Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax
numbers: https://community.rsa.com/community/rsa-customer-support.
Trademarks
RSA, the RSA Logo, RSA Archer, RSA Archer Logo, and EMC are either registered trademarks or trademarks of EMC
Corporation ("EMC") in the United States and/or other countries. All other trademarks used herein are the property of their
respective owners. For a list of RSA trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm.
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may
be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This
software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Third-party licenses
This product may include software developed by parties other than RSA.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.
RSA Archer GRC Business Impact Analysis
Key Features
• Includes the Business Process catalog and a pre-built Business Impact Analysis with workflow,
  notifications and reference data to determine the criticality of all business processes.
• Business process owners or BCM teams can kick off a new or updated BIA depending on process
  criticality rating, date of last BIA or other factors.
• BCM team can start a campaign to initiate BIAs for multiple business processes in a Business
  Unit or that support certain Products or Services.
• Access roles are provided for business owners, BCM team and executives that easily drive their
  BIA completion, review and approval workflow for each.
Key Benefits
With RSA Archer Business Impact Analysis, you will be able to:
• Use a single approach to complete BIAs with workflow, notifications, review and approval
  processes
• Provide reports that show key metrics and reports to enable BCM teams, business unit managers,
  and business process managers to manage their BIAs
Get Started
• Learn more about the use case design
Architecture Diagram
The following diagram shows the relationships between the applications that make up the Business
Impact Analysis use case.
Applications
| Application | Description |
| --- | --- |
| Business Processes | The Business Processes application captures the base data for a given process. A process may be assigned to a particular business unit or shared across multiple business units. The application enables you to track the business processes personnel, business impact, and ITIL category, and associate it with other aspects of the enterprise infrastructure. |
| BIA Campaign | The BIA Campaign application enables users to launch a campaign that first searches the business process or business unit area to identify any area that does not yet have a BIA. The system then creates a BIA for that business process. |
| Business Impact Analysis | The Business Impact Analysis (BIA) application is designed to help organizations determine the criticality of processes with their Recovery Time Objective (RTO) and Recovery Point Objective (RPO). The application allows you to share this information with interdependent teams and enables business leaders to prioritize BC/DR plans, recovery strategies and recovery tasks. |
| BIA Archive | The BIA Archive application stores all completed and approved BIAs. |
| Company | The Company application stores general, financial, and compliance information at the company level. This application relates to the Division and Business Unit application to support rollup reporting of governance, risk, and compliance initiatives across the enterprise. |
| Business Unit | The Business Unit application provides a detailed view of all activities related to the specific business unit. |
| Division | The Division application represents the intermediate unit within the business hierarchy which is a layer below the high-level company and a layer above the individual business unit. Utilizing this application, users can further document the relationships within their business and measure the effectiveness and compliance of individual divisions within the enterprise. |
• My BIAs (Displays BIAs when the current user is either the BPM, Controller, or Compliance
  Manager)
• BIAs by Status
Access Roles
The following table describes the available access roles within the Business Impact Analysis use
case and any related permissions that the role requires.
| Role | Description |
| --- | --- |
| BIA: BCM Program Lead | • Creates BIA campaigns for all business processes in the organization, runs BIA campaigns, and initiates advanced workflows. • Can approve or reject the completed BIA after the Controller and Compliance Manager respond to and submit their part of the BIA. • Can view the status of all BIAs for their respective business processes. |
Personas
The Business Impact Analysis use case provides the following personas:
|  |  |  |
| --- | --- | --- |
| BIA: BCM Program Lead | BCM Program reviewer | • Can create BIA Campaign and initiate advanced workflow. • Can approve or reject completed BIAs that have been approved by BUM |
| BIA: Participant access role | Business Process Manager | Can create BIAs for business processes that they own and initiate workflow on owned BP BIAs |
| BIA: Participant | Controller | • Can complete the Finance section of the BIA. • Can see the status of all the BIAs for the business processes in their Business Unit |
Data Feeds
The use case provides the following data feeds.
|  |  |
| --- | --- |
| Copy From Business Process | When a BIA is initiated, the Copy From Business Process data feed populates associated BIA records with Business Unit, GL Account, Information Assets, Loss Events, and Product and Services information. |
| Business Impact Analysis Archive | After all BIA records associated with a campaign have been approved by the BCM Program Lead, the Business Impact Analysis Archive data feed copies all associated BIA records into the BIA Archive application. |
BIA Campaign Advanced Workflow
record may be tied to more than one campaign at a time, but can only be tied to a single business
process. If a business process already has a BIA created, the system links the existing BIA record to
the new BIA campaign after the campaign starts. To start the campaign, users click Run Campaign.
