SecurityScorecard

SecurityScorecard’s integrated solution with Archer helps enterprises manage vendor risk and institutional security. The integrated solution allows organizations to leverage use cases available in Archer and the SecurityScorecard platform, to have a more comprehensive view of vendor risk specific to individual vendors and across their entire organization.

With this data Archer clients will be able to create alerts and rich reports to inform on the security of various third-party dimensions, such as business units, InfoSec tiers, geographies, and more.

Release notes

Release Version	Published Date	Notes
Version 6.14	July 2024	Resigned expired JS file
Version 6.14	February 2024	Resigned JS file by Archer to support Archer SaaS customers
Archer 6.9 SP1	November 2023	Resigned JS file
Archer 6.9 SP1	November 2022	Archer has removed the old xmldom library. JS file has been updated to use @xmldom/xmldom library.Support for the older version xmldom library is removed. Please ensure you update your JavaScript Transporter Data Feeds using the code described in this blog: https://www.archerirm.community/t5/roadmap-blogs/data-feed-manager-javascript-transporter-scripts-require-update/ba-p/683320 Integration is currently supported only for on-prem customers.
Archer 6.9 SP1	February 2021	The new JavaScript Transporter Data Feeds need to have 2 new parameters added to the Transport tab – see the Data Feeds configuration section. Enhanced data structure to include factor and sub factor information for all company ratings. Added triggered assessments and notifications, based on ratings such that assessments and/or notifications can be triggered based on changes to ratings. Leveraged enhanced Archer platform capabilities, including calculated cross-references and expanded reporting capabilities, to enhance user experience.
Archer 6.4.1.1	May 2020	Enhanced data structure to include factor and subfactor information for all company ratings. Previous integration only included top level. This release includes two additional layers.  Data feeds revised to accommodate enhanced data structure and to allow for automated, scheduled ingestion of SecurityScorecard data. Previous release required manual initiation of data feeds.  Included event log module to capture historical changes for each company’s ratings.  Added triggered assessments and notifications, based on ratings such that assessments and/or notifications can be triggered based on changes to ratings.  Leveraged enhanced Archer platform capabilities, including calculated cross-references and expanded reporting capabilities, to enhance user experience.  Updated Security Scorecard graphics.
Archer 6.4.1.1	August 2017	Initial Release

Known issues

• Because of the API request limitations from SecurityScorecard, portfolios with 300+ entries might encounter timeouts when utilizing JavaScript data feeds. Please contact SecurityScorecard if experiencing issues running the data feeds.

• For more information please visit: https://securityscorecard.readme.io/docs/rate-limits 

Overview of Security Scorecard integration

Key features and benefits

The Security Scorecard integration enables organizations to:

• Provide cybersecurity ratings for third parties and supporting data to provide detailed and in-depth information on the potential risks within those third parties- in the form of Factor ratings and Finding counts.

• Enable cyber and risk professionals to assess the cybersecurity of potential business partners and to monitor cybersecurity ratings of existing partners. 

Prerequisites (ODA and system requirements)

The following table lists the components and prerequisites for the SecurityScorecard integration.

Components	Prerequisites
Archer Solution Area(s)	Third Party Management
Archer Use Case(s)	Third Party Catalog
Archer Applications	Third Party Profile Third Party Engagements
Uses Custom Application	Yes
Requires On-Demand License	1 - 3 Archer On-Demand Application (ODA) licenses are required for this offering.
Archer Requirements	Archer 6.14 and later
Partner/Vendor Requirements	Valid Risk Recon License is required
Supported Archer Environments	On-Premises Archer SaaS Archer Hosted

Compatible Use Cases and Applications

Related Applications

Application	Use Case	Primary Purpose of the Relationship
Third Party Profile	Third Party Catalog Third Party Risk Management Third Party Engagement Operational Scenario Analysis	The Third-Party Profile application is used to document all the third-party relationships used by an organization.       In this application, the organizational structure of the third-party relationship is established, third party contacts documented, and relationship manager, risk analyst, and procurement / legal officer accountabilities are created. This application is the hub for navigation throughout the solution and contains summary metrics and reporting.
Engagements	Third Party Catalog Third Party Risk Management Third Party Engagement	The Engagements application serves as the repository for all products and services provided by a third-party to the organization.  Engagements are documented by type, description; and business unit; are associated with the third party delivering the engagement; the associated contracts and business processes and are assigned to an engagement owner and manager. The Engagements application serves as the focal point for presenting all the engagement-centric risk assessments and performance metrics and financial spend and 4th party supply chain dependencies documented.

Impacted Use Cases

• Third Party Catalog

• Third Party Risk Management

• Operational Scenario Analysis

• Third Party Engagement

Additional resources

The following additional resources are available for this offering:

• Third-party website: www.securityscorecard.io 

• Installation Guide Videos: https://securityscorecard-3.wistia.com/projects/w3d5amd1ar 

SecurityScorecard Integration components

Architecture diagram

The following diagram shows the relationships between the applications that make up SecurityScorecard integration.

Applications

• SecurityScoreCard Monitoring

• SecurityScoreCard Event Log

• SecurityScoreCard Portfolio

Personas and Access Roles

The following table describes the functions that make up the application’s organization roles. Depending on the organization of your company, these functions and responsibilities may vary.

Name	Type	Install Method	Install Option	Required
SSC: Administrator	Access Role		Override Permissions	Recommended See appendix for Role based permissions and the Group assignments
SSC: Read-Only	Access Role		Override Permissions
SSC: User	Access Role		Override Permissions
SecurityScorecard Event Log	Application	Create New Only	Do not Override Layout(s)	Required
SecurityScorecard Monitoring	Application	Create New Only	Do not Override Layout(s)	Recommended
SecurityScorecard Portfolio	Application	Create New Only	Do not Override Layout(s)	Required
SecurityScorecard	Dashboard	Create New Only	Do not Override Layout(s)	Required
SecurityScorecard Assessment	Questionnaire	Create New Only	Do not Override Layout(s)	Required
SecurityScorecard	Workspace	Create New Only	Do not Override Layout(s)	Required
SecurityScorecard Portfolio: Bottom 10 Companies	Report	Create New Only		Required
SecurityScorecard Portfolio: Company Score Distribution	Report	Create New Only		Required
SecurityScorecard Portfolio: SecurityScorecard Portfolio	Report	Create New Only		Required
SecurityScorecard Portfolio: SSC Scheduled Report Distribution	Report	Create New Only		Required
SecurityScorecard Portfolio: Top 10 Risk Factors	Report	Create New Only		Required

