RSA Archer Reviews

The most valuable features of this solution are the Data integration, the different kinds of Data import, Data feeds, and the API. 

One of the useful features is the ability to connect to various systems in order to accommodate data.

Otherwise, all of our administrative functions, business apps, and application development are available, but this is the most important. 

It can integrate with other systems to get that data, as well as get data out of Archer and into other legacy systems.

Reporting is very good. You can have reports and IUs on your dashboard, as well as different types of IUs. 

Reporting is excellent for all types of aggregators, as well as for different types of integrators. That is one of the positive aspects.

I am not at the level to show someone how to improve whatever features they have. They are good if they work.

They are better now than previous versions. I am working on version 5, and they are now on version 6.9. They have made significant progress.

There should be an in-built feature that allows live data from vulnerabilities and threats from reliable sources to be streamed directly through their data field.

RSA can provide that kind of service, providing real-time data, vulnerability, and threats, without any local, asking for a contribution from someone else.

I would like to see real-time data, from vulnerabilities, and threats.

I have been working with RSA Archer for 12 years.

RSA Archer is very stable.

The current versions are very stable.

Nothing is perfect, I would not give a rating of ten, but in terms of stability, I would rate it an eight out of ten.

RSA Archer is scalable. The scalability is on various parameters. For user accounts, it is quite scalable.

I work with a large organization. We have 50,000 accounts.

I have 12 years of experience in technical support. My job entails providing technical support for legacy systems as well as current systems. Archer, I work on both technical and functional support. In my case, I'm a CSA, CS, and Archer CISO candidate for all business applications.

Their technical support is good, they are very prompt.

I have only ever worked with RSA Archer. I have not worked with other GRC systems, but I have seen other companies switch from other platforms to RSA Archer because it better met their needs.

RSA Archer has been deployed both on-premises and in the cloud.

The cloud-based version is less painful for us.

The initial setup is straightforward. There are good manuals available. It is not that difficult. The configuration requires a person who has sufficient knowledge or experience.

Someone else should always have some experience on how to install it. The installation is simple, but the configuring is for the business requirements.

I am not sure about other companies, but it's quite expensive.

I would rate RSA Archer an eight out of ten.

RSA Archer's best features are advanced workflow, reports, dashboards, and notifications.

There is some lag and instability with the platform when using the cloud version. I would also like the look and feel of the layout to be updated and made more customizable. 

I've been using RSA Archer for eight to nine years.

RSA Archer is scalable.

RSA Archer's technical support is a little disappointing because the first level is always manned by junior members who don't have much technical expertise.

Neutral

The initial setup was straightforward.

I would give RSA Archer a rating of eight out of ten.

Archer is a repository tool that is leveraged by all the security teams across the firm. The analysts and architects use it to store their data and store the vulnerabilities, which are coming from other applications while scanning the devices and everything. 

My job is to integrate the other applications with this application and try to bring all the data from those applications in here and create a workflow, environment, and framework for the different teams to use those records or vulnerabilities to  make a decision on what they should do. It just makes their life easier.

We are using the solution on-premises, but we are going on the cloud next year.

The last project was for an investment group that was using Excel. Shifting their records from one position to another took approximately 15 minutes. In Archer, we created a workflow for them to leverage it, and they could send the single record with one click to one person within seconds. The whole process went from 15 minutes to two minutes to get the approval for the records. The main purpose of Archer is to just make it easy.

It is really valuable to me because there are a lot of things which I can do and learn from, especially different programming languages. It's not just built on one thing. There are multiple languages which I need to learn in order to run this. One is JavaScript. On the back end, it's C#.NET. On the server type, it's Java. Trying to figure out every single thing makes my knowledge grow more and more every day.

There is a platform called Archer Community where we can post our concerns and any areas that need to be improved, and they will reach out. Recently, we made a suggestion for cross references, like for one application to another. There were limitations there, so we're hoping that will be included in the next upgrade.

Whenever there's an upgrade, they'll just make changes to the application. RSA is a Dell company. Dell is the parent company, and RSA is under that.

There are performance issues and bugs here and there, but it hasn't been a real concern. Sometimes it's slow, but mostly it's on our computers and processors. We just need to delete some stuff there and put them back on the server.

It is very easy to scale. Right now, we have three teams using the solution. It's about 15 to 20 people.

We are responsible for maintenance. There's a team of 20 to 25 people dedicated to Archer. Once it goes to the cloud, then we won't be responsible for maintenance.

