
Dell Customer Communication - Confidential

ABC Company

Business Hierarchy, Risk, Third Party, and Issues


Management - Analysis & High-Level Design

RSA Archer Professional Services



Introduction .................................................................................................................................................. 3
Scope of Applications & Questionnaires for Initial Rollout...................................................................... 4
Solution Architecture Diagram ................................................................................................................ 5
Design: Application & Questionnaire Overview ....................................................................................... 6
Company ................................................................................................................................................. 6
Division.................................................................................................................................................... 7
Department ............................................................................................................................................. 8
Business Unit ........................................................................................................................................ 10
Findings................................................................................................................................................. 13
Corrective Action Plans (Remediation Plans) ....................................................................................... 15
Control Procedures ............................................................................................................................... 17
Risk Register ......................................................................................................................................... 18
Quarterly Risk Register Review ............................................................................................................ 22
Risk Hierarchy ....................................................................................................................................... 23
Enterprise Risk Assessment ................................................................................................................. 25
Third Party Profile ................................................................................................................................. 27
Third Party Profile Risk Assessments ................................................................................................... 30
Appendix A: Additional Supporting Design Documentation ................................................................ 32
Appendix B: RSA Contact Details ........................................................................................................... 34


Introduction
Document History:

Document Version | Date | RSA Personnel
Version 1.0 | 12.20.2019 | Brenna McLeod

Overview:
ABC Company engaged RSA Archer Professional Services for guidance on initial RSA Archer
implementation. With the common goal of remaining as close to out-of-box (OOB) Archer as possible,
ABC Co and RSA determined the appropriate scope and necessary changes for this initial rollout. This
document records the agreed-upon scope, as well as major changes away from OOB configuration. It
provides future RSA Archer Administrators the tools needed to maintain the environment and make any
additional updates required.

This document is not intended to be a complete end-to-end design of the solutions used within ABC
Co’s Archer instance. Rather, this is to help establish key baseline agreements and decisions made.


Scope of Applications & Questionnaires for Initial Rollout

After initial discussions with stakeholders during the analysis phase, the following applications and
questionnaires have been agreed upon as the in-scope components for the initial deployment of the
Audit solution.

Use Case | Application/Questionnaire | Component Classification | Responsible to Deploy (original plan) | Status
Business Hierarchy | Company | On-Demand Application (New) | RSA | Completed (deployed in Prod)
Business Hierarchy | Division | Core Application (RSA) | RSA | Completed (deployed in Prod)
Business Hierarchy | Department | Core Application (RSA) | RSA | Completed (deployed in Prod)
Business Hierarchy | Business Unit | Core Application (RSA) | RSA | Completed (deployed in Prod)
Issues Management | Findings | Core Application (RSA) | RSA | Completed (deployed in Prod)
Issues Management | Remediation Plans | Core Application (New) | RSA | Completed (deployed in Prod)
Issues Management | Exception Requests | Core Application (RSA) | RSA | Completed (deployed in Prod)
Enterprise Risk Management | Risk Register | Core Application (RSA) | RSA | Completed (deployed in Prod)
Enterprise Risk Management | Risk Hierarchy | Core Application (RSA) | RSA | Completed (deployed in Prod)
Enterprise Risk Management | Enterprise Risk Assessment | Custom Questionnaire (New) | RSA | Completed (deployed in Prod)
Enterprise Risk Management | Quarterly Risk Register Review | Custom Questionnaire (New) | RSA | Completed (deployed in Prod)
Third Party Management | Third Party Profile | Core Application (RSA) | RSA | Completed (deployed in Prod)
Third Party Management | Third Party Profile Risk Assessments | Custom Questionnaire (New) | RSA | Completed (deployed in Prod)
Controls Assurance | Control Procedures | Core Application (RSA) | RSA | Completed (deployed in Prod)


Solution Architecture Diagram


The diagram below depicts the updated applications and questionnaires that have been built out as part
of the initial 2019 deployment at ABC Co.


Design: Application & Questionnaire Overview


Company
Application Overview: The Company application is the top-most application in the Business
Hierarchy. The Company application stores general, financial and compliance information for a
company. This is an on-demand application that was created based on a copy of the original Company
application (which is now Division).

Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• Admin Section for administrator reference
• Inherited Hierarchy Access field
• NAIC Group Number
• NAIC Company Number

Record Permissions:

RP Field Name | RP Type | Access | Summary
Chief Executive Officer | Manual | RU | Maximum of 1 selection; all users are available for selection
Chief Financial Officer | Manual | RU | Maximum of 1 selection; all users are available for selection
Default Record Permissions | Manual | Varied | EM: Data Administrator: RUD; EM: Read Only: R; both groups are selected by default
Inherited Hierarchy Access | Inherited | Varied | Division: Inherited Hierarchy Access

Private Fields:
• Default Record Permissions – Only EM: Data Administrator may read and edit.
• Inherited Hierarchy Access – Only EM: Data Administrator may read.
• Record Status – Only System Administrators may read.


Division
Application Overview: This is the second level of the Business Hierarchy, under the Company and
above the Department. The Division application stores general, financial and compliance information for
a department. This application was formerly the OOB Company application.

Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• Admin Section for administrator reference
• Changed Company to Division
• Inherited Hierarchy Access field
• Inactivated fields that only applied to the Company

Record Permissions:

RP Field Name | RP Type | Access | Summary
Default Record Permissions | Manual | Varied | EM: Data Administrator: RUD; EM: Read Only: R; both groups are selected by default
Inherited CEO Permissions | Inherited | RU | Company: Chief Executive Officer
Inherited CFO Permissions | Inherited | RU | Company: Chief Financial Officer
Inherited Hierarchy Access | Inherited | Varied | Department: Department Access; Department: Inherited Hierarchy Access

Private Fields:

• Company Net Income – Only System Administrators may read and edit.
• Company Total Assets – Only System Administrators may read and edit.
• Count of Controls – Only System Administrators may read.
• Count of Non-Compliant Controls – Only System Administrators may read.
• Default Record Permissions – Only EM: Data Administrator may read and edit.
• Inherited CEO Permissions – Only System Administrators may read.
• Inherited CFO Permissions – Only System Administrators may read.
• Inherited Hierarchy Access – Only EM: Data Administrator may read.
• Record Status – Only System Administrators may read.


Department
Application Overview: This is the third level of the Business Hierarchy, under the Division and above
the Business Unit. The Department application presents an aggregation of the related Business Unit risk
and compliance information. This application was formerly the OOB Division application.

Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• Admin Section for administrator reference
• Changed Division to Department
• Department Access field
• Inherited Hierarchy Access field

Record Permissions:
Note: The fields listed here (and the fields listed in Inherited Record Permissions) are only for the
applications/questionnaires related to this deployment. For a full understanding of record permission
relationships, see the ABC Co Record Permissions Map Visio file.

RP Field Name | RP Type | Access | Summary
Default Record Permissions | Manual | Varied | EM: Data Administrator: RUD; EM: Read Only: R; both groups are selected by default
Department Access | Manual | Varied | Each Department access group is available for selection here, with the maximum possible access that can be assigned by their associated role
Inherited CEO Permissions | Inherited | RU | Division: Inherited CEO Permissions
Inherited CFO Permissions | Inherited | RU | Division: Inherited CFO Permissions
Inherited Hierarchy Access | Inherited | Varied | Business Unit: Business Unit Access, Business Unit Coordinator, Business Unit Manager, Risk, Control, Compliance Champion, Audit Engagement Contacts, Audit Entity Contact, Compliance Manager, Controller, Executive Team
Inherited Record Permissions | Inherited | Varied | Business Unit: Business Unit Access


Private Fields:

• Company Net Income – Only System Administrators may read and edit.
• Company Total Assets – Only System Administrators may read and edit.
• Count of Controls – Only System Administrators may read.
• Count of Non-Compliant Controls – Only System Administrators may read.
• Default Record Permissions – Only EM: Data Administrator may read and edit.
• Inherited CEO Permissions – Only System Administrators may read.
• Inherited CFO Permissions – Only System Administrators may read.
• Inherited Record Permissions – Only EM: Data Administrator may read.
• Record Status – Only System Administrators may read.


Business Unit
Application Overview: The Audit Finding application will capture all issues uncovered during the
audit process. Auditors may add an Audit Finding directly from a Workpaper record as it is identified. In
addition to details surrounding the Finding itself, the Audit Finding application also provides a link to the
Action Plans application. Audit Findings are automatically risk rated via a materiality and likelihood/
probability selection. Originally, this application was the (core) Expense Reports application.

Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• Admin Section for administrator reference

Record Permissions:
Note: The fields listed here (and the fields listed in Inherited Record Permissions) are only for the
applications/questionnaires related to this deployment. For a full understanding of record permission
relationships, see the ABC Co Record Permissions Map Visio file.

RP Field Name | RP Type | Access | Summary
BU Group Field for Packaging | Manual | R | Each Business Unit access group is listed here so that the appropriate groups are created as the configuration is packaged across environments. This field is off-layout and for admin use only. It is needed because the Business Unit Access field lists the Department groups, so the Business Unit groups are not automatically created through packaging.
Business Unit Access | Manual | Varied | Each Department access group is listed here with Cascade selected so the appropriate Business Unit access group can be selected, with the maximum possible access that can be assigned by their associated role
Business Unit Coordinator | Manual | RU | No maximum number of selections; members of EM: Business 1st Line of Defense available for selection. This field is off layout and unused.
Business Unit Manager | Manual | RU | No maximum number of selections; members of EM: Manager available for selection
Compliance Manager | Manual | Varied | Maximum of 1 selection; CM: Compliance 2nd Line of Defense: RU. This field is off layout and unused.
Controller | Manual | RU | Maximum of 1 selection; all users available for selection
Default Record Permissions | Manual | Varied | EM: Data Administrator: RUD; EM: Read Only: R; both groups are selected by default
Executive Team | Manual | R | All Users available for selection
Inherited CEO Permissions | Inherited | RU | Department: Inherited CEO Permissions
Inherited CFO Permissions | Inherited | RU | Department: Inherited CFO Permissions
Inherited Hierarchy Access | Inherited | Varied | Department: Department Access
Inherited Record Permissions | Inherited | Varied | Control Procedures: Testing Coordinator, Default Record Permissions; Department: Department Access; Findings: Assigned to, 2nd Line of Defense Reviewer; Risk Register: Default Record Permissions
Risk, Control, Compliance Champion | Manual | RU | No maximum number of selections; members of RCC Champion available for selection

Private Fields:

• Business Unit Access – Only System Administrators may read and edit.
• Count of Controls – Only System Administrators may read.
• Count of Non-Compliant Controls
• Default Record Permissions for Procurement
• Default Record Permissions
• Inherited CEO Permissions
• Inherited CFO Permissions
• Inherited From Engagements
• Inherited Metric Owner
• Inherited Permissions Engagement Stakeholders
• Inherited Permissions Supplier Request Form
• Inherited Record Permissions
• Link to Risk Library By Event Category
• Record Status
• Self-Assessment History


Findings
Application Overview: The Findings application supports multiple solutions. It is used to document
issues, deficiencies or gaps found through assessments and control testing. Findings are auto
generated from questionnaires and include links back to the questionnaire, target and any applicable
control standards and authoritative sources. Findings may be resolved via remediation tasks or
exception requests.

Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• New fields to support ABC Co specific findings details
• Update and new fields to support 2nd LOD and 3rd/4th LOD review workflow

Record Permissions:
Note: The fields listed here (and the fields listed in Inherited Record Permissions) are only for the
applications/questionnaires related to this deployment.

RP Field Name | RP Type | Access | Summary
Automatic Record Permissions | Automatic | Varied | Record Creator: R; RM: ERM Team: RU; RM: Risk 3rd Line of Defense: R
Created By | Manual | Varied | Record Creator; RU when Finding Workflow Stage = New; R for all other statuses
Assigned To | Manual | Varied | RCC Champion, RM: Risk 4th Line of Defense; RU when Finding Workflow Stage = New, Rejected; R for all other statuses when assigned in field
2nd Line of Defense Reviewer | Manual | Varied | RM: Risk 2nd Line of Defense; RU when Finding Workflow Stage = Awaiting 2nd LOD Review; R for all other statuses when assigned in field
3rd/4th Line of Defense Reviewer | Manual | Varied | RM: Risk 3rd Line of Defense, RM: Risk 4th Line of Defense; RU when Finding Workflow Stage = Awaiting 3rd/4th LOD Review; R for all other statuses when assigned in field

Private Fields:

• Finding ID – visible to Everyone, editable by no one
• Date Closed – visible to Everyone, editable by System Administrators (set via Advanced
Workflow)
• Created By – defaults to Record Creator, visible to Everyone, editable by System
Administrators
• Submission Due Date – visible to Everyone, editable by System Administrators (set via
Advanced Workflow)
• Submit Date – visible to Everyone, editable by System Administrators (set via Advanced
Workflow)
• 2nd LOD Review Due Date – visible to Everyone, editable by System Administrators (set via
Advanced Workflow)
• 2nd LOD Review Date – visible to Everyone, editable by System Administrators (set via
Advanced Workflow)
• 2nd LOD Comments – visible to Everyone; editable by 2nd LOD Reviewer
• 3rd/4th LOD Review Due Date – visible to Everyone, editable by System Administrators (set
via Advanced Workflow)
• 3rd/4th LOD Review Date – visible to Everyone, editable by System Administrators (set via
Advanced Workflow)
• 3rd/4th LOD Comments – visible to Everyone; editable by 3rd/4th LOD Reviewer

Findings Workflow (embedded attachment): Findings_Workflow_Final.vsdx


Corrective Action Plans (Remediation Plans)


Application Overview: The Corrective Action Plans application has been renamed from the OOB
Remediation Plans application. This application allows you to centrally manage multiple findings and
track actual and estimated remediation costs and timeframes. Relating multiple findings in the context of
remediation plans allows you to identify larger issues and support informed decision making. Integration
with the RSA Archer Threat Management solution and third-party scanning tools also enables you to
capture vulnerability and malicious code alerts and the results of automated configuration checks.

Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• New fields to support ABC Co specific findings details
• Update and new fields to support 2nd LOD and 3rd/4th LOD review workflow

Record Permissions:

RP Field Name | RP Type | Access | Summary
Automatic Record Permissions | Automatic | Varied | Record Creator: R; RM: ERM Team: RU; RM: Risk 3rd Line of Defense: R
Created By | Manual | Varied | Record Creator; RU when Status = New; R for all other statuses
Corrective Action Plan Owner | Manual | Varied | RCC Champion, RM: Risk 4th Line of Defense; RU when Status = New, Approved, Rejected; R for all other statuses when assigned in field
2nd Line of Defense Reviewer | Manual | Varied | RM: Risk 2nd Line of Defense; RU when Status = Awaiting 2nd LOD Review; R for all other statuses when assigned in field
3rd/4th Line of Defense Reviewer | Manual | Varied | RM: Risk 3rd Line of Defense, RM: Risk 4th Line of Defense; RU when Status = Awaiting 3rd/4th LOD Review; R for all other statuses when assigned in field
Automatic ERM Team Permissions | Automatic | R | RM: ERM Team


Private Fields:

• Status – visible to Everyone, editable by System Administrators (set via Advanced
Workflow)
• Submit Date – visible to Everyone, editable by System Administrators (set via Advanced
Workflow)
• 2nd LOD Review Due Date – visible to Everyone, editable by System Administrators (set via
Advanced Workflow)
• 2nd LOD Review Date – visible to Everyone, editable by System Administrators (set via
Advanced Workflow)
• 2nd LOD Comments – visible to Everyone; editable by 2nd LOD Reviewer
• 3rd/4th LOD Review Due Date – visible to Everyone, editable by System Administrators (set
via Advanced Workflow)
• 3rd/4th LOD Review Date – visible to Everyone, editable by System Administrators (set via
Advanced Workflow)
• 3rd/4th LOD Comments – visible to Everyone; editable by 3rd/4th LOD Reviewer

Corrective Action Plan Workflow (embedded attachment): CAP Workflow.vsdx


Control Procedures
Application Overview: The Control Procedures application supports the RSA Archer Policy and
Compliance Management solutions. It serves as a central repository for procedures, baselines and
activities that are mapped to corporate control standards, establishing the foundation for enterprise-wide
risk monitoring and compliance measurement. Control Procedures are categorized into two types:
Technical and Process. Based on the selected type, different pieces of information are captured and
different testing options are made available.

