RSA Archer 6.2 Key Indicator Mgt Guide

RSA Archer Key Indicator Management
Use Case Guide

6.1 and 6.2
Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers:
https://community.rsa.com/community/rsa-customer-support.
Trademarks
RSA, the RSA Logo, RSA Archer, RSA Archer Logo, and Dell are either registered trademarks or trademarks of Dell
Corporation ("Dell") in the United States and/or other countries. All other trademarks used herein are the property of their
respective owners. For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm.
License agreement
This software and the associated documentation are proprietary and confidential to Dell, are furnished under license, and may
be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This
software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by Dell.
Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-
party software in this product may be viewed on RSA.com. By using this product, a user of this product agrees to be fully
bound by terms of the license agreements.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
For secure sites, Dell recommends that the software be installed onto encrypted storage for secure operations.
For customers in high security zones, Dell recommends that a full application sanitization and reinstallation from backup occur
when sensitive or classified information is spilled.
Note on Section 508 Compliance
The RSA Archer® Suite is built on web technologies which can be used with assistive technologies, such as screen readers,
magnifiers, and contrast tools. While these tools are not yet fully supported, RSA is committed to improving the experience of
users of these technologies as part of our ongoing product road map for RSA Archer.
The RSA Archer Mobile App can be used with assistive technologies built into iOS. While there remain some gaps in support,
RSA is committed to improving the experience of users of these technologies as part of our ongoing product road map for the
RSA Archer Mobile App.
Distribution
Use, copying, and distribution of any Dell software described in this publication requires an applicable software license.
Dell believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice. Use of the software described herein does not ensure compliance with any laws, rules, or regulations, including
privacy laws that apply to RSA’s customer’s businesses. Use of this software should not be a substitute for consultation with
professional advisors, including legal advisors. No contractual obligations are formed by publication of these documents.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." DELL INC. MAKES NO REPRESENTATIONS OR
WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY
DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright © 2010-2017 Dell Inc. or its subsidiaries. All Rights Reserved.

March 2016
RSA Archer Key Indicator Management Use Case Guide
Contents
Key Indicator Management Release Notes 5
Chapter 1: Key Indicator Management 7

RSA Archer Key Indicator Management 7
Get started 8
Chapter 2: Key Indicator Management Design 9

Architecture Diagram 9
Applications 11
Access Roles 11
Dashboards 12
Advanced Workflow 14
Chapter 3: Installing Key Indicator Management 15

Step 1: Prepare for the Installation 15
Step 2: Update the License Key 15
Step 3: Install the Package 16
Step 4: Perform Post-Installation Cleanup 16
Step 5: Set Up Data Feeds 16
Step 6: Test the Installation 16
Installing the Key Indicator Management Package 17
Step 1: Back Up Your Database 17
Step 2: Import the Package 17
Step 3: Map Objects in the Package 17
Step 4: Install the Package 20
Step 5: Review the Package Installation Log 21
Performing Post-Installation Cleanup for Key Indicator Management 21
Step 1: Review and Fix Dependencies on Other Use Cases 21
Step 2: Delete Obsolete Objects 34
Step 3: Validate Formulas and Calculation Orders 34
Step 4: Verify Key Fields 35
Step 5: Update Inherited Record Permissions Fields 35
3
Setting Up Key Indicator Management Data Feeds 35

Step 1: Import a Data Feed 36
Step 2: Schedule a Data Feed 36
Appendix A: Package Installation Log Message Examples 39
4
Key Indicator Management Release Notes

The following items have been changed or added in the 6.1 release.
Enhancement Description
Workspace The following changes have been made:

l The Operational Risk Management workspace was updated to include all
new sub-solutions and dashboards.
l The Key Risk Indicator Management sub-solution has been added to the
Operational Risk Management workspace.
DDE Added and updated DDEs in many of the Metrics layouts. This allows Metrics
of any type to target a Business Unit.
Dashboards The following dashboards have been removed:

l Enterprise Risk Management
l Business Unit Risk Overview
l Metric Owner
l Metric Tracking
l Operational Risk Management
l Operational Risk Management Program Administration
The following persona-based dashboards have been added:

l Executive Management
l Business Unit Manager
l Risk Manager
l Data Quality Administration
These dashboards include both new and existing iViews.

Enhancement Description
Data feeds Two new data feeds were created to support creating metrics from the Metrics
Library to associate to a Business Unit. The new data feeds are:
l Create Metrics from Metric Library for BU: creates Metric records based on
selected Metric Library records and associates them to appropriate Business
Unit.
l Clear Metrics Library Linkage from Business Unit: clears the cross-
reference to the Metrics Library and resets the Create Metrics from Library
option to 'NO'.
Report The report DFM_Create Metrics For BU From Metric Library was added to the
Business Unit application in order to support the two new data feeds (Create
Metrics From Metric Library For BU and Clear Metric Library Linkage From
Business Unit).

Chapter 1: Key Indicator Management

In many risk management programs, the use of key indicators is implemented sporadically at the
discretion of individual business units and division managers. Key indicator metrics may not be
properly designed to accurately measure the intended activity, and the collection of indicator data
may be accomplished in an unnecessarily costly and inefficient manner using spreadsheets and
email. With missing or inefficient key indicator reporting, the organization is unable to accurately
gauge or compare performance in terms of meeting strategic and operational goals, risk, and control
performance. It also limits the organization’s ability to respond to emerging problems as quickly as
possible.
RSA Archer Key Indicator Management

