RSA Exchange Release R7 Offerings Now Available


Today, we’re pleased to announce availability of RSA Exchange Release R7, which introduces 10 new and two updated offerings, as well as new and updated content. We’re thrilled that our RSA Exchange Technology Partners continue to develop and deliver innovation for RSA Archer customers via the RSA Exchange, and look forward to much more in future releases.


  • App-Packs – pre-built applications addressing adjacent or supporting Integrated Risk Management processes (e.g. niche, industry, geo-specific)
    • Aujas Duplicate Findings Prevention avoids duplicate open findings for periodic assessments, reducing stakeholder overhead in managing duplicate findings
    • RSA Archer Due Diligence Management provides consistent due diligence scoping process, checklist, and recommendations that address multiple due diligence business processes such as mergers and acquisitions
    • RSA Archer FFIEC-Aligned Cybersecurity Framework offers the ability to apply the best practice principles from FFIEC to prioritize and scope business objectives and priorities, create risk profiles, risk assess the environment, analyze the results to identify gaps, and implement an action plan
    • RSA Archer Speak Up, introduced in November 2018, has been updated to enable anonymous whistleblower submissions.


  • Tools & Utilities – pre-built functions enabling administrators to more easily manage their RSA Archer implementations




For additional documentation, downloads, and a listing of all RSA Exchange offerings, check out the RSA Exchange for RSA Archer on RSA Link. Stay tuned for more new RSA Exchange offerings next quarter!


The Californians Take the 10 to Mulholland to Privacy Drive


The California Consumer Privacy Act is the latest addition to the privacy regulatory world, and it is stirring the conversation about protecting personal data even more. I’ve been a huge fan of Saturday Night Live since the first time I saw it on TV. One of its iconic recurring skits was “The Californians”, whose primary theme was explaining how to get from one place to another by using different California roads and highways. As of last week, real Californians have a new topic to discuss that’s a lot more serious: Information Privacy! And the route by which organizations may need to proceed could have as many twists and turns as those classic SNL Californian skits.


What is the California Consumer Privacy Act?

On June 28, “The California Consumer Privacy Act of 2018” was signed into law, extending Californians’ right to privacy. This law strengthens rights that California residents already have. In 1972, California voters amended the California Constitution to include the right of privacy among the “inalienable” rights of all people. According to the California Consumer Privacy Act, “fundamental to this right of privacy is the ability of individuals to control the use, including the sale, of their personal information.”


Beginning January 1, 2020, the law provides for:

  • The right of Californians to know what personal information is being collected about them.
  • The right of Californians to know whether their personal information is sold or disclosed and to whom.
  • The right of Californians to say no to the sale of personal information.
  • The right of Californians to access their personal information.
  • The right of Californians to equal service and price, even if they exercise their privacy rights.
  • Businesses that collect consumer personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used and shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice.
  • A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer and the business shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.
  • Businesses that suffer a breach of security shall be deemed to have violated the Act and may be held liable if the business has failed to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect the personal information from unauthorized disclosure.

What does the new California Privacy Law mean to businesses?

The first step, as with all new regulatory changes, is to engage with legal counsel to see how the law may affect your business.  According to the law, businesses that do not comply are subject to litigation and sanctions.  Any consumer whose nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of the business failing to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

  • To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident, or actual damages, whichever is greater.
  • Injunctive or declaratory relief.
  • Any other relief the court deems proper.

In assessing damages, the court shall consider any one or more of the relevant circumstances, including, but not limited to, the nature and seriousness of the misconduct; the number of violations; the persistence of the misconduct; the length of time over which the misconduct occurred; the willfulness of the defendant’s misconduct; and the defendant’s assets, liabilities, and net worth.


In addition, any person, business, or service provider that intentionally violates the Act may be liable for a civil penalty of up to seven thousand five hundred dollars ($7,500) for each violation.


While the amounts involved may appear relatively immaterial, they will certainly be impactful in aggregate as the size of a breach grows.  Further, the ill will and reputation risk associated with breaches will be magnified due to press coverage around violating this Act.


Consumer Privacy

The concept that consumers own their information and have the right to control it is the front-and-center tenet of the California Consumer Privacy Act. Businesses subject to this regulation have much work to do to ready themselves to accommodate consumer rights to receive notice; to inquire about the information; to refuse sharing; and to delete information. At the same time, businesses handling consumer information must establish a program designed to ensure that reasonable security procedures and practices are implemented and maintained, appropriate to the nature of the information, to protect it from unauthorized disclosure. As with most privacy-related regulations, the California Consumer Privacy Act will prompt businesses to adopt an ongoing, risk-based information security program across their extended enterprise.


No, this Act isn’t funny like SNL’s “The Californians” but it is already being touted as groundbreaking, and the most sweeping privacy legislation passed in the U.S. to date.