Role and Group Assignments

The following table describes the Role based permissions and the Group assignments included with this package:

SSC: Administrator

SSC: User

SSC: Read Only

Page Name

C

R

U

D

C

R

U

D

C

R

U

D

SecurityScorecard Assessment: Content Record

X

X

X

X

X

X

X

SecurityScorecard Assessment: Data Import

X

X

X

X

SecurityScorecard Assessment: Email Option

X

X

X

SecurityScorecard Assessment: Export Options

X

X

X

SecurityScorecard Assessment: Print Option

X

X

X

SecurityScorecard Assessment: Save Report

X

X

X

X

X

X

X

X

X

X

X

X

SecurityScorecard Assessment: Schedule

X

X

X

X

X

X

X

X

SecurityScorecard Event Log: Content Record

X

X

X

X

X

X

SecurityScorecard Event Log: Data Import

X

X

X

X

SecurityScorecard Event Log: Email Option

X

X

X

SecurityScorecard Event Log: Export Options

X

X

X

SecurityScorecard Event Log: Print Option

X

X

X

SecurityScorecard Event Log: Save Report

X

X

X

X

X

X

X

X

X

X

X

X

SecurityScorecard Monitoring: Content Record

X

X

X

X

X

X

SecurityScorecard Monitoring: Data Import

X

X

X

X

SecurityScorecard Monitoring: Email Option

X

X

X

SecurityScorecard Monitoring: Export Options

X

X

X

SecurityScorecard Monitoring: Print Option

X

X

X

SecurityScorecard Monitoring: Save Report

X

X

X

X

X

X

X

X

X

X

X

X

SecurityScorecard Portfolio: Content Record

X

X

X

X

X

X

SecurityScorecard Portfolio: Data Import

X

X

X

X

SecurityScorecard Portfolio: Email Option

X

X

X

SecurityScorecard Portfolio: Export Options

X

X

X

SecurityScorecard Portfolio: Print Option

X

X

X

SecurityScorecard Portfolio: Save Report

X

X

X

X

X

X

X

X

X

X

X

X

Group Assignments:

SecurityScorecard Administrators

SecurityScorecard Users

SecurityScorecard Read Only

Installing the Security Scorecard integration

This section provides instructions for configuring Security Scorecard with the Archer Platform.  This document is not intended to suggest optimum installations or configurations.  

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products to install the required components.

All components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.  

Important: The integration described in this guide is provided as a reference implementation for evaluation and testing purposes.  It may or may not meet the needs and use cases for your organization.  If additional customizations or enhancements are needed, it is recommended that customers contact Archer Professional Services for assistance.

Step 1: Prepare for the installation

1. Ensure that your Archer system is at Archer Platform version 6.14.

2. Obtain the Data Dictionary for the ODA by contacting your Archer Account Representative or calling 1-888-539-EGRC. The Data Dictionary contains the configuration information for the use case.

3. Read and understand "Packaging Data" in the Archer Platform Help.

Step 2: Install the package

Installing a package requires that you import the package file, map the objects in the package to objects in the target instance, and then install the package. For more information, see Installing the Packages.

Step 3: Set up data feeds

You must import and schedule each use case data feed that you want to use. See Setting Up Data Feeds for complete information.

Step 4: Test the Installation

Test the application according to your company standards and procedures, to ensure that the use case works with your existing processes.

Installing the package

To configure the Archer platform, you must first download the installation package from the Archer Exchange and extract the following components:  

File Name	Description
SecurityScorecard_Archer_6.14.zip	SecurityScorecard Application Package
SSC Images	12 Image files to be used for company grades and factor grades.
Data Feeds	Data feed configuration for SecurityScorecard integration. Contains 6 data feed files: SSC_0__Event_Log_Nightly_Cleanup.dfx5   SSC_1__Events_Nightly_Cleanup.dfx5   SSC_2__Sync_Portfolio.dfx5   SSC_3__Sync_Industry_Factor_Scores.dfx5   SSC_4__Get_Historical_Scores.dfx5   SSC_5__Get_Event_Logs.dfx5

Task 1: Back up your database

There is no undo function for package installation. Packaging is a powerful feature that can make significant changes to an instance. Archer strongly recommends that you back up the instance database before installing a package. This process enables a full restoration if necessary.

An alternate method for undoing a package installation is to create a package of the affected objects in the target instance before installing the new package. This package provides a snapshot of the instance before the new package is installed, which can be used to help undo the changes made by the package installation. You must manually delete new objects created by the package installation.

Task 2: Import the package

1. From the menu bar, click > Application Builder > Install Packages.

2. In the Available Packages section, click Import.

3. Click Add New, then select the package file that you want to import.

4. Click OK.

5. The Available Packages section displays the package file and is ready for installation.

6. Click Install icon next to the package file

   1. Package mapping is not necessary. All components of the install will be new.  

   2. When prompted, click okay to the warning message that appears.

7. Select the following configuration for the installation:  

Name	Type	Install Method	Install Option	Recommended or Required
SSC: Administrator	Access Role		Override Permissions	Recommended
SSC: Read-Only	Access Role		Override Permissions	Recommended
SSC: User	Access Role		Override Permissions	Recommended
SecurityScorecard Event Log	Application	Create New Only	Do not Override Layout(s)	Required
SecurityScorecard Monitoring	Application	Create New Only	Do not Override Layout(s)	Recommended
SecurityScorecard Portfolio	Application	Create New Only	Do not Override Layout(s)	Required
SecurityScorecard	Dashboard	Create New Only	Do not Override Layout(s)	Required
SecurityScorecard Assessment	Questionnaire	Create New Only	Do not Override Layout(s)	Required
SecurityScorecard	Workspace	Create New Only	Do not Override Layout(s)	Required
SecurityScorecard Portfolio: Bottom 10 Companies	Report	Create New Only		Required
SecurityScorecard Portfolio: Company Score Distribution	Report	Create New Only		Required
SecurityScorecard Portfolio: SecurityScorecard Portfolio	Report	Create New Only		Required
SecurityScorecard Portfolio: SSC Scheduled Report Distribution	Report	Create New Only		Required
SecurityScorecard Portfolio: Top 10 Risk Factors	Report	Create New Only		Required

8. Click the Install Button  

Task 3: Map objects in the package

1. From the menu bar, click > Application Builder > Install Packages.

2. In the Available Packages section, select the package you want to map.

3. In the Actions column, click for that package.

The analyzer runs and examines the information in the package. The analyzer automatically matches the system IDs of the objects in the package with the objects in the target instances and identifies objects from the package that are successfully mapped to objects in the target instance, objects that are new or exist but are not mapped, and objects that do not exist (the object is in the target but not in the source).

