RSA Archer provides robust risk management, compliance, and vendor management with intuitive features for customizable and streamlined governance tasks.

| Product | Mindshare (%) |
|---|---|
| RSA Archer | 5.5% |
| OneTrust GRC | 2.9% |
| MetricStream | 2.9% |
| Other | 88.7% |

| Title | Rating | Mindshare | Recommending | Interviews |
|---|---|---|---|---|
| Snyk | 4.1 | 1.6% | 100% | 51 |
| MEGA HOPEX | 3.9 | 1.3% | 86% | 42 |

| Company Size | Count |
|---|---|
| Small Business | 8 |
| Midsize Enterprise | 4 |
| Large Enterprise | 23 |

| Company Size | Count |
|---|---|
| Small Business | 182 |
| Midsize Enterprise | 98 |
| Large Enterprise | 394 |

RSA Archer delivers integrated solutions supporting risk management and compliance tasks. Its adaptive interface and customizable options enhance workflows, making it valuable for organizations requiring automation, advanced workflows, and easy integration capabilities. While offering flexibility and configuration power, users note potential enhancements for integration, reporting, and interface updates.
What are the key features of RSA Archer?

In the finance, public, and IT sectors, RSA Archer is utilized for managing risk and compliance. Organizations leverage its capabilities for third-party risk, policy management, and security assessments, providing tailored solutions for regulatory compliance and operational risk management. Integration with platforms like ServiceNow enhances its utility within enterprise environments.
RSA Archer was previously known as Archer.
T-Systems, Bridge Point, Equifax, First Data, Global Imaging Company, Manulife Financial
| Author info | Rating | Review Summary |
|---|---|---|
| Information Security Specialist at Dubai Health Authority | 4.0 | I use Archer for security, governance, and risk, finding its configuration easy and dashboards insightful. However, it needs fewer clicks, better initial support, and its AI is not market-leading. Despite some performance issues, I rate it 9/10. |
| Works | 4.0 | We utilize RSA Archer for operational risk management, appreciating its revamped AI-driven interface and automation capabilities. However, improvements are needed in integration features, as transitioning from other platforms like ServiceNow should be more seamless and efficient. |
| SW tester / Support, Helpdesk / Test Manager at ICZ a.s. | 3.5 | I find RSA Archer valuable for integrated compliance management, though it's pricey and lacks two-way integration. Deployment is easy, support could improve, and while dashboards are helpful, accessing detailed data is sometimes challenging. I rate it seven out of ten. |
| Head OT Risk Management & Compliance at Abu Dhabi National Oil Company | 3.5 | I primarily use RSA Archer for compliance and risk management. The tool is stable and automates processes effectively, but it lacks user-friendly graphics and dashboards, making it difficult for top management to use due to its outdated and complex interface. |
| Senior Information Security Consultant at a tech services company with 10,001+ employees | 4.5 | I use RSA Archer for daily security assessments in Azure, finding it user-friendly and easy to understand. It offers good ROI, and although ticket handling could be improved, it suits our needs best compared to other evaluated tools. |
| Executive Network Administrator at Tredence Inc. | 4.0 | We use RSA Archer primarily for ongoing risk assessment activities in the system control module. It's helpful in aligning controls with standards, but the user interface could be improved due to inconvenient small text boxes for data entry. |
| System Integrator at a non-profit with 501-1,000 employees | 3.0 | RSA Archer provides a comprehensive suite for IT risk, service management, and compliance. Its integrated data model is valuable for managing risk controls, although the technology is outdated compared to newer solutions like Workiva and AuditBoard, making integrations more challenging. |
| Owner | 4.0 | I find RSA Archer stable and scalable, with excellent data integration and reporting. Initial setup is straightforward. It is expensive, and I'd like real-time vulnerability and threat data streaming. Overall, it's a strong solution. |
| Vice President at a financial services firm with 10,001+ employees | 4.0 | I find RSA Archer useful for enterprise risk management, offering good accessibility and modules. However, unreliable data feeds, intermittent API failures, and unhelpful support are major drawbacks, causing us to migrate modules to other platforms like ServiceNow. |
| RSA archer at an engineering company with 10,001+ employees | 4.5 | I use RSA Archer for assessments in my organization, finding it beneficial for application and security-related controls. While it's the most usable GRC tool, I wish future releases would allow main data uploads. ROI varies by subscription needs. |
I perform all of our information security management, governance, and risk-related activities through Archer. My organization manages all types of audits and enterprise risk activities using Archer.
Archer has improved our organization's ISMS activities more effectively and with more visibility to management.
From my perspective as a customer and end user, Archer has an impressive look and feel, but the most adaptive feature is its ease of configuration, which helps to enhance our process according to our maturity. It's more about our organization getting centralized with an integrated approach that focuses on risk governance and compliance. We can provide detailed dashboards to management with the details of risks from top-down or bottom-up, prioritizing actions based on their criticality or necessity. This allows us to show end users and management where the issues lie and effectively demonstrate accountability and visibility in compliance.
If the user needs to fill in data, they need to go to one page and then to the next page. They could reduce the number of clicks needed to perform some activities, and I would like RSA to improve in this area. Additionally, while the AI features are emerging, they are not yet up to the market standard.
Since 2013, I have been working with RSA Archer.
I would rate stability a seven out of ten. The reason is that it is stable. I am considering stability connected to performance. Performance issues arise mainly since it is not a core service for most organizations, so the resources provided are fewer. During peak times like audits, there can be performance issues due to the increased number of users accessing the system.
Scalability depends on the number of servers, including web and service servers. On each server, we can expect processes to take approximately half an hour to one hour. It all depends on that.
Initial technical support is a little weak, and I would rate it six out of ten. However, the professional support is good. The issue with initial support is that new engineers are often not as experienced.
As an experienced person, I might have already completed the troubleshooting they are attempting at the initial level. When we reach the first level of support, we may need to request escalation to a more experienced technical person.
Neutral
I used SAI 360 GRC solution sometime during the mid-point of my career. I have also worked with R-SAM.
Setting it up is not a big deal. Making sure the prerequisites are available is important.
ROI is not just about cost savings. It relates to the effectiveness of employees and the time taken to complete tasks manually versus using the RSA system.
Before RSA Archer, I used SSI 360 RSA, sometime during the mid-point of my career. I have also worked with RSA.
Overall, I would give it a nine out of ten.