We have plans to increase usage in the future. We are talking to the different departments of the company. Archer is not like a business. It doesn't go outside the business because it's really a security tool, and it's just used by the security departments and different departments who are involved with security. It just involves the company. We're trying to leverage it to different departments and we'll see what happens.

They are good. They don't need any improvement, but sometimes they need some guidance. We have our documentation, so they can just refer to that.

Previously, they were purely on Excel files and getting data from the applications inside Excel or Word format. I think this is the first solution they went to, and this is the best tool for GRC, governance, risk, and compliance. There are other tools but they would be confusing for the business, so Archer is the best right now.

The setup process was really easy. You just have to package and install it. There were two or three people involved in the deployment. It took about a day.

I would rate this solution 8 out of 10. My advice is don't just stick to Archer. Learn different tools because it's just a tool in the end. It will be fully configured, and you won't have anything else to do. Go into the business side and try to learn the business.

We are using RSA Archer to provide GRC services to our client. GRC means, governance, risk and compliance. In Archer we implement business continuity management, policy management, risk management solutions, audit management solutions, and third party governance solutions. We even utilize a privacy governance model of RSA Archer, as well.

Currently, we are analyzing and evaluating software as a service option for one client to reduce effort and time on infra related activities.

Our clients are using RSA Archer to automate their manual processes and activies to avoid manual intervention and have a clear visibility to leadership. This increased the client's process efficiency, they are more compliant and reduces the risk and overall governance structure improved. Also, it adds some value added features on the reporting and gives clear visibility of the entire business unit or   divisions of the company. Suppose the CEO of company want to see their high risk BUs , he or she can easily see the count and detail. Automated timely email trigger and integration with other tools/application helps client to assess their processes and BUs to find out risks and remediate risk on time.

There are lots of features which motivate our client to use RSA Archer. First of all, its access control feature which provides access at application level, access at record level and  at page level. It helps client to avoid any unauthorised access.

Also, there is a strong integration between the RSA Archer modules and also option to integrate with other application/ process help client to increase confidence on data integrity.

Suppose if anyone is using RSA Archer audit management or any out of the box use cases, it also provides some of the inbuilt capability of the assessment, like some of the questionnaires and some of the controls that are available in RSA Archer.

 Capability of sending automated email triggers to the stakeholder on a fix frequency.

Workflow feature, reports and dashboard capability etc. lucrate client towards Archer.

 UI/UX can be improved and a feature to allow end user to update assessment question and add or remove recipients from a notification will help client to minimize their dependecy on Archer developer.RSA Archer somehow lag behind in the user interface.

Additionally, the reporting capability of Archer should be improved. Because generally what clients do is analyze processes, their records, their status. They integrate it with either Tableau or Power BI just to customize their reports and see more user friendly reports. So I would suggest to improve reporting capabilities as well.

In terms of stability and performance, Archer is good.

RSA Archer is easy to scale, it's not complex.

It is a requirement to maintain RSA Archer. Our team even provides the managed services to the client, as well.

Some of my clients are moving their GRC solution from other platforms to RSA Archer because of scalability.

Support is good, but sometimes I feel there are some queries or issues, where I or our client need a resolution quickly, but sometimes it gets delayed from the customer support side.

Generally client without GRC framework move to Archer to automate their processes.

Generally we deploy the RSA Archer on client's infrastructure. It is not complex, even for the first time user, process to setup Archer is easy if they refer manuals or guide.

Generally, one person can easily install if it is a small or medium and not a complex deployment. But if it is a large scale deployment I think there will be more requirement of other team involvement as well.

Yes, we do evaluate other options/framework available in market e.g. ServiceNow GRC, OneTrust etc.

But we suggest best option basis the client requirement and which suites most in terms of cost and effort.

My advice to anyone considering RSA Archer would be to use it for their GRC capability and automate their manual tasks. If they are doing any manual task, they can simply automate through RSA Archer. It will increase efficiency, minimize their risk and will make them more compliant.

On a scale of one to ten, I would give RSA Archer an 8 out of 10

We have four primary uses of the solution. My job role was mainly the administration of RSA Archer, in financial services for the public sector bank. Our main use cases were security incident management, mainly to the cyber security incident management, and also the governance risk and compliance part to the DRC part. The auditing and audit updates all were taken through the RSA Archer, and also the customer feedback. But mainly RSA Archer was used for inventory. 

