eGRC Content Library
Take advantage of RSA’s comprehensive knowledgebase of enterprise governance, risk and compliance content.
The RSA Archer eGRC Content Library provides the industry's most comprehensive knowledgebase of enterprise governance, risk and compliance (eGRC) content. The Library includes best-practice policies, control standards, control procedures, assessment questions and authoritative sources, pre-mapped to one another so that compliance can be measured and reported efficiently. Developed in cooperation with Fortune 1000 clients and top-tier consulting partners, RSA's Library puts your eGRC program on a solid foundation.
Policies
A policy is a broad statement of principle that presents management's position for a defined area. Policies are intended to be long term and guide the development of more specific rules to address particular situations. Policies are interpreted and supported by standards and procedures.
The RSA Archer eGRC Content Library includes a set of best-practice policies developed in cooperation with leading Fortune 1000 organizations and derived from multiple laws, regulatory requirements, industry frameworks and international codes of practice.
| Policies | |
|---|---|
| Access Control | Operations Management |
| Application Development | Personnel Security |
| Audit Management | Physical Security |
| Business Continuity Management | Privacy |
| Communications Management | Risk Management |
| IT Event, Incident and Problem Management | Security Management |
| IT Management | Security Monitoring and Response |
| Legal, Compliance and Regulatory | Third-Party Services |
| Network Security | |
Control Standards
Control standards specify a particular course of action or response to a given situation. Control standards are mandatory directives for carrying out management's policies and are used to measure policy compliance. They serve as specifications for the implementation of corporate policies.
The RSA Archer eGRC Content Library includes more than 960 best-practice control standards, each mapped to the policies it supports, the control procedures that implement it, the assessment questions that test it and the specific authoritative sources from which it was derived. This out-of-the-box mapping allows your organization to:
- Understand which controls you need to implement to comply with a given regulation or corporate policy.
- Automate the process of implementing an industry standard or best practice across your organization.
- Create training and awareness campaigns to measure employee knowledge of corporate policies and good-practice standards.
Control Procedures
Technical control procedures provide step-by-step instructions on how to implement control standards on a specific technology. The RSA Archer eGRC Content Library includes thousands of control procedures mapped to various technologies. Where applicable, these procedures are written against control standards and are mapped to authoritative sources. This mapping allows you to demonstrate compliance at the technical configuration level as it pertains to specific regulatory requirements.
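As an added illustration of what the policy to standard to procedure to source mapping buys you, the following Python is not code from RSA or the Archer library. It evaluates three hypothetical control procedures for Red Hat Linux against constructed configuration files (a weak and a hardened set), records which control standard each procedure implements, and rolls the pass/fail results up to the authoritative sources that standard traces to. The procedure and control-standard identifiers (CP-RHEL-001, CS-0410 and so on), the thresholds in each check and the mapping of each standard to PCI DSS, ISO/IEC 27002:2005 and NIST SP 800-53 are illustrative assumptions, not the library's own content.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample configuration files for a Red Hat Linux host, one weak
# and one hardened set. Made up for this example, not captured from any system.
WEAK_LOGIN_DEFS = """\
# Password aging controls (stock values)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
"""
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2
# PermitRootLogin deliberately left unset
"""
HARDENED_LOGIN_DEFS = """\
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    8
"""
HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
"""

ConfigFiles = Dict[str, str]  # file name -> file contents


def config_value(text: str, key: str) -> Optional[str]:
    """Value of `key` in a 'KEY VALUE' file such as login.defs or sshd_config,
    ignoring comments and blank lines; None if the key is absent."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip()
    return None


@dataclass(frozen=True)
class ControlProcedure:
    """A technical check plus the mapping that makes its result reportable:
    the control standard it implements and the authoritative sources that
    standard was derived from. Procedure and standard ids are hypothetical."""
    id: str
    technology: str
    expectation: str
    control_standard: str
    sources: Tuple[str, ...]
    check: Callable[[ConfigFiles], bool]


def _int_setting(cfg: ConfigFiles, file: str, key: str) -> Optional[int]:
    value = config_value(cfg.get(file, ""), key)
    return int(value) if value is not None and value.isdigit() else None


def max_days_ok(cfg: ConfigFiles) -> bool:
    days = _int_setting(cfg, "login.defs", "PASS_MAX_DAYS")
    return days is not None and days <= 90


def min_len_ok(cfg: ConfigFiles) -> bool:
    length = _int_setting(cfg, "login.defs", "PASS_MIN_LEN")
    return length is not None and length >= 7


def root_login_ok(cfg: ConfigFiles) -> bool:
    # An absent directive cannot demonstrate compliance, so it counts as a
    # fail rather than trusting whatever the daemon's compiled-in default is.
    value = config_value(cfg.get("sshd_config", ""), "PermitRootLogin")
    return value is not None and value.lower() == "no"


# Illustrative mappings: which standard each procedure implements and which
# authoritative sources that standard traces to are assumptions of this example.
PROCEDURES: List[ControlProcedure] = [
    ControlProcedure("CP-RHEL-001", "Red Hat Linux", "PASS_MAX_DAYS <= 90 in /etc/login.defs",
                     "CS-0410", ("PCI Data Security Standard", "ISO/IEC 27002:2005"), max_days_ok),
    ControlProcedure("CP-RHEL-002", "Red Hat Linux", "PASS_MIN_LEN >= 7 in /etc/login.defs",
                     "CS-0411", ("PCI Data Security Standard", "ISO/IEC 27002:2005"), min_len_ok),
    ControlProcedure("CP-RHEL-003", "Red Hat Linux", "PermitRootLogin no in /etc/ssh/sshd_config",
                     "CS-0320", ("ISO/IEC 27002:2005", "NIST SP 800-53"), root_login_ok),
]


def run_procedures(cfg: ConfigFiles) -> List[Tuple[str, str, bool]]:
    """Evaluate every procedure: (procedure id, control standard id, passed)."""
    return [(p.id, p.control_standard, p.check(cfg)) for p in PROCEDURES]


def rollup_by_source(cfg: ConfigFiles) -> Dict[str, Tuple[int, int]]:
    """Passed/total procedure counts per authoritative source. A procedure
    counts once toward every source its control standard is mapped to, which
    is what lets one technical check feed several compliance reports."""
    tally: Dict[str, Tuple[int, int]] = {}
    for p in PROCEDURES:
        passed = p.check(cfg)
        for source in p.sources:
            ok, total = tally.get(source, (0, 0))
            tally[source] = (ok + int(passed), total + 1)
    return tally


if __name__ == "__main__":
    for label, cfg in (("weak", {"login.defs": WEAK_LOGIN_DEFS, "sshd_config": WEAK_SSHD_CONFIG}),
                       ("hardened", {"login.defs": HARDENED_LOGIN_DEFS, "sshd_config": HARDENED_SSHD_CONFIG})):
        print(label, run_procedures(cfg))
        for source, (ok, total) in rollup_by_source(cfg).items():
            print(f"  {source}: {ok}/{total} procedures passing")
```

The point of the mapping is visible in the roll-up: a single procedure result is attributed to every source its control standard was derived from, so one technical check contributes to the PCI, ISO and NIST reports at once, and an unset directive is reported as a gap rather than silently assumed compliant.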
| Technologies with Supporting Control Procedures | | |
|---|---|---|
| ACF2 | HP-UX | NetWare 4.x |
| AIX | IBM DB2 8, 9 and 9.5 (Linux, Unix and Windows) | NetWare 5.x |
| Apache Web Server 2.2 | IBM WebSphere 6.x | Nokia IPSO |
| Apache Web Server 1.3.27 | ISA Server 2006 | Nortel Meridian 1 PBX |
| Apple iPhone 3.1.2 | Juniper NetScreen Firewall | Nortel Meridian Mail |
| Bay Networks Router | Lotus Domino R5 | Oracle 11g |
| BEA WebLogic 10.x | Lotus Domino R6 | Oracle 9.x |
| BEA WebLogic 9.x | Lotus Domino R7 and R8 | Oracle E-Business Suite 11.5.10 |
| BlackBerry Enterprise Server 4.1.4 | Lotus QuickPlace 2.07 | OS/390 |
| Check Point FW-1 NG | Lotus Sametime | OS/400 |
| Cisco Access Point | Lucent PBX | PeopleSoft Enterprise 8.9 |
| Cisco Catalyst Switch | Mac OS X Server 10.5 | RACF |
| Cisco IDS | Microsoft Office 2007 | Raptor Firewall |
| Cisco PIX Firewall | Microsoft SQL Server 2000 | Red Hat Linux |
| Cisco Router | Microsoft SQL Server 2005 | SAP Basis |
| Cisco Secure ACS | Microsoft SQL Server 2008 | SharePoint 2007 |
| Cisco VPN Concentrator | Microsoft Windows 2000 Server | Opera Browser 10.51 |
| Citrix MetaFrame XP | Microsoft Windows 2003 Server | Oracle 10g |
| DB2 AS/400 | Microsoft Windows 2008 Server | Sun Java Web Server 6.x |
| DB2 LUW | Microsoft Windows 7 | Sun Java Web Server 7.x |
| Exchange 2000 | Microsoft Windows Embedded CE 6.0 | SUSE Linux 10 |
| Exchange 2003 | Microsoft Windows Mobile 6 | Sybase ASE 15.10 |
| Exchange 2007 | Microsoft Windows Vista | VMware ESX Server |
| Exchange 5.5 | Microsoft Windows XP | VMware Server |
| General Controls | Mozilla Firefox 3.5 | Windows 2000 Encrypting File System |
| Generic PBX | Netscape Enterprise Server | Windows 2000 Services for Unix |
Authoritative Sources
Authoritative sources include regulatory requirements, industry standards, common practices, contractual obligations and other mandates that apply to your organization. The authoritative sources included* in the RSA Archer eGRC Content Library provide a way to measure compliance with corporate and regulatory policies in quantitative or qualitative terms. Because every control standard is mapped back to the sources it was derived from, you can demonstrate that your policies and objectives comply with regulations and industry best practices at every level.
* Please note that some of the authoritative sources listed below may require external licensing.
| Authoritative Sources | |
|---|---|
| Aircraft Situation Display to Industry (ASDI) | HIPAA Privacy |
| Basel II | HIPAA Security |
| British Standard 25999 (2006) | HITECH Act, Subtitle D |
| Centers for Medicare and Medicaid Services (CMS-ARS) | HITRUST Common Security Framework |
| COBIT | Information Security Forum Standard of Good Practice |
| Comisión Nacional Bancaria y de Valores (CNBV) Chapter X | IIA International Standards for the Professional Practice of Internal Auditing |
| European Union Privacy Directives | ISO/IEC 27001:2005 |
| FACTA – Red Flags Rule | ISO/IEC 27002:2005 |
| FDA CFR Part 21 | Microsoft Security Development Lifecycle (SDL) |
| FFIEC Business Continuity Booklet (2008) | NERC Reliability Standards |
| FFIEC Development and Acquisition Booklet (2004) | NIST SP 800-53 (February 2005) and SP 800-26 (April 2005) |
| FFIEC Information Systems Standards | NIST SP 800-61 (March 2008) |
| FFIEC Supervision of Technology Service Providers Booklet (2003) | PCI Data Security Standard |
| Federal Information Security Management Act (FISMA) | PIPEDA |
| France Data Protection Act | Safe Harbor Privacy Principles |
| German Federal Data Protection Act | UK Data Protection Act 1998 (Chapter 29) |
| GLBA | US State Privacy Laws |
Assessments
The RSA Archer eGRC Content Library offers more than 10,000 questions grouped into pre-built assessments for evaluating risks in your environment and measuring compliance with authoritative sources, control standards and control procedures. Assessment questions are based either on industry-defined compliance questionnaires, such as Fraud (Red Flags), Standard Information Gathering (SIG) and PCI DSS, or on the RSA Archer control standards and procedures. These questions streamline the work of defining appropriate compliance content, and because they are mapped to the control standards, their answers tie straight back to your internal standards.
| Risk Management Pre-Built Assessments |
|---|
| Quarterly Risk Review |
| Fraud Assessment (FACTA Compliance) |
| Application Risk Assessment |
| Facility Risk Assessment |
| Information Asset Risk Assessment |
| Device Risk Assessment |

| Compliance Management Pre-Built Assessments |
|---|
| Control Self-Assessment |
| Design Test Results |
| Operating Test Results |
| Technical Control Manual Assessment |

| Vendor Management Pre-Built Assessments |
|---|
| Vendor Financial Assessment |
| Tier 1 Risk Assessment |
| Tier 2 Risk Assessment |

| Audit Management Pre-Built Assessments |
|---|
| Audit Universe Risk Assessment |
| Audit Customer Survey |
| Quality Assurance Review Checklist |