Note: This process can take several minutes or more, especially if the package is large, and may time out after 60 minutes. This time-out setting temporarily overrides any IIS time-out settings set to less than 60 minutes.

4. When the analyzer is complete, the Advanced Package Mapping page lists the objects in the package file and corresponding objects in the target instance. The objects are divided into tabs, depending on whether they are found within Applications, Solutions, Access Roles, Groups, Sub- forms, or Questionnaires.
   In each tab of the Advanced Mapping Page, review the icons next to each object to determine which objects you must map manually.

Icon	Name	Description
	Awaiting Mapping Review	Indicates that the system could not automatically match the object or children of the object to a corresponding object in the target instance. Objects marked with this symbol must be mapped manually through the mapping process. Important: New objects should not be mapped. This icon should remain visible. The mapping process can proceed without mapping all the objects. Note: You can execute the mapping process without mapping all the objects. This icon is for informational purposes only.
	Mapping Completed	Indicates that the object and all child objects are mapped to an object in the target instance. Nothing more needs to be done with these objects in Advanced Package Mapping.
	Do Not Map	Indicates that the object does not exist in the target instance, or the object was not mapped through the Do Not Map option. These objects will not be mapped through Advanced Package Mapping and must be remedied manually.
	Undo	Indicates that a mapped object can be unmapped. This icon is displayed in the Actions column of a mapped object or object flagged as Do Not Map.

 

5. For each object that requires remediation you can map each item individually or map all object on a tab.

   To map each item individually, do the following.

   1. On the Target column, select the object in the target instance to which you want to map the source object.

   2. If an object is new or if you do not want to map an object, select Do Not Map from the drop-down list.

   3. Ensure that you map all objects to their lowest level. When objects have child or related objects, the parent object provides a drill-down link. You must map child objects before parent objects. For more details, see "Mapping Parent/Child Objects" in the Archer Platform Help.

   To automatically map all objects in a tab that have different system IDs but the same object name as an object in the target instance, do the following.

   1. In the toolbar, click Auto Map.

   2. Select an option for mapping objects by name.

      • Ignore case - Select this option to match objects with similar names regardless of the case of the characters in the object names.

      • Ignore spaces - Select this option to match objects with similar names regardless of whether spaces exist in the object names.

   3. Click OK. The Confirmation dialog box opens with the total number of mappings performed. These mappings have not been committed to the database yet and can be modified in the Advanced Package Mapping page.

   4. Click OK. To set all object in the tab to Do Not Map, in the toolbar, click Do Not Map. To undo the mapping settings for any individual object, in the Actions column, click Undo.

When all objects are mapped, the icon is displayed in the tab title. The icon is displayed next to the object to indicate that the object will not be mapped.

1. Verify that all other objects are mapped correctly.

2. (Optional) To save your mapping settings so that you can resume working later, see "Importing and Exporting Mapping Settings" in the Archer Platform Help.

3. Once you have reviewed and mapped all objects, click Execute.

4. Select I understand the implications of performing this operation and click OK.

The Advanced Package Mapping process updates the system IDs of the objects in the target instance as defined on the Advanced Package Mapping page. When the mapping is complete, the Import and Install Packages page is displayed.

Important: Advanced Package Mapping modifies the system IDs in the target instance. You will need to update any Data Feeds and Web Service APIs that use these objects, with the new system IDs.

Task 4: Install the package

All objects from the source instance are installed in the target instance unless the object cannot be found or is flagged to not be installed in the target instance. The Log Messages section provides a list of conditions that may cause objects not to be installed. The Package Installation Log section displays a log entry.

1. From the menu bar, click > Application Builder > Install Packages.

2. In the Available Packages section, locate the package file that you want to install, and click Install.

3. In the Selected Components section, click the Lookup button to open the Package Selector window.

   • To select all components, select the top-level checkbox.

   • To install only specific global reports in an already installed application, select the checkbox associated with each report that you want to install. Items in the package that do not match an existing item in the target instance are selected by default.

4. Under the Install Method drop-down menu, select an option for each selected component. To use the same Install Method for all selected components, select a method from the top-level drop-down list. If you have any existing components that you do not want to modify, select Create New Only. You may have to modify those components after installing the package to use the changes made by the package.

5. To deactivate target fields and data-driven events that are not in the package, in the Post-Install Actions section, select the Deactivate target fields and data-driven events that are not in the package checkbox. To rename the deactivated target fields and data-driven events with a user-defined prefix, select the Apply a prefix to all deactivated objects checkbox, and enter a prefix. This can help you identify any fields or data-driven events that you may want to review for cleanup post-install.

6. Click Install.

7. Click OK.

Task 5: Review the package installation log

1. From the menu bar, click > Application Builder > Install Packages.

2. In the Package Installation Log tab, click the package that you want to view.

3. In the Package Installation Log page, in the Object Details section, click View All Errors. To view individual logs, in the Errors column of the log you want to view, click the Failures link or Warnings link. Clicking View All Errors, Failures, or Warnings opens the specific errors on a different page.
   

4. Click the Export icon to export the log file.

5. Click Close.

Task 6: Adding new fields to the layout of third party profile (Required) 

To facilitate the connection of your Third Party Profile records to the SecurityScorecard Portfolio records seven fields must be created. The SecurityScorecard Domain field is the only field that will accept user input (other fields are calculations), therefore you should configure the permissions of this field at this time.  