Application Modifications:
• New fields to support ABC Co specific findings details

Record Permissions:

RP Field Name | RP Type | Access | Summary
Risk, Control, Compliance Champion | Inherited | Various | Business Unit: Risk, Control, Compliance Champion
Control Owner | Manual | RU | All Users
Control Performer/Operator | Manual | RU | All Users
Tester | Manual | RU | All Users
Automatic Record Permissions | Automatic | Various | Everyone: R access when Content Source = ABC Co; Record Creator: R access when Content Source = ABC Co; RM: ERM Team: RU when Content Source <> ABC Co


Risk Register
Application Overview: The Risk Register application serves as the corporate controlled library of
risks used by the entire organization. It allows you to capture the base data for a given risk statement
and link risks to processes, objectives, key risk indicators, financial losses and mitigating control
procedures.

Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• New fields to support ABC Co specific findings details
• Update and new fields to support 2nd LOD and 3rd/4th LOD review workflow

Record Permissions:

RP Field Name | RP Type | Access | Summary
Risk, Control and Compliance Champion | Inherited | CRU | Business Units: Risk, Control, Compliance Champion; RCC Champion: CRU (selected manually on BU record)
Default Record Permissions (MRPF) | Manual | CRU / R | RM: Admin - CRU; RM: Read Only - R; RM: ERM Team - CRU
Risk Owner | Manual | RU | RM: Risk 2nd Line of Defense
Risk Reviewer | Manual | R | RM: Risk 2nd Line of Defense
Inherited Record Permissions | Inherited | RU/R | Incidents: Incident Owner; Incidents: Incident Manager; Incidents: Additional Access; Task Management: Assigned To; Task Management: Delegates; Task Management: Created by; Findings: Assigned to; Control Procedures: Testing Coordinator; Business Units: Default Record Permissions; Findings: 2nd Line of Defense Reviewer; Findings: zzDefault Record Permissions; Incidents: Default Record Permissions; Control Procedures: Default Record Permissions (OOB); Loss Events: Default Record Permissions; Metrics: Default Record Permissions; Metrics: Metric Owner; Control Procedures: zzCompliance Manager Specialist
Compliance Manager | Inherited | RU | Applications: Compliance Manager (Inherited Compliance Manager from BU, Business Processes, Product and Services // On BU Manual RPF - CM: Risk 2nd Line of Defense – RU); Business Processes: Compliance Manager (Inherited Compliance Manager from BU, Product and Services); Business Units: Compliance Manager (On BU Manual RPF - CM: Risk 2nd Line of Defense – RU); Corporate Objectives: Compliance Manager (Inherited Compliance Manager from BU)
Inherited Loss Event Risk Manager | Inherited | RU | Loss Event: Risk Manager (Inherited Risk, Control, Compliance Champion from BU // On BU Manual RPF - Risk, Control, Compliance Champion – RU)
Inherited Loss Event Risk Manager Specialist | Inherited | RU | Loss Event: Risk Manager Specialist (On Loss Events Manual RPF - RM: Risk 2nd Line of Defense – RU)
Inherited Metric Owner | Inherited | RU | Metrics: Metric Owner (On Metrics Manual RPF - All Users – RU)
Inherited Loss Event Business Unit Manager | Inherited | RU | Loss Event: Business Unit Manager (Inherited Business Unit Manager from BU // On BU Manual RPF - EM: Manager – RU)
Inherited from Risk Hierarchy Intermediate | Inherited | R | Intermediate Risk Owner / Subject Matter Experts / Executive Lead
Inherited Loss Event Executives | Inherited | RU | Loss Event: CEO (Inherited from CEO in BU through Department, then Division, then Company // On Company Manual RPF - Chief Executive Officer – All Users RU); Loss Event: CFO (Inherited from CFO in BU through Department, then Division, then Company // On Company Manual RPF - Chief Financial Officer – All Users RU); Loss Event: Controller (Inherited Controller from BU // On BU Manual RPF - All Users – RU)
Inherited Loss Event Business Unit Coordinator | Inherited | RU | Loss Event: Business Unit Coordinator (Inherited Business Unit Coordinator from BU // On BU Manual RPF - EM: Business 1st Line of Defense – RU)

Private Fields:

