THE RSA ARCHER

®SUITE

The Proven Path to Take

Command of Risk

2@RSAsecurity

@RSA_Archer

THE RISK CHALLENGE

EXECUTIVE PRIORITIES

4

Technology

initiatives are

second priority

Growth

is the highest

priority

From Gartner’s report “The 2017 CEO Survey: ‘CIOs Must Scale Up Digital Business’, March 2017 (Graphic created by

RSA based on Figure 1. CEOs’ Top Business Priorities for 2017 and 2018.)

31%58%

Risk

Complexity increasing

Velocity of risk

increasing

Magnitude of risk

increasing

6

MANAGING RISK IS A

BUSINESSAND A

TECHNOLOGYCHALLENGE

Technology risk

The Technology

perspective…

The Business

perspective…

Business risk

• What is the important data?

• Where is the important data?

• What are the most critical applications?

• How important is this part of the infrastructure?

• What does this security event impact?

• Where are we vulnerable?

• Who are the 3rd parties the business rely on?

• What happens if IT services are disrupted?

• What part of the business strategy is

the most critical?

• Where are our biggest risk areas?

• What is our risk appetite and tolerance?

• What are our regulatory obligations?

• What are the most valuable pieces

of our business?

• How bad could it be?

• Are we effectively managing our risks to

achieve our objectives?

7

THE WEDGES IN THE GAP…

Lack of ownership

Outdated reporting

Manual processes

Inconsistent controls

Information silos

Limited risk visibility

8

…LEAD TO RISK IN THE BUSINESS

Unresolved issues

Inaccurate insights &

misinformation

High costs & inefficiency

Holes & gaps

Disconnected data & lack of

context

Poor business decisions& missed

opportunities

9

WHAT’S NEEDED TO CLOSE THE GAP?

INSPIREEVERYONE

TO OWNRISK

11

Cross business lines &

organizational boundaries for

Collaboration

A STRATEGY TO MANAGE BUSINESS RISK

12

Define & enforce risk

ownership through

Accountability

Automate processes for

Efficiencies

Consolidate data and

enable risk Analytics

& Visibility

INTRODUCING THE RSA ARCHER ® SUITE

13

Breadth

Depth

Adaptability

Ecosystem

Track record

Strategic value

BREADTH TO ADDRESS ALL DIMENSIONS OF RISK

15

DEPTH TO IMPLEMENT BEST PRACTICES

16Use Case list as of August 2017 (subject to change)

• IT and Security Policy Program Management

• IT Controls Assurance

• IT Risk Management

• Security Incident Management

• Security Operations & Breach Management

• IT Security Vulnerabilities Program

• IT Regulatory Management

• PCI Management

• Information Security Management System (ISMS)

• Risk Catalog

• Bottom-up Risk Assessment

• Key Indicator Management

• Loss Event Management

• Top-down Risk Assessment

• Operational Risk Management

• Third party Catalog

• Third party Risk Assessment

• Third party Engagement

• Third party Governance

• Issues Management

• Audit Engagement & Work Papers

• Audit Planning & Quality

• Plan of Action & Milestones (POA&MS)

• Assessment & Authorization (A&A)

• Continuous Monitoring

• Business Impact Analysis

• Incident Management

• Business Continuity and IT Disaster

Recovery Planning

• Crisis Management

• Corporate Obligations Management

• Policy Program Management

• Controls Assurance Program Management

• Controls Monitoring Program Management

ADAPTABILITY TO EVOLVE

17

Maturity-driven approach

Flexible &

configurable platform

Multiple integration capabilities

ECOSYSTEM TO SUCCEED

20

Vibrant practitioner community &

RSA Link

Certified RSA Archer experts & a

broad partner network

RSA University

TRACK RECORD IN ANALYST REPORTS

22

A Leader in Gartner Magic Quadrant reports for:• Operational Risk Management Solutions in 2014,

2015 and 2016

• IT Risk Management Solutions in 2015, 2016 and 2017

• IT Vendor Risk Management in 2014, 2016 and 2017• Business Continuity Management Program Software,

Worldwide in 2012, 2014, 2016 and 2017• Enterprise Governance, Risk and Compliance

Platforms in 2012 and 2013

A Leader in Forrester GRC Wave in 2012, 2014

and 2016

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology user to select only those vendors with the highest ratings or other designation. Gartner

research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research,

including any warranties of merchantability or fitness for a particular purpose.