This action enrolls the campaign record in advanced workflow. The system is prompted to create
new BIAs for business processes that do not have one, and link existing BIAs to the campaign. All
BIAs associated with a BIA campaign are listed in the Related Business Impact Analysis section of
the campaign record.
Note: There is no automatic enrollment option for a BIA campaign. All campaigns are created
manually.
Note: The BIA use case does not currently support automatic re-enrollment. To re-enroll an existing
BIA in advanced workflow, a user with the BCM Business Process Role must select Run Campaign
from the BIA Campaign Record.
Note: A campaign is complete after all associated BIA records are archived.
• A user account on the Platform with access rights to the Data Feed Manager.
2. Download the use case file(s) from the Archer Customer/Partner Community on RSA Link on
the "Archer GRC 6.1 Software and Documentation" page
(https://community.rsa.com/community/products/archer-grc/archer-61/downloads). The zip file
contains the install package and the data feeds.
3. Obtain the Data Dictionary for the use case by contacting your RSA Archer Account
Representative or calling 1-888-539-EGRC. The Data Dictionary contains the configuration
information for the use case.
4. Read and understand the Packaging Data section of the RSA Archer GRC Online
Documentation.
5. Review the Release Notes to understand any known issues before installing and configuring the
use case.
Step 2: Update the license key
Note: All customers are required to get a new license key for 6.1. Ensure that you are using a valid
6.1 license key prior to installing packages.
The administrator (a web or database administrator) on the server on which the Archer Control
Panel resides must update the license key in the Archer Control Panel before the application
package is imported in order for the new items to be available for use.
2. From the Instance Management list, click to expand the Instances list.
3. Right-click the instance that you want to update, and click Update License Key.
4. Update the applicable information: Serial Number, Contact Info, and Activation Method.
5. Click Activate.
Important: If you do not update the license key prior to installing the package, you will not be able
to access workspaces, dashboards and applications in 6.1.
Step 2: Import the package
3. Click Add New, then locate and select the package file that you want to import.
4. Click OK.
The package file is displayed in the Available Packages section and is ready for installation.
Step 3: Map objects in the package
1. In the Available Packages section, select the package you want to map.
Note: This process can take several minutes or more, especially if the package is large, and may
time out after 60 minutes. This time-out setting temporarily overrides any IIS time-out settings
set to less than 60 minutes.
When the analyzer is complete, the Advanced Package Mapping page lists the objects in the
package file and corresponding objects in the target instance. The objects are divided into tabs,
depending on whether they are found within Applications, Solutions, Access Roles, Groups, Sub-
forms, or Questionnaires.
3. On each tab of the Advanced Mapping Page, review the icons that are displayed next to each
object name to determine which objects require you to map them manually.
|  |  |
| --- | --- |
| Awaiting Mapping Review | Indicates that the system could not automatically match the object or children of the object to a corresponding object in the target instance. Objects marked with this symbol must be mapped manually through the mapping process. Important: New objects should not be mapped. This icon should remain visible. The mapping process can proceed without mapping all the objects. Note: You can execute the mapping process without mapping all the |
| Mapping Completed | Indicates that the object and all child objects are mapped to an object in the target instance. Nothing more needs to be done with these objects in Advanced Package Mapping. |
| Do Not Map | Indicates that the object does not exist in the target instance or the object was not mapped through the Do Not Map option. These objects will not be mapped through Advanced Package Mapping, and must be remedied manually. |
| Undo | Indicates that a mapped object can be unmapped. This icon is displayed in the Actions column of a mapped object or object flagged as Do Not Map. |
• To map each item individually, on the Target column, select the object in the target instance
  to which you want to map the source object. If an object is new or if you do not want to map
  an object, select Do Not Map from the drop-down list.