RSA Archer Key Indicator Management provides a means for organizations to establish and monitor
metrics related to each business unit within the organization. Depending on your overall
implementation, metrics could also be associated with other elements of your GRC program,
including risks, controls, strategies and objectives, products and services, and business processes to
monitor quality assurance and performance.
Key Features
l Holistic key indicator management program
l Association of key indicators with business units and named individuals, and establishment of key
indicators of risk, control, corporate objectives, business processes, and products and services,
depending on your program implementation
l Governance to ensure timely collection of indicator data
l Stakeholder notification when indicators exceed acceptable boundaries
l Consistent approach to calculating indicator boundaries and limits
l Consolidated list of indicators that are operating outside boundaries, and associated stakeholder
escalation and remediation plans
l Management of remediation plans action to bring indicators back within acceptable boundaries
l Visibility to key risk indicator metrics and remediation plans via predefined reports and
dashboards
Key Benefits
Key Indicator Management enables:

l Visibility to areas in your organization that have not established indicators or have not collected
data associated with established indicators
l Warning of adverse trends at the earliest point possible to provide quicker remediation
l Greater accountability for monitoring indicators that provide early warning of emerging problems
Get started
l Learn more about the use case design
l Install and set up the use case

Chapter 2: Key Indicator Management Design
Architecture Diagram
The following diagram shows the relationships between the applications in the Key Indicator
Management use case.


Note:
1. Feeds that create Metrics from a metric library (either the Business Process or Risk Register) do
not also create Risk Register records from the associated Risk Library records.
2. Business Asset Catalog objects and their associated assessments are not automatically scoped
into Risk Project and must each be scoped in manually.
Ap p lic a tio n s
Applications
Application Description
Metrics The Metrics application allows you to establish periodic measurements for
objectives, including Key Risk Indicators (KRIs), Key Performance Indicators
(KPIs), and Key Control Indicators (KCIs). Metrics can be tracked against
established expectations and forecasts and warning indicators generated when
metrics exceed thresholds.
Metrics The Metric Results application allows the metric owner to report individual
Results measurements of the Metric.
Metrics The Metrics Library is a list of generic metrics that you can import, maintain, and
Library add to. These metrics library records can be used in the Business Unit application
to quickly create new Metrics. Select Metric Library records in Business Unit
record and set the ready flag in the BU. This allows the Create Metrics from
Metric Library for BU feed to process it.
Business The Business Unit application provides a detailed view of all activities related to
Unit the specific business unit.
Company The Company application stores general, financial, and compliance information at
the company level. Combined with the Division and Business Unit applications,
this application supports roll-up reporting of governance, risk, and compliance
initiatives across the enterprise.
Division The Division application represents the intermediate unit within the business
hierarchy which is a layer below the high-level company and a layer above the
individual business unit. You can use this application to further document the
relationships within their business and measure the effectiveness and compliance
of individual divisions within the enterprise.
Ac c e s s r o le s
Access Roles
The use case provides the following access roles.

Access Role Description
RM: Admin This role serves as the administrator for the use case. (Risk Manager, Risk
Manager Specialist)
RM: Executives This role provides the appropriate access levels within the use case to the
executives team (CFO, CEO, Controller).
RM: Manager This role provides create, read, and update access to management stakeholders
within the use case.
RM: Owner This role provides create, read, and update access to business process owners
within the use case.
RM: Read Only This role provides read-only access for the use case.
Da s h b o a r d s
Dashboards
The use case provides the following dashboards.
Dashboard Description
Executive This persona-based dashboard is used by Controllers, CFOs, and CEOs to view
Management business unit/company risks, track risk exposure, and review loss events that
require executive sign-off.
Business This persona-based dashboard is used by Business Unit Managers and Business
Unit Unit Coordinators to create new loss events and to view active assessments,
Manager unapproved loss events, and loss events requiring executive review or sign-off.
Risk This persona-based dashboard is used by Risk Managers and Risk Specialists to
Manager view active assessments, loss events awaiting review, and open risk projects.
The following sections describe the reporting limitations for each dashboard in this use case.
Ex e c u tiv e Ma n a g e me n t
iView Use Case Reporting Limitations
Executive Risk Management All quick links are invalid.

Quick Links
Top Down Risk Assessment All reports are invalid.
Risk by Business Unit All reports are invalid.

Risk Exposure Enterprise Risks Financial Exposure (Typical and Worst

Case) is invalid.
Risk Metrics Managements All reports are invalid.
Loss Events All reports are invalid.
Bu s in e s s Un itMa n a g e r
Business Unit Manager Quick Links 4 of 5 quick links are invalid.
Risk Inventory for Business Unit Manager All reports are invalid.
My Loss Events Requiring Review or Sign-Off All reports are invalid.
Bottom-Up Risk Analysis All reports are invalid.
My Loss Events Summary All reports are invalid.
Risk Self-Assessment Summary All reports are invalid.
Ris k Ma n a g e r
Risk Manager Quick Links 5 of 6 quick links are invalid.
Risk Inventory for Risk Manager All reports are invalid.
Business Process By Rating Report is invalid.
Control Assessment Concerns All reports are invalid.
Self-Assessment Status and Change Tracking All reports are invalid.
Self-Assessments Awaiting Risk Manager Review All reports are invalid.
Bottom-UP Risk Analysis Report All reports are invalid.
Loss Event Management All reports are invalid.

Ad v a n c e d wo r k flo w
Advanced Workflow
Step 1: Evaluate Stage
Metrics can either be created from scratch or populated from the Metrics Library. When a user
creates or pulls in a metrics record, a Metric is created as inactive. It will not be activated until it is
approved by the process. When a new Metric is created, a notification is sent to the Metric Owner,
alerting them that a new record has been created. The Metric Owner can reassign the workflow to
another Metric Owner, or he can review the record and submit it to the Risk Manager. Once the
record is submitted, step 2: the Metric Review Stage begins. If you want to inactivate a metric, you
must edit an existing Active Metric. When you inactivate the existing Metric, it is re-enrolled into
the workflow, and moved to step 3: the Risk Manager Inactivation Review stage.
Step 2: Metric Review Stage
The Risk Manager then reviews the metrics record. If the Risk Manager does not agree with the
Metric Owner’s initial review, he can reject the record, and it is sent back to the Metric Owner to
update. If the Risk Manager agrees with the Metric Owner’s review, he can approve the record, and
is activated. At this point you can start collecting Metric Results against the Metric. Once it is
updated, the workflow is complete. The Risk Manager also has the ability to terminate the record. If
he chooses to do so, the status of the Metric is set to Terminated and the workflow is complete.
Step 3: Risk Manager Inactivation Review
The workflow sends a notification to the Risk Manager, alerting him that a user wants to set a
metric to the inactive state. The Risk Manager then reviews the metric and either approves or
rejects that it should be set to inactive. If the Risk Manager agrees that the metric should be
inactive, the status is set to Inactive, and the workflow is finished. If the Risk Manager disagrees
that the metric should be inactive, a notification is sent to the Metric Owner, indicating the request
was denied. The Metric remains Active, and the workflow is finished.

