

    This solution is deployed on-premise. 

    What is most valuable?

    RSA is a very rich application. I like its adaptive suggestion, where based on your users and the class of data, it can actually recommend you the proper control to choose. For example, we have been using PCI DSS as an NIST. So based on application feedback, it will provide you with a suggestion on which control objective needs to be set. Based on that, you can make a decision—you don't need to take the suggestion, but you can customize that particular provided suggestion. RSA Archer's workflow is also good, in terms of process automation. 

    What needs improvement?

    The first improvement I would suggest for RSA Archer is a better search feature. The search criteria needs to be improved. Sometimes I do a search and the search doesn't return the exact item I'm looking for. RSA Archer could also be improved by being more user-friendly. 

    Maybe I have been using a limited version of RSA Archer, but I'm not sure whether it has ESG, environmental and social governance. In the next couple of years, ESG is the next feature that will be integrated into GRC tools. I would recommend RSA Archer adds ESG. 

    What do I think about the stability of the solution?

    I have seen some performance issues. For example, with the search criteria. When I'm searching with some of the IDs, it will return "FND_" and some finding numbers. Their search criteria is a bit cumbersome because I need to actually find what I need, but it's giving me a lot of other information. I have also experienced lagging when viewing an app configuration page, to see the controls associated with that particular app. I'm not certain whether it's a problem with Archer or with our implementation, but there are definitely some performance issues. 

    We have a maintenance team responsible for the required maintenance. They handle new patches and some of the new framework rules and updates. They're also planning on implementing and integrating FedRAMP. 

    What do I think about the scalability of the solution?

    RSA Archer is definitely easy to scale. It's not complex to add applications to our portfolio. For example, we can use one set of controls for one application, and then we can easily map another application with that same set of controls. 

    We have a huge organization, so RSA Archer is available for higher management. In our portfolio, there are about 26 users. We don't have plans to increase our usage of RSA Archer because we are migrating to ServiceNow. 

    How are customer service and support?

    I have the tech support where I evaluate according to a criteria. For example, how frequently that particular software version is being patched, whether the application server is updated with the proper software version or not, whether there is a failover plan, and what our data retention policies are, in terms of issues that are closed or obsolete, and how long we are keeping those. So I evaluate these questions with the maintenance team. 

    Which solution did I use previously and why did I switch?

    Archer was being used when I started at my company, but I think they were previously using some CA tool. We have been using RSA Archer and RSM, but we are finally migrating to ServiceNow. 

    How was the initial setup?

    I have not actually set up RSA Archer—a different team handles the setup and installation, and I integrate the frameworks for our applications and set up the control objectives. I have integrated different frameworks, like NIST and PCI DSS, and have found that you can create and upload your control objective from the spreadsheet and work on it. It's one of the easier ways to set your application-specific controls on RSA Archer. 

    What about the implementation team?

    A different team handled the implementation. 

    What was our ROI?

    Return on investment is definitely there, in a sense, because with this particular governance, we can mitigate the risks of different kinds of losses. For example, with one of our applications, I have been looking into the portfolio that deals with PCA and PA data. If the upper control objectives are not managed properly, then there may be vulnerabilities which, if not properly remediated, will lead to losses—customer data loss and intellectual property loss. So there is definitely an ROI with this GRC tool. 

    What's my experience with pricing, setup cost, and licensing?

    RSA Archer's price is justifiable and not as expensive, compared to ServiceNow. I have heard that the licensing for ServiceNow is much more expensive. I'm unaware whether there are any additional costs after licensing fees. 

    Which other solutions did I evaluate?

    We are migrating to ServiceNow, which isn't as rich as RSA Archer, but it's better in terms of usability. It's easier to integrate each and every control with the entities and it's easier to assign incidents and policies. The process automation and workflow is good in RSA Archer, but it's available in ServiceNow as well. For control audit purposes, since we are migrating to ServiceNow, we have actually mapped the entities and, from there, we are doing the controls-based audit. 

    What other advice do I have?

    To any teams who are looking to implement RSA Archer, I would say that one problem I faced when we integrated NIST, PCI DSS, and other tools was that there are a lot of common control objectives out there with policies that are actually mapped. So you need to be making sure that you are not making duplicate control objectives. For example, take disaster management. In the data retention policy for the database, one of the control objectives requires proper access management, so that will be applicable for network as well. You can use a similar control objective and map two or more different policies, which will reduce the amount of effort you need to put in. 

