Security Compass SD Elements

SD Elements is a Policy-to-Execution Platform that manages requirements for applications across the entire portfolio and the full application lifecycle, at the same time allowing users to build in privacy and compliance with support for stakeholders across the enterprise.

SD Elements accelerates the pace of engineering and increases collaboration between teams. It also enables faster SDLCs like Agile and DevOps and decreases risk. It is positioned to solve difficult security, privacy, and compliance challenges faced by many organizations.

Release history

Last updated: March 2021

Overview of the SD Elements integration with Archer

Benefits

With the integration, you will be able to:

  • Analyze SD Elements Tasks as Archer Findings.

  • Create Risk Projects with associated Findings curated for specific organizational teams.

  • Prioritize security and risk needs alongside business needs.

  • Provide a clear view of application and operational risk.

  • Provide completion status for coding, deployment, and process tasks.

  • Reduce reliance on manual processes to manage and monitor security across software stacks.

Prerequisites

Components and their prerequisites:

  • Archer Solution: Archer Enterprise & Operational Risk Management; Archer IT & Security Risk Management

  • Archer Use Case(s): Archer Bottom-Up Risk Assessment; Archer IT Risk Management; Archer Issues Management

  • Archer Application(s): Risk Project; Findings

  • Uses Custom Application: No

  • Requires On-Demand License: No

  • Archer Requirements: Archer Version 6.9 SP1 P2

  • Security Compass Requirements: A valid SD Elements license is required

Compatible use cases and applications

Applications

  • Risk Project (Use Case: Bottom-Up Risk Assessment or IT Risk Management). Primary purposes:

    • Define the scope of the project, the type of risk assessment being performed and the affected company assets.

    • Perform risk assessments to identify potential risk areas.

    • Analyze findings from risk assessments, documenting threats, vulnerabilities, risk analysis discussions, and overall likelihood and impact.

    • Document a risk treatment plan by defining remediation plans or exception requests based on the findings.

  • Findings (Use Case: Issues Management). Primary purposes:

    • Review findings that are auto-generated through the results of assessments and control testing.

    • Use automated workflow to route findings to appropriate personnel, and track tasks associated with findings resolution.

    • Mitigate findings through remediation tasks or exception requests. The system calculates residual risk and compliance status based on the resolution of findings.

Impacted use case(s)

Archer Use Case(s)

Archer IT Risk Management

Archer Bottom-Up Risk Assessment

Archer Issues Management

Impacted fields

Findings application (Archer Field → SD Elements Field):

  • Target: Risk Project → NA

  • Overall Status → Status

  • Finding Workflow Stage → NA

  • Criticality → Priority

  • Year → Year

  • Description → Solution

  • Created By → NA

Risk Project application (Archer Field → SD Elements Field):

  • Project Name → NA

Architecture diagram


Additional resources

The following additional resources are available for this application:

Configuring Archer

Retrieve the tracking ID for a risk project in Archer

A Risk Project must exist in Archer that the Findings (the SD Elements tasks to be addressed) are associated with. Once a Risk Project record is created in Archer, a unique system ID is generated in its Tracking ID field. This Tracking ID is needed when creating a project connection in SD Elements.

Task 1: Create a risk project record

  1. Go to the Risk Project application page.

  2. Select the More Options ellipses in the right-hand corner and click New Record.

  3. Fill in the required information and click Save.

Task 2: Retrieve the tracking ID generated for the risk project

  1. Go to the Risk Project application page.

  2. Select the Risk Project you would like to sync with SD Elements.

Configuring SD Elements components

Security Compass Applications

Application

Description

SD Elements

SD Elements generates and tracks granular controls with a flexible, rule-based engine and integrates those controls into the Issue Tracking Systems of DevOps and Agile development teams across the entire Software Development Lifecycle (SDLC).

Remote Integration Agent

A Remote Integration Agent (RIA) must be used when SD Elements cannot access the servers to be integrated. If there are conditions that prevent direct communication, such as being in different networks, then the integration server is considered inaccessible to SD Elements. These restrictions often affect users of SD Elements SaaS instances.

Task 1: Create a new issue tracker connection for Archer

Prerequisites

  1. The user has the permission Global Roles→Integration→Edit Issue Tracker connections.

  2. The username/password or API token needed to connect with the Issue Tracker tool. This credential is typically a provisioned service account in the Issue Tracker tool that can create issues in any anticipated projects. The admin team responsible for the Issue Tracker tool can help you create one or identify a service account.

  3. Knowledge of which tasks to integrate with the Issue Tracker tool. Select tasks based on status, phase, priority and so on.

Steps

  1. From the gear icon menu, select Integration.

  2. To add a connection, click the plus (Add) button for a New Issue Tracker Connection. To edit an existing connection, hover your mouse over the far right of the row and select Edit.

  3. Enter the following information:

    • System: Select Archer.

    • Name: Enter a name for the connection.

  4. Enter the requested configuration for Archer.

    • Client-side certificate: Optionally, upload a client-side certificate and an encrypted or decrypted private key for use in synchronization.

    • See Appendix B for more detail on setting up the SD Elements Issue Tracker Connection.

  5. Click Create at the bottom of the form.

The connector changes take effect in the system immediately, and projects can use the new settings in new or existing connections.

For more information, please see System Issue Tracker connectors in the official SD Elements user guide.

Note: Most errors during an Archer setup and execution are due to insufficient permissions. Archer expires sessions per user if another session is active. Only one active Archer connection per user is supported. This includes the "Test Connection" button.

Task 2: Create a new project connection

Prerequisites

  1. The user must satisfy one of the following:

    • Is a member of the project’s business unit and has the permission Global Roles→Administration→Edit all projects.

    • Is a member of the project and has the permission Project Roles→Project Management→Sync with Issue Tracker tools.

    • Is a member of the project and has the permission Global Roles→Integration→Edit Issue Tracker connections.

Steps

  1. Under Business Units → Applications → Projects select a project, then select the Integration tab.

  2. Select the Issue Tracker tab.

  3. To add a connection, click the plus (Add) button on the right. To edit an existing connection, click the connection name.

  4. Enter the following information:

    • Parent: Select the system integration connection for Archer. If you do not see the appropriate system connector in the Parent list, contact your administrator to request a new system connector.

    • Connection Name: Enter a name for the connection.

  5. Additional configuration fields appear:

    • Sync Frequency: Select how frequently SD Elements should check for updates.

    • Archer Risk Project Tracking ID: Enter the Tracking ID of the Risk Project you would like to associate SD Elements tasks with. See Chapter 2: Configuring Archer for how to create a Risk Project record in Archer and obtain the Tracking ID.

  6. Click Test Connection at the bottom-left of the dialog.

  7. Click Done at the bottom of the page. The connection is ready to sync.

For more information, please see Project Issue Tracker connectors in the official SD Elements user guide.

Using the SD Elements Integration with Archer

Synchronize Archer findings with SD Elements tasks

After creating a connection between your SD Elements project and Archer Risk Project, SD Elements tasks will synchronize to the Risk Project according to your selection.

For example, if you selected an automatic synchronization frequency (such as hourly or daily), synchronization will occur at the scheduled time.

If you selected manual synchronization, you must click the Sync button on the Issue Tracker Integrations page to synchronize the SD Elements Tasks with Archer Findings.

Prerequisites:

  • The user has the permission Project Roles→Integration→Sync with Issue Tracker tools.

Steps:

  1. Navigate to your project and click on the Integrations tab to open the project’s list of Archer connections.

  2. Search for the desired connection from the list.

  3. Click the connection's Synchronize button.

The synchronization process is initiated. It may take a few minutes or more, depending on the number of tasks in scope for integration and the latency between SD Elements and the Issue Tracker server.

During synchronization, SD Elements will attempt to add tasks to the Archer Risk Project as Findings if they do not already exist. SD Elements will add a note to each synchronized task with a reference to the new item created in Archer.

Analyze Archer findings

The Risk Project application provides a repository for all risk-related projects. Project records follow a comprehensive, start-to-finish approach and include sections for project staffing and scoping, risk identification, risk analysis and risk treatment. The stages of the Risk Project are based on internationally recognized risk management methodologies, including COSO ERM, ISO 31000, NIST SP 800-30 and others.

Archer users with proper access can view the synced Risk Project in Archer along with its associated Findings. Once a user becomes the "Assigned to" stakeholder, they will be able to add a remediation plan or exception request to the finding. The status of the finding will change according to the status of your response.

On the next sync, the Overall status will be reflected in SD Elements when changed.

Certification environment

Date Tested: August 2021

Product Name / Version Information / Operating System:

  • Archer: 6.9 SP1 P2, Virtual Appliance

  • SD Elements: NA, NA

SD Elements Issue Tracker Configuration

Configuration

The following configuration fields are available when creating a connection. Fields are available for both system and project connections unless otherwise specified. Fields will only be available for project connections if allowed by the system connection.

To ensure a successful integration, be sure to enter the correct values for the configuration fields instead of using the default values. Review the remaining fields as well and change the default values as required.

Connection details

Enter the details SD Elements will use to connect to the Archer server.

Protocol

Select the protocol for the connection (HTTPS or HTTP) (Default: HTTPS)

Server

The domain name or IP address of the server (Example: rsa.com)

Context Root

Top-level location where Archer is installed on a server. The value for this may be dependent on the configuration of an internal corporate proxy, or where an administrator has installed Archer.

Archer Instance

Instance name for the Archer server.

Archer User Domain (Optional)

Domain name for User of the Archer Instance.

Credentials

Enter the credentials needed to authenticate to the server.

Username

Username authorized to connect with the server.

Password

The password used to authenticate to the server.

Tasks to synchronize

Select tasks to synchronize.

Sync all tasks

Synchronize all tasks from SD Elements.

Sync Risk Policy tasks

Synchronize only tasks that fall under the risk policy.

Project details

Enter the project-level details.

Archer Risk Project Tracking ID

The Tracking ID of the Risk Project where findings should be created.

Advanced Archer configuration

States that map to DONE in SD Elements

Comma-separated list of states in Archer that will be mapped to DONE in SD Elements. (Default: Closed)

Synchronization

Enter settings for synchronizing the SD Elements and Archer projects.

Authoritative Source

Select the tool that will be the authoritative system of record: Archer or SD Elements. This field is used in case of conflicting statuses between the Archer issue and the SD Elements task. When you first synchronize a TODO task in SD Elements with an issue in Archer, they will have the same status. If you then change the status in one tool, such as by closing the issue in Archer, they will have conflicting statuses. This conflict is resolved when the projects are synchronized.

ALM (default): The SD Elements task will be updated to match the status in Archer. This is relevant to most workflows. Two-way status sync is not presently supported.

Include code sample How-To’s in task descriptions

Whether or not to include detailed code samples and How-To’s in the Archer issue.

This ALM server is hosted within a private network and cannot be reached directly by SD Elements.

Select this option if SD Elements does not have direct network access to the Archer server.

For example, if you are using a hosted SD Elements instance but you want to integrate with an internal/protected Archer system, choose this option and run the Remote Integration Agent to perform integration.

Filter tasks

Select SD Elements tasks to synchronize to Archer.

Tasks having a minimum priority

Only synchronize tasks with a minimum priority, such as 7 or above. This is useful if you want to limit the amount of work for users. (Default: 1)

Tasks with status meaning

Only synchronize tasks with certain statuses, such as TODO or DONE. (Default: TODO)

Limit to tasks having these phases

Only synchronize tasks in certain phases, such as Requirements or Development. (Default: none selected, meaning tasks from all phases will be synchronized)

Tasks having all the following tags

Only synchronize tasks containing certain SD Elements task tags. (Optional)

Tasks with verification status

Only synchronize tasks with a specific verification status, such as Pass or Fail. (Default: none selected, meaning tasks with any verification status will be synchronized)

Advanced ALM options

Enter advanced configuration options for the connector.

ALM Title Format

Customize the issue titles created in the ALM by choosing one of the templates below. (Default: "T21: Task title")

Bypass server certificate validation for HTTPS (insecure, only for testing purposes)

Skips validation of the Archer server's TLS certificate. With this option enabled SD Elements no longer verifies which server it is talking to, so the Archer credentials entered above and the synchronized finding data are exposed to anyone who can intercept the connection. Leave it disabled except in isolated test environments; fix the certificate or trust chain on the Archer server instead.

ALM context

Provide a specific identifier for this project integration that can be used in an issue's generated title format. This is applicable only when the ALM Title Format option contains 'Context'.

Custom Priority Mapping

If the standard Archer priorities have been customized, you must map the customized priority names in Archer to their corresponding SD Elements numeric priorities.

By default, SD Elements maps the SDE priorities 7-10 to High, 4-6 to Medium, 1-3 to Low.
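The task filtering, priority-to-Criticality mapping, field mapping and one-way status reconciliation described in the Filter tasks, Advanced Archer configuration, Authoritative Source and Custom Priority Mapping sections, modelled together in an added Python example that is not Security Compass or Archer code. The Task and TaskFilter records, the sample values, and the treatment of any Archer state not listed as DONE as TODO are assumptions; field names follow the Impacted fields table.

```python
from dataclasses import dataclass

# Default SD Elements priority -> Archer Criticality mapping given on the page:
# 7-10 High, 4-6 Medium, 1-3 Low. Replace it when Archer priorities are customised.
DEFAULT_PRIORITY_MAP = {"High": range(7, 11), "Medium": range(4, 7), "Low": range(1, 4)}

@dataclass(frozen=True)
class Task:
    """Constructed SD Elements task (assumed shape, not the product's data model)."""
    task_id: str
    title: str
    solution: str          # mapped to the Finding's Description field
    priority: int          # SD Elements numeric priority, 1-10
    status: str            # "TODO" or "DONE"
    phase: str
    tags: frozenset = frozenset()

@dataclass(frozen=True)
class TaskFilter:
    """The 'Filter tasks' options with the page's default values."""
    min_priority: int = 1
    statuses: frozenset = frozenset({"TODO"})
    phases: frozenset = frozenset()      # empty means every phase is in scope
    tags: frozenset = frozenset()        # a task must carry all of these tags

def in_scope(task: Task, flt: TaskFilter) -> bool:
    """True when the task passes every configured filter."""
    return (task.priority >= flt.min_priority
            and task.status in flt.statuses
            and (not flt.phases or task.phase in flt.phases)
            and flt.tags <= task.tags)

def criticality(priority: int, mapping=DEFAULT_PRIORITY_MAP) -> str:
    """Translate an SD Elements priority to the Archer Criticality name."""
    for name, rng in mapping.items():
        if priority in rng:
            return name
    raise ValueError(f"priority {priority} has no Archer Criticality mapping")

def to_finding(task: Task, year: int) -> dict:
    """Build the Archer Finding fields a synchronised task would populate."""
    return {"Title": f"{task.task_id}: {task.title}",   # default ALM Title Format
            "Criticality": criticality(task.priority),
            "Description": task.solution,
            "Year": year}

def reconcile_status(finding_status: str, done_states=("Closed",)) -> str:
    """ALM is authoritative: the SD Elements task follows the Finding's Overall
    Status. Archer states listed under 'States that map to DONE' become DONE;
    every other state is treated as TODO here (an assumption, the page only
    specifies the DONE side of the mapping)."""
    return "DONE" if finding_status in done_states else "TODO"
```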

Sync frequency

Select how frequently the SD Elements and Archer projects are synchronized. You can choose from the following options. The more frequently you run synchronization, the greater the performance impact on both the SD Elements and Archer servers. This is generally only a concern for large organizations running many synchronizations at once.

Hourly, Daily, Weekly, or Monthly

The projects will synchronize automatically every hour, day, week, or month. Daily synchronization is typically sufficient. However, you may want to select a more frequent interval if development moves quickly in your organization.

Manually

You must click the Sync button on the ALM Integrations page to synchronize the projects. This is the default value.