• Created From Library - No access specified
• Default Record Permissions (MRPF) - Only RM: Admin has rights
• DFM_Risk_Key - Everyone Read Only
• H-H - No access specified
• H-L - No access specified
• H-M - No access specified
• H-MH - No access specified
• H-ML - No access specified
• Inherited Record Permissions - Only RM: Admin has rights
• L-H - No access specified
• L-L - No access specified
• L-M - No access specified
• L-MH - No access specified
• L-ML - No access specified
• M-H - No access specified
• MH-H - No access specified
• MH-L - No access specified
• MH-M - No access specified
• MH-MH - No access specified
• M-L - No access specified
• ML-H - No access specified
• ML-L - No access specified
• ML-M - No access specified
• ML-MH - No access specified
• ML-ML - No access specified
• M-M - No access specified
• M-MH - No access specified
• M-ML - No access specified
• Record Status - No access specified
• Source Record Date - Only System Administrators
• Source Version - Only System Administrators


Quarterly Risk Register Review


Questionnaire Overview: The Quarterly Risk Register Review questionnaire targets the Risk
Register and is intended to be sent out to risk owners for confirmation of, or updates to, risk information.

Questionnaire Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• New fields to support ABC Co specific findings details

Record Permissions:

RP Field Name | RP Type | Access | Summary
Risk Owner | Manual | RU conditional | RM: Risk 2nd Line of Defense. When the record is not submitted, then Read and Update; when the record is submitted or resubmitted, or Overall is Approved, then Read Only
Risk Reviewer | Manual | RU conditional | RM: Risk 2nd Line of Defense. When Submission Status Does Not Contain In Process and Review Status Contains Awaiting Review, then Read and Update; when Submission Status Contains In Process, or Overall is Approved, then Read Only (DDEs keep question fields read only at all times)
Risk, Control, Compliance Champion | Inherited | RU | RU (DDEs keep all fields except the Submitter and Reviewer fields read only at all times)
ERM Team (ARPF) | Automatic | RU | RU when Overall Status does not equal Approved; if Approved, then Read Only

Private Fields:

• Inherent Score – Only seen by Archer System Administrator
• Progress Status – Only seen by Archer System Administrator


Risk Hierarchy
Application Overview: This Risk Hierarchy application coupled with the Risk Register application
creates a 3 level risk roll-up solution. This application enables an organization to roll-up their risks from
the risk register to an intermediate summary level, and then to an enterprise summary level. This
application stores a company's risk hierarchy in the form of two levels - Enterprise Summary Level and
Intermediate Summary Level. Enterprise Risks (the top level) are risks that are described very broadly at
the highest level of an organization; they represent an accumulation of all of the intermediate summary
risks. Intermediate summary risks are summary level risks that lie between the Risk Register and
Enterprise Risk. Intermediate summary risks are then associated with Risk Register records to track
risks via Metrics, Control Compliance, and Risk Assessments.

Application Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• New fields to support ABC Co specific findings details

Record Permissions:

RP Field Name | RP Type | Access | Summary
(Enterprise Level) Enterprise Risk Assessment Reviewer | Manual | R | RM: Risk 2nd Line of Defense
(Enterprise Level) Enterprise Risk Assessment Submitter | Manual | R | RM: Risk 2nd Line of Defense
(Enterprise Level) Executive Lead | Manual | R | RM: Risk 2nd Line of Defense
(Enterprise Level) Subject Matter Experts | Manual | R | RM: Risk 2nd Line of Defense
(Enterprise Level) Default Permissions ERM Team Ent Level (ARPF) | Automatic | RU | RM: ERM Team
(Enterprise Level) Default Permissions RCCC and Read Only Ent Level (ARPF) | Automatic | R | RM: Read Only; RCC Champion
(Enterprise Level) Default Permissions Risk Groups Ent Level (ARPF) | Automatic | R | RM: Admin; RM: Owner; RM: Manager; RM: Risk 2nd Line of Defense; RM: Risk 3rd Line of Defense
(Intermediate Level) Intermediate Risk Owner | Manual | R | RM: Owner; RM: Risk 2nd Line of Defense; RM: ERM Team
(Intermediate Level) Default Permissions ERM Team Int Level (ARPF) | Automatic | RU | RM: ERM Team
(Intermediate Level) Inherited SME and Executive Lead | Inherited | R | Executive Lead; Subject Matter Experts
(Intermediate Level) Default Permissions RCCC and Read Only Int Level (ARPF) | Automatic | R | RM: Read Only; RCC Champion
(Intermediate Level) Default Permissions SME/Exec Leads Int Level (ARPF) | Automatic | R | RM: Admin; RM: Owner; RM: Manager; RM: Risk 2nd Line of Defense

Private Fields:

• There are no private fields in Risk Hierarchy


Enterprise Risk Assessment


Questionnaire Overview: The Enterprise Risk Assessment questionnaire targets the Risk Hierarchy
and is intended to collect risk information and how it impacts the organization over time.

