RSA® Archer®: Inspire Everyone to Own Risk

RSA ARCHER - TÜV Rheinland - Home | US | TÜV Rheinland


Page 1

RSA® Archer®: Inspire Everyone to Own Risk

Page 2

© Copyright 2016 EMC Corporation. All rights reserved.

Executive Priorities (Business Growth & Technology)

• 54%: growth is the highest priority
• 25%: technology initiatives are second priority

From Gartner's report "The 2015 CEO and Senior Executive Survey: 'Committing to Digital'"

Page 3

Executive Perspectives on Risk

According to Gartner's report "The 2015 CEO and Senior Executive Survey: 'Committing to Digital'":

• 77%: new risks challenge the business
• 65%: risk management is falling behind
• 83%: agility is increasingly important

Page 4

Risk Convergence

• The business relies on technology like never before
• Business and digital strategies are intertwined
• Technology risk is a board-level topic

To be successful in today's market, organizations must address cyber risk and business risk together.

Page 5

Decision Makers Need Insight…

• What controls need to be implemented?
• Where do we allocate resources?
• How can investments be arranged?
• Who owns this risk?
• When do we have to be ready?

Page 6

Is Your GRC Program Ready?

Page 7

The Challenge

(Chart: Results plotted against Reach, across the Compliance, Risk and Opportunity stages)

• Resource overload
• High rate of change
• Lack of resources
• Lack of business context

Page 8

Inspire Everyone to Own Risk

(Chart: Results plotted against Reach, across the Compliance, Risk and Opportunity stages, with the transitions labelled Transform, Harness and Exploit)

Risk management is the key to protecting your competitive advantage.

Page 9

RSA Archer: Risk Management for the Modern Enterprise

• Risk is multi-dimensional: empower a common risk conversation
• Constant vigilance is necessary to keep up with risk: adapt your program at the speed of risk
• The pressure is on to manage risk: tap into collective knowledge

Page 10

Risk Is Multi-Dimensional: Empower a Common Risk Conversation

'Most companies do not have a consistent way of assessing risk across the enterprise. 20% of companies say there is no process to develop and aggregate a risk profile and a further 38% rely on a self-assessment by the business units. Almost half profess difficulties in understanding their enterprise-wide risk exposure.'

- Global Risk Survey: Expectations of Risk Management Outpacing Capabilities—It's Time for Action, KPMG, 2013.

• Broadest suite of integrated solutions
• Rapid implementation
• Business context

Page 11

Constant Vigilance Is Necessary: Adapt at the Speed of Risk

• Configurable system administration
• Configurable reporting engine
• Upgradable

'73% of companies have seen the volume and complexity of risks increase over the past five years, and 20% of companies have seen the volume and complexity of risks extensively increase over that same period.'

- Current State of Enterprise Risk Oversight: Progress is Occurring but Opportunities for Improvement Remain, July 2012, ERM Initiative at North Carolina State University on behalf of the American Institute of CPAs Business, Industry & Government Team.

Page 12

Pressure to Get Your Program Right: Tap into Collective Knowledge

'98% of company Boards or Board-level risk committees regularly review risk management reports, an increase from 85 percent in 2010.'

- Setting a Higher Bar, Deloitte, 2013

• Largest GRC peer community
• Collaborative partner ecosystem
• Partner with the industry leader

Page 13

Industry Leadership

• 1300+ deployments, 43+ countries, 25+ industries
• 59 Fortune 100, 148 Fortune 500, 125 Global 500
• 10 out of 10 biggest U.S. banks*
• Leader in Ops Risk MQ 2015
• Leader in IT Risk MQ 2015
• Leader in IT Vendor Management 2016
• Leader in BCM MQ 2014
• Leader in Forrester GRC Wave, quoted as "the most mature offering in many occasions"

* bankrate.com

Page 14

Take Command of Your Journey

• Compliance (siloed): siloed compliance focus, disconnected risk, basic reporting. Outcome: reduce compliance cost.
• Transition
• Risk (managed): automated compliance, expanded risk focus, improved analysis/metrics. Outcome: manage known and unknown risks.
• Transform
• Opportunity (advantaged): fully risk aware, exploit opportunity. Outcome: identify new business opportunities.

Page 15

RSA ARCHER SOLUTIONS

Page 16

RSA Archer Solutions and Use Cases

Risk Catalog

Bottom-Up Risk Assessment

Key Indicator Management

Loss Event Management

Top-Down Risk Assessment

Operational Risk Management

Third Party Catalog

Third Party Risk Assessment

Third Party Engagement

Third Party Governance

Issues Management

Audit Engagement & Workpapers

Audit Planning & Quality

Plan of Action & Milestones (POA&Ms)

Assessment & Authorization (A&A)

Continuous Monitoring

Business Impact Analysis

Incident Management

Business Continuity and IT Disaster Recovery Planning

Resiliency Management

Corporate Obligations Management

Policy Program Management

Controls Assurance Program Management

Controls Monitoring Program Management

IT and Security Policy Program Management

IT Controls Assurance

IT Security Vulnerabilities Program

IT Risk Management

PCI Management

Security Incident Management

Security Operations and Breach Management

IT Regulatory Management

Information Security Management System (ISMS)

Use Case list as of Q2 2016 (subject to change)

Page 17

IT & Security Risk Management Use Cases

IT and Security Policy Program Management

IT Controls Assurance

IT Security Vulnerabilities Program

IT Risk Management

PCI Management

Security Incident Management

Security Operations and Breach Management

IT Regulatory Management

Information Security Management System (ISMS)

Use Case list as of Q2 2016 (subject to change)

Page 18

IT & Security Risk Management maturity stages: Stage 1 Siloed, Stage 2 Transition, Stage 3 Managed, Stage 4 Transform, Stage 5 Advantaged

Key drivers: security incidents, vulnerabilities, compliance issues, policy/standards

(Chart: each use case progresses left to right across the five stages; the capabilities below are grouped by use case and listed in the order they appear on the slide)

• Security Incident Management: ad-hoc response, measured response
• Security Operations & Breach Management: breach assessment, 24x7 staffing & operations
• IT Security Vulnerabilities Program: vulnerability scans, vulnerability intel
• IT Risk Management: risk & threat assessments, risk register & KRIs
• Issues Management: findings + remediation plans
• IT & Security Policy Program Management: policies, standards, procedures
• IT Regulatory Management: regulatory intel, regulatory change
• IT Controls Assurance: manual assessments, automated assessments, continuous controls monitoring
• PCI Management
• Information Security Management System

Page 19

Issues Management

Before Scenarios

• Scattered lists of issues and findings in various documents
• No consolidated view of outstanding issues related to security audits, IT compliance or IT/security risk assessments
• Limited documentation on current and planned remediation efforts to address open risks
• No list of approved and accepted risks (unapproved exceptions)

Key Features

• Consolidated issue management process
• Consolidated list of findings from IT and security audits and assessments
• Consolidated list of remediation plans for IT & security issues
• Exception management and governance through appropriate risk acceptance and sign-off

Page 20

IT & Security Policy Program Management

Before Scenarios

• Scattered repositories of policies, standards and controls, with ambiguity between compliance/business requirements and internal controls
• Limited documentation of operational procedures (controls)
• Manual tracking of policy changes, or policies falling out of step with business changes

Key Features

• Framework and taxonomy for governance content (policies, standards, controls)
• Workflow and change management tracking
• Best-practice baseline IT & security content library

Page 21

IT Regulatory Management

Before Scenarios

• No workflow or defined process to monitor changes to regulations or laws
• Disjointed strategy to manage changes to data protection standards
• Outdated controls based on old requirements, or a haphazard approach to adjusting controls based on changing business requirements

Key Features

• Regulatory intelligence feeds with workflow for impact analysis and change management tracking
• Issue management for changes related to regulations and other corporate obligations
• Managed exceptions with appropriate risk sign-off/acceptance

Page 22

IT Controls Assurance

Before Scenarios

• Duplicative efforts for measuring IT compliance, based on reacting to emerging regulatory and business requirements individually
• Limited to no consolidated visibility into IT compliance levels across the enterprise, with extensive manual testing and reporting cycles
• Haphazard approach to managing issues related to compliance testing, audits and assessments

Key Features

• Asset catalog, control repository and taxonomy for compliance processes
• Multiple testing approaches (automated and manual) for a wide variety of IT controls, including integration with testing/assessment technologies
• Integrated issues management to manage reporting and remediation of control gaps

Page 23

IT Security Vulnerabilities Program

Before Scenarios

• Multiple scanners producing too much data to be actually helpful in managing security risk
• Poor handoff (if any) to IT operations to address security vulnerabilities
• Limited to no visibility into remediation efforts to close security vulnerabilities
• Vulnerability scanning solely for compliance purposes, with limited added value for the effort
• No prioritization of security vulnerabilities

Key Features

• Central repository and taxonomy for vulnerabilities
• Integration with multiple scanning technologies
• Large-data/high-volume storage of vulnerability scanning results
• IT asset catalog with business context
• Reporting and research platform
• Rules-based issues management

Page 24

IT Risk Management

Before Scenarios

• No consolidated definition of IT risk (taxonomy, catalog, ownership, accountability); reliance on manual processes to perform IT risk assessments
• Limited to no visibility into a consolidated view of IT risks
• Haphazard approach to managing issues related to risk identification

Key Features

• Asset catalog for risk processes and reporting
• IT risk register, control repository and taxonomy
• Consistent risk and threat assessment processes with pre-built content
• Integrated issues management to report and track remediation of risks identified during risk assessments

Page 25

Security Incident Management

Before Scenarios

• SIEM infrastructure producing too much data and overwhelming the security team, with limited or no prioritization of security events
• Manual/ad-hoc documentation of security incident handling
• Poor handoff (if any) to IT operations to address security incident issues, and limited to no visibility into remediation efforts to close security incidents

Key Features

• Central repository and taxonomy for security alerts, with integration with SIEM/log/packet capture infrastructure and an IT asset catalog with business context
• Integrated incident management workflow with escalation, investigation documentation and response procedures

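The IT Security Vulnerabilities Program slide (Page 23) and the Security Incident Management slide (Page 25) describe the same pattern: pull records from several tools into one taxonomy, deduplicate them, attach business context from an asset catalog, and let rules rather than people decide what becomes a tracked issue and what is escalated to IT operations. The following is an added example of that pattern; it is not RSA Archer code and not from TÜV Rheinland. The asset catalog, the two scanner exports, the SIEM alerts, the scoring formula and the rule thresholds are all constructed assumptions for illustration.

```python
"""Added example (not RSA Archer code): normalize scanner and SIEM output into
one finding taxonomy, enrich with asset business context, score, apply rules.
All data below is constructed sample input."""
from dataclasses import dataclass, field

# Constructed asset catalog: business context lives here, not in the scanner.
ASSET_CATALOG = {
    "10.0.1.5":  {"name": "pay-api-01", "criticality": 5, "internet_facing": True,  "owner": "payments"},
    "10.0.2.9":  {"name": "hr-db-02",   "criticality": 4, "internet_facing": False, "owner": "hr-it"},
    "10.0.3.20": {"name": "dev-box-07", "criticality": 1, "internet_facing": False, "owner": "eng"},
}
# Assumption: assets missing from the catalog get a middling criticality so
# they are neither ignored nor allowed to flood the escalation queue.
UNKNOWN_ASSET = {"name": "unknown", "criticality": 3, "internet_facing": False, "owner": "unassigned"}

# Constructed exports in three different shapes, as real tools produce them.
SCANNER_A = [{"host": "10.0.1.5",  "cve": "CVE-2016-0001", "cvss": 9.8},
             {"host": "10.0.3.20", "cve": "CVE-2016-0001", "cvss": 9.8}]
SCANNER_B = [{"ip": "10.0.1.5", "plugin_cve": "CVE-2016-0001", "risk": "Critical"},
             {"ip": "10.0.2.9", "plugin_cve": "CVE-2016-0002", "risk": "Medium"}]
SIEM_ALERTS = [{"src": "10.0.1.5",  "sig": "brute-force-ssh", "level": 3},
               {"src": "10.0.3.20", "sig": "brute-force-ssh", "level": 3}]

RISK_WORDS = {"Critical": 9.5, "High": 8.0, "Medium": 5.0, "Low": 2.0}  # assumed mapping


@dataclass
class Finding:
    kind: str           # "vuln" or "alert": the common taxonomy
    asset_ip: str
    key: str            # CVE id or alert signature; dedupe key across tools
    severity: float     # normalized to a 0-10 scale
    tools: set = field(default_factory=set)
    asset: str = ""
    owner: str = ""
    priority: float = 0.0
    action: str = ""


def normalize(scanner_a, scanner_b, siem_alerts):
    """Map each tool's records onto Finding and merge duplicates (same kind, asset, key)."""
    merged = {}

    def add(f, tool):
        k = (f.kind, f.asset_ip, f.key)
        if k in merged:
            merged[k].severity = max(merged[k].severity, f.severity)
        else:
            merged[k] = f
        merged[k].tools.add(tool)

    for r in scanner_a:
        add(Finding("vuln", r["host"], r["cve"], float(r["cvss"])), "scanner_a")
    for r in scanner_b:
        add(Finding("vuln", r["ip"], r["plugin_cve"], RISK_WORDS[r["risk"]]), "scanner_b")
    for r in siem_alerts:
        add(Finding("alert", r["src"], r["sig"], r["level"] * 2.5), "siem")  # level 1-4 -> 2.5-10
    return list(merged.values())


def prioritize(findings, catalog=ASSET_CATALOG):
    """Assumed formula: severity x asset criticality, doubled for internet-facing assets."""
    for f in findings:
        a = catalog.get(f.asset_ip, UNKNOWN_ASSET)
        f.asset, f.owner = a["name"], a["owner"]
        f.priority = round(f.severity * a["criticality"] * (2 if a["internet_facing"] else 1), 1)
    return sorted(findings, key=lambda f: f.priority, reverse=True)


def apply_rules(findings):
    """Rules-based issue management; thresholds are illustrative assumptions."""
    for f in findings:
        if f.priority >= 60:
            f.action = "escalate"   # open issue, hand to IT ops / IR with a due date
        elif f.priority >= 20:
            f.action = "ticket"     # open issue in the normal remediation queue
        else:
            f.action = "backlog"    # keep the record, no ticket yet
    return findings


def triage(scanner_a, scanner_b, siem_alerts):
    """Full pipeline: normalize -> enrich and prioritize -> apply rules."""
    return apply_rules(prioritize(normalize(scanner_a, scanner_b, siem_alerts)))


def issue_queue(findings):
    """Records that become tracked issues, with the owner who must act on them."""
    return [{"asset": f.asset, "owner": f.owner, "key": f.key, "action": f.action, "priority": f.priority}
            for f in findings if f.action != "backlog"]


if __name__ == "__main__":
    for f in triage(SCANNER_A, SCANNER_B, SIEM_ALERTS):
        print(f"{f.priority:6.1f} {f.action:9s} {f.asset:11s} {f.key:16s} via {sorted(f.tools)}")
```

Running it shows why business context matters: the same CVE-2016-0001 reported by both scanners on the internet-facing payment API is merged into one record and escalated, while the identical finding on the low-criticality dev box stays in the backlog, and the brute-force alert follows the same split. The thresholds and the multiplier are placeholders; in practice they would be tuned against the organization's own risk appetite and the volume the remediation teams can absorb.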
Page 26

Security Operations & Breach Management

Before Scenarios

• Security operations managed by spreadsheet, email, SharePoint or other point solutions
• No consistent operational procedures for handling security incidents or breaches
• Manual processes for managing shifts in the SOC, emergency notifications and data breach handling

Key Features

• Central repository and taxonomy for security alerts, with integration with SIEM/log/packet capture infrastructure
• IT asset catalog with business context; reporting and research platform for incident rates
• Shift and staffing management

Page 27

PCI Management

Before Scenarios

• Ad-hoc PCI compliance process
• Inconsistent stakeholder accountability
• Manual processes for gathering & reporting evidence
• No consistent methods for handling compliance gaps and ongoing assessment

Key Features

• Project workflows to manage CDE (cardholder data environment) scoping and ongoing assessments
• Structured content libraries link the PCI DSS to an extensive control testing repository
• Persona-driven dashboards and questionnaires
• Centralized issues management
• One-click reporting template for creating a properly formatted Report on Compliance (ROC)

Page 28

Information Security Management System (ISMS)

Before Scenarios

• No consolidated repository of assets, risks and security controls
• No workflow or defined process to perform IT risk assessments
• No systematic approach to map IT risks to IT controls

Key Features

• Scope your ISMS and document your Statement of Applicability
• Catalog resources related to your ISMS, including information assets, applications, business processes, devices and facilities
• Document and maintain an information security risk register
• Establish policies and standards in support of your ISMS
• Manage issues related to ISMS assessment processes

Page 29

EMC, RSA, the EMC logo and the RSA logo are trademarks of EMC Corporation in the U.S. and other countries.