<Partner Name> RSA ARCHER GRC Platform Implementation Guide. RiskLens <Partner Product>

Transcription

1 <Partner Name> <Partner Product> RSA ARCHER GRC Platform Implementation Guide Wesley Loeffler, RSA Engineering Last Modified: April 25 th, 2018

2 2.4 Solution Summary The & Archer integration connects a Risk Issue in the RSA Archer GRC Platform s Risk Register to a Cyber Risk Quantification Analysis. The connection adds quantified analysis information directly to the Risk Issue. This allows the Risk Issue to be assessed alongside other issues with FAIR quantified outputs. Analyses can be updated over time and the changes can be sent back to the corresponding Risk Issue with the changes. This integration will allow for both requesting and sending data to/from the RSA Archer GRC Platform. This version of the integration acts as a conduit to coordinate the platforms. It integrates the two platforms for workflow purposes and data communication. Future versions will expand on the integration of FAIR and automatic updates. Partner Integration Overview GRC Solution Type Uses Out Of The Box Application Uses Custom Application Requires On-Demand License IT Security Risk Management & Enterprise & Operational Risk Risk Register Yes (Modified version of Risk Register) No

3 2.4 Partner Product Configuration Before You Begin This section provides instructions for configuring with the RSA Archer GRC Platform. This document is not intended to suggest optimum installation or configuration. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding. *Customers with the Monte Carlo integration should not override the layout when installing the package. Doing so will result in Monte Carlo fields being removed from the layout. Important: The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes. It may or may not meet the needs and use cases for your organization. If additional customizations or enhancements are needed, it is recommended that customers contact RSA Professional Services for assistance. Configuration The steps provided below cover the changes and setup needed to provide access to the API for your RSA Archer GRC Platform Instance. Token Management 1. As a Admin, select Token Management from the Admin drop down

4 Click the New Token button to add a new API Token. 3. Set the Access Level for the new Token. Your RSA Archer GRC Platform Integration will require that the Token you create has Write level access or higher. 4. Make note of the Token Value. It will be used in the Risk Register Custom Object to communicate with the server

5 The Token Value will be inserted inside the Custom Object on the Risk Register layout. For instructions on locating the Custom Object please refer to steps 7 and 8 of the Updating the Custom Object inside Risk Register section. RSA Archer GRC Platform API User This section details the steps necessary for providing user and network credentials needed to communicate with. 1. Navigate to Admin -> Third Party Integrations -> Third Party Integration Settings. 2. Fill in the information for the RSA Archer GRC Platform API User and click Save

6 2.4 RSA Archer Risk Register/ Package Installation The following information details the steps necessary to import and install the Risk Register application. Step 1: Back Up Your Database There is no Undo function for a package installation. Packaging is a powerful feature that can make significant changes to an instance. It is strongly recommended to back up the instance database before installing a package. This process enables a full restoration if necessary. An alternate method for undoing a package installation is to create a package of the affected objects in the target instance before installing the new package. This package provides a snapshot of the instance before the new package is installed, which can be used to help undo the changes made by the package installation. New objects created by the package installation must be manually deleted. Step 2: Import the Package Procedure 1. Go to the Install Packages page. a. From the menu bar, click. b. Under Application Builder, click Install Packages. 2. In the Available Packages section, click Import. 3. Click Add New, then locate and select the package file that you want to import. 4. Click OK. The package file is displayed in the Available Packages section and is ready for installation. Step 3: Map Objects in the Package Procedure 1. In the Available Packages section, select the package you want to map. 2. In the Actions column, click for that package. The analyzer runs and examines the information in the package. The analyzer automatically matches the system IDs of the objects in the package with the objects in the target instances and identifies objects from the package that are successfully mapped to objects in the target instance, objects that are new or exist but are not mapped, and objects that do not exist (the object is in the target but not in the source). Note: This process can take several minutes or more, especially if the package is large, and may time out after 60 minutes. This time-out setting temporarily overrides any IIS time-out settings set to less than 60 minutes. When the analyzer is complete, the Advanced Package Mapping page lists the objects in the package file and corresponding objects in the target instance. The objects are divided