Check out RSA Archer’s use cases that are designed to help organizations with privacy challenges:  Data Governance and Privacy Program Management in the RSA Archer Regulatory and Corporate Compliance solution


Labor Shortages and the emerging Information Security Megatrend


The Labor Shortage

If you haven’t noticed yet, the U.S. economy is booming! The U.S. unemployment rate reported for May stood at 3.8%. Not too many years ago, 5% unemployment was considered by most economists to be full employment. For information security teams, this translates into a huge labor shortage. The Wall Street Journal recently reported that the “…demand for cybersecurity workers is outpacing supply by so much that by 2022, North America will have 265,000 more data-security jobs than skilled workers.” And it’s not just in North America. Australian press has reported there is a serious talent war over the shallow pool of risk managers in Australia, while in the EU and U.K. the rise of the data protection officer is the hottest tech ticket in town as a result of the EU General Data Protection Regulation.


Going up: Data Breaches and Vulnerabilities

All of this demand for information security professionals coincides with a massive information security workload.


(1) The Breach Level Index indicates that breaches are continuing to grow nearly 100% per year:



(2) According to the NIST National Vulnerability Database statistics, vulnerabilities continue to increase dramatically in number and severity.


Accelerated Change

Executive leadership is rabid to go digital fast, and information security teams have to figure out how to keep up in order to protect the organization. According to the KPMG 2018 Global CEO Outlook Survey:

  • Only 37% of companies, across all industries, have on average converted to digital. That means there’s still 63% to go.
  • 91% of U.S. CEOs are personally ready to lead a radical operating model transformation
  • 59% believe agility is the new currency of business


Information Security Governance Changing

The information tech talent shortage coupled with increasing breaches, increasing vulnerabilities and accelerated change have largely undermined the confidence CEOs have in their organization’s information security programs.



These forces have led to greater scrutiny of information security by Executives and Boards of Directors, who are now mostly requiring that IT Security budgets be approved by them directly, while CTOs, CIOs, and CISOs appear to no longer have much autonomy over their budgets.


Not only is budget approval of information security programs being escalated higher in the organization but leaders and boards want to know that the money they are allocating is having a positive impact. A recent Deloitte poll of more than 1,130 C-suite and other executives indicated that 62.7% believe Board of Directors will expect better reporting on the effectiveness of their cyber security program.


Where are all of the Security Professionals?

All of these factors are congealing into what I would call a megatrend for information security professionals. The technical and human resource challenges of information security must be countered with smarter and more efficient risk management. Risk management teams must adopt business context-based information security risk management to prioritize initiatives and communicate with the C-Suite and Board (RSA calls this Business Driven Security); and they must implement tools across all aspects of information security risk management and governance that efficiently recapture precious time from each team member so that it can be reallocated to more important problems. It is only in this way that information security leaders stand a chance to survive this megatrend.



Securing your Information Assets with RSA Archer Information Security Management System (ISMS)


With data breaches increasing at a record pace, an Information Security Management System (ISMS) has transformed from an IT buzzword into a necessity for most organizations. According to a report recently released by the Identity Theft Resource Center, there were nearly 1,600 data breaches reported in the United States in 2017. This represents an increase of 44% from figures reported in 2016. More alarming is the average cost of a breach, estimated to be roughly $3.6 million per incident, according to a report conducted by Ponemon Institute. These numbers are only expected to increase in 2018, necessitating a proactive approach to cybersecurity.


To address the increasing occurrence of data breaches, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published an updated version of ISO 27001 in 2013. Part of the ISO 27000 family of standards, ISO 27001 outlines the policies, processes, and procedures required to implement an ISMS. Regardless of organizational size or type, an ISMS can be applied to secure information assets and manage information in all its forms. Organizations that meet these standards may pursue ISO 27001 certification following a successful audit. Not only is certification useful for protecting valuable data and information assets, but ISO 27001 covers many of the requirements necessary to adhere to the new General Data Protection Regulation (GDPR) that will be in effect May 25, 2018.


ISMS Dashboard


To account for updates to ISO 27001, we have released an enhancement to our Information Security Management System offering in version 6.4, released last week. Features new to the release include:

  • Automatic risk scoping that allows for the simultaneous generation of ISMS risk and control records.
  • ISMS Risks application that generates a snapshot of each risk facing ISMS assets at a point in time.
  • ISMS Controls application that catalogs all control procedures applied to risks.
  • ISMS Audit application that provides a taxonomy for reviewing risks and controls, generating findings, and applying exception requests.
  • ISO 27001 questionnaire that identifies key gaps in the organization’s risk posture.
  • Ability to apply ISO 27002 control procedures to mitigate inherent risks.
  • Personas and record permissions necessary for managing an ISMS and enforcing role-based access control.
  • Generation of a Statement of Applicability that can be provided to external auditors for ISO 27001 certification.

ISMS General Information Section


There are three components crucial to managing an ISMS:

  • Determining key organizational assets
  • Identifying potential risks
  • Applying mitigating controls


As an organizational ISMS continues to evolve, these components must be regularly evaluated and refined to ensure risks facing crucial assets are properly mitigated. The RSA Archer ISMS use case sits at the convergence of these components, allowing users to seamlessly scope assets and stakeholders, manage inherent risk, and apply mitigating controls from a library of ISO 27002 content.