Our use case is specifically designed to solve a problem within our business. To address one specific issue in our business, I designed a use case. I identify this as an operational risk management use case. This use case aims to solve problems related to the risk management of our business. That describes our use case.
Risk management is one of the most impressive features of Archer, especially with the recent restructuring of the user interface. Previously, the user interface was a major concern for us and our admins. Archer recognized this and reinvented it.
The interface is improving with the integration of artificial intelligence (AI). I can write policies and receive expert opinions directly from RSA Archer using AI techniques.
Additionally, in the banking sector, Archer has been used to automate processes such as business continuity management, transitioning from manual processes to automated systems. This includes storing risks, managing risk repositories, applying controls to mitigate risks, and calculating inherited and residual risks.
Archer is moving in the right direction, addressing major problematic areas, such as the outdated front-end interface. This interface, built long ago, persisted despite issues for us and our admins; however, it is now being revamped. A modern user interface has been released for some modules, while others are in progress.
A remaining area for improvement is integration. There should be built-in integration mechanisms, for example, for organizations switching from platforms like ServiceNow to Archer, instead of custom integrations for each client. Built-in integrations would facilitate transitions to or from Archer for us.
I have been working for at least a decade, around seven to ten years.
I would say our experience with stability is rated around seven or eight out of ten, as far as I'm aware.
Generally, I would rate scalability a seven. The level of scalability depends on customization and how skillful our customization team is. If implemented properly, it is scalable.
Overall, I would rate the technical support an eight, as I usually receive very technical support from Archer. They are responsive and perform well in technical support.
Positive
Archer now has distributed teams to ensure support is available 24/7. The teams are structured across different regions.
Initially, I had doubts about Archer's pricing. However, after comparing it with other products in the market, I would rate it around six or seven out of ten, as the price is relative.
ServiceNow and Onspring are major competitors of Archer. Onspring is evolving in the US but is not yet focusing on the Middle East or other regions. In the US, Onspring is growing well, making them a major competitor.
Archer is a relatively simple tool, easy to understand and explain, with a significant amount of RSA best practices already integrated. These practices are presented to us, and out-of-the-box solutions align well with new customer needs, requiring little customization.
Overall, I would rate Archer an eight out of ten, as it provides great value.