    I rate this solution a seven out of ten. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Archer developer
    Real User
    Top 20 Leaderboard
    Attentive support and high return on investment
    Pros and Cons
    • "With RSA Archer, an admin can set permissions for a normal user to go directly to the tool they need to input some data. Admins can then go through that and approve some requests. Also, they can log in based on these kinds of permissions, including ticketing, service patches, or upgrades."
    • "It would be nice if RSA Archer featured more customization. When customers are updating, they should be notified whether certain updates are optional. The install screen should not proceed to the next page unless we make some selections about which updates we want to install."

    What is our primary use case?

    There are six to seven use cases currently. Most of the time, clients request a customized application. Right now, we're using RSA Archer for risk and issue management, like building a risk registry. We'll respond to risks using findings in the risk registry. So we'll set policies for risk discrimination and acceptance based on inherent and residual risk. We have all kinds of environments, covering DEV, SIT, and UIT. Currently, we have 6.9 Service Pack 2.

    What is most valuable?

    With RSA Archer, an admin can set permissions for a normal user to go directly to the tool they need to input some data. Admins can then go through that and approve some requests. Also, they can log in based on these kinds of permissions, including ticketing, service patches, or upgrades. The manager gets a notification, and they can log into the mobile application using this tool.

    What needs improvement?

    It would be nice if RSA Archer featured more customization. When customers are updating, they should be notified whether certain updates are optional. The install screen should not proceed to the next page unless we make some selections about which updates we want to install. That feature should be implemented in Azure so that users are aware. 

    There is also an issue with managing records. If we add or remove records, something has to be updated. Something has to be developed in this subform so that if a developer unexpectedly removes the total recorder linked to the parent record, it doesn't interrupt the connection. They have to come up with a solution for that.

    Previously, we used RSA Archer to review data events. For example, we have a feature called Subscription Notification that was called Generate Notification. The letterhead was changed after migration, so we needed to update the letterhead manually. In Service Pack 2 6.9, links were embedded. So if we edited STTP, we had to remove the double slashes at the beginning of the address and update them to use only one slash. However, it is not recommended practice, so currently they're still updating that. We have notified the RSA team, and they are working on that.

    For how long have I used the solution?

    I've been working with RSA Archer for seven years. I started my career as an administrator, and after that, I switched to development. Currently, I'm leading the team in an architectural role, like gathering requirements, deployments, and support.

    What do I think about the stability of the solution?

    In terms of performance, I would rate RSA Archer seven out of 10.

    What do I think about the scalability of the solution?

    After deployment, some customers complain that the database must be constantly updated every time they add users, and the update process takes them a long time. For example, one of my clients has 60,000 to 70,000 users in their environment. It takes them three to four days to rebuild the search index on the database side.

    How are customer service and support?

    We're in touch with RSA Archer's support on a daily basis. We have set up a scrum call every day to check if the clients have any issues identified post-deployment. In addition, we stay in touch with the tech team and provide support after deployment to address minor issues like, for example, if a customer needs to change their configuration. So we are implementing and releasing in two to three days if any minor changes are required. 

    Which solution did I use previously and why did I switch?

    I previously worked on ITGC Controls in the IT sector conducting general control audits. I have performed other roles. We used to collect all the systems-related information showing that the server is updated correctly. We used to check database server-related information, so we'd verify that the daily backup is done. All the IT environments should have maintenance on policies ISO 7001, and I performed the general control audits.

    I was using a related tool, but at the time, I was interested more in development, so that's why I have switched. Initially, it was a minor project that required significantly less personnel. RSA Archer is growing mature, so I just switched.

    How was the initial setup?

    When you're first installing RSA Archer, the mobile feature is not available, but users can still manually input the details in the initial phase. And initially, it's like a normal input process. Then, after that, they have to come back and monitor using the PC or the laptop. 

    The personnel needed for deployment depends on the solution. If there is one developer, they don't have any direct authority to deploy it. So we have some third-party monitoring at the time of deployment because if they touch any course other than this, the dedicated solution has to monitor it. Generally, one developer is enough for one solution. And after deployment, they have to recheck using that third party because most of them are in the banking sector, so everything should be monitored.


    It takes about an hour to install. But, of course, if any jobs are running, it might take longer. So we have to give the system time to install all the code correctly. After installation, we also need to check for upgrades. 

    What was our ROI?