Chapter 3: Installing Key Indicator Management

Complete the following tasks to install the Key Indicator Management use case.
Ste p 1 :P r e p a r e fo r th e in s ta la tio n
Step 1: Prepare for the Installation

1. Ensure that your RSA Archer system meets the following requirements:
l RSA Archer Platform version 6.1 or later.
l Valid license for Key Indicator Management 6.1 or later.
l A user account on the Platform with access rights to the Data Feed Manager.
l User account on RSA Link to download the use case files.
2. Download the use case file(s) from the Archer Customer/Partner Community on RSA Link on
the RSA Archer Solutions and Use Cases page
(https://community.rsa.com/community/products/archer-grc/archer-customer-partner-
community/solutions).
The following files are included in the RSA_Archer_Key_Indicator_6.2.zip file:
l Use case install package
l Data feed file
3. Obtain the Data Dictionary for the use case by contacting your RSA Archer Account
Representative or calling 1-888-539-EGRC. The Data Dictionary contains the configuration
information for the use case.
4. Read and understand the Packaging Data section of the RSA Archer Online Documentation.
5. Review the Release Notes to understand any known issues before installing and configuring the
use case.
Ste p 2 :Up d a te th e lic e n s e k e y
Step 2: Update the License Key

You must update the license key if you are installing a new application, questionnaire, workspace, or
dashboard.
Note: All customers who are upgrading from version 6.0 or earlier are required to get a new license
key for 6.1 or later. Ensure that you are using a valid 6.1 or later license key prior to installing
packages.

The administrator (a web or database administrator) on the server on which the Archer Control
Panel resides must update the license key in the Archer Control Panel before the application
package is imported in order for the new items to be available for use.
1. Open the RSA Archer Control Panel.
2. From the Instance Management list, click to expand the Instances list.
3. Right-click the instance that you want to update, and click Update License Key.
4. Update the applicable information: Serial Number, Contact Info, and Activation Method.
5. Click Activate.
Important: If you do not update your license key to 6.1 or later prior to installing the package, you
will not be able to access workspaces, dashboards and applications.
Ste p 3 :In s ta lth e p a c k a g e
Step 3: Install the Package

Installing a package requires that you import the package file, map the objects in the package to
objects in the target instance, and then install the package. See Installing the Key Indicator
Management Package.
Ste p 4 :P e r fo r mp o s t-in s ta la tio n c le a n u p
Step 4: Perform Post-Installation Cleanup

The package installation does not update some attributes of objects, or delete obsolete objects that
are not included in the current solution. RSA recommends that you compare the objects in your
database with the information in the Data Dictionary to determine which objects are obsolete or
have been updated. See Performing Post-Installation Cleanup for Key Indicator Management.
Ste p 5 :S e tu p d a ta fe e d s
Step 5: Set Up Data Feeds

You must import and schedule each use case data feed that you want to use. See Setting Up Key
Indicator Management Data Feeds.
Ste p 6 :T e s th e in s ta la tio n
Step 6: Test the Installation

Test the Key Indicator Management use case according to your company standards and procedures,
to ensure that the use case works with your existing processes.

Installing the Key Indicator Management Package

Ste p 1 :Ba c k u p y o u r d a ta b a s e
Step 1: Back Up Your Database

There is no Undo function for a package installation. Packaging is a powerful feature that can make
significant changes to an instance. RSA strongly recommends backing up the instance database
before installing a package. This process enables a full restoration if necessary.
An alternate method for undoing a package installation is to create a package of the affected objects
in the target instance before installing the new package. This package provides a snapshot of the
instance before the new package is installed, which can be used to help undo the changes made by
the package installation. New objects created by the package installation must be manually deleted.
Ste p 2 :Imp o r th e p a c k a g e
Step 2: Import the Package
1. Go to the Install Packages page.
a. From the menu bar, click .
b. Under Application Builder, click Install Packages.
2. In the Available Packages section, click Import.
3. Click Add New, then locate and select the package file that you want to import.
4. Click OK.
The package file is displayed in the Available Packages section and is ready for installation.
Ste p 3 :Ma p o b je c ts in th e p a c k a g e
Step 3: Map Objects in the Package
1. In the Available Packages section, select the package you want to map.
2. In the Actions column, click for that package.

The analyzer runs and examines the information in the package. The analyzer automatically
matches the system IDs of the objects in the package with the objects in the target instances and
identifies objects from the package that are successfully mapped to objects in the target instance,
objects that are new or exist but are not mapped, and objects that do not exist (the object is in the
target but not in the source).