Regarding the compliance, risk, and governance tools, I am comfortable discussing the tools in the GRC category.
The specific module from ServiceNow is the ServiceNow Compliance, Risk, and Governance module, which I find very useful, but it's more suitable for larger companies.
The helpful features of RSA Archer include providing an integrated overview of the landscape in the company, which leads the user to use the same inventory and other components, sharing the same set of references and objects we are working on. This integration level is the most useful feature for managing compliance work, unlike using Excel, where agents may not work together.
They keep the referential integrity, which is significant.
While it provides benefits in terms of security, the pricing is a bit higher than customers typically expect.
It would be helpful if RSA Archer had the capability for two-way integration because, in any information technology area, having the ability to provide feedback is beneficial.
It could facilitate the process back to the operational level.
Dashboards are usually effective, but while visibility from the dashboard level is good, drill-down details may be difficult to access, as they don't seem to have direct support for this drill-down.
Dashboards are not an issue, but navigating from the dashboard to details could be challenging.
Deployment is not complicated, as deployment itself is relatively easy for any application.
The most challenging aspect of implementation is managing the interfaces to the sources.
RSA's technical support has sufficient services in the market, though it depends on the knowledge of the people providing the support, and it's relatively not cheap but at an average level.
If I were to rate RSA technical support on a scale from one to ten, I would give it about four, as there is definitely room for improvement, but support is available.
The response time from RSA Archer's support team is not an issue; usually, there's no problem getting a timely response, but there could be more knowledgeable agents available.
Neutral
Compared to some competitors, RSA Archer is higher priced, but the comparison depends on what competitors you consider. I know RSA Archer and ServiceNow, whereas other modules such as SAP and Oracle are more dependent on their specific technologies and are not as general or open.
I have been in touch with about three companies who use RSA Archer actively in the compliance area.
These companies use RSA Archer for nearly all purposes, including governance, internal risk, and third-party risk management and inventory management.
RSA Archer doesn't have its own inventory; it operates differently compared to ServiceNow, which is built on its own inventory and service management. The advantage of ServiceNow is that the risk and compliance module is tied with this inventory.
Regarding integration, it's relatively easy to integrate RSA Archer with third-party tools since it's mostly about the import process. There is an open API or import by file, so it's not a problem.
Both RSA Archer and ServiceNow have good reporting capabilities, with general reports presented at a very good level, namely the executive overview of security and compliance. However, if specific reports are required, it can be complicated since these tools are at the end of the compliance process and may lack the ability to provide raw data back to the process.
It's one-way integration with RSA Archer, which is a feature by the design of RSA Archer to focus on providing executive-level information.
Using RSA Archer provides sufficient benefits, as it sets a bar for compliance, assuring the company that security and compliance are at an adequate level.
On a scale of one to ten, I rate RSA Archer a seven.