Questionnaire Modifications:
• Data-Driven Events (DDEs) to hide unused sections and fields
• New fields to support ABC Co specific findings details

Record Permissions:

RP Field Name | RP Type | Access | Summary
Enterprise Risk Assessment Reviewer | Manual | R/RU | RM: Risk 2nd Line of Defense. RU when Submission Status Does Not Contain In Process and Review Status Contains Awaiting Review; R when Overall Status Contains Approved or Submission Status Contains In Process
Enterprise Risk Assessment Submitter | Manual | R/RU | RM: Risk 2nd Line of Defense. R when Submission Status Contains Submitted or Re-Submitted, or Overall Status Contains Approved; RU when the record is not submitted (Submission Status Contains In Process)
Executive Lead (IRPF) | Inherited | R | Executive Lead
Subject Matter Experts (IRPF) | Inherited | R | Subject Matter Experts
Default Permissions ERM Team (ARPF) | Automatic | RU | RM: ERM Team

Private Fields:

• There are no private fields in Enterprise Risk Assessment

Enterprise Risk Management Workflows (embedded attachment): BSCA Enterprise Risk Assessment Flowchart_Dec-2019.xlsx

Enterprise Risk Management Record Permissions (embedded attachment): BSCA ERM Record Permissions Map.xlsx


Third Party Profile


Application Overview: The Third Party Profile application is used to document all of the third party
relationships used by an organization. In this application, the organizational structure of the third party
relationship is established, third party contacts documented, and relationship manager, risk analyst, and
procurement / legal officer accountabilities are created. This application is the hub for navigation
throughout the solution and contains summary metrics and reporting.

Application Modifications:

• Customized Advanced Workflow replaced out of the box DDE workflow (NOT currently Active)
• Replacement of address fields with Third Party Addresses sub form to allow for multiple
addresses
• Multiple Relationship Contacts made required (making new record creation/import more
involved). ABC Co is utilizing a test account until the required contacts are identified and
provisioned.
• DDEs used to hide unneeded sections

Record Permissions:

RP Field Name | RP Type | Access Summary
Default Record Permissions | Manual | Varied | TP: Business Owner: R; TP: Administrator: RUD; TP: Executive Management: R; TP: Governance Manager: RUD; TP: Operations Specialist: R; TP: Read Only: R; TP: Relationship Manager: RU; TP: Risk Analyst: RUD; TP: Sourcing Specialist: R. All groups above are selected by default.
Inherited Permissions Engagement Stakeholders | Inherited | Varied | Restricted: 4th Parties, Business Unit Financial Due Diligence Questionnaire, Certificates of Insurance, Contacts, Department, Engagements, Facilities, Findings, Incidents, Master Service Agreement, Supplier Request Form, Task Management, Third Party Financial Viability Assessments, Third Party Profile, Third Party Profile Risk Assessments
Inherited Permissions Supplier Request Form | Inherited | Varied | Restricted: 4th Parties, Business Unit Financial Due Diligence Questionnaire, Certificates of Insurance, Contacts, Contracts, Department, Engagements, Facilities, Findings, Incidents, Master Service Agreement, Supplier Request Form, Task Management, Third Party Financial Viability Assessments, Third Party Profile, Third Party Profile Risk Assessments
Inherited Record Permissions | Inherited | Varied | Unrestricted: 4th Parties, Business Unit Financial Due Diligence Questionnaire, Certificates of Insurance, Contacts, Contracts, Department, Engagements, Facilities, Findings, Incidents, Master Service Agreement, Supplier Request Form, Task Management, Third Party Financial Viability Assessments, Third Party Profile, Third Party Profile Risk Assessments

Private Fields:

• There are no private fields

Note: The Third Party Profile is inactive.


Third Party Profile Risk Assessments


Questionnaire Overview: The Third Party Profile Risk Assessment is a copy of the OOTB
Engagement Risk Assessments questionnaire and allows you to assess the percentage of compliance
of Third Party Profiles based on the following question categories:
• Facility
• Human Resources and Training
• IT Infrastructure and Security
• Operations
• Privacy and Compliance

Questionnaire Modifications: The Third Party Profile Risk Assessment is a custom On-demand
Application (ODA) based on the OOTB Engagement Risk Assessments questionnaire. All questions are
customized rather than modifications of the core questionnaire functionality.