1. Add a new tab to the Default Tab Set named SecurityScorecard. 

2. Add a Section to the SecurityScorecard tab called SecurityScorecard Information. 

3. Add a second section called SecurityScorecard Monitoring.  

4. Create the SecurityScorecard Domain text field.

5. Create the SecurityScorecard Portfolio cross-reference field and select Company for the Available Reference.    

   1. Select the following field properties and options:

      1. Single Column

      2. Make this a calculated field

   2. Input the following configuration for the Calculation Properties.

      1. Matching Filters section:

         • ID - 1

         • Field Name - Domain

         • Operator - Field Value Match

         • Values - Third Party Profile: SecurityScorecard Domain

      2. Additional Related Filters section:

         • ID - 1

         • Field Name - Domain

         • Operator - Does Not Equal

6. Create a numeric field for Last 30 Day Score Change.  The field configuration is shown below.  

   1. Calculation (copy and paste this into the formula box):  REF([SecurityScorecard Portfolio],[Last 30 Day Score Change]) 

7. Create a values list field named SecurityScorecard Grade. The SecurityScorecard Grade field is a calculated values list.  The first step will be to create the field as a values list and save it with no calculation.  The calculation will be added in the last step. The process for adding images to the values is covered in “Installing SecurityScorecard Images”. After you have added values A, B, C, D, F and ? select Apply to save the record.  Go to the Options tab and add the calculation.  

   1. Calculation:  REF([SecurityScorecard Portfolio],[Grade])  

   2. Add the information in the General section

      • Name: SecuirtyScorecard Grade

      • Alias: SecuirtyScorecard_Grade

   3. In Values, add the Text and Images values for A, B, D, D, F, and ?.

   4. In Calculation Properties Formula type: REF([SecurityScorecard Portfolio],[Grade])

8. Create a numeric field called “SecurityScorecard Score”.  The field configuration is shown below.  

   1. Calculation: REF([SecurityScorecard Portfolio],[Score])  

      • Name: SecurityScorecard Score

      • Alias: SecurityScorecare_Score

      • Type: Numeric

      • Properties - select:

        • Format the numeric value using the thousand seperators

        • Make this a calculated field

   2. Calculation Properties: 

      • Formula: FEF([SecurityScorecardPortfolio],[Score])

      • Recalculations: As needed (Recommended)

      • Error Handling: Display Error

9. Create a cross-reference list field called SecurityScorecard Factors. 

   1. General Information:

      • Name: SecurityScorecard Factors

      • Alias: Security_Scorecard_Factors

      • Type: Cross-Reference

      • Available Reference: SecuirtyScorecard Portfolio

      • Associated Level: Factor

   2. Display Control: Grid

   3. Options: Make this a calculated field

   4. Calculation Properties - Additional Related Filters:

      • ID - 1

      • Field Name - Company Key

      • Operator - Does Not Equal

   5. Field to Display - SecurityScorecard Portfolio:

      • Name (Key)

      • Description

      • Grade

      • Score

      • Industry Grad

      • Industry Score

   6. Sorting:

      • ID - 1

      • Field - Name

      • Order - Ascending

10. Pull the fields on layout as shown in the image below.  SecurityScorecard Grade should span 2 rows.  The SecurityScorecard Monitoring field is a related records field that was created during the package installation process.  It will be located on the left in the list of fields off layout.  

Optional: Repeat the steps for the “Subsidiary” and “Sub-Subsidiary” levels of the Third Party Profile application if your organization utilizes these levels.

Task 7: Adding New Fields to the Layout of Engagements (Optional)  

SecurityScorecard information related to the Third Party Profile record can be displayed within the Engagements application if desired. Create the NEW fields for the Engagements application by following the steps below.

1. We recommend that you add a new tab to the Default Tab Set named “SecurityScorecard”.  Create the new tab by selecting “New” in the Default Tab Set section.  After the tab is created, create a new section called “SecurityScorecard Information”.  

 

2. Create the SecurityScorecard Domain text field.  Select the arrow to the right of “Add New Field” then select TEXT from the list of field choices.  The images below show the field configuration.  

 

 

Calculation:  If( NOT( ISEMPTY( REF([Third Party],[SecurityScorecard Domain],[Third Party Profile]))), REF([Third Party],[SecurityScorecard Domain],[Third Party Profile]), If( NOT( ISEMPTY( REF([Third Party],[SecurityScorecard Domain],[Subsidiary]))), REF([Third Party],[SecurityScorecard Domain],[Subsidiary]), If( NOT( ISEMPTY( REF([Third Party],[SecurityScorecard Domain],[Sub-Subsidiary]))), REF([Third Party],[SecurityScorecard Domain],[Sub-Subsidiary]),NOVALUE())))  

 

3. Create the SecurityScorecard Portfolio cross-reference field.  Select “Add New Field” as directed in Step 3 then select “Cross-Reference” as the field type.  The remaining images in this step show the field configuration.
   

4. Create a numeric field for “Last 30 Day Score Change”.  The field configuration is shown below.  Calculation (copy and paste this into the formula box):  REF([SecurityScorecard Portfolio],[Last 30 Day Score Change]) 

  

5. The SecurityScorecard Grade field is a calculated values list.  The first step will be to create the field as a values list and save it with no calculation.  The calculation will be added in the last step.  Create a values list field and name it “SecurityScorecard Grade”.   

   1. The field configuration is shown below. Skip the options tab until you have completed the values tab.  The process for adding images to the values is covered here. After you have added values A, B, C, D, F and ? select “Apply” to save the record.  Now go to the “Options” tab and add the calculation.  

 

 

 

b. Calculation:  REF([SecurityScorecard Portfolio],[Grade])  

6. Create a numeric field called “SecurityScorecard Score”.  The field configuration is shown below.  The calculation is: REF([SecurityScorecard Portfolio],[Score])  

  

7. Create a cross-reference list field called “SecurityScorecard Factors”.  The field configuration is shown below.  

 

8. Pull the fields on layout as shown in the image below.  SecurityScorecard Grade should span 2 rows.  

    

9. Repeat the layout changes for the Layouts of the Engagements application to ensure a consistent user experience.  

Task 8: Installing SecurityScorecard Images

Two of the values list fields within the SecurityScorecard solution require the Archer administrator to upload 10 local images to visualize the SecurityScorecard grades. Follow the steps below to upload the image files to your Archer instance:

Prerequisites:

• Download the SecurityScorecard_Archer_6.14.zip file from the Archer Exchange.

• Extract the SSC Images folder to your local hard drive.

1. Log into Archer.

2. Navigate to the Administration menu.

   a. Under Application Builder, select the Global Values Lists menu option.