I used it before it was configured for specific use cases. Basically, I am using it for compliance management, primarily for compliance management. Our platform is utilized by multiple teams. The audit team is using it, and the IT team is using it. I am responsible for OT, so I primarily use it now for compliance management and risk management.
The tool has stability, and it allows me to automate whatever process I have. We have very good standard processes that we have implemented, and the tool is very good in that. It looks like we have uploaded our policies and the questionnaires. Now, we are looking at the end users themselves doing the compliance assessment instead of us, as the compliance team, doing it on their behalf. We have reached that level.
The tool basically automates whatever processes you already have, so I cannot specify improvements in that regard. However, my main issue with Archer is the graphics. The graphics have always been lacking. I always need to depend on another tool to read information from Archer to have better dashboards. It is like using Linux, and it has a Linux mindset and interface. I want to use Archer for top management and CEOs, but it looks too technical, and the dashboards are not really friendly. They are bulky, like opening an old Nintendo system from nineteen-ninety. The management agrees that Archer lacks in terms of presentation and dashboarding. It is complex, not user-friendly, and bulky. The interface just looks old.
I have used the solution since 2018.
The tool has stability, and it allows me to automate whatever process I have. We have very good standard processes that we have implemented, and the tool is very good in that.
RSA support is good. There are no issues. There is a dedicated team working on Archer and our IMRAN.
Positive
Since I am interfacing with a different team that provides our in-house technical support, I explain our requirements. We get the support we need. So that is not an issue.
This is where we are right now. Pricing is not my domain. Another team handles the pricing.
I would rate the overall solution seven out of ten.

My use case is for security assessment. It's my daily task. I use it for security assessment in Azure. We have tickets where users need to submit details about an application, computer, or server.
For Archer, my direct task is to assess the security risk of an application, infrastructure, or computer system. The server submitting the ticket provides all the details in Archer.
From my end, I review the complete security portion of the particular application and based on my analysis, I enter a certain assessment into Archer and submit it back to the request service.
Archer has simplified our security audits. It's made it easier to raise and trigger questionnaires to customers.
The tool is very easy to learn and use. The most valuable feature is its user-friendliness. It's easy to understand and use.
The tool has minimal complexity.
The ticket handling process could be improved.
I have been using this product for three years. I currently use version 2.3.
I would rate the stability around an eight out of ten.
I would rate the scalability a seven out of ten. If project pipelines increase, we would like to expand it to a few specific users.
The initial setup was very easy to set up.
We needed developers and most of the delivery team. It's not like maintenance is extensive, but server maintenance is necessary, especially when it's deployed in the cloud.
So, maintenance involves checking server speed and memory usage. Besides that, there's nothing else in terms of maintenance with the tool.
We saw an ROI. So, it's like we mostly get back whatever investment we put in and took for the license of RSA Archer. Within six months, we can retrieve it.
The pricing is okay. The licensing costs are very reasonable; it is very affordable to us.
We evaluated multiple tools, but we thought Archer would be the best fit for our use case.
Overall, I would rate the solution a nine out of ten. I would recommend it. It's very usable, and you can easily understand the process.

We primarily use the system control module and specific IT control models for ongoing risk assessment activities. We use it on a day-to-day basis.
It has various valuable features. For example, showing us if a control aligns with specific standards or frameworks helps us understand it better and verify its compliance.
The user interface needs work. There are many small text boxes, like credit-card-sized boxes, where we need to input a lot of text. You can't see what you're typing beyond the tiny window, so you have to scroll or type elsewhere and copy-paste it. It's very inconvenient.
So, improving the user interface would be beneficial.
I have been using this solution for two years.
I would rate the stability a seven out of ten. It's stable, but most of the time it takes a long time to load, even with good internet. Maybe it's on our end or because it's on-premises.
So it could be faster to load. I would like to see improvement in the stability of the solution.
There are around 300 end users using this solution in our company. We all access it to manage compliance through the system.
I would rate my experience with the initial setup an eight out of ten, where one is difficult, and ten is easy.
From my perspective, it's a useful tool with all the essential modules and features for governance, risk management, and compliance activities. The reference information linked to controls and risks is also beneficial and provides flexibility. Overall, I would recommend RSA Archer.
Moreover, I would rate the solution an eight out of ten.

The product has a much broader footprint than Workiva and AuditBoard. It's IT risk, IT service management, third-party risk, enterprise risk, internal audit, SOX, regulatory compliance, and regulatory change management. It's a much more integrated end-to-end suite of products or a suite of processes.
It allows us to build out our policies and processes, tie them to the risks, and allows us to go look at our risk and compliance program, from the policy to the processes to the risk to the controls to the issues. We can report from our issues up to the policy and regulation or from the regulation down to the issues. Therefore, we can look at how we can connect that string so they can look at all those various pieces.
The integrated data model of a one-to-many/many-to-one relationship is quite useful. It shows what needs to be done around your risk controls, policies, and processes. I can tie one risk to many business processes and have those controls tested once, and then apply them to many different risks and regulatory initiatives.
The technology's a little outdated. They need to get a little bit more updated. AuditBoard and Workiva, as examples, are built on later or newer versions of the technology stacks and just have a little bit more to offer and are a little bit easier to implement and integrate. Archer's just a little bit, in the current structure, older. That said, obviously, it has the most sophistication of any of the platforms out there.
There are no features that need to be added. It's really making the technology more current and upgrading the technology stack to where it works a little bit more seamlessly and efficiently. Being an older technology, some of the integrations and some of the things you need to do are a little harder and a little bit more old school, if you will, than a little bit of the open-style integrations that you have today with some of the newer tools.
I've used the solution for a long time. I've likely used it for 20 or more years. It's been a while. I've used it basically for the entire time it has been around.
The product is less stable than some others, given just it's on an older technology stack. However, it is still at or above industry standards.
The solution is very scalable.
I'm also familiar with Workiva and AuditBoard. They are a bit more modern. This product is more old-school.
The more processes you try to implement, the harder it gets to set up. That said, on a one-to-one basis, it's pretty simple. Since it's a larger-scale tool, it takes a little bit more planning and management. Therefore, if you're just implementing SOX, it's not that different from a Workiva or an AuditBoard. If you're trying to implement ten processes, it adds to the complexity of what you're trying to do.
In terms of how long it takes to deploy the solution, if it's a one-to-one process, it takes about two to four weeks. However, if you're doing eight, nine, or ten processes, it could take months based on the sophistication of what you're trying to achieve.
I am not acquainted with the pricing or licensing aspects of the product.
As a system integrator, we have worked in and around all versions of the product. We're working on the latest and a lot of their SaaS and hosted versions now.
Right now, while they do offer on-prem versions, it's almost always in the cloud. It's not a multi-tenant structure like an AuditBoard or Workiva. It's still a single instance in the cloud, as it's a little bit older.
Similar to Workiva and as a system integrator, using something like this product is about understanding what you're trying to achieve and then getting the tool to use it. Each tool has nuances, strengths, and weaknesses. It's in knowing what you want to achieve that will allow you to ensure you're getting what you want to be completed that makes the tool successful.
I'd rate the product six out of ten.