7 2.4 into tabs, depending on whether they are found within Applications, Solutions, Access Roles, Groups, Sub- forms, or Questionnaires. 3. On each tab of the Advanced Mapping Page, review the icons that are displayed next to each object name to determine which objects require you to map them manually. Icon Name Description Awaiting Mapping Review Indicates that the system could not automatically match the object or children of the object to a corresponding object in the target instance. Objects marked with this symbol must be mapped manually through the mapping process. Important: New objects should not be mapped. This icon should remain visible. The mapping process can proceed without mapping all the objects. Note: You can execute the mapping process without mapping Mapping Completed Do Not Map Undo all the objects. The icon is for informational purposes only. Indicates that the object and all child objects are mapped to an object in the target instance. Nothing more needs to be done with these objects in Advanced Package Mapping. Indicates that the object does not exist in the target instance or the object was not mapped through the Do Not Map option. These objects will not be mapped through Advanced Package Mapping, and must be remedied manually. Indicates that a mapped object can be unmapped. This icon is displayed in the Actions column of a mapped object or object flagged as Do Not Map. 4. For each object that requires remediation, do one of the following: To map each item individually, on the Target column, select the object in the target instance to which you want to map the source object. If an object is new or if you do not want to map an object, select Do Not Map from the drop-down list. Important: Ensure that you map all objects to their lowest level. When objects have child or related objects, a drill-down link is provided on the parent object. Child objects must be mapped before parent objects are mapped. For more details, see "Mapping Parent/Child Objects" in the RSA Archer Online Documentation. To automatically map all objects in a tab that have different system IDs but the same object name as an object in the target instance, do the following: a. In the toolbar, click Auto Map. b. Select an option for mapping objects by name

8

9 2.4 Option Ignore case Ignore space Description Select this option to match objects with similar names regardless of the case of the characters in the object names. Select this option to match objects with similar names regardless of whether spaces exist in the object names. c. Click OK. The Confirmation dialog box opens with the total number of mappings performed. These mappings have not been committed to the database yet and can be modified in the Advanced Package Mapping page. d. Click OK. To set all objects in the tab to Do Not Map, in the toolbar, click Do Not Map. Note: To undo the mapping settings for any individual object, click column. in the Actions When all objects are mapped, the icon is displayed in the tab title. The icon is displayed next to the object to indicate that the object will not be mapped. 5. Verify that all other objects are mapped correctly. 6. (Optional) To save your mapping settings so that you can resume working later, see "Exporting and Importing Mapping Settings" in the RSA Archer Online Documentation. 7. Once you have reviewed and mapped all objects, click. 8. Select I understand the implications of performing this operation and click OK. The Advanced Package Mapping process updates the system IDs of the objects in the target instance as defined on the Advanced Package Mapping page. When the mapping is complete, the Import and Install Packages page is displayed. Important: Advanced Package Mapping modifies the system IDs in the target instance. Any Data Feeds and Web Service APIs that use these objects will need to be updated with the new system IDs. Step 4: Install the Package All objects from the source instance are installed in the target instance unless the object cannot be found or is flagged to not be installed in the target instance. A list of conditions that may cause objects not to be installed is provided in the Log Messages section. A log entry is displayed in the Package Installation Log section. Procedure 1. Go to the Install Packages page. a. From the menu bar, click. b. Under Application Builder, click Install Packages. 2. In the Available Packages section, locate the package file that you want to install, and click Install

10 In the Configuration section, select the components of the package that you want to install. To select all components, select the top-level checkbox. To install only specific global reports in an already installed application, select the checkbox associated with each report that you want to install. Note: Items in the package that do not match an existing item in the target instance are selected by default. 4. In the Configuration section, under Install Method, select an option for each selected component. To use the same Install Method for all selected components, select a method from the top-level drop-down list. Note: If you have any existing components that you do not want to modify, select Create New Only. You may have to modify those components after installing the package to use the changes made by the package. 5. In the Configuration section, under Install Option, select an option for each selected component. To use the same Install Option for all selected components, select an option from the top-level drop-down list. Note: If you have any custom fields or formatting in a component that you do not want to lose, select Do Not Override Layout. You may have to modify the layout after installing the package to use the changes made by the package. 6. To deactivate target fields and data-driven events that are not in the package, in the Post- Install Actions section, select the Deactivate target fields and data-driven events that are not in the package checkbox. To rename the deactivated target fields and data-driven events with a user-defined prefix, select the Apply a prefix to all deactivated objects checkbox, and enter a prefix. This can help you identify any fields or data-driven events that you may want to review for cleanup post-install. 7. Click Install. 8. Click OK. Step 5: Review the Package Installation Log 1. Go to the Package Installation Log tab of the Install Packages page. a. From the menu bar, click. b. Under Application Builder, click Install Packages. c. Click the Package Installation Log tab. 2. Click the package that you want to view. 3. In the Package Installation Log page, in the Object Details section, click View All Warnings

11 2.4 RSA Archer GRC Configuration These steps cover the changes required to your RSA Archer GRC Platform instance to support integration with the API. The Custom Object contains the script that will be required for Pre-Production and Production use. Updating the Custom Object inside Risk Register 1. Navigate to Applications by clicking the Admin Toolkit and selecting Applications under the Application Builder. 2. Select the Risk Register Application in Manage Applications. 3. Locate and document the following fields IDs from the Risk Register application: a. Risk (used to populate the RiskNameIDInForm field) b. Risk ID (used to populate the RiskIDInForm field) c. Level ID* d. Analysis Complete Date e. Analysis Request Date f. Loss Exposure Minimum g. Loss Exposure Maximum