    I can say RSA Archer is worth the cost.

    What's my experience with pricing, setup cost, and licensing?

    The price of RSA Archer is good. The price isn't too high considering it is a leading tool in the market. However, some Level Three companies cannot afford this license because they're charging too much. For example, the price might be reasonable for Level Five companies doing a four-month project, but they have to lower prices to make the product more competitive in the market for companies below Level Three.

    What other advice do I have?

    I rate RSA Archer nine out of 10. It's an increasingly mature and very secure tool in the market. Every environment should have this kind of tool. It's useful for tracking any security threat.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Vivek Shah
    GRC Archer Consultant at a tech services company with 10,001+ employees
    Consultant
    Top 20 Leaderboard
    Flexible record permissions and data import features; could be simplified in several key areas
    Pros and Cons
    • "Flexible record permissions and data import features."
    • "The solution as a whole could be simplified."

    What is our primary use case?

    My primary use cases of RSA Archer are for business resiliency, business continuity management, third party vendor management, IT risk management and some of the other governance and compliance applications. We are partners with RSA and I'm an Archer system administrator. 

    How has it helped my organization?

    There are many benefits to using Archer as a platform. Previously, all processes in the organization were scattered. Once Archer was implemented, everybody had a role to play. It was just a matter of logging in, doing the work, and moving the workflow to the next stage. Prior to Archer, all the work took place via emails or sharing of Excel files. Archer has streamlined everything and it's really helping the organization to manage potential risk and data security. Security is key these days.

    What is most valuable?

    I believe the record permissions and data import are the most flexible and user-friendly features because they enable all information to be available on the platform.

    What needs improvement?

    Compared to other GRC tools, RSA Archer is a little complex in the sense that even users need to have some knowledge of the tool. Without any knowledge, both users and developers will have a hard time. I'd like to see the access control part simplified. Reduced complexity in the Advance Workflow and on the front end part of the tool would be really helpful. 

    System administrators have overall control over the system, but it would be good if they could get more control over Archer. Finally, Archer has the option of custom coding things not currently supported by RSA. If it were supported that would be a great innovation because clients have needs that are not adjustable or incorporated in the tool. All those changes require coding which increases complexity.

    For how long have I used the solution?

    I've been using this solution for close to four years. 

    What do I think about the stability of the solution?

    I think the level of stability and performance is connected to the size of the organization. There can be issues when there is an Excel load in the system, or when there are too many users and too many processes running on the backend. Things can slow down and we've seen glitches and delays. If processing speed could be increased, that would likely solve the issue. 

    What do I think about the scalability of the solution?

    Scalability is there but it's not easy. You need to be familiar with the system, which can take a couple of months. Once there's familiarity it becomes more user-friendly. It's not as easy as ServiceNow or OneTrust. Those are much lighter tools and easier to learn. Scaling should be more user-friendly. We currently have around 9,000 active users and I expect that to increase in the future.

    How are customer service and support?

    Customer support is working well and I don't have any complaints about that. 

    Which solution did I use previously and why did I switch?

    I have used ServiceNow but nowhere near as extensively as I've used Archer. The problem with GRC ServiceNow is that it has limited features, which is why we switched to Archer. It has better features and functionalities.

    How was the initial setup?

    The initial deployment needs to be carried out in coordination with RSA because it's their product. It requires a web service, application service, database service, everything needs to be designed for the platform. It would be great to have some kind of video or technical demo to help with this. 

    If the process of going from the ESC environment all the way to the production environment could be easier that would be really helpful because it's very likely that not all environments will be in sync in most organizations. Features are going to differ from the broad environment to the lower environment and while packaging, the features of the lower environment also come into the production environment. Maintaining synchronization takes a lot of time so if there could be some flexibility and ease, that would save a lot of time for the organization.

    What was our ROI?

    In terms of return on investment, I think the processes and management as far as risk and governance compliance is concerned, have been very effective. Achieving their objectives and tasks in a timely manner with all the necessary security and parameters along with streamlining is a return on investment. I'm unsure about the benefit in revenue, it's more about improving risk and the governance processes.

    What's my experience with pricing, setup cost, and licensing?

