RSA Archer Reviews

Our primary use case of this solution is for GRC. I work for a bank and we used this tool to audit our information security team and our cybersecurity team. We had our control library, regulatory requirements, and third-party risks on Archer. So basically, I would say audit, regulatory requirements, third-party risk management solutions, and all kinds of controls, including SOX. These are the integrations we had set up. Right now, it's deployed on-prem. 

This solution helped us with the centralization of our governance data, so we could house all of our controls in one place. We could use that central repository of all our controls to build our risk management strategy and our policy and governance. So we could use controls as a central library and build policy, and then build risk management around it. 

One of the most valuable features is the ease of use. The customizable forms and drop-downs are pretty easy to configure. Automated notifications is another feature that is nice. The whole workflow, basically—if you're going through a workflow process, the whole process is automated with notifications. Basically, it's a pretty straightforward, easy-to-understand interface. I've also had the chance to develop some backend configurations, which is straightforward as well, if you want to add a new field or anything. 

Archer could be improved by having more customization. I'm not sure if the backend processes have API calls and those kinds of seamless integrations, but from the front, some of the solutions are very out-of-the-box. It's not customizable, so that could be a little problematic since you have to use their features. In terms of the backend structure, I'm not too sure because I'm not a developer—I was an end user and product owner of Archer—and I don't quite know the backend and developmental features. But since it's an out-of-the-box solution, sometimes customization was challenging and support was a little problematic because we had to reach out to them all the time. 

I have been working with this solution for the past 18 months. 

We did have a few outages, but otherwise, I must say it's fairly reliable. 

For maintenance, there's an admin dashboard. It's a capability that is handed over to our user and admin has super user access. 

This solution is quite scalable. At that point, it really depends on the strategy. Since we had all our controls on Archer, it was easy for us to scale and deploy other applications or develop other applications seamlessly. But imagine you had your controls on a different application—if it was not on Archer and you had to scale, it would be challenging to move all your data into Archer and then scale. So that is something that could be challenging, but since our strategy was already Archer through and through, we did not find it difficult to scale. 

There are approximately 500 users, across all departments, using Archer. It is being used extensively at the moment. Right now, we don't have plans to increase usage, but I'm sure there's going to be organic growth. 

On a scale of one to five, I would probably rate support a three. I wouldn't say it's the best, but it's not bad either, in terms of both the response time as well as the support. 

We used SharePoint for a bit. We switched to Archer because the graph, user interface, and all that was better than SharePoint. I'm not too sure about the strategic decision because I wasn't with the organization back then, but I know that they wanted a centralized location for their governance, risk, and applications. 

I think the deployment process is pretty straightforward. The solution was deployed for us through a third-party consulting agency, so it wasn't Archer or RSA developers, but a third party that implemented the solution for us. During the time of deployment, we were in a CI/CD mode, so we always had new applications, customization, new fields getting added. 

A third party implemented the solution for us. 

If you are considering implementation, my advice would be to decide on a strategy first before you implement a solution. The solution is nice, but unless you have a strategy, I don't see the point in implementing it. 

I rate Archer a seven out of ten. 

We customize this solution for our clients. We take all their requirements and prepare the design and format by creating fields, notifications, access controls and workflows. We use all the management features that the solution provides to support our clients. We are customers of RSA Archer and I'm a senior consultant. 

The Advanced Workflow feature is one of the most valuable and user-friendly. We used to have to write multiple calculations. With Advanced Workflow, things are much easier for the developer and end user. It's a robust feature that allows users to easily identify what they're doing and where they are. We're able to create multiple layers with a specified functionality that gives an understanding of what is required as well as increased flexibility. Archer provides good security, enabling access where necessary. It's also a useful reporting tool, clearly showing functional data and, when needed, the ability for comparison. The default dashboard shows daily activities that are easily captured allowing for information to be extracted. 

In the current version, RSA is a little slow mainly because of Silverlight which I believe has been removed in the next version. We have some issues using .NET because migrating requires retraining the custom object every time; it's a manual change which is challenging. For that reason, we don't use the custom object. What's needed is a valueless field, where we can drag and drop, add some values and the process is automatic. I'd also like to see an 'approved' button incorporated in the notifications for updates. It would save time and make life easier for the end users.  

I've been using this solution for 11 years. 

This solution is very easy to scale and easy for new users to understand.

Because we use most of the modules we're paying a lot to get good support. We interact with someone from RSA on a weekly basis and deal with any issues on the platform.

