
Page 1: RSA Leaders Series: State Of Texas Department of Information Resources … · 2019. 3. 5. · NANCY RAINOSEK, GOVERNANCE, RISK AND COMPLIANCE PROGRAM MANAGER, TEXAS DEPARTMENT OF

CUSTOMER Q & A

TEXAS DEPARTMENT OF INFORMATION RESOURCES

CENTRALIZES AND OPTIMIZES GRC ACTIVITIES

WITH RSA ARCHER

AT A GLANCE

CHALLENGES

• As a technology provider for state and local governments, the Department of Information Resources manages large amounts of information for many different state agencies and higher education institutions

• Systems and processes were out of date and cumbersome, creating inefficiencies across the organization

RESULTS

• With RSA Archer, all risk assessments and security incident reporting are now in one tool, giving the department the ability to see where the key risks are on a state-wide basis

• With the implementation of RSA Archer, all Texas state agencies and higher education institutions now have access to the same tools, regardless of their size or budget

WHAT DROVE YOUR DECISION TO IMPLEMENT RSA ARCHER?

When we began looking for a GRC solution, we had three required use cases: optimizing incident response, improving our risk assessments and enhancing our framework for security planning and maturity level reporting.

CAN YOU GO INTO FURTHER DETAIL ON THE USE CASES?

Optimizing incident response: We had an ageing system that was developed in the early 2000s where organizations had to report their security incidents on a monthly basis. They put numbers in every month and never got anything back out of it. So we wanted to have a system where organizations could report their monthly incidents but also see how they stack up against other organizations of similar size or the state as a whole. We also require organizations to report to us any incident that meets one of three criteria: if it involves the loss of protected information, if law enforcement has to be contacted or if it can propagate to other state systems. We weren’t always made aware of these incidents in a timely manner and had no way to track what was going on. We didn’t have a way to keep all the information in one standard format either. So we looked at this tool as a way to gather that information as well. We wanted to give organizations a method for tracking all their incidents, and the beauty of this tool is that if they do that, then their monthly report is automatically generated for them, saving a large amount of time at the end of each month.

Improving risk assessments: The tool that state organizations used for risk assessments was about to be discontinued, so the agencies were looking for a replacement. We wanted a GRC solution that could help organizations perform their information security risk assessments, since we had a tool that was not being supported anymore. Our goal was to build in workflow for approval processes and reduce duplication of labor.

Enhancing our framework for security planning and maturity level reporting: In 2013 it became a legal requirement for state organizations to submit a security plan to the department every two years. In addition, the department had to develop a cybersecurity framework, so we needed a solution which combined both of these requirements. We were developing the Texas Cybersecurity Framework at the same time that NIST was developing their framework. Unfortunately, our legislated timeline would not allow us to simply adopt the NIST framework due to timing differences. So we adopted their high-level functional areas of identify, protect, detect, respond, and recover. We defined 40 key control areas under the functional areas. We needed a tool that provided organizations with the ability to assess and record their maturity level for each of the 40 key control areas and then develop a road map for improving their controls.

“As other people in our department learn about the Archer tool and its ease of use and flexibility, they are asking us to undertake other use cases. It’s been extremely successful.”

NANCY RAINOSEK, GOVERNANCE, RISK AND COMPLIANCE PROGRAM MANAGER, TEXAS DEPARTMENT OF INFORMATION RESOURCES

HOW DID YOU SELECT RSA ARCHER?

We went through a competitive process to select RSA Archer, whereby we outlined each of the use cases and sent questionnaires to a number of leading GRC providers and then had them go through demonstrations of how they could meet our needs. Ultimately we chose RSA Archer and we are using the enterprise, policy, risk, compliance and incident modules. It met our three key use cases as well as the objective of having a system where organizations could see how they compared to other organizations of similar size or the state as a whole.

HOW LONG DID IT TAKE TO IMPLEMENT?

We started implementing this tool about a year ago and in that time we have implemented all three use cases in addition to a couple of other applications to assist other departments in our agency. The work we have done has been relatively quick and the response from customers has been positive.

HOW DO YOU MEASURE THE EFFECTIVENESS OF YOUR PROGRAM?

We report to our Board of Directors on a quarterly basis, giving updates on how many organizations are using the tool and what our adoption rates are. This is extremely valuable in helping us determine what we need to do to improve, and making sure that our customers’ needs are being met. It’s always rewarding to see organizations adopt the incident reporting system because it is not a mandatory requirement. When they are voluntarily adopting a new tool we know that we’re on the right track and doing good things for our customers.

Previously, maturity levels were estimated, but now, because we have the risk assessments as part of the tool, we’ve been able to integrate the two so that the 40 key controls in the Texas Cybersecurity Framework are linked to the NIST controls, which enables organizations to view the findings they have in each of those key controls. It gives them a better method for establishing or rating their maturity levels and this is particularly useful.

WHAT IS YOUR KEY TO SUCCESS?

I think about it as a three-step process of walk, run, fly. We started small with something that organizations were used to doing. We got them to use the new tool to do their monthly reporting and they found this made things easier. So much so that when people first started using the tool they felt like they were cheating because it wasn’t as cumbersome as what they were doing in the past. After this introduction to make them feel at ease with the tool, we then began introducing more complex processes for them to use.

The Department of Information Resources is a technology provider for state and local governments in the state of Texas. Its mission is to provide technology leadership, solutions, and value to state government, education, and local government entities, and to enable and facilitate the fulfilment of their core missions. It works with over 140 state agencies and institutions of higher education.


WHAT’S NEXT IN YOUR SECURITY JOURNEY?

As other people in our department learn about the Archer tool and its ease of use and flexibility, they are asking us to undertake other use cases; for example, creating an application to help DIR create a prioritized list of funding requests for security and legacy system modernization projects for the next legislative session. The workflow and the way that we can get information to and from our customers is of particular interest. The implementation has been extremely successful and we are looking to build on that.

CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller, or visit us at rsa.com

©2018 Dell Inc. or its subsidiaries. All rights reserved. RSA and the RSA logo are registered trademarks or trademarks of Dell Inc. or its subsidiaries in the United States and other countries. All other trademarks are the property of their respective owners. RSA believes the information in this document is accurate. The information is subject to change without notice. 03/18, Customer Q&A, HXXXXXX