3. Filter the list for the SSC: Company Grades global values list.

   1. Click into it the SSC: Company Grades global values list.

   2. Click the A value in the list.

   3. Click the Edit link under the Image.

4. For each image in the SSC Images folder perform the following steps:

   1. Click the Add New link in the Available Graphics pop-up.

   2. Click the Add New link in the upload pop-up.

   3. Select an image file from the SSC Images folder, then click the Open button.

   4. Click the OK button in the upload pop-up.

   5. Repeat steps a-d until all 10 images have been uploaded to the Archer server.

5. Review the list of images in the Graphic Selector pop-up, verify that the following images have been uploaded.
   

6. Once the image files are uploaded, click the Cancel button on the Graphic Selector pop-up.

Configure SecurityScorecard

A Standard or Enterprise SecurityScorecard account is required for this integration. The user must initially login to their SSC account and generate an API key. The Portfolio ID of the Portfolio selected for synchronization with Archer must also be determined. Upon configuration, the Archer data feeds will communicate with the SecurityScorecard Platform adding all 3^rd Party records from the SecurityScorecard Platform to Archer.     

Obtain the API Token from SecurityScorecard 

1. Confirm with customer service that your API service is enabled.

2. Obtain an API token form the Settings page within the SecurityScorecard platform.

Obtain the Portfolio ID form SecurityScorecard

1. The next step is to determine the Portfolio ID of the SSC Portfolio that will be used to synchronize with Archer.

2. A SecurityScorecard Customer Success representative can assist, or you can copy and paste the Portfolio ID from the URL of the desired portfolio.

Setting Up Data Feeds

Configuring the JavaScript Transporter Settings

Before you upload a JavaScript file, you must configure JavaScript Transporter settings in the Archer Control Panel.

1. On the General tab, go to the JavaScript Transporter section.

   1. Open the Archer Control Panel.

   2. Go to Instance Management and select All Instances.

   3. Select the instance you want to use.

   4. On the General tab, go to the JavaScript Transporter section.

2. In the Max Memory Limit field, set the value to 2048 MB (2 GB).

3. In the Script Timeout field, set the value to 120 minutes (2 hours).

4. (Optional) If you want to allow only digitally signed JavaScript files in the data feed, enable Require Signature.

   1. In the JavaScript Transporter Settings section, select the checkbox Require Signature. A new empty cell appears in the Signing Certificate Thumbprints section

   2. In the Signing Certificate Thumbprints section, double-click an empty cell.

   3. Enter the digital thumbprint of the trusted certificate used to sign the JavaScript file.

      Important: If you enable Require Signature and specify no thumbprints, no JavaScript files will be accepted by the system.

   4. (Optional) If you want to add additional thumbprint sources, repeat steps 1-3 for each thumbprint.

   5. On the toolbar, click Save.
      

Obtaining Digital Thumbprints

When running JavaScript data feeds, you can set the Archer instance to only allow digitally signed JavaScript files from trusted sources for security considerations.

For a certificate to be trusted, all the certificates in the chain, including the Root CA Certificate and Intermediate CA certificates, must be trusted on both the Web Server and Services Server machines.

Archer Technologies LLC cert in the Trusted Root CA Store

Archer Technologies LLC certificate is not present on every machine’s root by default.

1. On the JavaScript file, right-click and select Properties.

   1. Click the Digital Signatures tab.

   2. From the Signature List window, select Archer Technologies LLC.

   3. Click the Details button.

   4. Click View Certificate.

   5. Click Install Certificate.

   6. Select Local Machine.

   7. Click Next.

   8. Select Place all certificates in the following store and click Browse.

      1. Select Trusted Root Certification Authorities and click OK.

      2. Click Next.

      3. Click Finish.

2. Upon successful import, click OK.

Obtaining a Certificate Thumbprint

1. In the Archer Control Panel environment, open the Manage Computer Certificates program.

   1. Click Start.

   2. Type:  certificate

   3. From the search results, click Manage Computer Certificates.

2. Ensure that your trusted source certificates are in the Certificates sub-folder of the Trust Root Certification Authorities folder.

3. In the Certificates sub-folder, double-click the Archer Technologies LLC that contains the thumbprint you want to obtain.

4. Verify that the certificate is trusted.

   1. In the Certificate window, click the Certification Path tab.

   2. Ensure that the Certificate Status windows displays the following message:

      This certificate is OK

      Note: If the Certificate Status windows displays something different, follow the on-screen instructions.

5. Obtain the trusted certificate thumbprint.

   1. In the Certificate window, click the Details tab.

   2. Select the Thumbprint field.

      The certificate's digital thumbprint appears in the window.

   3. Copy the thumbprint.

Setting up the SSC Event Log Night Cleanup Data Feed

After the work above has been completed, you will need to import and configure the four data feeds to facilitate the synchronization of SecurityScorecard data into your Archer instance. To do this, perform the following steps: 

Prerequisites:

• Download the SecurityScorecard_Archer_6.14.zip file from the Archer Community.

• Extract the DataFeeds folder on your local hard drive.

• User account to execute the data feeds (see Data Feed Account Setup below for specifications).

Data Feed Account Setup: 

• Create a new Archer user account:

1. Use a non-expiring security parameter for this account (recommended).

2. Generate a strong password (recommended).

3. Grant the user the “SSC: Administrator” access role (recommended). Account must have at CRUD access to the “SecurityScorecard Event Log” application.

• Make a note of the username and password for this account as they will be needed during the installation of the data feeds.

1. Log into Archer.

2. Navigate to the Administration menu. 

   1. Under Integration, select the Data Feeds menu option. 

3. Click the “Import” link in the Manage Data Feeds section.

4. Locate and select the SSC_0_Event_Log_Nightly_Cleanup.dfx5 file on your local hard drive and select it.

5. Archer will open the data feed in edit mode.

6. Admin Notifications (optional).

   1. Within the General tab you can setup an email notification to Archer administrators to advise of data feed execution success, warning and failures. Below are instructions on how to turn this on:

      1. Within the Notifications section on the General tab, select “Send job status notifications to selected users when jobs status changes”.

      2. Select the appropriate groups/users to receive the notification. 

7. Transport Configuration.

   1. Security section:

      1. Enter the “URL” within the Security section to the URL of your Archer instance.

   2. Transport Configuration section:

      1. Enter the “User Name” of the Archer account that will execute the data feed (see Data Feed Account Setup above for details).

