Sample Archer Design Documentation
ABC Company
Introduction .................................................................................................................................................. 3
Scope of Applications & Questionnaires for Initial Rollout...................................................................... 4
Solution Architecture Diagram ................................................................................................................ 5
Design: Application & Questionnaire Overview ....................................................................................... 6
Company ................................................................................................................................................. 6
Division.................................................................................................................................................... 7
Department ............................................................................................................................................. 8
Business Unit ........................................................................................................................................ 10
Findings................................................................................................................................................. 13
Corrective Action Plans (Remediation Plans) ....................................................................................... 15
Control Procedures ............................................................................................................................... 17
Risk Register ......................................................................................................................................... 18
Quarterly Risk Register Review ............................................................................................................ 22
Risk Hierarchy ....................................................................................................................................... 23
Enterprise Risk Assessment ................................................................................................................. 25
Third Party Profile ................................................................................................................................. 27
Third Party Profile Risk Assessments ................................................................................................... 30
Appendix A: Additional Supporting Design Documentation ................................................................ 32
Appendix B: RSA Contact Details ........................................................................................................... 34
Dell Customer Communication - Confidential
Introduction
Document History:
Document Version | Date | RSA Personnel
Version 1.0 | 12.20.2019 | Brenna McLeod
Overview:
ABC Company engaged RSA Archer Professional Services for guidance on initial RSA Archer
implementation. With the common goal of remaining as close to out-of-box (OOB) Archer as possible,
ABC Co and RSA determined the appropriate scope and necessary changes for this initial rollout. This
document records the agreed-upon scope, as well as major changes away from OOB configuration. It
provides future RSA Archer Administrators the tools needed to maintain the environment and make any
additional updates required.
This document is not intended to be a complete end-to-end design of the solutions used within ABC
Co’s Archer instance. Rather, this is to help establish key baseline agreements and decisions made.
Company
Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• Admin Section for administrator reference
• Inherited Hierarchy Access field
• NAIC Group Number
• NAIC Company Number
Record Permissions:
RP Field Name | RP Type | Access | Summary
Chief Executive Officer | Manual | RU | Maximum of 1 selection; all users are available for selection
Chief Financial Officer | Manual | RU | Maximum of 1 selection; all users are available for selection
Private Fields:
• Default Record Permissions – Only EM: Data Administrator may read and edit.
• Inherited Hierarchy Access – Only EM: Data Administrator may read.
• Record Status – Only System Administrators may read.
Division
Application Overview: This is the second level of the Business Hierarchy, under the Company and
above the Department. The Division application stores general, financial and compliance information
for a department. This application was formerly the OOB Company application.
Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• Admin Section for administrator reference
• Changed Company to Division
• Inherited Hierarchy Access field
• Inactivated fields that only applied to the Company
Record Permissions:
RP Field Name | RP Type | Access | Summary
Inherited CEO Permissions | Inherited | RU | Company: Chief Executive Officer
Inherited CFO Permissions | Inherited | RU | Company: Chief Financial Officer
Private Fields:
• Company Net Income – Only System Administrators may read and edit.
• Company Total Assets – Only System Administrators may read and edit.
• Count of Controls – Only System Administrators may read.
• Count of Non-Compliant Controls – Only System Administrators may read.
• Default Record Permissions – Only EM: Data Administrator may read and edit.
• Inherited CEO Permissions – Only System Administrators may read.
• Inherited CFO Permissions – Only System Administrators may read.
• Inherited Hierarchy Access – Only EM: Data Administrator may read.
• Record Status – Only System Administrators may read.
Department
Application Overview: This is the third level of the Business Hierarchy, under the Division and above
the Business Unit. The Department application presents an aggregation of the related Business Unit risk
and compliance information. This application was formerly the OOB Division application.
Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• Admin Section for administrator reference
• Changed Division to Department
• Department Access field
• Inherited Hierarchy Access field
Record Permissions:
Note: The fields listed here (and the fields listed in Inherited Record Permissions) are only for the
applications/questionnaires related to this deployment. For a full understanding of record permission
relationships, see the ABC Co Record Permissions Map Visio file.
RP Field Name | RP Type | Access | Summary
Inherited Record Permissions | Inherited | Varied | Business Unit: Business Unit Access
Private Fields:
• Company Net Income – Only System Administrators may read and edit.
• Company Total Assets – Only System Administrators may read and edit.
• Count of Controls – Only System Administrators may read.
• Count of Non-Compliant Controls – Only System Administrators may read.
• Default Record Permissions – Only EM: Data Administrator may read and edit.
• Inherited CEO Permissions – Only System Administrators may read.
• Inherited CFO Permissions – Only System Administrators may read.
• Inherited Record Permissions – Only EM: Data Administrator may read.
• Record Status – Only System Administrators may read.
Business Unit
Application Overview: The Audit Finding application will capture all issues uncovered during the
audit process. Auditors may add an Audit Finding directly from a Workpaper record as it is identified. In
addition to details surrounding the Finding itself, the Audit Finding application also provides a link to the
Action Plans application. Audit Findings are automatically risk rated via a materiality and likelihood/
probability selection. Originally, this application was the (core) Expense Reports application.
Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• Admin Section for administrator reference
Record Permissions:
Note: The fields listed here (and the fields listed in Inherited Record Permissions) are only for the
applications/questionnaires related to this deployment. For a full understanding of record permission
relationships, see the ABC Co Record Permissions Map Visio file.
RP Field Name | RP Type | Access | Summary
Compliance Manager | Manual | Varied | CM: Compliance 2nd Line of Defense: RU; maximum of 1 selection. This field is off layout and unused.
Controller | Manual | RU | Maximum of 1 selection; all users available for selection
Inherited CEO Permissions | Inherited | RU | Department: Inherited CEO Permissions
Inherited CFO Permissions | Inherited | RU | Department: Inherited CFO Permissions
Inherited Hierarchy Access | Inherited | Varied | Department: Department Access
Private Fields:
• Business Unit Access – Only System Administrators may read and edit.
• Count of Controls – Only System Administrators may read.
• Count of Non-Compliant Controls
• Default Record Permissions for Procurement
• Default Record Permissions
Findings
Application Overview: The Findings application supports multiple solutions. It is used to document
issues, deficiencies or gaps found through assessments and control testing. Findings are auto
generated from questionnaires and include links back to the questionnaire, target and any applicable
control standards and authoritative sources. Findings may be resolved via remediation tasks or
exception requests.
Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• New fields to support ABC Co specific findings details
• Update and new fields to support 2nd LOD and 3rd/4th LOD review workflow
Record Permissions:
Note: The fields listed here (and the fields listed in Inherited Record Permissions) are only for the
applications/questionnaires related to this deployment.
RP Field Name | RP Type | Access | Summary
Created By | Manual | Varied | Record Creator; RU when Finding Workflow Stage = New; R for all other statuses
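As an added illustration (not code from this design or from the Archer platform), the following Python model encodes the record-permission inheritance documented for Company, Division, Department and Business Unit together with the Findings "Created By" rule above; Record, users_in, effective_access, build_hierarchy and the user names are invented, and the link from Department's Inherited CEO/CFO fields back to Division is an assumption, since the page lists those fields only as private fields.

```python
from dataclasses import dataclass, field

LEVEL = {"R": 1, "RU": 2}  # access as the design abbreviates it: R = read, RU = read and update


@dataclass
class Record:
    app: str
    manual: dict = field(default_factory=dict)     # RP field -> set of users selected on the record
    inherited: dict = field(default_factory=dict)  # RP field -> (parent record, parent RP field)
    access: dict = field(default_factory=dict)     # RP field -> access that field grants


def users_in(record, rp_field):
    """Users an RP field grants, following inherited fields up to the manual selection."""
    if rp_field in record.manual:
        return set(record.manual[rp_field])
    parent, parent_field = record.inherited[rp_field]
    return users_in(parent, parent_field)


def effective_access(record, user):
    """Highest access a user holds on a record through its RP fields (None = no access)."""
    best = None
    for rp_field, granted in record.access.items():
        if user in users_in(record, rp_field):
            if best is None or LEVEL[granted] > LEVEL[best]:
                best = granted
    return best


def build_hierarchy(ceo="ceo.user", cfo="cfo.user", controller="ctl.user"):
    """Constructed sample records following the Company -> Division -> Department -> Business Unit design."""
    company = Record("Company",
                     manual={"Chief Executive Officer": {ceo}, "Chief Financial Officer": {cfo}},
                     access={"Chief Executive Officer": "RU", "Chief Financial Officer": "RU"})
    division = Record("Division",
                      inherited={"Inherited CEO Permissions": (company, "Chief Executive Officer"),
                                 "Inherited CFO Permissions": (company, "Chief Financial Officer")},
                      access={"Inherited CEO Permissions": "RU", "Inherited CFO Permissions": "RU"})
    # Assumption: Department's Inherited CEO/CFO fields (listed only as private fields) draw from Division.
    department = Record("Department",
                        inherited={"Inherited CEO Permissions": (division, "Inherited CEO Permissions"),
                                   "Inherited CFO Permissions": (division, "Inherited CFO Permissions")},
                        access={"Inherited CEO Permissions": "RU", "Inherited CFO Permissions": "RU"})
    business_unit = Record("Business Unit",
                           manual={"Controller": {controller}},
                           inherited={"Inherited CEO Permissions": (department, "Inherited CEO Permissions"),
                                      "Inherited CFO Permissions": (department, "Inherited CFO Permissions")},
                           access={"Controller": "RU", "Inherited CEO Permissions": "RU",
                                   "Inherited CFO Permissions": "RU"})
    return company, division, department, business_unit


def created_by_access(workflow_stage):
    """Findings 'Created By' rule from the design: RU while the stage is New, R in every other stage."""
    return "RU" if workflow_stage == "New" else "R"


if __name__ == "__main__":
    company, division, department, bu = build_hierarchy()
    for rec in (company, division, department, bu):
        print(rec.app, effective_access(rec, "ceo.user"), effective_access(rec, "ctl.user"))
```

Re-running effective_access after changing the Company selection shows that one manual field at the top changes effective access on every level below it, which is the check to make before editing those fields.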
Private Fields:
Findings Workflow (embedded document): Findings_Workflow_Final.vsdx
Corrective Action Plans (Remediation Plans)
Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• New fields to support ABC Co specific findings details
• Update and new fields to support 2nd LOD and 3rd/4th LOD review workflow
Record Permissions:
RP Field Name | RP Type | Access | Summary
Created By | Manual | Varied | Record Creator; RU when Status = New; R for all other statuses
Private Fields:
CAP Workflow (embedded document): CAP Workflow.vsdx
Control Procedures
Application Overview: The Control Procedures application supports the RSA Archer Policy and
Compliance Management solutions. It serves as a central repository for procedures, baselines and
activities that are mapped to corporate control standards, establishing the foundation for enterprise-wide
risk monitoring and compliance measurement. Control Procedures are categorized into two types:
Technical and Process. Based on the selected type, different pieces of information are captured and
different testing options are made available.
Application Modifications:
• New fields to support ABC Co specific findings details
Record Permissions:
RP Field Name | RP Type | Access | Summary
Control Performer/Operator | Manual | RU | All Users
Risk Register
Application Overview: The Risk Register application serves as the corporate controlled library of
risks used by the entire organization. It allows you to capture the base data for a given risk statement
and link risks to processes, objectives, key risk indicators, financial losses and mitigating control
procedures.
Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• New fields to support ABC Co specific findings details
• Update and new fields to support 2nd LOD and 3rd/4th LOD review workflow
Record Permissions:
RP Field Name | RP Type | Access | Summary
Inherited Loss Event Risk Manager Specialist | Inherited | RU | Loss Event: Risk Manager Specialist (On Loss Events Manual RPF - RM: Risk 2nd Line of Defense – RU)
Inherited Metric Owner | Inherited | RU | Metrics: Metric Owner (On Metrics Manual RPF - All Users – RU)
Inherited Loss Event Business Unit Manager | Inherited | RU | Loss Event: Business Unit Manager (Inherited Business Unit Manager from BU // On BU Manual RPF - EM: Manager – RU)
Private Fields:
Quarterly Risk Register Review
Questionnaire Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• New fields to support ABC Co specific findings details
Record Permissions:
RP Field Name | RP Type | Access | Summary
Risk, Control, Compliance Champion | Inherited | RU | RU (DDEs are keeping all fields but the Submitter and Reviewer fields read only at all times)
Private Fields:
Risk Hierarchy
Application Overview: This Risk Hierarchy application coupled with the Risk Register application
creates a 3 level risk roll-up solution. This application enables an organization to roll-up their risks from
the risk register to an intermediate summary level, and then to an enterprise summary level. This
application stores a company's risk hierarchy in the form of two levels - Enterprise Summary Level and
Intermediate Summary Level. Enterprise Risks (the top level) are risks that are described very broadly at
the highest level of an organization; they represent an accumulation of all of the intermediate summary
risks. Intermediate summary risks are summary level risks that lie between the Risk Register and
Enterprise Risk. Intermediate summary risks are then associated with Risk Register records to track
risks via Metrics, Control Compliance, and Risk Assessments.
Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• New fields to support ABC Co specific findings details
Record Permissions:
RP Field Name | RP Type | Access | Summary
Enterprise Risk Assessment Reviewer (Enterprise Level) | Manual | R | RM: Risk 2nd Line of Defense
Enterprise Risk Assessment Submitter (Enterprise Level) | Manual | R | RM: Risk 2nd Line of Defense
Executive Lead (Enterprise Level) | Manual | R | RM: Risk 2nd Line of Defense
Subject Matter Experts (Enterprise Level) | Manual | R | RM: Risk 2nd Line of Defense
Default Permissions ERM Team Ent Level (ARPF) (Enterprise Level) | Automatic | RU | RM: ERM Team
Default Permissions RCCC and Read Only Ent Level (ARPF) (Enterprise Level) | Automatic | R | RM: Read Only; RCC Champion
Default Permissions Risk Groups Ent Level (ARPF) (Enterprise Level) | Automatic | R | RM: Admin; RM: Owner; RM: Manager; RM: Risk 2nd Line of Defense
Intermediate Risk Owner (Intermediate Level) | Manual | R | RM: Owner; RM: Risk 2nd Line of Defense; RM: ERM Team
Default Permissions ERM Team Int Level (ARPF) (Intermediate Level) | Automatic | RU | RM: ERM Team
Inherited SME and Executive Lead (Intermediate Level) | Inherited | R | Executive Lead; Subject Matter Experts
Default Permissions RCCC and Read Only Int Level (ARPF) (Intermediate Level) | Automatic | R | RM: Read Only; RCC Champion
Default Permissions SME/Exec Leads Int Level (ARPF) (Intermediate Level) | Automatic | R | RM: Admin; RM: Owner; RM: Manager; RM: Risk 2nd Line of Defense
Private Fields:
Enterprise Risk Assessment
Questionnaire Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• New fields to support ABC Co specific findings details
Record Permissions:
Private Fields:
Third Party Profile
Application Modifications:
• Customized Advanced Workflow replaced out of the box DDE workflow (NOT currently Active)
• Replacement of address fields with Third Party Addresses sub form to allow for multiple
addresses
• Multiple Relationship Contacts made required (making new record creation/import more
involved). ABC Co is utilizing a test account until the required contacts are identified and
provisioned.
• DDEs used to hide unneeded sections
Record Permissions:
RP Field Name | RP Type | Access | Summary
Inherited Permissions | Inherited | Varied | Engagement Stakeholders. Restricted: 4th Parties, Business Unit Financial Due Diligence Questionnaire, Certificates of Insurance, Contacts, Department, Engagements, Facilities, Findings, Incidents, Master Service Agreement, Supplier Request Form, Task Management, Third Party Financial Viability Assessments, Third Party Profile, Third Party Profile Risk Assessments
Inherited Permissions | Inherited | Varied | Supplier Request Form. Restricted: 4th Parties, Business Unit Financial Due Diligence Questionnaire, Certificates of Insurance, Contacts, Contracts, Department, Engagements, Facilities, Findings, Incidents, Master Service Agreement, Supplier Request Form, Task Management, Third Party Financial Viability Assessments, Third Party Profile, Third Party Profile Risk Assessments
Private Fields:
Third Party Profile Risk Assessments
Questionnaire Modifications: The Third Party Profile Risk Assessment is a custom On-demand
Application (ODA) based on the OOTB Engagement Risk Assessments questionnaire. All questions are
customized rather than relying on modified core questionnaire functionality.
Record Permissions:
RP Field Name | RP Type | Access | Summary
Inherited Permissions | Inherited | Varied | Supplier Request Form. Unrestricted: Findings, Task Management, Third Party Document Repository, Third Party Profile
Inherited Permissions | Inherited | Varied | Third Party Profile. Unrestricted: Findings, Task Management, Third Party Document Repository, Third Party Profile
Private Fields:
Appendix A: Additional Supporting Design Documentation
Notification Details: Email notifications are a critical part of the RSA Archer platform and help to add
automation to the overall process. For the initial rollout, ABC Co will have a number of notifications sent
automatically for various activities. The embedded documents provide details for all notifications to be
used for the initial rollout of the platform including subject, body, recipient and other key build-related
details.
Embedded notification documents:
Findings_Notifications.docx
CAP_Notifications.docx
BSCA Notifications_ERM Solution.xlsx
BSCA Notifications_Third Party.xlsx
Access Rights: Access control is another key element to understanding how users can see and do
what they need to see and do in Archer. These documents record the current configuration of major
access roles.
Overall CRUD Rights (includes the CRUD rights granted to the main OOB access roles; updates to be
made to this in 2020 to include all access roles)
Embedded access documents:
BSCA ERM_Access_Permissions Matrix_Dec-2019.xlsx
BSC Record Permissions Map.vsdx
How-to Documents: The files below contain additional how-to walkthroughs around importing and other
common administrative duties.
How to Update Business Hierarchy.docx
How to Update Session Timeout Duration.docx