The initial setup is straightforward when you understand the system. We put our new users in the sandbox environment and get them to play around with it before setting out our requirements. It can be a bit of a challenge initially but not for long. It's not a common platform and is different from other tools. Once our users are implementing, it's a very smooth process for them. We have a total of seven developers, four are in-house and three are on contract. 

Deployment time depends on the use case; if it's a large implementation, it can take between six and nine months. The solution needs maintenance because of the updates and that often results in patching needs. We're using Archer on a daily basis. 

I'm not sure about the cost of the solution but every year we purchase additional on-demand applications. Archer offers a package that allows the purchase of 10 on-demand applications. You can purchase more than that and the price goes up accordingly. I believe these purchases come with two years of maintenance support. 

This is a good solution compared to others in the market because it is more secure. It's suitable for any size company although smaller companies will only need to use certain modules with larger organizations using multiple modules. This is a one-stop storage device that you can access from anywhere. 

I rate this solution nine out of 10. 

My primary use case for this solution is for the customizing and compliance system, especially for the first standard, ISO 27001, related to the information security management system.

RSA Archer has reduced the time and effort required for meetings because every person or department can enter their asset register by themselves. It's also useful that to get information on the spot, you don't need to have it in an Excel sheet to make it a compiler or a function. It is also a unified product, meaning that every person can enter any font or type of equation they need. It records information for several years, which means if I need to fix any observation from the past five years, I can do so on the system on the spot. Finally, it provides intelligent suggestions for solutions and risk management.

The most valuable feature of this solution is that risk mitigation and risk register are very easy - it's very simple to enter the data.

I would like to see a version of the product customized for small businesses, perhaps something cloud-based on a monthly basis. I would also like the product to be more easily integrated with the Arabic language. 

I have been using RSA Archer for around two years.

This product is 100% stable, without a lot of bugs.

The solution is scalable.

The setup was complex, taking around three to six months.

I used a vendor team.

First of all, we have gained time back that was previously wasted in management meetings. Secondly, approving any risk is much quicker with this solution, requiring only one click. RSA Archer has given us a return of investment on both time and money.

The product is expensive, and there are additional costs if you need to integrate more licenses or want more features.

Before choosing RSA Archer, I evaluated MetricStream.

I totally recommend RSA Archer for anything related to ERC for mid-to-large-sized businesses. I wouldn't recommend it for small businesses as it is very expensive. I would rate this solution as ten out of ten

I work with user management, policy management, enterprise management, risk management, and third-party management.

We are using its service version. We have to buy that license, and based on the license, they're providing us with the application.

It is a very friendly tool. We can easily understand what is going on inside the tool. I like this tool. We can work with the tool for the ERP platform. We can create automated applications based on the requirements.

It is very secure with three levels of access. We can give three levels of access in Archer. We can give access at the field level, application level, and code level. So, it is very secure.

There were so many problems that we had found. One time, the search index was not working. We also faced slowness in Archer, but I resolved this issue. The queue services were running on two servers, whereas they should have been running only on one server. There were also many duplicate records. I had to go and check the specific field and update that. After that, we removed all duplicate records from Archer.

We faced performance issues only in the lower version. The reason was that they were using only three servers and one database. We increased the services and RAM, and we had two application servers, three web servers, and one database. Whenever there are any performance issues, we need to check the jobs in the server backend. Sometimes, jobs are running for the last five days and that's why new jobs are not being picked up. In such cases, we have to prioritize the jobs that will go first and that will go second.

It is easy to scale. If we want to increase the number of users in Archer, we have so many tools. We can create more than 1,000 users in Archer at one time. We only need a license. 

Currently, more than 30,000 users are using Archer. We plan to keep using this solution. It is being used by so many companies.

When we face any issues related to the application, RSA is there immediately. We can raise a ticket and after that, they help us. Everything is fine in terms of support.

Previously, they were storing the data in Excel sheets, but when they wanted to move to Archer, based on the requirements, I created the fields, and I created the workflow and access control for that.

I have worked on SAP ERP in my previous company. I started to work on Archer after I moved to this company.

In our team, we have only three members. I am from India and two more people are from the US. Because our team size is very small, we have to perform every activity. We take care of the administrative work, development work, and support work. If anything happens in the system, we will check why it is happening and sort it out.

An application's deployment typically takes one month, but it will vary based on the requirement. If we are working on one application with more than 100 fields or critical workflows, it will take time. For fewer fields or workflows, we can create an application within a week, and we can move it to production.

It is not expensive. It is reasonable. We only pay for the licensing.

I would rate RSA Archer an eight out of 10.

The solution is an integrated platform. We use it for risk management, mitigation and integration. 

I like that the solution has the ability to export data and provide us with daily reports. 