  Important: Ensure that you map all objects to their lowest level. When objects have child or
  related objects, a drill-down link is provided on the parent object. Child objects must be
  mapped before parent objects are mapped. For more details, see "Mapping Parent/Child
  Objects" in the RSA Archer Online Documentation.
• To automatically map all objects in a tab that have different system IDs but the same object
  name as an object in the target instance, do the following:

| Option | Description |
| --- | --- |
| Ignore case | Select this option to match objects with similar names regardless of the case of the characters in the object names. |
| Ignore spaces | Select this option to match objects with similar names regardless of whether spaces exist in the object names. |

c. Click OK.
The Confirmation dialog box opens with the total number of mappings performed. These
mappings have not been committed to the database yet and can be modified in the
Advanced Package Mapping page.
d. Click OK.
• To set all objects in the tab to Do Not Map, in the toolbar, click Do Not Map.
Note: To undo the mapping settings for any individual object, click in the Actions column.
When all objects are mapped, the icon is displayed in the tab title. The icon is displayed
next to the object to indicate that the object will not be mapped.
6. (Optional) To save your mapping settings so that you can resume working later, see "Exporting
and Importing Mapping Settings" in the RSA Archer Online Documentation.
8. Select I understand the implications of performing this operation and click OK.
The Advanced Package Mapping process updates the system IDs of the objects in the target
instance as defined on the Advanced Package Mapping page. When the mapping is complete, the
Import and Install Packages page is displayed.
Important: Advanced Package Mapping modifies the system IDs in the target instance. Any
Data Feeds and Web Service APIs that use these objects will need to be updated with the new
system IDs.
2. In the Available Packages section, locate the package file that you want to install, and click
Install.
3. In the Configuration section, select the components of the package that you want to install.
• To install only specific global reports in an already installed application, select the checkbox
  associated with each report that you want to install.
Note: Items in the package that do not match an existing item in the target instance are selected
by default.
4. In the Configuration section, under Install Method, select an option for each selected component.
To use the same Install Method for all selected components, select a method from the top-level
drop-down list.
Note: If you have any existing components that you do not want to modify, select Create New
Only. You may have to modify those components after installing the package to use the changes
made by the package.
5. In the Configuration section, under Install Option, select an option for each selected component.
To use the same Install Option for all selected components, select an option from the top-level
drop-down list.
Note: If you have any custom fields or formatting in a component that you do not want to lose,
select Do not Override Layout. You may have to modify the layout after installing the package to
use the changes made by the package.
6. To deactivate target fields and data-driven events that are not in the package, in the Post-
Install Actions section, select the Deactivate target fields and data-driven events that are not in
the package checkbox. To rename the deactivated target fields and data-driven events with a
user-defined prefix, select the Apply a prefix to all deactivated objects checkbox, and enter a
prefix. This can help you identify any fields or data-driven events that you may want to review
for cleanup post-install.
7. Click Install.
8. Click OK.
Step 5: Review the package installation log
3. In the Package Installation Log page, in the Object Details section, click View All Warnings.
For a list of packaging installation log messages and remediation information for common
messages, see Package Installation Log Messages.
2. Business_Impact_Analysis_-_Archive_Feed.dfx5
Data feed dependencies
3. Locate and select the .dfx5 file for the data feed.
4. From the General tab in the General Information section, in the Status field, select Active.
5. Click the Transport tab. Complete the fields in the Transport Configuration section as follows:
b. In the User Name and Password fields, type the username and password of the Platform user
that has API access and access to all of the records on the Platform instance (from which the
data feed is coming).
c. In the Instance field, type the name of the Platform instance from which the data feed is
coming (this is the instance name as you enter it on the Login window).