      2. Enter the “Password” of the data feed account that will execute the data feed.

      3. Enter the “Instance” of your Archer environment.

8. Configure schedule (Recommended Frequency: Nightly).

   1. Click on the Schedule tab.

   2. In the Recurrences section enter the following information: (recommended).

Setting up the SSC Events Nightly Cleanup Data Feed

1. Log into Archer.

2. Navigate to the Administration menu. 

   a. Under Integration, select the Data Feeds menu option.

3. Click the “Import” link in the Manage Data Feeds section.

4. Locate and select the SSC_1__Events_Nightly_Cleanup.dfx5 file on your local hard drive and select it.

5. Archer will open the data feed in edit mode.

6. Admin Notifications (optional).

   a. Within the General tab you can setup an email notification to Archer administrators to advise of data feed execution success, warning and failures. Below are instructions on how to turn this on:

   1. Within the Notifications section on the General tab, select “Send job status notifications to selected users when jobs status changes”.

   2. Select the appropriate groups/users to receive the notification. 

7. Transport Configuration. 

   a. Security section: Enter the “URL” within the Security section to the URL of your Archer instance.

b. Transport Configuration section:

1. Enter the “User Name” of the Archer account that will execute the data feed (see Data Feed Account Setup above for details).

2. Enter the “Password” of the data feed account that will execute the data feed. iii. Enter the “Instance” of your Archer environment.

8. Configure schedule (Recommended Frequency: Nightly).

   1. Click on the Schedule tab.

   2. In the Recurrences section enter the following information: (recommended).

Setting up Sync Portfolio Data Feed

1. Log into Archer.

2. Navigate to the Administration menu. 

   a. Under Integration, select the Data Feeds menu option.

3. Click the “Import” link in the Manage Data Feeds section.

4. Locate and select the SSC_2__Sync_Portfolio.dfx5 file on your local hard drive and select it.

5. Archer will open the data feed in edit mode.

6. Admin Notifications (optional).

   a. Within the General tab you can setup an email notification to Archer administrators to advise of data feed execution success, warning and failures. Below are instructions on how to turn this on:

   1. Within the Notifications section on the General tab, select “Send job status notifications to selected users when jobs status changes”.

   2. Select the appropriate groups/users to receive the notification. 

7. Transport Configuration. 

   1. Click on the Transport tab.

   2. In the Transport section select “JavaScript Transporter” for the Transport Method.

   3. In the Transport Configuration section click the Upload tab in the top right.

   4. Upload the “Sync_Portfolio.js” file.

   5. Click on the Transport tab.  In the Custom Parameters section, enter 5 Custom Parameters as follows:

      1. host           | Plain Text | api.securityscorecard.io

      2. api_key       | Plain Text | [Enter your API TOKEN] (see page 8 of this guide)

      3. portfolio     | Plain Text | [Enter your PORTFOLIO ID] (see page 8 of this guide) iv. verifyCerts |Plain Text | true or false

      4. proxy          | Plain Text | (optional)

9. Configure schedule (Recommended Frequency: Nightly).

1. Click on the Schedule tab.

2. In the Recurrences section enter the following information: (recommended).

   

Setting up Sync Industry Factor Scores Data Feed

1. Log into Archer.

2. Navigate to the Administration menu. 

   1. Under Integration, select the Data Feeds menu option.

3. Click the “Import” link in the Manage Data Feeds section.

4. Locate and select the SSC_3__Sync_Industry_Factor_Scores.dfx5 file on your local hard drive and select it.

5. Archer will open the data feed in edit mode.

6. Admin Notifications (optional).

   1. Within the General tab you can setup an email notification to Archer administrators to advise of data feed execution success, warning and failures. Below are instructions on how to turn this on:

      1. Within the Notifications section on the General tab, select “Send job status notifications to selected users when jobs status changes”.

      2. Select the appropriate groups/users to receive the notification. 

7. Transport Configuration 

   1. Click on the Transport tab.

   2. In the Transport section select “JavaScript Transporter” for the Transport Method.

   3. In the Transport Configuration section click the Upload tab in the top right.

   4. Upload the “Sync_Industry_Info.js” file.

8. Click on the Transport tab. 

1. In the Custom Parameters section, enter 3 Custom Parameters as follows:

   1. host           | Plain Text | api.securityscorecard.io

   2. api_key       | Plain Text | [Enter your API TOKEN] (see page 8 of this guide)

   3. portfolio     | Plain Text | [Enter your PORTFOLIO ID] (see page 8 of this guide) iv. verifyCerts |Plain Text | true or false

      v. proxy          | Plain Text | (optional)

      9. Configure schedule (Recommended Frequency: Nightly).

1. Click on the Schedule tab.

2. In the Recurrences section enter the following information: (recommended).

Setting up the Get Historical Scores Data Feed

1. Log into Archer.

2. Navigate to the Administration menu. 

   a. Under Integration, select the Data Feeds menu option.

3. Click the “Import” link in the Manage Data Feeds section.

4. Locate and select the SSC_4__Get_Historical_Scores.dfx5 file on your local hard drive and select it.

5. Archer will open the data feed in edit mode.

6. Admin Notifications (optional).

   1. Within the General tab you can setup an email notification to Archer administrators to advise of data feed execution success, warning and failures. Below are instructions on how to turn this on:

      1. Within the Notifications section on the General tab, select “Send job status notifications to selected users when jobs status changes”.

      2. Select the appropriate groups/users to receive the notification. 

7. Transport Configuration.

   1. Click on the Transport tab

   2. In the Transport section select “JavaScript Transporter” for the Transport Method.

   3. In the Transport Configuration section click the Upload tab in the top right.

   4. Upload the “Get_Historical_Scores.js” file.

8. Custom Parameters:

   1. Click on the Transport tab 

   2. In the Custom Parameters section, enter 3 Custom Parameters as follows:

      1. host           | Plain Text | api.securityscorecard.io

      2. api_key       | Plain Text | [Enter your API TOKEN] (see page 8 of this guide)

      3. portfolio     | Plain Text | [Enter your PORTFOLIO ID] (see page 8 of this guide) iv. verifyCerts |Plain Text | true or false

         v. proxy          | Plain Text | (optional)

    

9. Configure schedule (Recommended Frequency: Nightly).

   1. Click on the Schedule tab.

   2. In the Recurrences section enter the following information: (recommended).

Setting up the Get Event Logs Data Feed

1. Import Log into Archer.

2. Navigate to the Administration menu. 

   a. Under Integration, select the Data Feeds menu option.