With RSA Archer ISMS users can:

  • Protect the confidentiality, availability, and integrity of data
  • Reduce costs associated with information security
  • Provide a centrally managed framework for information security
  • Ensure that information in all forms is secured


Interested in learning more? Join us for our Free Friday Tech Huddle this Friday, April 27 to hear more about the offering and see a live demo. The Free Friday Tech Huddles are available to existing RSA Archer customers. If you are not yet a customer but interested in learning more, please contact your local representative or authorized reseller—or visit us at



Organizations Count on Dell EMC Unity to Address Data Center Security Requirements


One of the top concerns for IT operations today is ensuring the proper security measures are in place for storage systems.  At Dell EMC, we take these requirements seriously, and have invested in industry certifications, dedicated security engineering resources and labs to address security compliance across a variety of government and private sector entities.  We know your business depends on protecting your data, and it’s important for our customers to know that their investments in Dell EMC storage systems can help them address their own security requirements. Research firm Enterprise Strategy Group (ESG) validates the importance of cybersecurity, as shown in the following technology spending report:

Source: ESG Research Report, 2018 IT Spending Intentions Survey, Dec 2018

We are proud to announce our security achievements to date for the Dell EMC Unity midrange storage platform, including the completion of the Authorized Products List (APL) listing from DISA (Defense Information Systems Agency). Dell EMC Unity is one of just a handful of midrange storage systems that has been engineered to meet 10 major security compliance requirements, thereby helping to secure sensitive data.

Now Available on the DISA Authorized Product List

Many of these security compliance objectives are driven by the United States Federal Government and these strict security requirements apply to a variety of public sector environments.

Other industries, including but not limited to banking and retail, directly benefit from these security capabilities designed to meet the stringent Payment Card Industry (PCI) requirements for securing financial transactions. These security features can offer added peace of mind when deploying the full Dell EMC Unity portfolio. In addition, all of our security features are provided at no charge and with no additional costs or licenses. The following is a list of Dell EMC Unity security capabilities available in the product family today, some of which have achieved specific industry or government security compliance certification for data storage systems.

Dell EMC Unity Security Compliance Features

  • United States of America DoD Approved Products List (APL) Certification – This is a major certification milestone for the Dell EMC Unity storage platform that demonstrates the portfolio’s compliance with the DoD interoperability and cybersecurity requirements.
  • STIG Compliance CAT 1, CAT 2 – The Security Technical Implementation Guide (STIG) standardizes security protocols within networks, servers, computers and logical designs to enhance overall security.
  • Controller-based Data at-Rest Encryption (D@RE) – D@RE protects against unauthorized access to user data on lost or stolen drives or systems. This is a required capability for meeting multiple industry and government security compliance objectives.
  • FIPS 140-2 Level 1 Certification – Specifies security requirements for the D@RE cryptographic module.
  • KMIP – OASIS Key Management Interoperability Protocol (KMIP) – Dell EMC Unity supports KMIP Specification v1.3 and v1.4 compliant external key managers designed to facilitate data encryption by simplifying encryption key management.
  • HIPAA – The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. Dell EMC Unity includes the necessary security features that can help organizations meet HIPAA privacy requirements for data storage systems.
  • Common Criteria Certification – Developed for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments.
  • Native SHA-2 certificate support – This 256-bit cryptographic hashing standard is used to ensure that data has not been modified.
  • TLS 1.2 support and TLS 1.0 disablement – Cipher suites that provide enhanced security, plus the ability to disable the prior generation of the protocol.
  • USGv6 Device IPv6/IPv4 dual stack certification – Dual stack technology allows ISPs to process IPv4 and IPv6 data traffic simultaneously.

Customer Spotlight – Defense Health Agency

Meeting the needs of government and federal customers that require compliance to regulations is very important to Dell EMC.  One of our federal customers includes the Defense Health Agency (DHA) which provides the Department of Defense and Department of Veterans Affairs health care providers global visibility and access to artifacts and images generated during the health care delivery process.

When a vendor changes or upgrades their hardware or software, DHA undergoes intense security vulnerability hardening, systems testing, scanning, and remediation to determine its IA (Information Assurance) compliance with the Department of Defense (DoD) Risk Management Framework (RMF) security controls and security requirements. Currently, DHA is pursuing STIG (Security Technical Implementation Guide) compliance for the new Dell EMC hardware it purchased as part of an overall refresh of its enterprise-wide storage footprint.

“With some vendors, the deployment, installation, and hardening of a SAN can be a complex project,” said Brian Reese, DHA Project Lead, SPAWAR Systems Center Atlantic. “We value our partnership with Dell EMC as we deploy the Dell EMC hardware together. Dell EMC has been critical in supporting the IA compliancy efforts required to get the systems and hardware ready. With the Common Criteria Certification, user-enabled STIG mode now available on the Dell EMC Unity series and many other product improvements that are ideal for federal customers, the deployment process is much shorter and easier.”

Quite simply, Dell EMC has done the hard work for our customers to help them better protect their most critical data assets that reside on Dell EMC Unity storage systems. This work helps facilitate compliance with strict IA requirements while ensuring data and the applications that depend on that data can operate seamlessly with world-class security in place.


For additional security details in Dell EMC Unity, please visit the following links:

