Governance, Risk and Compliance News
Page 1 of 50 (496 items)
  • Webcast: Privacy Program Training and Awareness

    Build a Culture Where Information Protection is Understood Through Effective Training and Awareness

    To prevent the growing number of privacy breaches that result from human error, privacy leaders must
    not only govern the organization, but also educate it. You need clear policies and practices for data security
    and privacy, and you must train employees at all levels of the organization on their responsibilities.

    See how Archer's solutions can help you change the way your employees think about protecting
    personally identifiable information.

    Register today for this free webcast, and learn how you can:

    • Manage the lifecycle of privacy policies, standards and procedures from creation through
      approval and publication.
    • Communicate policies across your organization through a web-based policy portal and
      email notifications that are relevant to specific roles, departments and business functions.
    • Train and test employees on their responsibilities for security and privacy - with information
      that's relevant to their job responsibilities.
    • Monitor results, and report up to senior management and regulators in real time.

     

    Tuesday, March 16
    1-2 p.m. US Central
    2-3 p.m. US Eastern

    Protect private information from the inside out. Register today to learn how.

    Posted Mar 10 2010, 10:02 AM by Demian Tallman with no comments
  • GRC Summit – More Agenda Details and CPE Credits

     

    March 5, 2010

    Governance, risk and compliance professionals from across industries and around the globe will converge in April for the 2010 Archer GRC Summit, and you need to be there! Here's another snapshot of Summit educational sessions:

    • Case Study: GRC Made Simple Using Audit as the Hub
    • Panel Discussion: Risk and Compliance – From IT to the Enterprise
    • GRC Roundtables: Technical, Business and Executive-Level Discussions
    • Case Study: Baby Steps to Giant Leaps – Leveraging Software as a Service for GRC

    Register today to take part in 20+ customer-led case studies, 7 hours of advanced training, 15+ hours of networking and more.

    Need CPE Credits?
    Earn up to 17 hours of Continuing Professional Education (CPE) credits from Summit educational sessions.

    Posted Mar 05 2010, 02:32 PM by Sarah Nord with 1 comment(s)
  • Podcast: Major Themes from RSA Conference 2010

    March 5, 2010

    Bank Info Security featured a podcast this week with Archer’s Director of eGRC Solutions, David Walter. Live from the Expo floor at the RSA Conference 2010, David discusses three hot topics of discussion among visitors at the Archer GRC booth:

    • Journey to the Cloud – How Archer, RSA and EMC are embedding security and compliance into cloud computing

    • Platform Approach to GRC – Why organizations are selecting Archer’s platform approach to governance, risk and compliance in order to integrate data sources, correlate information and report to higher-level management

    • GRC Strategy Roadmap – Why it’s essential to take a strategic look at business processes and how they can be interrelated in order to form an overall picture of governance, risk and compliance

    If you’d like to hear David’s commentary, follow these simple steps:

    1. Visit http://www.bankinfosecurity.com/rsa2010.php.
    2. Scroll down to the bottom of the page to the Security Vendor Interviews section.
    3. Scroll through the list of podcasts, and click on David Walter, Senior Product Manager – Archer Technologies.

  • News from RSA Conference 2010: GRC Concepts Consistent in the Cloud

    by Steve Schlarman – March 4, 2010

    We have all felt the peace and tranquility of lying on our back in the grass on a lazy day and watching the clouds roll by through a blue sky. For some of us, it may have been many years since we languished in such luxury.  For others, it may have been yesterday.  I have always been struck by the variety of clouds one could see – from the solitary cotton ball drifting across the sky to the massive jumble of rolling storm clouds. From my intro, I am sure you can see where this blog is going – cloud computing.

    I am sure we will see new terms surrounding cloud computing and the candidates are obvious – from silver linings to rain clouds. As one who enjoys the good analogy, the options are endless. When dealing with a complex subject like cloud computing, it is always helpful to utilize simple examples to explore how a virtual topic can be represented in the physical world. 