3. Click the “Import” link in the Manage Data Feeds section.

4. Locate and select the SSC_5__Get_Event_Logs.dfx5 file on your local hard drive and select it.

5. Archer will open the data feed in edit mode.

6. Admin Notifications (optional).

   1. Within the General tab you can setup an email notification to Archer administrators to advise of data feed execution success, warning and failures. Below are instructions on how to turn this on:

      1. Within the Notifications section on the General tab, select “Send job status notifications to selected users when jobs status changes”.

      2. Select the appropriate groups/users to receive the notification. 

7. Transport Configuration. 

   1. Click on the Transport tab.

   2. In the Transport section select “JavaScript Transporter” for the Transport Method.

   3. In the Transport Configuration section click the Upload tab in the top right.

   4. Upload the “Get_Historical_Logs.js” file.

8. Custom Parameters:

   1. Click on the Transport tab. 

   2. In the Custom Parameters section, enter 3 Custom Parameters as follows:

      1. host       | Plain Text | api.securityscorecard.io

      2. api_key   | Plain Text | [Enter your API TOKEN] (see page 8 of this guide)

      3. portfolio | Plain Text | [Enter your PORTFOLIO ID] (see page 8 of this guide) iv. verifyCerts |Plain Text | true or false

         v. proxy          | Plain Text | (optional)

9. Configure schedule (Recommended Frequency: Nightly).

   1. Click on the Schedule tab.

   2. In the Recurrences section enter the following information: (recommended).

Validating the SecurityScorecard Use Case

Task 1: Executing the Data Feeds for the first time

Once the Data Feeds are configured, follow these steps to execute the Data Feed. Note that only one Data Feed can be executed at a time and any Data Feed with a Data Feed reference must be executed first. For example, if Data Feed 3 references Data Feed 2, then Data Feed 2 must be executed first.

1. Log into Archer.

2. Navigate to the Administration menu. 

   a. Under Integration, select the Data Feeds menu option. 

3. Execute the Data Feeds.

   1. Filter the list for “SSC”.

   2. Click into the “SSC 2: Sync Portfolio” data feed.

1. Navigate to the Schedule tab.

2. Click the Start button within the Immediate Processing section.

iii. Wait for the status marker to update to “Completed”.

c. Repeat the above steps for:

1. SSC 3: Sync Industry Factor Scores.

2. SSC 4: Get Historical Scores. iii. SSC 5: Get Event Logs in that order.

Task 2: Reviewing the SecurityScorecard Portfolio Data

1. On the menu bar, click Show All.

2. Select SecurityScorecard in the leftmost column.

3. Select SecurityScorecard under the Solutions column.

4. Select SecurityScorecard Portfolio name in the last column.

5. Review the Company, Factor and Sub-Factor information loaded by the data feeds based on the portfolio id you entered during the configuration of the data feeds.

3. Select SecurityScorecard under the Solutions column.

4. Select SecurityScorecard Event Log name in the last column.

Review the Event Summary and Event Detail information loaded by the data feeds based on the portfolio id you entered during the configuration of the data feeds.

Task 3: Configuring role-based permissions (required)

1. If you chose to install the 3 access roles during the package installation process (see appendix for Role based permissions and the Group assignments) the next step is to assign users to the 3 security groups. 

2. If you chose NOT to install the 3 access roles during the package installation process, manually configure role-based access for the 3 security groups, then assign users to the security groups.

Task 4: Customizing the SecurityScorecard Monitoring Assessment action (optional)

1. Log into Archer.

2. Navigate to the Administration menu. 

   a. Under Application Builder, select the Questionnaires menu option. 

3. Select the SecurityScorecard Assessment from the Questionnaires list.

4. Select the Layout Tab.

5. In the Designer sub-tab Create new fields to configure, configure existing fields, and drag fields on and off layout to make them appear on the questionnaire.

6. In the Campaigns sub-tab (under Properties) click Auto-Generating Campaign to adjust the assignment. By default, this is set to the Relationship Manager.

Task 5: Customizing the SecurityScorecard Monitoring Notification action (optional)

1. Log into Archer.

2. Navigate to the Administration menu. 

   1. Under Application Builder, select the Questionnaires menu option. 

3. Select Applications under the Application Builder Section.

4. Select the SecurityScorecard Monitoring Application.

5. Click the Layout Tab.

6. Click the Actions sub-tab.

7. Select Notify: SecurityScorecard Alert.

8. This Notification currently sends the assigned Relationship Manager a notification if the SecurityScorecard score changed beyond the configured threshold for a vendor.

9. In the General Tab, Configure the template’s Letterhead and Body Layout.

10. In the Content tab, modify the text sent to the user in the Subject and Body Field.

    1. Use the Toolbar field to find autofill fields, reports or links to insert into the body.

11. In the Delivery tab. 

    1. Modify the email sender properties in the Email Properties section.

    2. Configure whether the multiple recipients receive individual emails in the Email Recipient Options section.

    3. List Recipients in the recipient section.

Task 6: Customizing the SecurityScorecard Monitoring Vendor Invitation (optional)

1. Log into Archer.

2. Navigate to the Administration menu. 

   1. Under Notifications, select the On-Demand Notification Templates menu option. 

3. Select the SecurityScorecard Vendor Invitation from the list.

4. In the General Tab Configure the template’s Letterhead and Body Layout.

5. In the Content tab modify the text sent to the user in the Subject and Body Field as needed.

6. In the Access tab modify the permissions of the on-demand template as needed, by default anyone with access to the Third Party Profile record will be able to send this notification.