Note: This process can take several minutes or more, especially if the package is large, and may
time out after 60 minutes. This time-out setting temporarily overrides any IIS time-out settings
set to less than 60 minutes.
When the analyzer is complete, the Advanced Package Mapping page lists the objects in the
package file and corresponding objects in the target instance. The objects are divided into tabs,
depending on whether they are found within Applications, Solutions, Access Roles, Groups, Sub-
forms, or Questionnaires.
3. On each tab of the Advanced Mapping Page, review the icons that are displayed next to each
object name to determine which objects require you to map them manually.
Icon Name Description
Awaiting Indicates that the system could not automatically match the object or
Mapping children of the object to a corresponding object in the target instance.
Review Objects marked with this symbol must be mapped manually through the
mapping process.
Important: New objects should not be mapped. This icon should remain
visible. The mapping process can proceed without mapping all the objects.
Note: You can execute the mapping process without mapping all the
objects. The icon is for informational purposes only.
Mapping Indicates that the object and all child objects are mapped to an object in
Completed the target instance. Nothing more needs to be done with these objects in
Advanced Package Mapping.
Do Not Indicates that the object does not exist in the target instance or the object
Map was not mapped through the Do Not Map option. These objects will not be
mapped through Advanced Package Mapping, and must be remedied
manually.
Undo Indicates that a mapped object can be unmapped. This icon is displayed in
the Actions column of a mapped object or object flagged as Do Not Map.
4. For each object that requires remediation, do one of the following:
l To map each item individually, on the Target column, select the object in the target instance
to which you want to map the source object. If an object is new or if you do not want to map
an object, select Do Not Map from the drop-down list.

Important: Ensure that you map all objects to their lowest level. When objects have child or
related objects, a drill-down link is provided on the parent object. Child objects must be
mapped before parent objects are mapped. For more details, see "Mapping Parent/Child
Objects" in the RSA Archer Online Documentation.
l To map all objects in a tab automatically that have different system IDs but the same object
name as an object in the target instance, do the following:
a. In the toolbar, click Auto Map.
b. Select an option for mapping objects by name.
Option Description
Ignore Select this option to match objects with similar names regardless of the case
case of the characters in the object names.
Ignore Select this option to match objects with similar names regardless of whether
spaces spaces exist in the object names.
c. Click OK.
The Confirmation dialog box opens with the total number of mappings performed. These
mappings have not been committed to the database yet and can be modified in the
Advanced Package Mapping page.
d. Click OK.
l To set all objects in the tab to Do Not Map, in the toolbar, click Do Not Map.
Note: To undo the mapping settings for any individual object, click in the Actions column.
When all objects are mapped, the icon is displayed in the tab title. The icon is displayed
next to the object to indicate that the object will not be mapped.
5. Verify that all other objects are mapped correctly.
6. (Optional) To save your mapping settings so that you can resume working later, see "Exporting
and Importing Mapping Settings" in the RSA Archer Online Documentation.
7. Once you have reviewed and mapped all objects, click .
8. Select I understand the implications of performing this operation, and then click OK.
The Advanced Package Mapping process updates the system IDs of the objects in the target
instance as defined on the Advanced Package Mapping page. When the mapping is complete, the
Import and Install Packages page is displayed.

Important: Advanced Package Mapping modifies the system IDs in the target instance. Any
Data Feeds and Web Service APIs that use these objects will need to be updated with the new
system IDs.
Ste p 4 :In s ta lth e p a c k a g e
Step 4: Install the Package

All objects from the source instance are installed in the target instance unless the object cannot be
found or is flagged to not be installed in the target instance. A list of conditions that may cause
objects not to be installed is provided in the Log Messages section. A log entry is displayed in the
Package Installation Log section.
1. Go to the Install Packages page.
2. In the Available Packages section, locate the package file that you want to install, and click
Install.
3. In the Configuration section, select the components of the package that you want to install.
l To select all components, select the top-level checkbox.
l To install only specific global reports in an already installed application, select the checkbox
associated with each report that you want to install.
Note: Items in the package that do not match an existing item in the target instance are selected
by default.
4. In the Configuration section, under Install Method, select an option for each selected component.
To use the same Install Method for all selected components, select a method from the top-level
drop-down list.
Note: If you have any existing components that you do not want to modify, select Create New
Only. You may have to modify those components after installing the package to use the changes
made by the package.
5. In the Configuration section, under Install Option, select an option for each selected component.
To use the same Install Option for all selected components, select an option from the top-level
drop-down list.

Note: If you have any custom fields or formatting in a component that you do not want to lose,
select Do not Override Layout. You may have to modify the layout after installing the package to
use the changes made by the package.
6. To deactivate target fields and data-driven events that are not in the package, in the Post-
Install Actions section, select the Deactivate target fields and data-driven events that are not in
the package checkbox. To rename the deactivated target fields and data-driven events with a
user-defined prefix, select the Apply a prefix to all deactivated objects checkbox, and enter a
prefix. This can help you identify any fields or data-driven events that you may want to review
for cleanup post-install.
7. Click Install.
8. Click OK.
Ste p 5 :Re v ie wth e p a c k a g e in s ta la tio n lo g
Step 5: Review the Package Installation Log
1. Go to the Package Installation Log tab of the Install Packages page.
c. Click the Package Installation Log tab.
2. Click the package that you want to view.
3. In the Package Installation Log page, in the Object Details section, click View All Warnings.
For a list of packaging installation log messages and remediation information for common
messages, see Package Installation Log Messages.
Performing Post-Installation Cleanup for Key Indicator Management

Ste p 1 :Re v ie wa n d fix d e p e n d e n c ie s o n o th e r u s e c a s e s
Step 1: Review and Fix Dependencies on Other Use Cases

After you have installed the use case, certain items may not appear or function as designed because
they are dependent on use cases that you have not licensed. For example, a calculated field that
references an application outside of this use case will not validate unless you have also licensed
another use case that contains that application. The following sections list the most common
dependencies and provide steps to resolve the dependencies. In each section, the Related Use Case
column lists the use case(s) that you may or may not have licensed. If you have licensed any of the
listed use cases, you can skip that row. If you have not licensed any of the listed use cases, then the
dependencies apply to your installation and you may want to resolve them.
Note: Resolving these dependencies is not required. You may opt to skip this step, but leaving these
fields as they are may cause confusion or generate calculation errors.
Review the following sections and resolve any dependencies that apply to your installation. You only
need to resolve any dependencies that apply to use cases you have not licensed.
Note: In the calculation dependency scenarios, some of the formulas do not validate because of
unlicensed fields. Some validate, but not function because they are dependent on other fields that are
not valid.
Company
Related Use Case Dependency Resolution
Top-Down Risk Assessment The following calculations do not Drag off

validate: layout or
Count of Controls delete.
l
l Inherent Risk Value
l Residual Risk Value
l Operational Risk Value
l Inherent Risk
l Residual Risk
l Calculated Residual Risk