I have found all the features to be valuable, including those involving reporting, the dashboard, notifications, email modules, the database and data input.

There are many issues which Archer needs to work on, including those involving the database and the UI. I find the tech support to be inadequately knowledgeable. 

As I am a developer and responsible for providing production support, I do not have personal knowledge of the pricing. However, my colleagues claim that it is very expensive in comparison with other tools. 

As concerns the stability, we have not encountered any bugs, glitches or performance issues. 

Starting from the outset, we have employed very few applications, the current number being just shy of 50. 

The tech support should be more knowledgeable. 

We did not use a different solution prior to RSA Archer, which we have been with for a long time. 

As relates to the deployment process, I found the new packaging thing to be a bit complex, although it is fine. I got used to it. 

The length of the process varies with the number of applications. 

One person is required to set up the solution. The solution must be maintained. 

As I am a developer and responsible for providing production support, I do not have personal knowledge of the pricing. However, my colleagues claim that it is very expensive in comparison with other tools.

There are presently between 50 and 100 people making use of the solution in our organization. 

The solution comes with very good features. If they could just fix a couple of things then this solution would make a very good evergreen tool. 

I rate RSA Archer as a seven out of ten. 

My role is as a developer or administrator of this tool, but I'm also a user. I work as a senior system developer and we are customers of RSA Archer. 

Previously, the process we required was carried out in Excel data with follow-up emails through Outlook and it was very difficult to track. After we implemented Archer, things worked a lot more smoothly, and rather than looking for things, the system sends a notification reminder. We can do everything within the tools; updating records and publishing them, maintaining approvals, reminders, reporting, and dashboards. 

Some of our clients who use Archer bring the activities scan and present data into Archer, and can then manage their workflow. They can see the overall risk rating, how it relates and where it's coming from, the device causing it, those kinds of things. They wouldn't have been able to do that without Archer. 

The tool is really well designed overall and you can develop any application, automate any workflow including the GRC work processes. Workflow can be automated very easily so that providing access and making changes are all relatively simple. I find that integrations are very easy in this tool. For example, bringing data from an external tool is easy and manageable. It also provides a single tool to manage all the different workflows and different processes. For example, you can perform risk management, policy compliance, audit, and all other processes. It's really a one-stop-shop and a great feature compared to what other tools offer. Finally, the core solution and library provided with the tool are great compared to other tools like ServiceNow, which still process metrics. I don't think they come close to Archer. 

Other tools, specifically designed for audit management have a better GUI than Archer. The problem with Archer is the business process. If you design in Archer you get a lot of tasks and a lot of information that gets congealed, which users don't like. The issues can be solved using the advanced workflow feature of Archer but it was only recently introduced and most clients are still using the old version to run the workflow.

If your process requests many tasks, many approvals, workflows, etc., then you're definitely going to see a lot of information in one sheet which makes the job harder. It's all dependent on your process. There are some flaws in the system, which are generally rectified over time but there is still room for improvement. I've previously given some feedback and, in general, there are a lot of complaints about the GUI. 

I've been using this solution for three years. 

The solution is very stable but as the data grows and the size of the database grows, you need to add additional servers or sources to manage latency. It creates a lot of logs and the data fills up if it's not properly maintained. It doesn't require daily maintenance but a clean-up is needed at least once a year. If you have really good hardware resources, you don't really need to do that.

The solution is easy to scale. Just add a server, then store the tool in it and then load balance it. It's not difficult. We have around 2,000 regular users and we're likely to increase that.

I think customer support is really good. There are some times when they don't have a solution to a new problem, something newly identified, but they submit it to the engineering team and ultimately it gets fixed. It can sometimes take a few months but I don't see any major issues with their support. I think they're pretty good.

The initial setup is reasonably straightforward. Deployment is generally carried out by one person. If a company wants to maintain segregation of duties, then multiple teams are necessary; one for development and another for deploying the change in production. Deployment time depends on the change you are pushing. If there are multiple items involved, the best option is to deploy the package. If the application has millions of records, then it will take longer to recalculate. If there's a smaller number of records, deployment can be done in a couple of hours. 

We've definitely seen a saving with the automation of the process. It saves time which can be spent on other activities. And, of course, that means a cost saving. 

I believe our licensing costs are around $100,000 for the tool and that possibly includes a basic solution that comes with the tool. If you then need another solution then there is an added cost for that. I don't know how that compares to the cost of other tools. 

For anyone trying to automate a data GI processor, Archer is a good product.

I rate the solution nine out of 10. 