• Customized Advanced Workflow replaced out of the box DDE workflow
• Added Manual Campaign based on Third Party Profile Assessment Group value
• Customized Quantitative Summary calculations modified to represent new question categories
• Overall Status calculation modified to allow for Overdue status
• Added Workflow Comments sub-form to allow for workflow comments upon rejection and re-submission
• Removed Document Library references as ABC Co decided the out of the box question
comments fields were a better match to their business processes

Record Permissions:

RP Field Name | RP Type | Access Summary
Default Record Permissions | Manual | Varied | Record Creator: RUD; TP: Administrator: RUD; TP: Governance Manager: RUD; TP: Administrator: RUD; TP: Risk Analyst: RUD. All groups above are selected by default.
Inherited Permissions Engagement Stakeholders | Inherited | Varied | Unrestricted: Findings, Task Management, Third Party Document Repository, Third Party Profile
Inherited Permissions Supplier Request Form | Inherited | Varied | Unrestricted: Findings, Task Management, Third Party Document Repository, Third Party Profile
Inherited Permissions Third Party Profile | Inherited | Varied | Unrestricted: Findings, Task Management, Third Party Document Repository, Third Party Profile

Private Fields:

• Due Date – Everyone: Read, Third Party Administrator: Full Access
• Submission Status – Everyone: Read, Third Party Administrator: Full Access
• Submit Date – Everyone: Read, Third Party Administrator: Full Access
• Review Status – Everyone: Read, Third Party Administrator: Full Access
• Review Date – Everyone: Read, Third Party Administrator: Full Access

Third Party Profile Risk Assessment Workflow:


Appendix A: Additional Supporting Design Documentation


In addition to the items provided in the previous pages, additional documentation pertinent to the initial
build is provided below within the embedded documents.

Notification Details: Email notifications are a critical part of the RSA Archer platform and help to add
automation to the overall process. For the initial rollout, ABC Co will have a number of notifications sent
automatically for various activities. The embedded documents provide details for all notifications to be
used for the initial rollout of the platform including subject, body, recipient and other key build-related
details.

Findings Notifications

Embedded document: Findings_Notifications.docx

Corrective Action Plan Notifications

Embedded document: CAP_Notifications.docx

Enterprise Risk Management Notifications

Embedded document: BSCA Notifications_ERM Solution.xlsx

Third Party Notifications

Embedded document: BSCA Notifications_Third Party.xlsx

Access Rights: Access control is another key element to understanding how users can see and do
what they need to see and do in Archer. These documents record the current configuration of major
access roles.

Overall CRUD Rights (includes the CRUD rights granted to the main OOB access roles – updates to be made to this in 2020 to include all access roles)

Embedded document: Access Control CRUD Matrix v2.xlsx


Enterprise Risk Management CRUD Rights

Embedded document: BSCA ERM_Access_Permissions Matrix_Dec-2019.xlsx

Record Permissions Map

Embedded document: BSC Record Permissions Map.vsdx

How-to Documents: The files below contain additional how-to walkthroughs around importing and other
common administrative duties.

How to Import Third Party Profiles

Embedded documents: Third Party Profile Data Imports.docx; Import_Third Party Profile_Addresses.csv; Import_Third Party Profile_Required Fields.csv

How to Import Third Party Profile Risk Assessments

Embedded documents: Third Party Profile Risk Assesments Import.docx; Vendor_Third Party ProfileRisk Assessments.xlsx; Import_Third Party Profile_Risk Assessments.csv

How to Make Business Hierarchy Updates

Embedded document: How to Update Business Hierarchy.docx

How to Update Session Timeout Duration

Embedded document: How to Update Session Timeout Duration.docx


Appendix B: RSA Contact Details


Name | Role | Contact Email
Michael Jolley | RSA Archer Professional Services Practice Manager | Michael.Jolley@rsa.com
Brenna McLeod | RSA Archer Professional Services Sr. Consultant | Brenna.McLeod@rsa.com
RSA Archer Customer Support | Available to Sprint throughout their lifecycle of usage of the RSA Archer platform | ArcherSupport@rsa.com