At my organization, we used to have a manual process for every communication work. For example, security monitoring management and everything was happening through mail and was on Excel sheets, things like that. So after acquiring RSA Archer, we were able to have a single platform, a dedicated platform where we can get all our requirements. The solution has improved my organization by having everything combined into a single platform.

I have used a couple of other products for the same domain. As compared to Archer, this solution is a highly mature product. The interaction has highly improved, especially in the latest two updates. The flexibility of the application and the usability have improved a lot as well. That's what I think stands out for RSA Archer.

One area that could be improved with the solution is the administration part, the backend task. That is a bit complex; or rather, the user interface can be made easier. For the newcomer, Archer might seem a bit complex. But once you get used to that, it's all fine.

In the next release of the solution, I'd like to see more inbuilt applications. For example, I talked about our organization having security management. Those are custom applications built by our own team. These are not out-of-the-box applications.

I have a total of three years experience with RSA Archer.

After deployment, my company managed the solution. We've had multiple issues with RSA Archer. The database has gone down; the infrastructure on the application side had a couple of issues; sometimes the services went down. After upgrading to the latest version of the solution, they are more stable than the previous one and it is a lot better now.

I'm really satisfied with the performance. We have more than 1000 or 2000 current users on RSA Archer, and we haven't faced many problems.

It's really scalable because we have options to import users or applications automatically; there are options to import a large number of users. Last year, we had a merging of three banks, and the users of the other two banks were brought into our Archer. They had more then, about 1,000 to 1,500 users, and that was done within a month. We were able to integrate all applications and users. Scalability won't be an issue.

I have been in touch with Archer customer support a couple of times. I have had good experiences; I haven't faced many issues with them. But it will depend upon the company's contract with RSA. There are different support levels.

I haven't worked on the deployment of the solution, but I know the basics of the infrastructure. It's not highly complex, but it is complex as compared to other applications because, in addition to applications and databases, we have the services side as well.

Our deployment of the solution was done by a third-party.

The solution is not at all a cheap product. Whenever someone is planning to buy the RSA Archer application for their organization, the first thing is to understand whether they really need it or not. We have our in-built applications, but first, we need to check whether we require it or not. That is the main thing. The second thing is whether they have the technical people available who are able to handle Archer. Even if they have the product and all, there aren't many people in Archer. We always be making custom applications; we hardly use any built application. So we should have technical employees there.

Talking about my personal use, RSA Archer is one of the four tools which I have managed. And talking about in my organization, it is used extensively. The main core use was security incident management.

I would rate the solution an eight out of ten.

My primary use cases of RSA Archer are for business resiliency, business continuity management, third party vendor management, IT risk management and some of the other governance and compliance applications. We are partners with RSA and I'm an Archer system administrator. 

There are many benefits to using Archer as a platform. Previously, all processes in the organization were scattered. Once Archer was implemented, everybody had a role to play. It was just a matter of logging in, doing the work, and moving the workflow to the next stage. Prior to Archer, all the work took place via emails or sharing of Excel files. Archer has streamlined everything and it's really helping the organization to manage potential risk and data security. Security is key these days.

I believe the record permissions and data import are the most flexible and user-friendly features because they enable all information to be available on the platform.

Compared to other GRC tools, RSA Archer is a little complex in the sense that even users need to have some knowledge of the tool. Without any knowledge, both users and developers will have a hard time. I'd like to see the access control part simplified. Reduced complexity in the Advance Workflow and on the front end part of the tool would be really helpful. 

System administrators have overall control over the system, but it would be good if they could get more control over Archer. Finally, Archer has the option of custom coding things not currently supported by RSA. If it were supported that would be a great innovation because clients have needs that are not adjustable or incorporated in the tool. All those changes require coding which increases complexity.

I've been using this solution for close to four years. 

I think the level of stability and performance is connected to the size of the organization. There can be issues when there is an Excel load in the system, or when there are too many users and too many processes running on the backend. Things can slow down and we've seen glitches and delays. If processing speed could be increased, that would likely solve the issue. 

Scalability is there but it's not easy. You need to be familiar with the system, which can take a couple of months. Once there's familiarity it becomes more user-friendly. It's not as easy as ServiceNow or OneTrust. Those are much lighter tools and easier to learn. Scaling should be more user-friendly. We currently have around 9,000 active users and I expect that to increase in the future.

Customer support is working well and I don't have any complaints about that. 

I have used ServiceNow but nowhere near as extensively as I've used Archer. The problem with GRC ServiceNow is that it has limited features, which is why we switched to Archer. It has better features and functionalities.