    At the RSA Conference, RSA’s own Art Coviello presented in the Keynote address a vision around cloud computing focused on the challenges and opportunities represented by this revolutionary epoch in the world of information technology. He was followed by Scott Charney from Microsoft expounding even more on the transformation of computing approaches available in today’s world. Both of these leaders in the world of technology framed the challenge of cloud computing clearly and articulately. Cloud computing represents a broad new horizon for companies to leverage technology in new and exciting ways. As I listened to the presentations with my IT GRC ears on, it was clear that fundamentally, the challenges we face as IT GRC professionals remain consistent with age-old concepts:
     
    Who is out there? Identity has and will continue to be a core piece of managing risk and compliance processes. Companies have made significant strides over the years in this area and innovative technologies continue to offer many ways to address this complex challenge.

    Where is my information? Cataloging and managing data is a major challenge for companies now and will become even more complicated as the elements of cloud computing are implemented. The good news is that technologies that identify and store data are becoming more sophisticated and will continue to evolve to assist companies to improve information asset understanding.

    What is going on? Systems management tools and Security Information/Event Management technologies have become a staple of the modern day network and security operations center. The capability to gather event data and correlate what is going on in the environment will also be a key piece of managing the complexities of the “cloud”.

    What am I doing about it? I have written many times about the absolute need for a company to be able to articulate and demonstrate the PROGRAM around managing governance, risk and compliance. As cloud computing becomes part of the fabric of a company’s business, it will be even more imperative for executives to tangibly demonstrate how the company is establishing governance, risk and compliance processes across the entire company.

    Cloud computing represents another stage in the constant evolution of the use of information technology. Risk and Security professionals have ridden the waves from the glass houses of mainframes to the “who’s on first?” world of distributed computing to the wild, wild west of the Internet age. We now face the same challenges with a new backdrop. Companies should start now looking for approaches and partners that blend together these important pieces – identity management, data management, event management and program management.

    Interestingly enough, these components are a profile of the combination of EMC, RSA and Archer Technologies. While it may sound like a shameless plug, it highlights the power and opportunity of our new extended family. As my product management colleagues and I explore these new opportunities, we are finding many exciting ways to leverage the power across the collective technologies to provide our customers with a seamless approach for IT GRC. So while the sky may be clear now, cloudy days are ahead. And for once, that isn’t such a bad thing.

    Posted Mar 04 2010, 04:01 PM by Demian Tallman with 2 comment(s)
  • News from RSA Conference 2010: Decoding GRC

    by Jason Rohlf – March 4, 2010 

    Greetings from San Francisco, California! This fabulous city is the backdrop for RSA Conference 2010, which brings together vendors and professionals with a need to protect and manage information, often considered the most valuable resources companies possess. The theme of this year’s conference is “Security Decoded”, and everywhere I go I see images of the famous Rosetta Stone, perhaps the most famous encryption key ever created.

    Until the Rosetta Stone’s discovery in 1798, Ancient Egypt’s society and culture were locked in the mystery of hieroglyphics. In the decades that followed the discovery of the Rosetta Stone, experts and scholars were able to unlock the secrets of the Egyptians’ language. While the stone itself is essentially a statement that certain Egyptian priests were exempt from tax (must be nice), the implications of decoding this ancient language were far more tremendous from an academic and historic perspective.

    As I learned more about the Rosetta Stone, I realized its story fit well with the theme of RSA 2010 for a couple of reasons. On one hand, encrypting information is widely regarded as a best practice for protecting critical information from those who would seek to exploit it. Yet I also see this gathering of professionals who come together to exchange ideas and information as a good analogy of the Rosetta Stone. When people of differing backgrounds, upbringings, career paths and perspectives come together to share thoughts and ideas on the issues they are dealing with, there is a very good chance that one person’s perspective can prove to be the spark that allows others to solve a problem previously thought unsolvable. This is the power of an event like RSA: pooling together individual bits of information to create a tapestry of knowledge that is greater than the sum of its parts.

    This is my first time at the RSA Conference, and this experience has given me the opportunity to speak with numerous people who have been kind enough to share their perspectives and insights on the problems they are facing. Although RSA is primarily a security conference, many of the conversations that my colleagues and I have had about Archer’s solutions go beyond how we can help them track and manage their information security issues. They also want to know how this particular segment of their GRC program plays into their larger efforts to demonstrate enterprise-wide governance, risk and compliance. How can they integrate all of the pieces of their program into a uniform, consolidated view? How can they make senior executives care about the problems they are trying to manage? In these cases, Archer strives to become the key that these professionals can use to decode these issues.