The most valuable features of this solution are the data integration, the different kinds of data import, data feeds, and the API.
One of the useful features is the ability to connect to various systems in order to accommodate data.
Otherwise, all of our administrative functions, business apps, and application development are available, but this is the most important.
It can integrate with other systems to get that data, as well as get data out of Archer and into other legacy systems.
Reporting is very good. You can have reports and IUs on your dashboard, as well as different types of IUs.
Reporting is excellent for all types of aggregators, as well as for different types of integrators. That is one of the positive aspects.
I am not at the level to show someone how to improve whatever features they have. They are good if they work.
They are better now than previous versions. I am working on version 5, and they are now on version 6.9. They have made significant progress.
There should be an in-built feature that allows live data from vulnerabilities and threats from reliable sources to be streamed directly through their data field.
RSA can provide that kind of service, providing real-time data, vulnerability, and threats, without any local, asking for a contribution from someone else.
I would like to see real-time data, from vulnerabilities, and threats.
I have been working with RSA Archer for 12 years.
RSA Archer is very stable.
The current versions are very stable.
Nothing is perfect, I would not give a rating of ten, but in terms of stability, I would rate it an eight out of ten.
RSA Archer is scalable. The scalability is on various parameters. For user accounts, it is quite scalable.
I work with a large organization. We have 50,000 accounts.
I have 12 years of experience in technical support. My job entails providing technical support for legacy systems as well as current systems. For Archer, I work on both technical and functional support. In my case, I'm a CSA, CS, and Archer CISO candidate for all business applications.
Their technical support is good; they are very prompt.
I have only ever worked with RSA Archer. I have not worked with other GRC systems, but I have seen other companies switch from other platforms to RSA Archer because it better met their needs.
RSA Archer has been deployed both on-premises and in the cloud.
The cloud-based version is less painful for us.
The initial setup is straightforward. There are good manuals available. It is not that difficult. The configuration requires a person who has sufficient knowledge or experience.
Someone else should always have some experience on how to install it. The installation is simple, but the configuring is for the business requirements.
I am not sure about other companies, but it's quite expensive.
I would rate RSA Archer an eight out of ten.