The initial deployment needs to be carried out in coordination with RSA because it's their product. It requires a web service, application service, database service, everything needs to be designed for the platform. It would be great to have some kind of video or technical demo to help with this. 

If the process of going from the ESC environment all the way to the production environment could be easier that would be really helpful because it's very likely that not all environments will be in sync in most organizations. Features are going to differ from the broad environment to the lower environment and while packaging, the features of the lower environment also come into the production environment. Maintaining synchronization takes a lot of time so if there could be some flexibility and ease, that would save a lot of time for the organization.

In terms of return on investment, I think the processes and management as far as risk and governance compliance is concerned, have been very effective. Achieving their objectives and tasks in a timely manner with all the necessary security and parameters along with streamlining is a return on investment. I'm unsure about the benefit in revenue, it's more about improving risk and the governance processes.

Archer is expensive compared to other GRC tools. The product is generally used in multi-national companies like JP Morgan, Morgan Stanley, Amazon, Goldman, or eCommerce. They all use Archer. The cost would be prohibitive for a small or medium-scale company. If Archer is looking at promoting this product, they need to work on the pricing because only large organizations can afford it. There are many additional costs involved so that if one needs to develop some features in the tool there is an additional charge; if you ask RSA for any kind of enhancement or development, they will charge you; and if you'd like some consultation in regards to the product, they will charge you for that too.

This is a really nice tool because the majority of what it provides is not offered by other solutions. It's a matter of learning the tool and accepting how it works with an open mind. Anyone using it will find it really helpful for the GRC processes.

I rate the solution seven out of 10. 

My role is as a developer or administrator of this tool, but I'm also a user. I work as a senior system developer and we are customers of RSA Archer. 

Previously, the process we required was carried out in Excel data with follow-up emails through Outlook and it was very difficult to track. After we implemented Archer, things worked a lot more smoothly, and rather than looking for things, the system sends a notification reminder. We can do everything within the tools; updating records and publishing them, maintaining approvals, reminders, reporting, and dashboards. 

Some of our clients who use Archer bring the activities scan and present data into Archer, and can then manage their workflow. They can see the overall risk rating, how it relates and where it's coming from, the device causing it, those kinds of things. They wouldn't have been able to do that without Archer. 

The tool is really well designed overall and you can develop any application, automate any workflow including the GRC work processes. Workflow can be automated very easily so that providing access and making changes are all relatively simple. I find that integrations are very easy in this tool. For example, bringing data from an external tool is easy and manageable. It also provides a single tool to manage all the different workflows and different processes. For example, you can perform risk management, policy compliance, audit, and all other processes. It's really a one-stop-shop and a great feature compared to what other tools offer. Finally, the core solution and library provided with the tool are great compared to other tools like ServiceNow, which still process metrics. I don't think they come close to Archer. 

Other tools, specifically designed for audit management have a better GUI than Archer. The problem with Archer is the business process. If you design in Archer you get a lot of tasks and a lot of information that gets congealed, which users don't like. The issues can be solved using the advanced workflow feature of Archer but it was only recently introduced and most clients are still using the old version to run the workflow.

If your process requests many tasks, many approvals, workflows, etc., then you're definitely going to see a lot of information in one sheet which makes the job harder. It's all dependent on your process. There are some flaws in the system, which are generally rectified over time but there is still room for improvement. I've previously given some feedback and, in general, there are a lot of complaints about the GUI. 

I've been using this solution for three years. 

The solution is very stable but as the data grows and the size of the database grows, you need to add additional servers or sources to manage latency. It creates a lot of logs and the data fills up if it's not properly maintained. It doesn't require daily maintenance but a clean-up is needed at least once a year. If you have really good hardware resources, you don't really need to do that.

The solution is easy to scale. Just add a server, then store the tool in it and then load balance it. It's not difficult. We have around 2,000 regular users and we're likely to increase that.

I think customer support is really good. There are some times when they don't have a solution to a new problem, something newly identified, but they submit it to the engineering team and ultimately it gets fixed. It can sometimes take a few months but I don't see any major issues with their support. I think they're pretty good.

The initial setup is reasonably straightforward. Deployment is generally carried out by one person. If a company wants to maintain segregation of duties, then multiple teams are necessary; one for development and another for deploying the change in production. Deployment time depends on the change you are pushing. If there are multiple items involved, the best option is to deploy the package. If the application has millions of records, then it will take longer to recalculate. If there's a smaller number of records, deployment can be done in a couple of hours. 