12 2.4 h. Loss Exposure 10th i. Loss Exposure 90 th j. Loss Exposure Average k. Quantitative Analysis (used to populate the SubformIDInRiskIssue field) *To determine the Level ID of the Risk Register application click the General tab and select the Leveled (Outline) option in the Structure dropdown box. *Hover your mouse cursor over the Risk Register Name under the Levels section. The Level ID will appear in the bottom right corner of the window

13 Navigate to Sub-Forms by clicking the Admin Toolkit and selecting Sub-Forms located under the Application Builder. 5. Select the Sub-Form located under Manage Sub-Forms. 6. Locate and document the following fields IDs from the Sub-Form: a. Level ID* b. Analysis Complete Date c. Loss Exposure Minimum d. Loss Exposure Maximum e. Loss Exposure 10th f. Loss Exposure 90 th g. Loss Exposure Average

14 2.4 *The Level ID of the Sub-Form can be obtained by either searching the database of your Archer instance or making a Postman Request. The steps for performing a Postman Request have been outlined at the end of this section. 7. Navigate to the Risk Register application. Once inside, click the layout tab and scroll down until you locate the Custom Object

15 Click the down arrow next to the Object and select Edit Custom Object Properties. 9. The documented field IDs will be inserted into the Code section of the Custom Object

16 Insert the Risk Register IDs documented in step 3 into the fields under var riskissueids in the Custom Object. 11. Insert the Sub-Form IDs documented in step 6 into the fields under var subformids in the Custom Object. 12. Insert the Analysis Request Date ID into the var fldid under the success:function() near the bottom of the Custom Object code. 13. Update the baseurl near the top of the Custom Object code. If are you communicating directly with use either the or URL. Communication through middleware uses the URL

17 Create a new RSA Archer GRC Platform user and provide them with permissions to update Risk Register entries. Performing a Postman Request to Obtain the Sub-Form Level ID Postman is an API development tool that can be downloaded free of charge from API calls will be made in Postman to determine the Level ID of the Sub-Form. 1. Navigate to Sub-Forms under the Application Builder. From the Manage Sub-Forms window locate the Sub-Form and hover the mouse cursor over the name. Document the Module ID that appears in the bottom right, as it will be used in a Postman call. 2. Open the Postman application and select POST in the top left dropdown box. Enter the URL of your RSA Archer application followed by /api/core/security/login. Select the Headers tab and enter the values shown below under Key and Value. 3. Click the Body tab to the right of Headers. Enter your Instance, Username, and Password credentials, as shown below. Click the Send button in the top right of the window. Document or copy the SessionToken value shown in the bottom box onto your clipboard

18 Open a new tab and select Get in the dropdown box in the top left. Enter the URL of your RSA Archer application followed by /api/core/system/level/module/moduleid (enter the value of the module ID we documented in step 1 above). Select the Headers tab and input the key and values shown below. Either input or copy and paste the SessionToken obtained in step 3 into the Authorization field and click Send. The Level ID for the Sub-Form will be shown in the bottom box next to the Id field. This value will be input into the Custom Object under the var subformids section

19

20 2.4 RSA Archer / Integration Middleware In order to facilitate improved security with an Archer and integration, middleware is used to provided two-way communication between an Archer instance (via the Archer REST API) and the instance (via the REST API). Infrastructure Requirements The API Middleware project was designed to run inside a corporate network with limited and controlled access to the local (in network) Archer instance and to an external instance. recommends running the middleware project on the following environment: Windows Server 2008 R2 + IIS NET Framework v Installation Requirements middleware cannot be installed as a child application of RSA Archer. Doing so results in an error caused by IIS web application inheritance. In the event that RSA Archer is installed at the root directory, the Middleware must be installed as a second website at the root level. Security Considerations The middleware can operate as a network intermediary so that firewalls do not have to be opened from Archer to out of network IP addresses. The middleware handles authentication to the Archer API. Archer credentials never leave your network (Unless you wish to pass them to the middleware for verification purposes). The middleware is configured by the Archer instance owner, so only the required API calls are mapped. Allowing vary narrow access to the Archer API. The middleware s source is available and can be compiled by the installing agency

21 2.4 Publishing Middleware Web API on IIS 1. Open the Internet Information Services (IIS) Manager application. 2. Navigate to the Default Web Site dropdown and right click the icon. Select the Deploy option then choose Import Application. *Please note that the Middleware should not be installed as a child application of Archer