We use this product for operational risk management in our bank. It is a multinational U.S. bank, and we use this platform for enterprise risk management.
We are slowly moving away from RSA Archer to another platform.
It is enterprise-wide accessible. So, it is very helpful for all the employees in our bank. They can log in and do their risk management activities. It has a few inbuilt modules that are helpful for doing risk management activities, such as issue management, risk identification, risk assessment, and policy exception management. It also has some inbuilt workflows inside these modules. They are also helpful.
Its user interface is pretty good. It is pretty self-explanatory and intuitive, which is again helpful. It is also customizable to some extent. We can customize some of the functionalities and enhance some of the features to meet the user requirements for our bank.
The integration of data with application servers and databases is also helpful. We can also use API calls. For some of the functionalities, we can integrate API calls with RSA Archer to meet some of the user requirements.
Many a time, data feeds create problems. We keep seeing that the feeds have not run on schedule or have failed, and that's why the reports were not processed or created. It probably also has something to do with the strength of our server. For example, in our production environment, the servers are more powerful. We have more memory space, so we don't see this issue very often, but in the test environments, where there are constraints in terms of server and memory space, we keep seeing this issue.
There is no inbuilt alert in Archer to let us know that a data feed has failed or did not run for different reasons. So, we don't even get to know that a feed has not run until somebody reports it to us. This has been a problem all the time. Data feeds have always been a big headache for us because there is no feature to let us know if a feed has not run or has failed. If Archer had a feature to send us an email notification when a feed has failed, it would've been very helpful. This is the reason why our users are slowly moving away to another platform. Some of the modules that I have been managing are being moved to ServiceNow. Next year, a lot of our modules will be moved from RSA Archer to ServiceNow, and the data feed issue has been one of the main reasons.
We have also had issues with API calls. API calls have always been a problem. Policy exception management is one of the modules that I was managing, and in this module, we had built a few API calls. We had a few API call issues where the API call had failed and records did not get created. Sometimes, records even got deleted. We had numerous calls with RSA Archer, and they always said that unless we reproduce the issue in a lower environment, they cannot help us, but the issue only happens in production, and it happens intermittently. It happens maybe once every two months or three months. We don't know why the API call is failing and the records are not getting created, deleted, or de-linked from the associated parent records. They couldn't provide us with any reason. If their issue resolution team was more proactive, it would have been helpful. This has been a major issue, and this is the reason that this function has been moved to a different platform earlier this year.
I have been working with this solution for the last five and a half years. I started working with it in June 2016.
Its stability is medium. It has been really good during the first few years, but after we upgraded in 2018 or 2019, we started experiencing issues. We didn't have the issues with the API calls in the first version that we installed, but after we upgraded in 2018 or 2019, we started having a lot of issues with the API calls, which could not be resolved. They couldn't give us a reason for these issues. The reason has still not been found.
Data feeds had a slowness issue, but it was probably happening because of the memory space issue on the server. This issue is more related to our bank's side because we don't have adequate infrastructure. It is not really an RSA Archer issue. When we initially deployed it, we deployed it with the expected performance or expected number of records or users who will be using the system. Over the years, the number of users or records or the amount of data that we have in the system has increased a lot. Its performance has deteriorated a lot, and in the last few years, it is not able to handle the amount of data that we have. That's why we are seeing intermittent slowness. Sometimes, our users are not able to log in, which has had a big impact.
Its scalability is of medium complexity. It is not very easy to scale, but it is also not too difficult.
We have been using it very extensively. We have 300,000 employees, and everyone has access to the Archer platform. Some of the modules are open to everyone by default. For example, policy exception management is open to all, and everybody can request an exception to a company policy. Some of the modules are more restrictive, and access to them is given based on the user roles.
Many of our functions are dependent on the RSA platform, but people are slowly moving to other platforms. In the next two or three years, I don't know how extensively it'll be used, but over the last five years, it has been used a lot.
They are responsive, but they are not very helpful. They probably have limitations from their side. When we have any issue, they always want us to recreate it in a lower environment. We have to provide the details and steps to recreate it, and if we cannot do that, they cannot help or provide any root cause or resolution of the issue, which doesn't help, but they are always reachable. We have a couple of contact points in case we have any issues, and we can always email them. We have a weekly call with them where we can discuss any open items.
I was not really involved in the initial setup, but based on what I heard from others who were working on the backend tasks, it was fairly complex. It was not very simple.
It was mostly done by our team, but there was some collaboration with the vendor.
In terms of maintenance, we are responsible for doing the upgrades. In the last five years, I have seen two upgrades. We had two or three patches this year, and every two or three years, we have an upgrade. The last upgrade was probably two years ago, and we are scheduled for an upgrade next year.
It is a very useful tool. It has a lot of good features, but because of a couple of major drawbacks or issues, people are showing some resistance to Archer. If they can solve those issues, it will be a very good product that can be sold to more companies.
I would rate it an eight out of 10.
We use RSA Archer in my organization for assessments (ISO, GDPR, PCI DSS, etc.) or to raise dispensation for any application, security-related controls.
Earlier, if we wanted to perform the application assessment or any ISMS assessment, we had to do it manually. The RSA Archer tool gives us the output in an automated manner. It is beautiful and has helped our organization.
RSA Archer is the most usable and leading GRC tool, and I have found performing the application, ISMS, and TPRM assessments beneficial.
In a future release, there should be an option to upload the main data.
I used RSA Archer within the last 12 months.
Early on, we faced lots of issues because, in communicating with RSA Archer, the database was not synced properly. Twice when we installed RSA Archer in an environment, a few settings and configurations were not correct, which caused the passwords not to match.
The stability could improve.
The scalability is easy to achieve.
Most of our clients are large businesses. I have plans to continue the usage of RSA Archer.
The technical support is good, but they respond a little late; sometimes it can take a few days to get a response.
Positive
The initial setup is a bit complex. The whole process can take approximately three hours with one or two people.
We have faced challenges. For example, the database is not synced with RSA Archer. A few services were not running if RSA Archer was logged in through local admin or the specific user, and we have received a few errors.
Archer is responsible for the maintenance of the solution.
The ROI depends on the company's needs, as RSA has 7 solutions, and the company can pay based on the subscription.
The solution's price should be reduced. You only have to pay the license and there are no additional fees.
I did not previously evaluate any other solutions.
They have to use RSA Archer if they use the automated tools; their data will be safe.
Though there are some issues with the technicality of the solution, such as errors, the solution provides great features, such as customization; we can customize it as per our requirements.
I rate RSA Archer a ten out of ten.