We've definitely seen a saving with the automation of the process. It saves time which can be spent on other activities. And, of course, that means a cost saving. 

I believe our licensing costs are around $100,000 for the tool and that possibly includes a basic solution that comes with the tool. If you then need another solution then there is an added cost for that. I don't know how that compares to the cost of other tools. 

For anyone trying to automate a data GI processor, Archer is a good product.

I rate the solution nine out of 10. 

There are six to seven use cases currently. Most of the time, clients request a customized application. Right now, we're using RSA Archer for risk and issue management— like building a risk registry. We'll respond to risks using findings in the risk registry. So we'll set policies for risk discrimination and acceptance based on inherent and residual risk. We have all kinds of environments, covering DEV, SIT, and UIT. Currently, we have 6.9 Service Pack 2.

With RSA Archer, an admin can set permissions for a normal user to go directly to the tool they need to input some data. Admins can then go through that and approve some requests. Also, they can log in based on these kinds of permissions, including ticketing, service patches, or upgrades. The manager gets a notification, and they can log into the mobile application using this tool.

It would be nice if RSA Archer featured more customization. When customers are updating, they should be notified whether certain updates are optional. The install screen should not proceed to the next page unless we make some selections about which updates we want to install. That feature should be implemented in Azure so that users are aware. 

There is also an issue with managing records. If we add or remove records, something has to be updated.  Something has to be developed in this subform so that if a developer unexpectedly removes the total recorder linked to the parent record, it doesn't interrupt the connection. They have to come up with a solution for that.

Previously, we used RSA Archer to review data events. For example, we have a feature called Subscription Notification that was called Generate Notification. The letterhead was changed after migration, so we needed to update the letterhead manually. In Service Pack 2 6.9, links were embedded. So if we edited STTP, we had to remove the double slashes at the beginning of the address and update them to use only one slash. However, it is not recommended practice, so currently they're still updating that. We have notified the RSA team, and they are working on that.

I've been working with RSA Archer for seven years. I started my career as an administrator, and after that, I switched to development. Currently, I'm leading the team in an architectural role, like gathering requirements, deployments, and support.

In terms of performance, I would rate RSA Archer seven out of 10.

After deployment, some customers complain that the database must be constantly updated every time they add users, and the update process takes them a long time. For example, one of my clients has 60,000 to 70,000 users in their environment. It takes them three to four days to rebuild the search index on the database side.

We're in touch with RSA Archer's support on a daily basis. We have set up a scrum call every day to check if the clients have any issues identified post-deployment. In addition, we stay in touch with the tech team and provide support after deployment to address minor issues like, for example, if a customer needs to change their configuration. So we are implementing and releasing in two to three days if any minor changes are required. 

I previously worked on ITGC Controls in the IT sector conducting general control audits. I have performed other roles. We used to collect all the systems-related information showing that the server is updated correctly. We used to check database server-related information, so we'd verify that the daily backup is done. All the IT environments should have maintenance on policies ISO 7001, and I performed the general control audits.

I was using a related tool, but at the time, I was interested more in development, so that's why I have switched. Initially, it was a minor project that required significantly less personnel. RSA Archer is growing mature, so I just switched.

When you're first installing RSA Archer, the mobile feature is not available, but users can still manually input the details in the initial phase. And initially, it's like a normal input process. Then, after that, they have to come back and monitor using the PC or the laptop. 

The personnel needed for deployment depends on the solution. If there is one developer, they don't have any direct authority to deploy it. So we have some third-party monitoring at the time of deployment because if they touch any course other than this, the dedicated solution has to monitor it. Generally, one developer is enough for one solution. And after deployment, they have to recheck using that third party because most of them are in the banking sector, so everything should be monitored.

It takes about an hour to install. But, of course, if any jobs are running, it might take longer. So we have to give the system time to install all the code correctly. After installation, we also need to check for upgrades. 

I can say RSA Archer is worth the cost.

The price of RSA Archer is good. The price isn't too high considering it is a leading tool in the market. However, some Level Three companies cannot afford this license because they're charging too much. For example, the price might be reasonable for Level Five companies doing a four-month project, but they have to lower prices to make the product more competitive in the market for companies below Level Three.

I rate RSA Archer nine out of 10. It's an increasingly mature and very secure tool in the market. Every environment should have this kind of tool. It's useful for tracking any security threat.