I'm an administrator for RSA Archer and a consultant, so I create platforms for various businesses based on their requirements. RSA Archer is a GRC tool, so RSA Archer controls and regulates different enterprise GRC solutions and IRM modules. I create those platforms for various business users according to their specifications. They provide us with the storyline, and then we advise them on ways to use RSA Archer to manage their processes. And then, once that is done, we create an RSA Archer platform.

RSA Archer has updated its UI many times. And the UI is now much more rich and user-friendly. That's one of the major things that they have changed recently. Our business users are much more comfortable with the latest UI. Also, the reporting mechanism inside RSA Archer is another thing that is very user-friendly. And all the business users, in most of the cases I've seen that they are very comfortable in using the reporting tools.

RSA Archer is a valuable tool because it can manage the end-to-end functioning of any enterprise GRC module, such as compliance and risk management or business continuity plans and the entire BCM module. RSA Archer also provides many out-of-the-box solutions, which are use cases derived from the standards for GRC or risk management, governance, and compliance. It provides an end-to-end mechanism for business users on a single platform. That includes reporting, managing workflow, creating documentation, or tracking a process where you need to get approval from the various levels within the organization's hierarchy. 

Integration is another great aspect of RSA Archer. From the beginning, integration has been a central focus for RSA, and Archer has always integrated well with most tools on the market today. RSA Archer has its own APA that can be integrated into any other tools using Dorknet, Java, or any other language you can think of. So the APAs are excellent and easy to work with. 

RSA is also increasing the scope of customization. When using a tool, consultants like us might need to customize it because the out-of-the-box solution does not perfectly match the client's requirements. So RSA is quickly incorporating those customizations and allowing us various ways to do that. In doing so, RSA is opening up more areas where Archer can be used. Vendor management is the latest example. They have already added one vendor management module. I'm not entirely familiar with it, but it can be integrated with other tools directly on a real-time basis. So that's one feature, which is very new to Archer, and I think it's going to be a breakthrough.

There are many small things that need improvement but on the whole, it is much better now than it was when I first started using it six years ago. They are putting out updates almost every day. The latest version came out just a few days ago, so they are constantly making minute fixes and tweaks based on input from different users. Users like us are developing applications on the tool, so when we have an issue, we open a ticket with RSA directly. If it is a new issue and they can't fix it, then they log it and provide a solution in the next release of their tool. They're also planning to move to a completely cloud-based solution, so they are providing all the support for RSA Archer to be easily hosted on the cloud and everything.

I've been working with RSA Archer for the last six years.

Performance is always an issue with any coding system. And RSA Archer used to have more performance issues. It was completely on-prem, so there were some slowdowns because of that. However, they've upgraded their backend systems, the codes, supporting database structures, etc. So the speed has picked up lately. They have improved in the last few releases, and I hope they will also continue to do that. 

We have various mechanisms to scale up. For example, we already have the lab configuration in RSA Archer, so we can use their lab to get that directory from the organization. And whenever it changes or updates, that's automatically reflected in RSA Archer too. So that is a very straightforward thing and easy to maintain also. And we plan to increase usage. My company is an RSA Archer partner, so they're always looking to increase the number of projects in RSA Archer. 

RSA technical support is good. They're very approachable and provide quick solutions. Sometimes there may be a delay, but only if it is a very complex problem or one they might not have encountered earlier. 

RSA Archer is very deployment friendly because it is quick and straightforward. Migration and deployment aren't too complicated. RSA Archer can do it more quickly than most other GRC tools in the market right now, like SAP GRC. RSA Archer is one or two steps ahead because the migration is pretty smooth and can be done very quickly. One person can handle it pretty easily, but it also depends on the level of customization you want. Whenever we are customizing a tool, we need a specialist. So during migration, the senior consultants monitor what the team is doing and the others supervise. But if we're talking about how easy it is, then one or two people can easily do it.

Then there is the regular maintenance, but it's more accurate to say "enhancement" than "maintenance." Every time the user has a new requirement, we need to add those things into our resources. So it's pretty easy to do if you have two or three environments with you, development, UAT, QA, production, etc. The migration is pretty quick, so it's easier to manage from the maintenance point of view.

We've seen a return with RSA Archer. My organization started with a single project in RSA Archer, and now we are handling multiple businesses at multiple levels and doing several different projects in RSA Archer. And the clients are returning customers. They want to get into RSA Archer as much as they can.

RSA Archer might be a bit expensive for small companies because it's a vast tool. It provides many built-in solutions and functions that can meet all of a company's GRC needs. So, ultimately, it is cost-effective because it offers tools that serve a variety of functions. It is costly, but if you are a big company, the decision is pretty straightforward in terms of the cost versus the service Archer provides.