Control Assurance Program The following calculations do not Drag off

Management validate: layout or
Count of Non-Compliant Controls delete.
l
l % of Non-Compliant Controls
l Compliance Rating
Control Monitoring Program The following calculations do not Drag off

Last Quarterly Certification Date delete.
l
l Last Quarterly Certification Quarter
l Last Quarterly Certification Year
l Current Financial Certification Status
l Count of Certified Divisions
l % of Certified Divisions
l Subsidiary Financial Certification

Status
l Overall Financial Certification Status
Controls Assurance Program The Quarterly Financial Certifications No action

Management and Controls Monitoring reference field is not available. needed.
Program Management

Not all Enterprise applications licensed The following calculations do not Drag off
validate: layout or
Total Products & Services delete.
l
l Total Processes
l Total Applications
l Total Devices
l Total Information Assets
l Total Facilities
Corporate Obligations Management The Regulatory Intelligence Review No action

(Impacted Divisions) reference field is needed.
not available.
Any use case that contains the Findings The Findings reference field is not No action
application available. needed.
Any use case that contains the Contacts The Management Team Contacts No action
application reference field is not available. needed.

Division

validate: layout or
delete.
l Count of Controls
l Average Risk Level Status
l Maximum Risk Level Status
l Business Unit Scorecard (Averages)
l Business Unit Scorecard

(Maximums)
l Count of Warning Indicators
l Risk Warning Level
l Inherent Risk
l Residual Risk
l Calculated Risk
l Maximum Inherent Risk Level
l Maximum Residual Risk Level
l Maximum Calculated Risk Level


Count of Non-Compliant Controls delete.
l
l Compliance Rating

l
l Last Quarterly Certification Quarter
l Current Financial Certification Status
l Count of Certified Business Units
l % of Certified Business Units
l Subsidary Financial Certification

Status
l Overall Financial Certification Status
Not all Enterprise applications licensed The following calculations do not Drag off
validate: layout or
l
l Total Devices
l Total Processes
l Total Facilities

Corporate Obligations Management The Regulatory Intelligence Review No action

(Impacted Divisions) reference field is needed.
not available.
Controls Assurance Program The Quarterly Financial Certifications No action

Management and Controls Monitoring reference field is not available. needed.
Program Management
Any use case that contains the Products The Products and Services reference No action
and Services application field is not available. needed.
Any use case that contains the Loss The Loss Events reference field is not No action
Events application available. needed.

Business Unit


validate: layout or
delete.
l Heat Map
l Count of Controls
l Residual Risk
l Inherent Risk
l Calculated Risk
l Maximum Inherent Risk Level
l Maximum Residual Risk Level
l Maximum Calculated Risk Level
l Risk Response Overview
l Risk Scorecard
l Average % of Failed KRIs
l Maximum % of Failed KRIs
l Average Risk Level Status
l Maximum Risk Level Status
l KRI Tolerance Status
l Count of Warning Indicators
l Risk Warning Level
l Warning Indicator
l Risk Register

l Risk Register Library

delete.
l Count of Non-Compliant Controls
l Compliance Rating

l
l Last Quarterly Certification

Quarter
l Current Financial Certification

Status
Not all Enterprise applications The following calculations do not Drag off
licensed validate: layout or
l
l Total Processes
l Total Devices
l Total Facilities
Federal Continuous Monitoring The Vulnerability Scans reference No action

field is not available. needed.

IT Security Vulnerability Program The following reference fields are No action

not available: needed.
l Vulnerability Trending
l Vulnerability Scans
l Vulnerability Scans Results
Crisis Management The Crisis Events reference field is No action

not available. needed.
BC/DR Planning The Activated Plans reference field No action

is not available. needed.
IT Risk Management The Threat Project reference field is No action

Security Incident Management The following reference fields are No action

l Incident Investigations
l Security Incidents (Affected

Business Unit)
Operational Risk Management The following reference fields are No action

l Self-Assessment History
l Business Process Assessment

Data.
l Assessment Campaign
l Assessment Campaign (Previously

Processed Business Units)
Security Operations & Breach Management The Data Breach (Business Unit(s) No action
Impacted) reference field is not needed.
available.

Audit Engagement The Audit Engagement reference No action

Audit Planning The following reference fields are No action

l Audit Entity
l Audit Engagement
Controls Assurance Program Management The Quarterly Financial No action

and Controls Monitoring Program Certifications reference field is not needed.
Management available.
Issues Management The following reference field are not No action

available: needed.
l Exceptions Request
l Findings
Third Party Catalog and Third Party The Engagements reference field is No action
Engagement not available. needed.
Incident Management The following reference fields are No action

l Incidents
l Investigations
Loss Events Management The Loss Events reference field is No action

Bottom-Up Risk Assessment The Red Flag Rules Assessment No action

reference field is not available. needed.
Any use case that contains the Business The Business Processes reference No action
Processes application field is not available. needed.
Any use case that contains the Control The Control Procedures reference No action
Procedures application field is not available. needed.

Any use case that contains the Applications The Applications reference field is No action
application not available. needed.
Any use case that contains the Devices The Devices reference field is not No action
Any use case that contains the Products and The Products and Services reference No action
Services application field is not available. needed.
Any use case that contains the Corporate The Corporate Objectives reference No action
Objectives application field is not available. needed.
Any use case that contains the Information The Information reference field is not No action
Any use case that contains the Facilities The Facilities reference field is not No action
Any use case that contains the Risk Project The Risk Project reference field is No action
application not available. needed.
Metrics
Operational Risk Management The Risk Assessment Data reference No action

Any use case that contains the Corporate The Corporate Objectives reference No action
Objectives application field is not available. needed.
Any use case that contains the Products The Product- Service reference field is No action
and Services application not available. needed.
Any use case that contains the Business The Business Processes reference No action
Processes application field is not available. needed.
Any use case that contains the Control The Control Procedures reference No action
Procedures application field is not available. needed.
Any use case that contains the Risk The Risk reference field is not No action
Register application available. needed.