6. Verify that key field values are not missing from the data feed setup window.
7. Navigate to the Data Mapping tab to resolve any dependencies that you do not have licensed
8. Click Save.
Step 2: Schedule a data feed
As you schedule your data feed, the Data Feed Manager validates the information. If any
information is invalid, an error message is displayed. You can save the data feed and correct the
errors later, but the data feed does not process until you make corrections.
2. In the Name column, click the data feed that you want to edit.
Note: The Schedule tab is available for both Standard and Transport-Only data feed types.
4. In the Frequency drop-down list, set the frequency for the data feed. For example, if you select
Minutely and specify 3 in the Every field, the data feed runs every 3 minutes.
5. (Optional) To configure a data feed to run immediately after another data feed, follow these
steps:
b. In the Reference Feed drop-down list, select the first data feed. Your current data feed
would run after this selected one.
6. (Optional) To override the data feed schedule and immediately run your data feed, in the Run
Data Feed Now section, click Start.
7. Click Save.
2. Click .
• In the Response Period - Days field, enter a value for the number of days that participants
  have to complete their responses.
  Note: The Response Period Due Date field is populated in the BIA record based on the
  value entered in the Response Period - Days field.
• In the Review Period - Days field, enter the number of days reviewers have to complete
  their reviews.
  Note: The Review Period Due Date field is populated in the BIA record based on the
  value entered in the Review Period - Days field.
• The Campaign Actual Completion Date populates only after all associated BIAs are
  approved and the campaign is complete.
• Business Process. Selects all business processes, beginning at the parent process, and
  continuing until all sub-processes are selected.
• Business Unit. Selects the business unit, directly related business processes, and all
  related sub-processes.
• Products & Services. Selects products and services, directly related business processes,
  and sub-business processes.
  Note: In order to select products and services, you must have a license for a use case that
  contains the Products & Services application.
Note: You can select Run Campaign only after all the required fields have been completed.
Note: You cannot check out a BIA record if another user already has it checked out.
5. Click Submit.
3. (Optional) Update your sections. You can update the sections you answered without clicking
Reject.
• Reject to Compliance.
• Reject to Controller.
• Reject to Both.
Rejecting a BIA sends a notification to the appropriate stakeholder and allows them to update
and resubmit the record.
3. (Optional) Update your sections. You can update the sections you answered without clicking
Reject.
• Reject to BU Manager
• Approve
Rejecting a BIA sends notification to the appropriate Business Unit Manager and allows him or
her to update and resubmit the record.
3. If updates need to be made to any sections, click Reject to Business Unit Manager.
Rejecting a BIA sends notification to the appropriate Business Process Manager and allows him
or her to update and resubmit the record.
3. Click OK.
4. Click .
4. Under the Process Name row, select the business process to which you want to add a BIA.
5. Click Edit.
d. In the Business Stakeholders section, from the BCM Program Lead dropdown, select a
reviewer.
2. Select the BIA you want to view from the list of BIA archives.
| Object Type | Message | Explanation | Remediation |
| --- | --- | --- | --- |
| Alias | Object Name Alias was changed from Original Alias to New Alias | This message is an informational warning indicating that the Alias was updated on the object. There are two reasons for an alias in the Target Instance to have been updated: • Update was in the Source Package. • Alias has to be unique in the Target Instance. If the alias already exists in the Target, packaging adds a unique identifier to the end. | This message is only potentially an issue if the change occurs on a field that is utilized in a Mail Merge Template or Data Publication Service. In that scenario, update the DPS or the mail merge template with the new alias. |
| Field | Field Name in the application Application Name cannot be changed from a private field to a public field. | This message is an informational warning notifying you that packaging does not change a private field in the target instance to a public field. | Change the field to public manually (optional). |
| Field | Field Field Name could not be saved due to inability to identify the related module. | This message is seen when a cross-reference or related record field could not be created because the related application does not exist in the target instance. This message usually occurs because the field is part of a related use case that is not licensed or has not been updated in the target instance. | If the use case is not licensed, no action is necessary. Note: If you later license a use case that contains that application, you may re-install the Use Case Name package in order to resolve this warning. 2. Reapply the original package to resolve the warning. See the Data Dictionary. |