7. To activate the On-Demand Notification Template, click on the General tab.

   1. Set the Status field to Active under the General Information section.

Task 7: Customizing the SecurityScorecard Scheduled Report Template (optional)

1. Log into Archer.

2. Navigate to the Administration menu. 

   1. Under Notifications, select the Scheduled Report Distributions menu option. 

3. Select SSC Scheduled Report Distribution from the list.

4. In the General Tab Configure the template’s Letterhead and Body Layout.

5. In the Content tab modify the text sent to the user in the Subject and Body Field as needed.

6. In the Delivery tab:

   1. Modify the email sender properties in the Email Properties section.

   2. Set the delivery schedule to configure when the email will be sent in the Delivery Schedule section.

   3. Configure whether the multiple recipients receive individual emails in the Email Recipient Options tab.

   4. List Recipients in the Recipient section.

7. To activate the Schedule Report Distribution, click on the General tab.

   1. Set the Status field to Active under the General Information section.

Task 8: Customizing the SecurityScorecard Dashboard (optional)

1. Log into Archer.

2. Navigate to the Administration menu. 

   1. Under Workspaces and Dashboards, select the Dashboards menu option. 

3. Select SecurityScorecard.

4. On the General tab. 

   1. Use the General information section to modify the name of the Dashboard or change the Description.

   2. Use the Layout Design Tab to format the Dashboard. Archer will provide a preview if this.

   3. Use the Documentation section to attach relevant files.

5. Click the Layout tab.

   1. Drag and drop the available iViews to the desired location or click Select iViews to insert additional iViews into the Dashboard.

6. In the Access tab select public to grant all users access to the Template or select private to restrict access to specified groups.

Using the SecurityScorecard Integration

After installation is complete, you are now ready to use the solution and begin receiving

SecurityScorecard data. The first step is to populate the SecurityScorecard Domain field with the domain of each Third Party Profile in Archer. This field is found on the SecurityScorecard tab of the Third Party Profile. Be sure to correctly enter the domain name by excluding any prefixes and extra text. An example of a correctly formatted domain entry is securityscorecard.com.

Task 1: Using the SecurityScorecard Dashboard

1. On the menu bar, click Show All.

2. Select the SecurityScorecard in the leftmost column.

3. Click SecurityScorecard under the Dashboards section. 

4. Here toggle between different iViews to find data visuals on current data.

5. In the Bottom 10 Companies iView you will find companies with the lowest scores.

6. In the Company Score Distribution iView you will find a distribution chart of company scores.

7. In the SecurityScorecard portfolio iView you can find the data related to all companies in the system.

8. In the Top 10 Risk Factors iView you can find a list of the Risk Factors that received the highest scores.

Task 2: Finding a domain in the SecurityScorecard Portfolio

1. On the menu bar, click Show All.

2. Select SecurityScorecard in the leftmost column.

3. Click SecurityScorecard under the Solutions column.

4. Select the Search Icon next to the SecurityScorecard Portfolio application in the last column.

5. In the Keyword Search Section type in the company name whose domain you wish to find.

6. In the Fields to Display section, make sure that the Domain Field appears on the Rightmost Column name, Selected.

7. A valid search entry will return a chart with all relevant domains. 

Task 3: Connecting SecurityScorecard data to a Third Party Profile record

1. On the menu bar, click Show All.

2. Select Third Party Management in the leftmost column.

3. Select Third Party Catalog under the Solutions column.

4. Select the Search Icon next to the Third Party Profile application in the last column.

1. In the Keyword Search section type in the company name for which you will input a Domain.

2. Click on the company name under the Third Party Name Column.

3. Click the Edit button at the top of the record.

4. Click on the SecurityScorecard Tab.

5. Enter the domain in the SecurityScorecard Domain Field.

6. Click the Save button at the top of the record.

7. The Third Party Profile will now contain the SecurityScorecard data based on the domain entered.

Task 4: Viewing SecurityScorecard data on an Engagement

1. SecurityScorecard data loaded into a Third Party Risk profile, through the steps provided above, the same information can also be displayed on any engagement linked to the third party profile.

2. To find this data, in the menu bar, click Third Party Management.

3. On the Solutions column select Third Party Catalog.

4. On the Application Column Select Engagements.

5. Open an Engagement by clicking an Engagement Record on the list.

6. Right under the Relationship Contacts section, select the SecurityScorecard Tab from the row of tabs.

7. You will find the SecurityScorecard data which was linked to the Third Party Profile record.

8. Select the SecurityScorecard data.

Task 5: Navigating Factors and Event Logs of a Company

1. On the menu bar, click Show All in the leftmost column.

2. Click SecurityScorecard Under the Solutions section.

3. Select SecurityScorecard Portfolio under Applications.

4. Select a SecurityScorecard Portfolio from the list.

5. Under the Industry Information section select the Factors tab.

6. You will see the company’s Grades for each respective Factor.

7. Click on the hyperlink text in the Factors grid to find more information about the Factor relating to the Company. In the Sub-factors section, you can find how the Company was graded at a more granular level.

8. Click on the Sub-Factor Title to learn more about the Sub-Factor and the company events that contributed towards the given Grade.

9. Click on an event located in the Events Section on the Sub-Factor page.

10. Here you can find additional information on the events that contributed towards a company’s given Grade.

11. Click the Event Log 

12. You will see all events that contribute to the factor grades.

13. Click on an Event to find additional information including which Factors and Sub-Factors were involved.

Task 6: Using the SecurityScorecard Monitoring Application to Configure Alerts

If you chose to install the SecurityScorecard Monitoring ODA during package installation, Archer can generate assessments or email notifications when user defined thresholds are breached. To setup a new monitoring plan follow these steps:

1. On the menu bar, click Show All.

2. Select SecurityScorecard in the leftmost column.

3. Select SecurityScorecard under the Solutions column.

4. Select the Create New Record Icon next to SecurityScorecard Monitoring in the last column.

5. Enter a name for the monitoring plan.

6. Select the Vendor monitored by SecurityScorecard.

7. Select the Type of monitoring.

   1. Issue Monitoring:

      1. Select an issue type.

      2. Select the Finding Count Threshold.

   2. Score Monitoring:

      1. Select the Measurement method.

      2. Enter the Score Threshold.

8. Select the Action(s) that should occur when the threshold is breached.

   3. Notification:

      1. Uses the “Notify: SecurityScorecard Alert” data driven event notification template.

   4. Assessment:

      1. Uses the “SecurityScorecard Assessment” questionnaire.

9. Click the "Save" button at the top of the screen to save.

Certification Environment

Date Tested: July 2024

Product Name	Version Information	Operating System
Archer	6.14	Virtual Appliance
SecurityScorecard	NA	NA