Metrics Library
Any use case that contains the Risk The Risk reference field is not available. No action
Register application needed.
Top-Down Risk Assessment The Risk Register Library reference No action

Ste p 2 :De le te o b s o le te o b je c ts
Step 2: Delete Obsolete Objects

Packaging does not delete obsolete objects. RSA recommends that you delete these objects because
they may affect how the applications function. For the following examples, follow these guidelines:
l If you select Override Layout when you install the package, the package installation process
removes old fields from the layout, if those fields do not also exist on the Source Package layout.
All fields removed from the layout are in the Available Fields list.
l Evaluate your need for certain data driven events (DDE), pre-existing rules, and actions that were
not updated through Packaging. Delete any obsolete rules and actions.
l Verify the DDE and calculation order and update it if necessary.
l Evaluate pre-existing notifications and reports that Packaging did not update. Delete obsolete
notifications and reports.
To ensure that all obsolete objects are deleted, compare the Data Dictionary to your environment.
For more information about objects, see "Packaging" in the RSA Archer Online Documentation.
Ste p 3 :V a lid a te fo r mu la s a n d c a lc u la tio n o r d e r s
Step 3: Validate Formulas and Calculation Orders

Follow these guidelines on validating formulas and calculation orders:
l The packaging process logs an error if a formula does not validate. This error may be caused by a
formula that references applications or fields that do not exist in the instance and were not part of
the package (for example, fields in applications that are part of a different use case). Review
those fields to determine if they are needed.

o If a field is needed, modify the formula to remove references to applications or fields that do
not exist in your instance. Fields that do not exist in your instance are identified with an
exclamation mark.
o If a field is not needed, delete the field or remove it from the layout. If the field is not deleted,
removing the formula prevents errors from being written in the log files when records are
saved.
l Verify the order of calculations for each application and sub-form in the use case. See the Data
Dictionary for calculation orders for each individual application or sub-form.
l Update the order of calculations as needed for each application and subform in the use case.
For more information about deleting objects, see "Deleting Fields" in the RSA Archer Online
Documentation.
Ste p 4 :V e r ify k e y fie ld s
Step 4: Verify Key Fields

Packaging does not change key fields. To verify the key fields in each application, see the Data
Dictionary.
Ste p 5 :Up d a te in h e r ite d r e c o r d p e r mis s io n s fie ld s
Step 5: Update Inherited Record Permissions Fields

Packaging does not remove inherited record permissions fields or user/groups populated in a record
permissions field. To verify the record permissions fields in each application, see the Data
Dictionary.
Setting Up Key Indicator Management Data Feeds

Import the data feeds in the following order:
1. Create Metrics from Metric Library for Business Unit
2. Clear Metric Library Linkage From Business Unit
3. Risk Register Library

Ste p 1 .Imp o r ta d a ta fe e d
Step 1: Import a Data Feed
1. Go to the Manage Data Feeds page.
b. Under Integration, click Data Feeds.
2. In the Manage Data Feeds section, click Import.
3. Locate and select the .dfx5 file for the data feed.
4. From the General tab in the General Information section, in the Status field, select Active.
5. Click the Transport tab. Complete the fields in the Transport Configuration section as follows:
a. In the URL field, type: YourServerName/VirtualDirectoryName/ws/search.asmx
b. In the User Name and Password fields, type the username and password of a Platform user
that has API access and access to all of the records on the Platform instance (from which the
data feed is coming).
c. In the Instance field, type the name of the Platform instance from which the data feed is
coming (this is the instance name as you enter it on the Login window).
6. Verify that key field values are not missing from the data feed setup window.
7. Click Save.
Ste p 2 .S c h e d u le a d a ta fe e d
Step 2: Schedule a Data Feed
Important: A data feed must be active and valid to successfully run.
As you schedule your data feed, the Data Feed Manager validates the information. If any
information is invalid, an error message is displayed. You can save the data feed and correct the
errors later; but the data feed does not process until you make corrections.
1. Go to the Schedule tab of the data feed that you want to modify.
b. Under Integration, click Data Feeds.

c. Select the data feed.
d. Click the Schedule tab.
2. Go to the Recurrences section and complete frequency, start and stop times, and time zone.
Field Description
Frequency Specifies the interval in which the data feed runs, for example, Minutely, Hourly,
Daily, Weekly, Monthly, or Reference.
Minutely Runs the data feed by the interval set.

For example, if you specify 45 in the Every list, the data feed
executes every 45 minutes.
Hourly Runs the data feed by the interval set, for example, every hour (1),
every other hour (2) and so forth.
Daily Runs the data feed by the interval set, for example, every day (1),
every other day (2) and, so forth.
Weekly Runs the data feed based on a specified day of the week, for
example, every Monday of the first week (1), every other Monday
(2), and so forth.
Monthly Runs the data feed based on a specified week of the month, for
example, 1st, 2nd, 3rd, 4th, or Last.
Reference Runs a specified data feed as runs before the current one. This
option indicates to the Data Feed Service that this data feed starts
as soon as the referenced data feed completes successfully.
For example, you can select to have a Threats data feed run
immediately after your Assets data feed finishes. From the
Reference Feed list, select after which existing data feed the
current data feed starts.
A reference data feed will not run when immediately running a data
feed. The Run Data Feed Now option only runs the current data
feed.
Every Specifies the interval of the frequency in which the data feed runs.
Start Specifies the time the data feed starts running.

Time

Field Description
Start Date Specifies the date on which the data feed schedule begins.
Time Specifies the time zone in of the server that runs the data feed.
Zone
3. (Optional) To override the data feed schedule and immediately run your data feed, in the Run
Data Feed Now section, click Start.
4. Click Save.