    I look forward to more lively conversations as the conference wraps up today, and I appreciate having the opportunity to meet so many talented people. Who knows, maybe I even played a part in helping decode some mysteries this week.

    Posted Mar 04 2010, 02:01 PM by Demian Tallman with 2 comment(s)
  • Business Continuity Management Webcast

    Protect Your Ongoing Operations with a 3-in-1 Business Continuity Management Solution

    Register today for this webcast to discover how you can centralize your approach to business
    continuity, disaster recovery and crisis management in a single solution. Learn how you can:

    • Evaluate the criticality of business processes and supporting technologies through
      online assessments.
    • Ensure rapid access to business continuity and disaster recovery plans in the event
      of a crisis or business disruption.
    • Centralize reporting and management of crisis events that impact employees, customers,
      stakeholders and mission-critical operations.
    • Tie BCM activities to your overall governance, risk and compliance program.

     

    Tuesday, March 9
    1-2 p.m. Central
    2-3 p.m. Eastern

    Don't miss this event. Register today!

  • March in Massachusetts: Deadline for Privacy Compliance Looms

    by Steve Suther – February 25, 2010

    As the March 1st deadline quickly approaches for compliance with the Massachusetts state laws designed to safeguard the personal information of its residents, several questions are rolling around in my mind. Have all businesses (regardless of their size) that either store or transmit those residents’ personal data developed written security plans? Do these plans take into account the identification of data, potential risks to it, and controls the organization has in place to minimize or eliminate identity theft? And does the state have enough resources in its ranks to begin proactively monitoring compliance? Surely time, and any publicized privacy data breaches, will tell.
     
    As Massachusetts business owners have been preparing for this brave new world of regulatory compliance, I’ve read many statistics about incidents within the state related to a resident’s compromised sensitive information. As reported this week in the Boston Herald, out of more than 800 breaches reported to the state through October 2009, nearly 500 of them resulted from criminal acts (such as laptop thefts), but the remainder were the result of improper employee handling of a customer’s information. While that’s a lot of human error, think about how easy it could be for this to occur. Imagine data being incorrectly secured before physical transport, or one customer’s statement being mailed to a different customer during a month-end statement cycle, just to name a few scenarios.
     
    What’s to be done about such a high percentage of human slip-ups? How about some employee education and awareness on a company’s privacy policies and practices? How about the ability to not only deliver training, but also to quiz employees on their comprehension of the material as part of their day-to-day job responsibilities? Training and awareness of this type is critical to effective privacy program management—and to establishing a culture in which employees understand privacy requirements and their responsibilities for protecting the personal information of customers, employees and business partners. 
     
    If you’re interested in talking more about the role of training and awareness in a global privacy program, I invite you to join me for an upcoming webcast, where I’ll share with you Archer’s ability to help with such matters. The webcast is Tuesday, March 16 at 1pm Central, and you can register online at no cost. In the meantime, I’ll keep my eye on how things are panning out in Massachusetts, and I’ll post any interesting news for you here on the Archer GRC Blog.

  • Preview the Archer GRC Summit Agenda

    February 16, 2010

    The agenda for the 2010 Archer GRC Summit is heating up. Here are just a few of the educational sessions you can take advantage of:

    • Customer Case Study: Business Benefits of an Archer Enterprise GRC Implementation

    • Strategy Session: Evaluating Your GRC Maturity and Defining Your Roadmap for Growth

    • GRC Best Practices: An Enterprise Approach to Privacy Program Management

    • Technical Training: Integrating GRC Intelligence with the Archer Data Feed Manager

    Register today to take part in 20+ customer-led case studies, keynotes from GRC visionaries, 7 hours of advanced training, 15+ hours of networking and more. View the high-level agenda on the Archer web site, and start planning your GRC Summit experience.