Most recent reports:• Gartner Magic Quadrant for Operational

Risk Management Solutions (13 December

2016)

• Gartner Magic Quadrant for IT Risk

Management Solutions (29 June 2017)

• Gartner Magic Quadrant for Business

Continuity Management Program Software,

Worldwide (12 July 2017)

• Gartner Magic Quadrant for IT Vendor Risk

Management (29 June 2017)

• The Forrester Wave™: Governance, Risk,

And Compliance Platforms, Q1 2016 (22

January 2016)

STRATEGIC VALUE FOR OUR CUSTOMERS

28

‘With one tool and one central location, now we can maximize efficiencies.’

– Melissa Taylor, Berkshire Bank

‘As other people in our department learn about the Archer tool and its ease of use and flexibility,

they are asking us to undertake other use cases. It’s been extremely successful.’

– Nancy Rainosek, Texas Dept of Information Resources

‘Without RSA Archer, it would have required more expenditure to reach the [ISO 22301

–Business Continuity] certification level.’

– Thorsten Scheilbel, DZ Bank

‘…the strategy that we now have around GRC [after implementing Archer] really does make a

difference in terms of Shell getting into new organizations, new adventures and new joint

ventures.’

–Keith Herndon, Shell

Quotes taken from RSA Leader’s Program.

See https://w ww.rsa.com/en-us/customers for full videos and testimonials

STRATEGIC VALUE FOR OUR CUSTOMERS

29

‘The users rated Archer higher than every other solution.’

– Jan Jans, Rabobank

‘RSA Archer has helped us evolve from an organization where we're constantly trying to chase

data and information and the resulting frustration and inefficiency that stems from that. Now we

have a source of record where employees can access data and more quickly consume it and

make decisions based on it.’

– Reid Stephan, St. Luke’s Health System

‘…it doesn't matter whether it's incident response, cyber operations, or operational risk

management: all the information and business processes flow through Archer.’

– Roland Cloutier, ADP

‘With Archer… the risk analysis [is] being performed in a much faster and more efficient way

than we could previously have done.’

– Kreshnik Halili, Raiffesisen Bank

Quotes taken from RSA Leader’s Program.

See https://w ww.rsa.com/en-us/customers for full videos and testimonials

THE PROVEN PATHTO TAKE COMMAND OF RISK

TAKE COMMAND OF YOUR JOURNEY

31

SiloedStreamline compliance, Build business context & reporting

MeetCompliance requirements

Transition

Risk

ManagedExpand risk focus, Improve

analysis & metrics

Addressknown & unknown Risks

RiskBusiness

AdvantagedConnect risk and the business with cross functional processes

Enablenew business Opportunities

Transform

The Maturity Journey

Ma

turi

ty

Time

IDC REPORT ON RSA ARCHER ROI

34

These graphics were published by International Data Corporation (IDC) in February 2017. as part of a larger research document

and should be evaluated in the context of the entire document. The IDC document is available upon request from RSA.

ROI of 496% was uncovered

after IDC conducted independent, in-

depth interviews with organizations that

have implemented RSA Archer and

found the ROI resulted by:

Reduction of organizational risk

More efficient and effective GRC

operations

Operational efficiencies

Reduction of staff time

THE RSA ARCHER®

SUITE GIVES YOU…

36

DEPTH

A single, unified solution to manage business risk

BREADTH

Integrated best practices to streamline implementation

ADAPTABILITY

Implement and adjust your risk processes to meet business needs

ECOSYSTEM

Resources to get on the right path–the first time

TRACK RECORD

Confidence in your business risk management direction

STRATEGIC VALUE

Demonstrable customer successes

RSA Archer customers

1,300+ GRC deployments

9 of the Fortune 10

38 of the Fortune 50

69 of the Fortune 100

10 out of 10 biggest U.S. banks*

Global operations

RSA Archer analyst

recognitionA Leader in:

• Gartner Magic Quadrant for Operational Risk

Management Solutions (13 December 2016)

• Gartner Magic Quadrant for IT Risk

Management Solutions (29 June 2017)

• Gartner Magic Quadrant for Business

Continuity Management Planning Software,

Worldwide (12 July 2017)

• Gartner Magic Quadrant for IT Vendor Risk

Management (29 June 2017)

• The Forrester Wave™: Governance, Risk,

And Compliance Platforms, Q1 2016 (22

January 2016)

~$1B revenue

2,700+ employees

1,000+ technology partners

30+ years of cybersecurity expertise

15+ years of risk expertise

* bankrate.com

37

AT A GLANCE

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology user to select only those vendors with the highest ratings or other designation.

Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as state ments of fact. Gartner disclaims all warranties, expressed or implied, with

respect to this research, including any warranties of merchantability or fitness for a particular purpose.

@RSAsecurity

@RSA_Archer

RSA PORTFOLIO

Training

Customer Support

Customer Satisfaction

Design & Implementation

Health Checks

Residency

METHODOLOGY

BUSINESS

OBJECTIVES

GAP

ANALYSIS

RISK

ANALYSIS

RESOURCE

ANALYSIS

PLANNING OPERATIONSEXECUTION

PROGRAM

STRATEGY

TRAINING &

ENABLMENT

DESIGN & IMPLEMENTATION CONTINUED

LEARNING

CONTINUED

GROWTH

ENABLING YOUR PROGRAM

Planning“Yes, I have a

plan”

Execution“Yes, I know what to do”

Optimization“Yes, I can do what needs to be done”

Knowledge Base“Yes, I do

understand”

Advanced Knowledge “Yes, I can do more with what I have”

Customer Maturity Curve

Strategy & Design Implement Operate

Business Objectives

GAP Analysis

Risk Analysis

Resource Analysis

Planning

Risk & Archer Strategy Archer Training

Planning“Yes, I have a plan”

Execution“Yes, I know what to do”

Optimization“Yes, I can do what needs to be done”

Archer Strategy & Roadmap (Blueprint)

Risk Mgmt Program Strategy

Archer Solutions

Overview & Solution Specifics

Archer Expert On Demand / Residency

Archer Use Case

Quick Launch

Archer full Implementation

Archer Application Design Best

Practices

Archer Solution Use Case Deep

Dive

Archer 6 Reporting & Navigation

ENABLING YOUR PROGRAM TEAMS

Archer Design & Implementation Continued Learning Continued Archer Growth

Archer Use Case

Minor Configuration

Customer Success

Manager

Archer Adv. Implementation

& Integration

Archer Optimization Assessment

Archer Upgrade Strategy

Knowledge Base“Yes, I do

understand”

Advanced Knowledge “Yes, I can do more with what I have”

Archer Platform

Fundamentals

Customer Support

RSA Risk & Cybersecurity Practice

RSA University

Professional Services

42

Archer Strategy Planning Archer Training

Planning“Yes, I have a plan”

Execution“Yes, I know what to do”

Optimization“Yes, I can do what needs to be done”

Archer Platform Installation

HW Sizing & Performance Guidelines

Archer GRC 6 Administration I

Archer Expert On Demand

Archer Use Case

Quick Launch Archer Full Implementation

Archer GRC 6 Adv. Workflow &

Navigation

Archer GRC 6 Administration II

Archer 6 Application Design Best

Practices

ENABLING YOUR TECHNICAL RESOURCES

Archer Design & Implementation Continued Learning Continued Archer Growth

Archer Use Case

Minor Configuration

Technical Account Manager

Archer Adv. Implementation

& Integration

Archer HW Sizing & Performance Health Check

Archer Upgrade

Knowledge Base“Yes, I do

understand”

Advanced Knowledge “Yes, I can do more with what I have”

Archer Designated

Support Engineer

Archer Infrastructure &

Maintenance Best Practices

Customer Support

RSA University

Professional Services

43RSA Risk &

Cybersecurity Practice