Appendix A: Package Installation Log Message

Examples
When you install a use case package, certain error messages are expected, depending on which
other use cases you have licensed in your system. The following sections describe some of the most
common error messages that you may see. You may use these as guidelines, but you should review
your package installation log and determine any actions you need to take.
For information on the dependencies for each solution, see the Data Dictionary.
Object
Message Explanation Remediation
Type
Alias Object Name This message is an informational warning This message is only
Alias was indicating that the Alias was updated on the potentially an issue if
changed from object. There are two reasons for an alias in the change occurs on
Original Alias the Target Instance to have been updated: a field that is utilized
to New Alias. in a Mail Merge
l Update was in the Source Package.
Template or Data
l Alias has to be unique in the Target Publication Service.
Instance. If the alias already exists in In that scenario,
update the DPS or the
Target, packaging adds a unique
mail merge template
identifier to the end. with the new alias.
Field Field Name in This message is an informational warning Change the field to
the notifying you that packaging does not public manually
application change a private field in the target instance (optional).
Application to a public field.
Name cannot
be changed
from a private
field to a
public field.

Object
Type
Field Field Field This message is seen when a cross- If the use case is not
Name could reference or related record field could not licensed, no action is
not be saved be created because the related application necessary.
due to does not exist in the target instance. This
inability to message usually occurs because the field is Note: If you later
identify the part of a related use case that is not license a use case
related licensed or has not been updated in the that contains that
module. target instance. application, you may
re-install the Use
Case Name package
in order to resolve this
warning.
If the use case has not

been updated, do the
following:
1. Install the
package for the
use case
containing the
related
application. You
must have a
license for the
related
application.
2. Reapply the
original package
to resolve the
warning.
See the Data
Dictionary.

Object
Type
Field The The formula in the calculated field is Do either of the

calculated incorrect. Most often, this message occurs following:
field Field when the formula references a field in a
l Modify the formula
Name in the related application and either the field or the
application application does not exist in the target to remove the
Application instance or is not licensed. This may be reference to the
Name cannot because the application is in a related use unavailable field.
be verified. case that has not been updated.
l Install the package
for the use case

containing the
related application.
(You must have a
license for the
related
application), then
reapply the original
package to resolve
the warning.
See the Data

Dictionary.

Object
Type
Field Field Field This warning may be seen on Inherited 1. Install the
Name was not Record Permission fields, cross- package for the
found and reference/related record fields (record
use case
removed from lookup and grid display), or as a display
a collection. field in a report. The warning means that containing the
the field could not be found in the target related application
instance and was not included in the (to obtain the
package. This is usually because the field is missing field).
part of an application in a related core
You must have a
solution that has not been updated in the
target instance or is not licensed. license for the
related
application.
2. Reapply the
original package
to resolve the
warning.
See the Data
Dictionary.
If you do not have a
license for the related
application, you may
ignore this message,
and the field remains
omitted from the
object.
Advanced The advanced All advanced workflows are installed as Go to the Advanced
Workflow workflow was inactive. You must review and activate the Workflow tab in the
installed, but workflow. application or
is inactive. questionnaire, review
Please review the workflow, then
and activate. click Activate.

Object
Type
Advanced Minor failure: This failure message may appear if certain 1. Verify that the
Workflow Advanced services were not running when you Advanced
workflow installed the package.
Workflow Service
HTTP request
error: 404 not and the Job
found. Service are
running.
2. Reapply the
package.
Access Access rights The Module Name application or None.

Role to the questionnaire belongs to a use case that you If you later license a
following have not licensed or does not exist in the use case that contains
page could instance. that application, you
not be may re-install the Use
configured Case Name package
due to missing in order to resolve this
module warning.
Module
Name.
Access The following Page Name belongs to an application in a None.

Role page use case that you have not licensed. If you later license a
referenced in use case that contains
a link cannot that application, you
be resolved: may re-install the Use
Page Name. Case Name package
warning.

Object
Type
Event Module Name This warning usually occurs when a cross- Review the DDE and
Action DDE Name reference or related record field is on the the layout and
was updated layout in the package but is not licensed or determine if any
but has page does not exist in the target instance. Occurs modifications should
layout on Apply Conditional Layout actions. be made to the layout.
discrepancies. If you later license a
use case that contains
that application, you
may re-install the Use
Case Name package
warning.
Field Contained Field Name 1 references an application that None.

Reference does not exist in the target instance or is not If you later license a
field :Field licensed. use case that contains
Name 1 was that application, you
not found in may re-install the Use
the target Case Name package
instance and in order to resolve this
was removed warning.
from multi-
reference
field : Field
Name 2.
Field Cross Field Name 1, configured to display in the No action is

Reference reference field grid, is missing from the necessary. You can
View/Edit application it belongs to. also add the field to
Display field : the other application
Field Name 1 by installing the
was not found package that the
in the target related application
instance and belongs to.
was removed
from field :
Field Name 2.

Object
Type
Field Related Field Name 1, configured to display in the No action is

Record reference field grid, is missing from the necessary. You can
View/Edit application it belongs to. also add the field to
Display field the other application
:Field Name by installing the
1 was not package that the
found in the related application
target belongs to.
instance and
was removed
from field :
Field Name 2.
Field History Log This message usually occurs when a history None.
Field log field includes a cross-reference or If you later license a
Selection related record as a tracked field, but that use case that contains
field : Field cross-reference or related record could not that application, you
Name was not be created because the related application may re-install the Use
found in the either does not exist in the target or is not Case Name package
target licensed. in order to resolve this
instance and warning.
was removed
from history
log field :
History Log.
Field Inherited Field Name 1 belongs to an application in a None.

User/Group use case that does not exist in the target or If you later license a
field : Field is not licensed. use case that contains
Name 1 was that application, you
not found in may re-install the Use
the target Case Name package
instance and in order to resolve this
was removed warning.
from field :
Field Name 2.