22 Locate and select the.api.middleware zip file then click the Next button. *Please note that you will not need to import the.api.middleware_source.zip file, but the data contained within is required by.api.middleware.zip. 4. Leave all options checked and click the Next button at the bottom of the window

23 Select the Application Path for the Middleware and click Next. 6. (Optional) If you are updating the Middleware select the No, just append the files in the application package to the destination option and click Next

24 The Installation Progress and Summary box will detail the status of the Middleware integration. Setup Summary 1.) Create an API Token in your instance of 2.) Add a reference to that API token in your custom object code. 3.) Add the necessary fields in your Archer instance to hold analysis data, and reference the IDs in your custom object code. 4.) Update the baseurl variable in the Custom Object to enable communication with. 5.) Enter the credentials and URL for your Archer instance API user into the Admin => Third Party Integrations section of. Once these steps are complete, setup for the middleware itself consists of: 6.) Ensuring that the Middleware application publish package has been imported and is running on your instance of IIS within the desired network. 7.) Ensure that your network (firewall/dmz) has access to port 443 on your Archer Instance as well as to ( or 8.) The Middleware will require the API token (2), and the Archer instance credentials (4) to be placed in the Web.config file, as shown below

25 2.4 Web.config Configuration The following information details the steps necessary for configuring the Web.config file to enable communication through the middleware. 1. Navigate to the web.config file located in the Middleware directory. 2. Input your network credentials into the highlighted fields in the web.config file. ArcherAPIBaseUrl: The address (within your network) at which Archer API endpoints may be accessed. ArcherInstanceName: Name of the Archer instance which you wish to allow communication with your instance of

26 2.4 ArcherDomain: Domain in which the Archer instance resides. ArcherUserName: Name of the User which has Archer API access, used for validation purposes. ArcherPassword: Password for the User which has Archer API access, used for validation purposes. APIBaseURL: The address (external from your network) at which the API endpoints may be accessed. ( APIVersionNumber: Current API version number to access. Currently, only version 1 is available. APIBearerToken: API token created in your instance. The data in appsettings can be protected by using the built in ASP.Net Registration Tool. This will replace the plaintext credentials and addresses with and encrypted section that will be automatically decrypted when needed by IIS. The following article from Microsoft describes the encryption process: Internally, tested this process with the following command to the Registration Tool: PS C:\.\aspnet_regiis -pe "appsettings" -app "/" -prov "RsaProtectedConfigurationProvider" - -pe is the command to encrypt the config file. - appsettings is the target element in the config file to be encrypted. - -app and the forward slash represent the current IIS application in which the target config file exists. - -prov and the following string represent the encryption provider to be used. Note that RsaProtectedConfigurationProvider may not be the provider available or desired in your environment

27 2.4 Requesting a Analysis The following steps can be used to request a analysis after populating a Risk Register record. 1. Populate the Risk Register record with data relevant to your risk. Select the dropdown box next to Assessment Approach and choose Quantitative Analysis. Inherent and Residual Risk will not calculate until the Status is Active. This prevents Under Development risks from being included in the risk rollups. After selecting Quantitative Analysis, the Analysis section will be displayed near the bottom of the window. Note that Inherent Risk is still established Qualitatively

28 Scroll down to the Analysis section and click the Request a New Analysis button. This will send a request to. The Analysis Request Date will display the date of the request and the Request Status will indicate a pending request. A text box at the bottom of the window will indicate the state of the request

29 Navigate to the application and input your credentials to begin the analysis process

30 Select Analysis Process Queue from the Quantification drop down menu. 5. Click the Attach Analysis link to the right of the Analysis Process Queue item. 6. Select the Quantification Analysis to be performed for the Risk Register record. Click the Attach button to finish the request. *For more information on how analyses are facilitated please visit 7. A popup box in the bottom right of the window will indicate that the analysis has been attached to your Risk Register record

31 Return to your Risk Register record in RSA Archer and scroll down to the Analysis section. The values in the left column have been populated based on the results of the analysis, and the text box indicates the analysis is complete. The loss Exposure 90 th field is used to calculate the value of the Residual Risk field. This indicates the level of residual risk remaining after controls are applied. The level of Residual Risk is based on the values shown below: Loss Exposure 90 th Greater than $25 million Greater than $10 million Greater than $5 million Greater than $999 thousand Greater than $0 Residual Risk High Medium High Medium Medium Low Low The values of Residual Risk and Calculated Residual Risk in the Overall Risk section are populated based on the value of Residual Risk in the Analysis section, as shown below. Future requests will replace the existing request in the Analysis, and historical analysis results will be shown in the Quantitative Analysis sub-form, as shown below

32 2.4 Certification Environment for RSA Archer GRC Date Tested: August 11, 2017 Certification Environment Product Name Version Information Operating System RSA Archer GRC 6.2 P3 Virtual Appliance Virtual Appliance