The licensing scheme has several levels, and you can purchase additional licenses depending on your needs. So you can opt to get only a license for the use cases that apply to your organization. You don't need to buy the entire thing, so that is a good thing.

I rate RSA Archer eight out of 10. Nothing is perfect and every day RSA is perfecting its own tool, so I rate it eight. It is one of the best GRC tools on the market at the moment. But, every day new tools are emerging. For example, ServiceNow is one of RSA Archer's strongest competitors. They are also coming up with their own ASA application use case. But I would say that RSA Archer is a much more mature GRC tool, and it stacks up well against other GRC platforms like SAP GRC and IBM Openpages. So in that sense, I would say Archer is a more mature tool with good services that can be helpful for your organization. I would recommend it. 

There are six to seven use cases currently. Most of the time, clients request a customized application. Right now, we're using RSA Archer for risk and issue management— like building a risk registry. We'll respond to risks using findings in the risk registry. So we'll set policies for risk discrimination and acceptance based on inherent and residual risk. We have all kinds of environments, covering DEV, SIT, and UIT. Currently, we have 6.9 Service Pack 2.

With RSA Archer, an admin can set permissions for a normal user to go directly to the tool they need to input some data. Admins can then go through that and approve some requests. Also, they can log in based on these kinds of permissions, including ticketing, service patches, or upgrades. The manager gets a notification, and they can log into the mobile application using this tool.

It would be nice if RSA Archer featured more customization. When customers are updating, they should be notified whether certain updates are optional. The install screen should not proceed to the next page unless we make some selections about which updates we want to install. That feature should be implemented in Azure so that users are aware. 

There is also an issue with managing records. If we add or remove records, something has to be updated.  Something has to be developed in this subform so that if a developer unexpectedly removes the total recorder linked to the parent record, it doesn't interrupt the connection. They have to come up with a solution for that.

Previously, we used RSA Archer to review data events. For example, we have a feature called Subscription Notification that was called Generate Notification. The letterhead was changed after migration, so we needed to update the letterhead manually. In Service Pack 2 6.9, links were embedded. So if we edited STTP, we had to remove the double slashes at the beginning of the address and update them to use only one slash. However, it is not recommended practice, so currently they're still updating that. We have notified the RSA team, and they are working on that.

I've been working with RSA Archer for seven years. I started my career as an administrator, and after that, I switched to development. Currently, I'm leading the team in an architectural role, like gathering requirements, deployments, and support.

In terms of performance, I would rate RSA Archer seven out of 10.

After deployment, some customers complain that the database must be constantly updated every time they add users, and the update process takes them a long time. For example, one of my clients has 60,000 to 70,000 users in their environment. It takes them three to four days to rebuild the search index on the database side.

We're in touch with RSA Archer's support on a daily basis. We have set up a scrum call every day to check if the clients have any issues identified post-deployment. In addition, we stay in touch with the tech team and provide support after deployment to address minor issues like, for example, if a customer needs to change their configuration. So we are implementing and releasing in two to three days if any minor changes are required. 

I previously worked on ITGC Controls in the IT sector conducting general control audits. I have performed other roles. We used to collect all the systems-related information showing that the server is updated correctly. We used to check database server-related information, so we'd verify that the daily backup is done. All the IT environments should have maintenance on policies ISO 7001, and I performed the general control audits.

I was using a related tool, but at the time, I was interested more in development, so that's why I have switched. Initially, it was a minor project that required significantly less personnel. RSA Archer is growing mature, so I just switched.

When you're first installing RSA Archer, the mobile feature is not available, but users can still manually input the details in the initial phase. And initially, it's like a normal input process. Then, after that, they have to come back and monitor using the PC or the laptop. 

The personnel needed for deployment depends on the solution. If there is one developer, they don't have any direct authority to deploy it. So we have some third-party monitoring at the time of deployment because if they touch any course other than this, the dedicated solution has to monitor it. Generally, one developer is enough for one solution. And after deployment, they have to recheck using that third party because most of them are in the banking sector, so everything should be monitored.

It takes about an hour to install. But, of course, if any jobs are running, it might take longer. So we have to give the system time to install all the code correctly. After installation, we also need to check for upgrades. 

I can say RSA Archer is worth the cost.

The price of RSA Archer is good. The price isn't too high considering it is a leading tool in the market. However, some Level Three companies cannot afford this license because they're charging too much. For example, the price might be reasonable for Level Five companies doing a four-month project, but they have to lower prices to make the product more competitive in the market for companies below Level Three.

I rate RSA Archer nine out of 10. It's an increasingly mature and very secure tool in the market. Every environment should have this kind of tool. It's useful for tracking any security threat.