    Need to Convince Your Manager?
    Download the Justification Toolkit to show your manager that the Archer GRC Summit is a value-rich event. You’ll find Word templates for requesting trip funding, taking productive notes on-site and documenting your Summit ROI.

  • Changing Mandates for Internal Audit

    by Jason Rohlf – February 15, 2010

    “The only constant is change.”

    — Isaac Asimov

    Many studies have shown that resistance to change is simply part of being human. Granted, some people are far more adaptable than others, making the prospect of change easier to swallow. But if I’ve learned anything in my career thus far, Isaac Asimov was indeed correct: “The only constant is change.” 

    As an eGRC Solution Manager for Archer and a former auditor, I do a lot of research around the challenges facing internal audit professionals, and it’s clear to me that internal audit is staring change squarely in its ambiguous face. In reading the latest set of analyses, white papers and opinions about the profession, most notably from the Institute of Internal Auditors (IIA) and Big Four services firms (see specific research below), I’ve noted several mandates facing internal auditors that carry the prospect of significant change. These mandates include:

    Expanded Risk Focus
    Internal Audit’s key stakeholders, including the Board of Directors, Audit Committee and C-Suite Management, are calling for the profession to move beyond a compliance focus, which has been its primary driver in the Sarbanes-Oxley era, to a more strategic, operational and business-risk focus. Internal audit’s chief professional mandate is to evaluate the entire governance, risk and compliance landscape, which will require auditors to improve and expand their risk knowledgebase and skill sets.

    Dynamic Audit Planning and Integrated Assurance
    Internal auditors must be able to effectively demonstrate that they are actively monitoring the organization’s risk landscape and that they have the flexibility to adjust course when new and emerging risks arise. In addition, effective coordination with other assurance functions will address gaps and overlaps in the process, helping internal audit provide their assurance in a more efficient and effective manner.

    Doing More with Less
    The financial crisis of the last two years has far-reaching effects, including the internal audit departments that were previously considered untouchable. The profession needs to meet increasing expectations with static or decreasing resource levels. Further, as businesses become more reliant on information systems, leveraging technology tools for assurance purposes (CCM, Continuous Auditing, Data Analytics, CAATs) becomes increasingly important.

    Attracting and Retaining Top Talent
    Obtaining the right mix of talent continues to be a major challenge for internal audit departments. While the latest generation of internal auditors has been trained with a primary focus on compliance, they have proven to be very adaptable and adept with new technology. Providing auditors with the opportunity to participate in interesting, high-profile activities with increased flexibility in how they work is essential to acquiring and keeping the best and brightest professionals.

    Evolving mandates facing the internal audit profession are squarely in Archer’s focus as we continue to develop and improve our Audit Management solution. This solution enables its users to remain focused on the organization’s most critical risks, to share information with other members of the assurance community, to leverage technology to drive workflow efficiencies and to provide personnel with a wider view of the organization. Sounds like change in the right direction to me.

    Research Sources
    “A World in Economic Crisis: Key Themes for Refocusing Internal Audit Strategy.” The Institute for Internal Auditors (IIA) Global Audit Information Network Study: http://www.theiia.org/theiia/newsroom/news-releases/?search=refocusing internal audit strategy&C=3069&I=9461

    PricewaterhouseCoopers 2009 State of the Internal Audit Profession Study: http://www.pwc.com/us/en/internal-audit/publications/2009-study-internal-audit-profession.jhtml

    Ernst & Young 2008 Global Internal Audit Survey: http://www.ey.com/Publication/vwLUAssets/Escalating_the_role_of_internal_audit_-_survey_2008/$FILE/AABS_RAS_Global_internal_audit_survey_2008.pdf

  • Executive Perspective from RSA and Archer

    February 11, 2010

    Archer President Jon Darbyshire and RSA President Art Coviello recently sat down to share their perspective on EMC’s January 2010 acquisition of Archer Technologies. We invite you to view their brief video conversation to understand the value of the acquisition to Archer and RSA customers—and the impact for the broader industry.

    You can also learn more about benefits to Archer’s user community as we join with RSA, The Security Division of EMC, in Jon’s most recent blog post.

    Posted Feb 11 2010, 03:10 PM by Sarah Nord with 1 comment(s)