| Field | The calculated field Field Name in the application Application Name cannot be verified. | The formula in the calculated field is incorrect. Most often, this message occurs when the formula references a field in a related application and either the field or the application does not exist in the target instance or is not licensed. This may be because the application is in a related use case that has not been updated. | Do either of the following: • Modify the formula to remove the reference to the unavailable field. • Install the package for the use case containing the related application. (You must have a license for the related application), then reapply the original package to resolve the warning. |
| Field | Field Field Name was not found and removed from a collection. | This warning may be seen on Inherited Record Permission fields, cross-reference/related record fields (record lookup and grid display), or as a display field in a report. The warning means that the field could not be found in the target instance and was not included in the package. This is usually because the field is part of an application in a related core solution that has not been updated in the target instance or is not licensed. | 1. Install the package for the use case containing the related application (to obtain the missing field). You must have a license for the related application. 2. Reapply the original package to resolve the warning. See the Data Dictionary. If you do not have a license for the related application, you may ignore this message, and the field remains omitted from the object. |
| Advanced Workflow | The advanced workflow was installed, but is inactive. Please review and activate. | All advanced workflows are installed as inactive. You must review and activate the workflow. | Go to the Advanced Workflow tab in the application or questionnaire, review the workflow, then click Activate. |
| Advanced Workflow | Minor failure: Advanced workflow HTTP request error: 404 not found. | This failure message may appear if certain services were not running when you installed the package. | 1. Verify that the Advanced Workflow Service and the Job Service are running. 2. Reapply the package. |
| Event Action | Module Name DDE Name was updated but has page layout discrepancies. | This warning usually occurs when a cross-reference or related record field is on the layout in the package but is not licensed or does not exist in the target instance. Occurs on Apply Conditional Layout actions. | Review the DDE and the layout and determine if any modifications should be made to the layout. If you later license a use case that contains that application, you may re-install the Use Case Name package in order to resolve this warning. |
| iView | The following page referenced in a link cannot be resolved: Page Name | Page Name belongs to an application in a use case that does not exist in the target or is not licensed. | Modify the iView to remove the unresolved link or delete the iView. If you later license a use case that contains that application, you may re-install the Use Case Name package in order to resolve this warning. |
| Report | Report Name report could not be created. There are no display fields for this report. | Occurs when no display fields could be included in the report because the fields do not exist in the target or are not licensed. This error is most common on statistics reports. | Need more information. |
| Report | Display field : Field Name was not found in the target instance and was removed from report: Report Name. | Field Name belongs to an application in a use case that does not exist or that is not licensed. | If the report functions without that field, then no action is needed. Otherwise, modify the report or remove it. If you later license a use case that contains that application, you may re-install the Use Case Name package in order to resolve this warning. |
| Report | Field : Field Name referenced by a statistic step was not found in the target instance and was removed from report : Report Name. | Field Name belongs to an application in a use case that does not exist or is not licensed. | If the report functions without that field, then no action is needed. Otherwise, modify the report or remove it. If you later license a use case that contains that application, you may re-install the Use Case Name package in order to resolve this warning. |
| Report | Field : Field Name used for charting was not found in the target instance and was removed from report : Report Name. | Field Name belongs to an application in a use case that does not exist or is not licensed. | If the report functions without that field, then no action is needed. Otherwise, modify the report or remove it. If you later license a use case that contains that application, you may re-install the Use Case Name package in order to resolve this warning. |
| Report | Field : Field Name was not found in the target instance and the condition was removed from the filter. | Occurs when a filter condition in a report is referencing an application that does not exist or is not licensed. | If the report functions without that field, then no action is needed. Otherwise, modify the report or remove it. If you later license a use case that contains that application, you may re-install the Use Case Name package in order to resolve this warning. |
| Report | Module Module Name was not found. The relationship and associated display fields were removed from a search report. | Occurs with n-tier reports when the report includes display fields from a related application that does not exist or is not licensed. | If the report functions without that field, then no action is needed. Otherwise, modify the report or remove it. If you later license a use case that contains that application, you may re-install the Use Case Name package in order to resolve this warning. |