    Archer is expensive compared to other GRC tools. The product is generally used in multi-national companies like JP Morgan, Morgan Stanley, Amazon, Goldman, or eCommerce. They all use Archer. The cost would be prohibitive for a small or medium-scale company. If Archer is looking at promoting this product, they need to work on the pricing because only large organizations can afford it. There are many additional costs involved so that if one needs to develop some features in the tool there is an additional charge; if you ask RSA for any kind of enhancement or development, they will charge you; and if you'd like some consultation in regards to the product, they will charge you for that too.

    What other advice do I have?

    This is a really nice tool because the majority of what it provides is not offered by other solutions. It's a matter of learning the tool and accepting how it works with an open mind. Anyone using it will find it really helpful for the GRC processes.

    I rate the solution seven out of 10. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Vice President and Risk Management at a financial services firm with 10,001+ employees
    Real User
    Top 10 Leaderboard
    Robust and feature rich solution
    Pros and Cons
    • "The part I liked about Archer was the risk assessment for deficiencies and being able to use it there."
    • "It's resource-hungry, that's the best way of putting it."

    What is our primary use case?

    For Archer, today there is everything from risk management to looking at security and how to track all the security defects. We don't have Archer connected to ServiceNow. We had the better version when I was at Albertsons. Just before I joined UFG, we used it not only tracking deficiencies, but also doing all the risk work and all of the vulnerability management, but we tied it to ServiceNow so we could issue tickets and track stuff. That's the way to do it.

    How has it helped my organization?

    Our version is on-prem, which I also used at Wells Fargo where we had it on-prem as well. I thought the best version we used was at Albertsons, we were in the cloud and we were using their stuff. To me, that's a better way to go. You want to keep it up to par, and you can't screw around with the data structures. It really keeps you current which is probably the best example so you get the best bang for your buck.

    What is most valuable?

    When you get it to work, then it's valuable to me. The part I liked about Archer was the risk assessment for deficiencies and being able to use it there. The part I don't like is what it takes to get it really working right. That's not trivial. You need people that really understand it, and you also have to get people to stop making changes to the data schema and the rules, because if they do that, then it defeats the whole purpose of Archer.

    What needs improvement?

    The problem is, and I've had years and years of experience using it, let's say decades of experience with it, and they keep changing it. It could be as much as two years or so and they change the product. My concern is when they go from module to module, what do they do? Is it consistent with what the industry wants? And they could also add some things and improve on their product for when we want to match up CVS to it and a few other things. And I think the training is hard. I think they need to emphasize that you take people and send them to training. But today with COVID, how do you do that?

    For how long have I used the solution?

    I use RSA Archer on a daily basis. Some people in the Archer group call me a pain, they keep saying, "Well, we can't do this and we can't do that." I say, "Let me show you how it's done."

    I have been using it since they first started. So that's got to be almost 15 years now. I knew it when it wasn't even Archer, when it was part of Ernst & Young's suite of risk products. And then Silver Shire took it out of there, formed his own company called Archer. And that's how it was developed. I go that far back with Archer. I've seen it evolve, and they keep changing modules, names, pricing. It's kind of fun to watch the industry.

    What do I think about the stability of the solution?

    In terms of stability, if you do it yourself, it can grow big depending on how you want to use it. I've seen and been in companies that want to do all this fancy stuff and all the rules and everything else and it just eats resources you could point at, being 20, 30 servers. It's big.

    It's resource-hungry, that's the best way of putting it.

    What do I think about the scalability of the solution?

    In terms of scalability, that's a problem. When you want it to scale, it costs you resources, just like that other product I hate, Splunk. I love the products, but not the resources they eat. It is expensive that way.

    How are customer service and technical support?

    When you find the right one in tech support, it's good. They're all good, but some are better than others. When you're in a crunch, you want the best person right away. Guess what? I want it now. It's like a kid. I want it now.

    I'd give tech support an eight to nine.

    How was the initial setup?

    The initial setup is complex. It's not straightforward and never was.

    It requires knowing what all the modules do, understanding what you want to do, and then finding the right people that can program it. And finding those experts is not trivial.

    Which other solutions did I evaluate?

    At one time, it was the only thing available. Now there are other products that I would consider.

    What other advice do I have?

    Make sure you know what you want to really do and pick the right modules and do a lot of planning, planning, planning. It's like building a house. If you don't do the planning, when it comes down to trying to build it, you really get screwed or the team gets screwed. And I don't think people do a lot of planning.

    On a scale of one to ten, I'd give RSA Archer an eight.

    It's Archer - there are days when their stuff is awesome, there are other days when the frustration level is way too high.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.