Object
Type
iView The following Page Name belongs to an application in a Modify the iView to
page use case that does not exist in the target or remove the
referenced in is not licensed. unresolved link or
a link cannot delete the iView
be resolved: If you later license a
Page Name. use case that contains
Case Name package
warning.
Navigation Unable to Application Name belongs to an use case None.

Menu update that does not exist or is not licensed. If you later license a
Navigation use case that contains
Menu that application, you
Application may re-install the Use
Name. Field Case Name package
Field Name in order to resolve this
not found. warning.
Report Report Name Occurs when no display fields could be None.

report could included in the report because the fields do
not be not exist in the target or are not licensed.
created. This error is most common on statistics
There are no reports.
display fields
for this report.

Object
Type
Report Display field : Field Name belongs to an application in a If the report functions
Field Name use case that does not exist or that is not without that field,
was not found licensed. then no action is
in the target needed. Otherwise,
instance and modify the report or
was removed remove it.
from report: If you later license a
Report Name. use case that contains
Case Name package
warning.
Report Field : Field Field Name belongs to an application in a If the report functions
Name use case that does not exist or is not without that field,
referenced by licensed. then no action is
a statistic step needed. Otherwise,
was not found modify the report or
in the target remove it.
instance and If you later license a
was removed use case that contains
from report : that application, you
Report Name. may re-install the Use
Case Name package
warning.

Object
Type
Report Field : Field Field Name belongs to an application in a If the report functions
Name used use case that does not exist or is not without that field,
for charting licensed. then no action is
was not found needed. Otherwise,
in the target modify the report or
instance and remove it.
was removed If you later license a
from report : use case that contains
Report Name. that application, you
Case Name package
warning.
Report Field : Field Occurs when a filter condition in a report is If the report functions
Name was not referencing an application that does not without that field,
found in the exist or is not licensed. then no action is
target needed. Otherwise,
instance and modify the report or
the condition remove it.
was removed If you later license a
from the use case that contains
filter. that application, you
Case Name package
warning.

Object
Type
Report Module The Module Name application or If the report functions

Module Name questionnaire belongs to a use case that you without that field,
was not found have not licensed. then no action is
and removed needed. Otherwise,
from a search modify the report or
report. remove it.
If you later license a
use case that contains
Case Name package
warning.
Report Module Occurs with n-tier reports when the report If the report functions
Module Name includes display fields from a related without that field,
was not application that does not exist or is not then no action is
found. The licensed. needed. Otherwise,
relationship modify the report or
and remove it.
associated If you later license a
display fields use case that contains
were removed that application, you
from a search may re-install the Use
report. Case Name package
warning.
Workspace The following The Module Name application or None.

module questionnaire belongs to a use case that If you later license a
referenced in does not exist or is not licensed. use case that contains
the that application, you
Navigation may re-install the Use
menu could Case Name package
not be in order to resolve this
resolved: warning.
Module
Name.

RSA Archer 6.2 Key Indicator Mgt Guide

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

RSA Archer 6.2 Key Indicator Mgt Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

RSA Archer 6.2 Key Indicator Mgt Guide

Uploaded by

Copyright:

Available Formats

RSA Archer Key Indicator Management

Use Case Guide

Copyright © 2010-2017 Dell Inc. or its subsidiaries. All Rights Reserved.

Key Indicator Management Release Notes 5

Chapter 1: Key Indicator Management 7

Chapter 2: Key Indicator Management Design 9

Chapter 3: Installing Key Indicator Management 15

Setting Up Key Indicator Management Data Feeds 35

Appendix A: Package Installation Log Message Examples 39

Key Indicator Management Release Notes

Workspace The following changes have been made:

Dashboards The following dashboards have been removed:

l Business Unit Risk Overview

l Operational Risk Management

l Operational Risk Management Program Administration

The following persona-based dashboards have been added:

l Business Unit Manager

l Data Quality Administration

These dashboards include both new and existing iViews.

Key Indicator Management Release Notes 5

Key Indicator Management Release Notes 6

Chapter 1: Key Indicator Management

RSA Archer Key Indicator Management

l Governance to ensure timely collection of indicator data

l Stakeholder notification when indicators exceed acceptable boundaries

l Consistent approach to calculating indicator boundaries and limits

Chapter 1: Key Indicator Management 7

l Install and set up the use case

Chapter 1: Key Indicator Management 8

Chapter 2: Key Indicator Management Design

Chapter 2: Key Indicator Management Design 9

Chapter 2: Key Indicator Management Design 10

Chapter 2: Key Indicator Management Design 11

Access Role Description

iView Use Case Reporting Limitations

Executive Risk Management All quick links are invalid.

Top Down Risk Assessment All reports are invalid.

Risk by Business Unit All reports are invalid.

Chapter 2: Key Indicator Management Design 12

iView Use Case Reporting Limitations

Risk Exposure Enterprise Risks Financial Exposure (Typical and Worst

Risk Metrics Managements All reports are invalid.

Loss Events All reports are invalid.

iView Use Case Reporting Limitations

Business Unit Manager Quick Links 4 of 5 quick links are invalid.

My Loss Events Requiring Review or Sign-Off All reports are invalid.

Bottom-Up Risk Analysis All reports are invalid.

My Loss Events Summary All reports are invalid.

Risk Self-Assessment Summary All reports are invalid.

iView Use Case Reporting Limitations

Risk Manager Quick Links 5 of 6 quick links are invalid.

Risk Inventory for Risk Manager All reports are invalid.

Business Process By Rating Report is invalid.

Control Assessment Concerns All reports are invalid.

Self-Assessment Status and Change Tracking All reports are invalid.

Self-Assessments Awaiting Risk Manager Review All reports are invalid.

Bottom-UP Risk Analysis Report All reports are invalid.

Loss Event Management All reports are invalid.

Chapter 2: Key Indicator Management Design 13