RiskRecon Third Party Security Risk Monitoring
The Archer Third Party Security Risk Monitoring use case, powered by RiskRecon, delivers transparent security measurements, analytics, and analyst-level insight to dramatically improve your third-party risk management program. It provides organizations with visibility, insight, and actionable intelligence into their third- and fourth-party IT risk environments. With Third Party Security Risk Monitoring, you can quickly assess the effectiveness of security controls for third parties, without relying on manual spreadsheet assessments and long emails with no audit trails.
The Archer Third Party Security Risk Monitoring use case discovers and analyzes each third party’s IT footprint using artificial intelligence (AI) to automatically measure the value of each asset. This enables analysts to quickly identify each third party’s specific systems that pose the greatest risk, based on vulnerability severity and asset criticality. Organizations can leverage the Third Party Security Risk Monitoring use case both as a stand-alone solution for monitoring third-party risk or as the basis for implementing a broader IT and third-party risk management program when deployed with complementary Archer use cases.
Release notes
Date |
Component |
Description |
---|---|---|
September 2025 |
JavaScript Data Feeds |
The JavaScript Transporter in Data Feed Manager has been updated to use Fetch instead of Request. Fetch is a modern JavaScript API for making HTTP requests, replacing the older Request library. Fetch is available starting with Archer version 2025.02 for SaaS clients and 2024.11.1 for On-prem clients. Older versions will continue to require the Request library. The Request module will remain available for the duration of the package version’s support lifecycle. For more information, see the following blog post: Data Feed Manager JavaScript Transporter Scripts Require Update. |
February 2025 |
Package, Data Feeds |
The offering has been updated with the capability to process Breach Events of Third Parties. The Third Party Scan Results application layout has been modified to accommodate breach events data. An existing issue where the Portfolio Data Feed was unable to identify RiskRecon companies having multiple Content Ids in the Internal ID field has been fixed. Third Party Profile has been updated to accommodate the Breach and Ransomware Events frequency information. The Issues data feed has been updated to capture information about how to fix/resolve findings. |
November 2024 |
Package, Data Feeds |
This is a significant update to the existing integration. Offering updated: third party portfolio management (ability to make third party additions and deletions directly within Archer to sync with RR), additional security domain and criteria information, issue and action plan details and workflow, breach event details, and enhanced executive-level reporting. Ratings information is enhanced with additional security criteria. As part of this, the Domain Ratings application is renamed to Security Profile and modified into a leveled application: First Level – Domain Ratings; Second Level – Security Criteria. Access Roles: SysAdmin has access to add/delete third parties within TPSRM (integration with RR). Dashboards: TPSRM executive-level dashboard. Data Feeds: A new data feed has been added for company vendor addition in the RiskRecon portfolio. Users are no longer required to map the TOE Id in Archer manually; the data feed will create the Third Parties in RiskRecon. The Issue Data Feed now fetches data from the Actions Plan Findings endpoint through pagination. |
May 2024 |
Package, Subscription Notification |
The applications and the Data Feeds have been merged into a single Archer package. The package consists of the following components. Applications: Third Party Profile; Domain Ratings; Third Party Scan Results; Third Party Tickets; Subcontractors. Access Roles: Third Party: 1st Line of Defense; Third Party: 2nd Line of Defense; Third Party: Read Only. Dashboards: Third Party Security Risk Monitoring Overview; Third Party Security Risk Monitoring Tickets. Data Feeds: TPSRM: Vendors – JST; TPSRM: Issues – JST; TPSRM: Create Task; TPSRM: Sync Company Tasks to Third Party Instance; TPSRM: Sync Completed Third Party Tasks to Company Instance. In the Implementation guide, the steps for creating Application Notifications (now deprecated) have been replaced with steps for creating Subscription Notifications. The occurrences of Third Party Security Risk Monitoring in the Implementation guide have been replaced with RiskRecon. |
September 2022 |
JS File |
Archer has removed the old xmldom library. The JS file has been updated to use the @xmldom/xmldom library. |
December 2021 |
JavaScript |
Re-Signed JavaScript file. |
September 2021 |
Data Feeds |
The RiskRecon JavaScript file was updated to add asset criticality and issue priority filtering capabilities. Corresponding updates were made to the TPSRM: Issues and TPSRM: Vendors data feeds that allow the last run time to be passed as a parameter. For more information, see Import the TPSRM: Vendors 2024.09 - JST Data Feed and Import the TPSRM: Issues 2024.09 – JST Data Feed. |
August 2020 |
Data Feeds |
The RiskRecon JavaScript file was updated for improved performance, severity filtering capability, and error handling for data feeds. For more information, see Import the TPSRM: Vendors 2024.09 - JST Data Feed and Import the TPSRM: Issues 2024.09 – JST Data Feed. |
August 2020 |
Package Version |
The Third Party Security Risk Monitoring package has been updated to 6.7. |
Fixed issues
Date |
Component |
Description |
---|---|---|
September 2020 |
Data Feeds |
For customers who have Archer configured to use HTTPS and have a self-signed SSL certificate or another form of non-perfected SSL certificate from a top tier Certificate Authority, data feeds were failing due to validation errors. To resolve this issue, the verifyCerts optional parameter was added to the TPSRM: Vendors – JST data feed and TPSRM: Issues – JST data feed. This parameter is set to ‘true’ by default, and you must set it to ‘false’ if you have Archer configured to use HTTPS and have a non-perfected SSL certificate in place. |
March 2020 |
Data Feeds |
In Data Feed Manager, if own Enterprise is set to ‘yes’ in the Custom Parameters section, the GUIDs for archer Report GUID and archer Key Field GUID are hard coded in the JavaScript file. When you manually create a report in 6.4.1.1, the hard coded GUID does not match the report GUID. To resolve this issue, the following parameters were added to the TPSRM: Vendors – JST data feed and the TPSRM: Issues – JST data feed:
Archer recommends using the data feeds and JavaScript file added in the package. |
Overview of RiskRecon Third Party Security Risk Monitoring
About the offering
The Archer Third Party Security Risk Monitoring use case, powered by RiskRecon, delivers transparent security measurements, analytics, and analyst-level insight to dramatically improve your third-party risk management program. It provides organizations with visibility, insight, and actionable intelligence into their third- and fourth-party IT risk environments. With Third Party Security Risk Monitoring, you can quickly assess the effectiveness of security controls for third parties, without relying on manual spreadsheet assessments and long emails with no audit trails.
The Archer Third Party Security Risk Monitoring use case discovers and analyzes each third party’s IT footprint using artificial intelligence (AI) to automatically measure the value of each asset. This enables analysts to quickly identify each third party’s specific systems that pose the greatest risk, based on vulnerability severity and asset criticality. Organizations can leverage the Third Party Security Risk Monitoring use case both as a stand-alone solution for monitoring third-party risk or as the basis for implementing a broader IT and third-party risk management program when deployed with complementary Archer use cases.
Key features and benefits
-
Receive an actionable view of security issues for each third party.
-
Pinpoint potential exposures and root causes for 50+ security criteria
-
Obtain on-demand assessments of any organization's security practices.
-
Demonstrate risk control quality to regulators and standards bodies.
-
Proactively identify common exposures throughout your third-party portfolio
-
Gain objective insight into your third-party security performance and IT landscape.
-
Continuously monitor third party security performance
-
Optimize use of analysts’ time and outside auditor resources
-
Allocate risk resources to where they are needed most, to focus on high-value, low-performing third parties.
-
Engage third parties with accurate, actionable security performance insights and corrective actions.
-
Analyze Risk Recon information about the resolution/fix of Findings.
RiskRecon Third Party Security Risk Monitoring components
Architecture diagram
The component diagram below illustrates the different Archer applications and RiskRecon components involved in the integration. The integration leverages JavaScript Transporter Data Feeds and APIs to ingest RiskRecon Company details, ratings, and issues into Archer applications on a schedule.
The integration also creates the Third Parties/Companies in RiskRecon based on the Third Party Profile records, which makes Third Party Profile the single source for the organization's third party repository.
Workflow
-
The initiation of the Archer RiskRecon integration begins when a Third Party Profile is created, and the value of Portfolio Request field is set to ‘Vendor Addition Request’.
-
An Archer JST feed picks all the Third Parties and sends an API request to RiskRecon to bulk create the Companies.
-
The creation of Companies in RiskRecon might be delayed as its creation depends on various factors such as Company name, domain name etc.
-
The Risk Relationship will be set to ‘uncategorized’ by the API.
-
The content ID of the Third Party Profile record will be mapped to Internal ID.
-
Once RiskRecon creates the Companies, Archer routinely checks and updates the Security Risk Monitoring ID in the corresponding Third Party records.
-
An Archer JST feed fetches the Domain Ratings and Security Criteria data of the Companies from RiskRecon and ingests it into Archer applications.
-
A subsequent JST feed then ingests the issues related to the Companies into the Third Party Scan Results application.
-
The Breach Event data feed then ingests breach events data of the Companies in the RiskRecon organization's portfolio into the Third Party Scan Results application.
-
You can also delete a Company from the RiskRecon portfolio through the Portfolio Request values list field in the Third Party Profile application.
Note: Only the Third Party: Administrator role has permission to request it.
Prerequisites (ODA and system requirements)
The following table lists the components and prerequisites for RiskRecon Third Party Security Risk Monitoring
Components |
Prerequisites |
---|---|
Archer Solution Area(s) |
Third Party Governance |
Archer Use Case(s) |
Third Party Catalog, Third Party Engagement, Issues Management |
Archer Applications |
Third Party Profile, Subcontractors, Exception Requests |
Uses Custom Application |
Yes (3) |
Requires On-Demand License |
Yes (3) |
On-Demand Applications |
Security Profile Third Party Scan Results Third Party Tickets |
Archer Requirements |
Archer Platform Release 2023.09 and later |
Partner/Vendor Requirements |
Valid License is required |
Supported Archer Environments |
|
Compatible Use Cases and Applications
Related Applications
Application |
Description |
---|---|
Third Party Profile |
The Third Party Profile application is used to store information about each third party included in your business activities. Here, you can assign relationship managers, review associated contracts, and document meetings and activities associated with the relationship. Through the Third Party Profile application, you can:
|
Security Profile Level -Domain Ratings |
The Domain Ratings on-demand application collects and tracks individual security domain ratings of third parties. The application integrates with Third Party Security Risk Monitoring to pull in individual scoring metrics across each of their security domains. Through the Domain Ratings application, you can:
|
Security Profile Level -Security Criteria |
The Security Criteria is the second level of Security Profile applications. It is an on-demand application that collects and tracks the security criteria ratings of the third parties. Through the Security Criteria application, you can:
|
Third Party Scan Results |
The Third Party Scan Results on-demand application collects consistent vulnerability scan results delivered by data feed or manual creation. The application natively integrates with Third Party Security Risk Monitoring using data feeds, with the potential for additional integrations. Through the Third Party Scan Results application, you can:
|
Third Party Tickets |
The Third Party Tickets on-demand application provides a method of creating and assigning tickets to specific third party scan results. Third party tickets can consolidate similar scan results based on defined filters such as severity or security domain. The application allows tickets to be assigned to a specific owner, who has one of two ways for addressing a ticket:
Each ticket includes information from third party scan results as well as roll-up data from any associated Exception Requests or remediation plans. |
Subcontractors |
The Subcontractors application allows you to organize and manage information related to your third party suppliers and subcontractors. It serves as a repository for contact information, and its analytic capability gives you the ability to easily spot and mitigate potential risks. |
Exception Requests |
The Exception Requests application allows you to manage the process of granting, denying, and expiring exceptions to the remediation required in a third party ticket. Through built-in workflow, the application ensures that all exceptions are properly reviewed. The tool can also report on exceptions across the enterprise, monitoring them by control, department, or severity. Through the Exception Requests application, you can:
|
Note: The Task Management application is not included in the Third Party Security Risk Monitoring package, however, you must configure Task Management settings for task creation and assignment. For more information, see Configure Task Management.
Impacted Use Case(s)
Archer Use Case(s) |
---|
Third Party Catalog |
Third Party Engagement |
Issues Management |
Access Roles and Record Permissions
The following table describes the use case access roles.
Access Roles |
Permissions |
---|---|
Third Party: 1st Line of Defense |
This role provides CRU access to Third Party Tickets, Third Party Scan Results, and Task Management, and read-only access to Third Party Profile and Domain Ratings for the first line of defense. The first line of defense typically includes Business Unit Owners, Business Unit Managers, and Relationship Managers. In this use case, this role is responsible for submitting third party tickets for exception requests and remediation plans. |
Third Party: 2nd Line of Defense |
This role provides CRU access to Third Party Tickets, Third Party Scan Results, and Task Management, and read-only access to Third Party Profile and Domain Ratings for the second line of defense. The second line of defense typically includes Business Unit Risk Owners. In this use case, this role is responsible for reviewing third party tickets submitted for remediation plans. |
Third Party: Read Only |
This role provides read-only access to Third Party Profile, Third Party Tickets, Third Party Scan Results, and Domain Ratings, and CRU access to Task Management. |
Third Party: Administrator |
This role provides full CRUD access to all Third Party Management applications. Note: Only this role has access to request vendor deletion from the RiskRecon portfolio. |
Dashboards
The following table describes the use case dashboards.
Dashboard |
Description |
---|---|
Third Party Security Risk Monitoring Overview |
The Third Party Security Risk Monitoring Overview dashboard provides a high-level overview of Security Risk Monitoring ratings for each third party. You can compare overall third party risk ratings or view individual domain ratings. You can also view security findings, ticket status, and commonly used fourth parties to evaluate for risk exposure. |
Third Party Security Risk Monitoring Tickets |
The Third Party Security Risk Monitoring Tickets dashboard provides ticket owners and ticket reviewers with information about third party tickets. This dashboard includes ticket age, ticket assignments, and ticket status. |
Data Feeds
The following table describes the use case data feeds.
Data Feed |
Description |
---|---|
TPSRM: Portfolios 2024.09 - JST |
The TPSRM: Portfolios 2024.09 – JST data feed is a JavaScript Transporter feed that runs every 5 hours. It performs the following functionalities:
|
TPSRM: Vendors 2024.09 - JST |
The TPSRM: Vendors 2024.09 – JST data feed is a JavaScript Transporter feed that imports third and fourth party data. The data feed is preconfigured to create new records when no match is found against the preconfigured data feed key, and to update records when Third Party Security Risk Monitoring performs new scans. If you want to change the preconfigured data feed key, you may do so in the provided XSLT. |
TPSRM: Issues 2024.09 – JST |
The TPSRM: Issues 2024.09 – JST data feed is a JavaScript Transporter feed that imports issues to the Third Party Profile, Domain Ratings, and Third Party Scan Results applications. The data feed is preconfigured to create new records when no match is found against the preconfigured data feed key, and to update records when Third Party Security Risk Monitoring creates, closes, or updates any issues. If you want to change the preconfigured data feed key, you may do so in the provided XSLT. |
TPSRM: Create Task |
The optional TPSRM: Create Task data feed is an Archer-to-Archer data feed that creates Task Management records on your company instance when a Ticket Owner creates a remediation for a ticket in the Third Party Tickets application. Source report: Tickets Pending Third Party Task Generation. |
TPSRM: Sync Company Tasks to Third Party Instance |
The optional TPSRM: Sync Company Tasks to Third Party Instance data feed is an Archer-to-Archer data feed that creates and syncs Task Management records from your company instance to align with the internal version created by the Security Risk Monitoring – Create Task data feed. Source report: A2A: Sync Company Tasks to Third Party Instance. Note: This data feed is imported on your third party (external) instance. |
TPSRM: Sync Completed Third Party Tasks to Company Instance |
The optional TPSRM: Sync Completed Third Party Tasks to Company Instance data feed is an Archer-to-Archer data feed that imports completed third party tasks back to your company instance. Source report: A2A: Sync Completed Third Party Tasks to Company Instance. |
Additional Resources
For additional information, please visit https://www.riskrecon.com.
Installing RiskRecon Third Party Security Risk Monitoring
Security considerations
The information in this publication is provided “as is”. Archer makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Client is solely responsible for ensuring that the installation of the application is performed in a secure manner. Archer recommends clients perform a full security evaluation prior to implementation.
Installation overview
Step 1: Prepare for the installation
-
Ensure that your Archer system meets the following requirements:
-
Archer Platform version 2024.09
-
Read and understand "Packaging Data" in the Archer Platform Help.
Step 2: Install the package
Installing a package requires that you import the package file, map the objects in the package to objects in the target instance, and then install the package. For more information, see Installing the Packages.
Step 3: Set up data feeds
You must import and schedule each use case data feed that you want to use. See Setting Up Data Feeds for complete information.
Step 4: Test the installation
Test the application according to your company standards and procedures, to ensure that the use case works with your existing processes.
Installing the package
Task 1: Back up your database
There is no Undo function for a package installation. Packaging is a powerful feature that can make significant changes to an instance. It is strongly recommended to back up the instance database before installing a package. This process enables a full restoration if necessary.
An alternate method for undoing a package installation is to create a package of the affected objects in the target instance before installing the new package. This package provides a snapshot of the instance before the new package is installed, which can be used to help undo the changes made by the package installation. You must manually delete new objects created by the package installation.
Task 2: Import the package
-
Go to the Install Packages page.
-
From the menu bar, click
.
-
Under Application Builder, click Install Packages.
-
In the Available Packages section, click Import.
-
Click Add New.
-
Locate and select the package that you want to import.
-
Click OK.
The Available Packages section displays the package file and is ready for installation.
Task 3: Map objects in the package
Important: This step is required only if you are upgrading to a later version of [ODA name].
-
From the menu bar, click
> Application Builder > Install Packages.
-
In the Available Packages section, select the package you want to map.
-
In the Actions column, click
for that package.
The analyzer runs and examines the information in the package. The analyzer automatically matches the system IDs of the objects in the package with the objects in the target instances and identifies objects from the package that are successfully mapped to objects in the target instance, objects that are new or exist but are not mapped, and objects that do not exist (the object is in the target but not in the source).
Note: This process can take several minutes or more, especially if the package is large, and may time out after 60 minutes. This time-out setting temporarily overrides any IIS time-out settings set to less than 60 minutes. When the analyzer is complete, the Advanced Package Mapping page lists the objects in the package file and corresponding objects in the target instance. The objects are divided into tabs, depending on whether they are found within Applications, Solutions, Access Roles, Groups, Sub-forms, or Questionnaires.
-
On each tab of the Advanced Mapping Page, review the icons next to each object to determine which objects you must map manually.
Icon |
Name |
Description |
---|---|---|
|
Awaiting Mapping Review |
Indicates that the system could not automatically match the object or children of the object to a corresponding object in the target instance. Objects marked with this symbol must be mapped manually through the mapping process. Important: New objects should not be mapped. This icon should remain visible. The mapping process can proceed without mapping all the objects. Note: You can execute the mapping process without mapping all the objects. The icon is for informational purposes only. |
|
Mapping Completed |
Indicates that the object and all child objects are mapped to an object in the target instance. Nothing more needs to be done with these objects in Advanced Package Mapping. |
|
Do Not Map |
Indicates that the object does not exist in the target instance or the object was not mapped through the Do Not Map option. These objects will not be mapped through Advanced Package Mapping and must be remedied manually. |
|
Undo |
Indicates that a mapped object can be unmapped. This icon is displayed in the Actions column of a mapped object or object flagged as Do Not Map. |
-
For each object that requires remediation, do one of the following:
-
To map each item individually, on the Target column, select the object in the target instance to which you want to map the source object. If an object is new or if you do not want to map an object, select Do Not Map from the drop-down list.
Important: Ensure that you map all objects to their lowest level. When objects have child or related objects, the parent object provides a drill-down link. You must map child objects before parent objects. For more details, see "Mapping Parent/Child Objects" in the Archer Platform Help.
-
To automatically map all objects in a tab that have different system IDs but the same object name as an object in the target instance, do the following:
-
In the toolbar, click Auto Map.
-
Select an option for mapping objects by name.
Option |
Description |
---|---|
Ignore case |
Select this option to match objects with similar names regardless of the case of the characters in the object names. |
Ignore spaces |
Select this option to match objects with similar names regardless of whether spaces exist in the object names. |
-
Click OK. The Confirmation dialog box opens with the total number of mappings performed. These mappings have not been committed to the database yet and can be modified in the Advanced Package Mapping page.
-
Click OK.
-
To set all objects in the tab to Do Not Map, in the toolbar, click Do Not Map.
Note: To undo the mapping settings for any individual object, in the Actions column, click Undo.
-
When all objects are mapped, the icon is displayed in the tab title. The icon is displayed next to the object to indicate that the object will not be mapped.
-
Verify that all other objects are mapped correctly.
-
(Optional) To save your mapping settings so that you can resume working later, see "Importing and Exporting Mapping Settings" in the Archer Platform Help.
-
Once you have reviewed and mapped all objects, click Execute.
-
Select “I understand the implications of performing this operation,” and then click OK. The Advanced Package Mapping process updates the system IDs of the objects in the target instance as defined on the Advanced Package Mapping page. When the mapping is complete, the Import and Install Packages page is displayed.
Important: Advanced Package Mapping modifies the system IDs in the target instance. Any Data Feeds and Web Service APIs that use these objects will need to be updated with the new system IDs.
Task 4: Install the package
All objects from the source instance are installed in the target instance unless the object cannot be found or is flagged to not be installed in the target instance. The Log Messages section provides a list of conditions that may cause objects not to be installed. The Package Installation Log section displays a log entry.
-
From the menu bar, click
> Application Builder > Install Packages.
-
In the Available Packages section, locate the package file that you want to install, and click Install.
-
In the Selected Components section, click the Lookup button to open the Package Selector window.
-
To select all components, select the top-level check box.
-
To install only specific global reports in an already installed application, select the checkbox associated with each report that you want to install.
-
Note: Items in the package that do not match an existing item in the target instance are selected by default.
-
Under the Install Method drop-down menu, select an option for each selected component. To use the same Install Method for all selected components, select a method from the top-level drop-down list.
Note: If you have any existing components that you do not want to modify, select Create New Only. You may have to modify those components after installing the package to use the changes made by the package.
-
To deactivate target fields and data-driven events that are not in the package, in the Post-Install Actions section, select the Deactivate target fields and data-driven events that are not in the package checkbox. To rename the deactivated target fields and data-driven events with a user-defined prefix, select the Apply a prefix to all deactivated objects checkbox, and enter a prefix. This can help you identify any fields or data-driven events that you may want to review for cleanup post-install.
-
Click Install.
-
Click OK.
Task 5: Review the package installation log
-
From the menu bar, click
> Application Builder > Install Packages.
-
In the Package Installation Log tab, click the package that you want to view.
-
In the Package Installation Log page, in the Object Details section, click View All Errors.
Note: To view individual logs, in the Errors column of the log you want to view, click the Failures link or Warnings link. Clicking View All Errors, Failures, or Warnings opens the specific errors on a different page.
-
Click the Export icon to export the log file.
-
Click Close.
Configure the JavaScript Transporter Settings
Before you upload a JavaScript file, you must configure JavaScript Transporter settings in the Archer Control Panel.
-
Open the Archer Control Panel.
-
Go to Instance Management and select All Instances.
-
Select the instance.
-
On the General tab, go to the JavaScript Transporter section.
-
In the Max Memory Limit field, set the value to 2048 MB (2 GB).
-
In the Script Timeout field, set the value to 120 minutes (2 hours).
-
Require Signature is enabled by default on install. Signed Certificate Thumbprints are required for all Hosted clients.
-
In the Signing Certificate Thumbprints section, add a thumbprint for each digitally signed JavaScript file.
-
Double-click an empty cell in the Signing Certificate Thumbprints section.
-
Enter the digital thumbprint of the trusted certificate used to sign the JavaScript file.
Note: For more information on how to obtain digital thumbprints, see Digital Thumbprints.
Important: If you enable Require Signature and do not specify thumbprints, JavaScript files will not be accepted by the system.
-
On the toolbar, click Save.
Digital Thumbprints
When running JavaScript data feeds, you can configure the system to accept only digitally signed JavaScript files from trusted sources as a security measure.
For a certificate to be trusted, all the certificates in the chain including the Root CA Certificate and Intermediate CA certificates must be trusted on both the Web Server and Services Server machines.
Archer Technologies LLC Certificate in the Trusted Root CA Store
The Archer Technologies LLC certificate is not present in every machine’s root store by default.
-
Right-click the JavaScript file and select Properties.
-
Click the Digital Signatures tab.
-
From the Signature List window, select Archer Technologies LLC.
-
Click the Details button.
-
Click View Certificate.
-
Click Install Certificate.
-
Select Local Machine.
-
Click Next.
-
Select Place all certificates in the following store and click Browse.
-
Select Trusted Root Certification Authorities and click OK.
-
Click Next.
-
Click Finish.
-
Upon successful import, click OK.
Obtain a Certificate Thumbprint
-
On the Web Server and Services Server machines, open the Manage Computer Certificates program.
-
Launch “certmgr” from the Start menu.
-
Navigate to Certificates – Local Computer > Trusted Root Certification Authorities > Certificates.
-
Verify that the certificate is trusted.
-
Double-click the Archer Technologies LLC certificate.
-
In the Certificate window, click the Certification Path tab.
-
Ensure that the Certificate Status window displays the following message: “This certificate is OK.”
Note: If the Certificate Status window displays something different, follow the on-screen instructions.
-
-
Obtain the trusted certificate thumbprint.
-
In the Certificate window, click the Details tab.
-
Scroll to and select the Thumbprint field.
The certificate's digital thumbprint appears in the window.
-
Copy the thumbprint.
Note: For information on adding digital thumbprints, see Step 7a of Configure the JavaScript Transporter Settings regarding where thumbprint is relevant.
-
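The same checks can be scripted, which also avoids copying the thumbprint out of the certificate dialog by hand. The following PowerShell is an added example, not part of the Archer documentation or installation package; the function name and the file path are assumptions, while the signer name and the script file name are the ones used on this page.

```powershell
# Added example, not Archer code. Run in an elevated session on the Web Server
# and on the Services Server; both must report the same result.
function Get-TransporterSignerThumbprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Path,
        # Signer name shown in the Signature List on this page.
        [string]$ExpectedSigner = 'Archer Technologies LLC'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Authenticode check. 'Valid' means the file is unchanged since signing and
    # the signer chains to a root that this machine trusts.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    if ($null -eq $signer) {
        throw "No Authenticode signature on $Path (status: $($sig.Status))."
    }

    # Signer identity: compare the certificate's simple name (CN) with the expected one.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn       = $signer.GetNameInfo($nameType, $false)

    # Rebuild the chain in the machine context, the scripted counterpart of the
    # Certification Path tab. An empty ChainStatus means no chain errors.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chainBuilds = $chain.Build($signer)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '

    # The procedure on this page installs the certificate into
    # Local Machine > Trusted Root Certification Authorities.
    $inRoot = [bool](Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $signer.Thumbprint })

    [pscustomobject]@{
        File               = $Path
        SignatureStatus    = $sig.Status.ToString()
        StatusMessage      = $sig.StatusMessage
        Signer             = $cn
        SignerMatches      = ($cn -eq $ExpectedSigner)
        ChainBuilds        = $chainBuilds
        ChainStatus        = $chainStatus
        InLocalMachineRoot = $inRoot
        NotAfter           = $signer.NotAfter
        Thumbprint         = $signer.Thumbprint   # hex string without spaces
    }
}

# Hypothetical path: wherever the installation package was extracted.
$result = Get-TransporterSignerThumbprint -Path 'C:\ArcherPackages\signed_RiskRecon_API_v2.1.0.js'
$result | Format-List

if ($result.SignatureStatus -ne 'Valid' -or -not $result.SignerMatches) {
    Write-Warning 'Signature did not validate for the expected signer; do not trust this thumbprint yet.'
}
```

Once SignatureStatus is Valid on both servers, the Thumbprint value is the string to enter in the JavaScript Transporter settings.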
Configuring the RiskRecon Archer Third Party Security Risk Monitoring
Before you begin
This section provides instructions for configuring the Archer Third Party Security Risk Monitoring use case, powered by RiskRecon, with the Archer Platform. This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products to install the required components.
Obtain the API Key from RiskRecon
You must obtain an API key from RiskRecon prior to configuring the data feeds. To obtain a key, perform the following steps:
- Log in to RiskRecon.
- Go to My Account > System Administration.
- Locate the account for which you want to obtain an API key, then click Manage.
- Select the API Keys tab under the System Administration section.
- Click New API Key.
- Enter a description for the API key.
- Select a key expiration date.
- Click Create API Key.
- Click the clipboard located on the left side of the user account to copy the key to your clipboard, and then save it for later use.
This API key is used when defining custom parameters for the TPSRM: Portfolios 2024.09 – JST, TPSRM: Vendors 2024.09 - JST and the TPSRM: Issues 2024.09 – JST data feeds. For example, see step 9 of TPSRM: Portfolios 2024.09 – JST.
Configuring Archer
Before you install the Third Party Security Risk Monitoring package in Archer, you must install all prerequisite use cases and download the following configuration files from the Archer Exchange on Archer Link:
- Archer_2024.09_Third_Party_Security_Risk_Monitoring_Installation_Package.zip
Note: The TPSRM: Create Task.dfx5, TPSRM: Sync Company Tasks to Third Party Instance.dfx5, and TPSRM: Sync Completed Third Party Tasks to Company Instance.dfx5 data feed files are optional. You only need to import these files if you plan to assign tasks to third party contacts through a secondary external third party instance.
For more information on installing the prerequisite use cases, see “Installing Issues Management,” “Installing Third Party Catalog,” and “Installing Third Party Engagement” in the Archer Online Documentation.
Configure Task Management
If you want to leverage the Task Management-based integration between your company and third party instances, you must configure settings to function with the Archer Third Party Security Risk Monitoring use case. Task Management is used when you choose to send remediation tasks to third party contacts in your third party instance for response. You only need to configure Task Management if you plan to use the following optional data feeds:
- TPSRM: Create Task
- TPSRM: Sync Company Tasks to Third Party Instance
- TPSRM: Sync Completed Third Party Tasks to Company Instance
Note: If you do not want to leverage Task Management to send remediation tasks to your third parties, continue to the data feeds section to set up the required data feeds. For more information, see Set Up Third Party Security Risk Monitoring Data Feeds.
Create Type Values
To leverage Task Management, you must create a Third Party Remediation type value on the company and third party instances.
Create a Third Party Remediation Type Value in the Task Management Application (Company Instance)
- Log in to your company instance.
- Go to the Manage Applications page.
  - From the menu bar, click .
  - Under Application Builder, click Applications.
- Select Task Management.
- On the Fields tab, select the Type values list field.
- Click the Values tab.
- Create a Third Party Remediation value.
  - Click Add New.
  - In the Text Value field, enter Third Party Remediation.
  - Click Save.
- Click Save.
Create a Third Party Remediation Type Value in the Task Management Application (Third Party Instance)
- Log in to your third party instance.
- Go to the Manage Applications page.
  - From the menu bar, click .
  - Under Application Builder, click Applications.
- Select Task Management.
- On the Fields tab, select the Type values list field.
- Click the Values tab.
- Create a Third Party Remediation value.
  - Click Add New.
  - In the Text Value field, enter Third Party Remediation.
  - Click Save.
- Click Save.
Configure Record Permissions
Archer recommends that you create an automatic record permission for Task Management to provide read-only access to members of the Third Party: Read Only group.
- Log in to your third party instance.
- Go to the Applications page:
  - From the menu bar, click .
  - Under Application Builder, click Applications.
- Locate and select Task Management.
- Click the Fields tab.
- Click Add New.
- In the Field Types section, do the following:
  - Expand the Advanced menu.
  - Select Record Permissions.
  - Click OK.
- In the Name field, enter Read Only Access.
- Click the Options tab and do the following:
  - In the Permissions section, select Automatic.
  - In the Rules section, click Add New.
  - In the Manage Automatic Selection Rule window, do the following:
    - In the Rule Name field, enter Type Contains Third Party Remediation.
    - In the Conditions section, enter the following values:

      | Field to Evaluate | Operator | Value(s) | Relationships |
      |---|---|---|---|
      | Type | Contains | Third Party Remediation | N/A |

    - In the Users/Group Permission section, click Lookup.
  - Expand the Groups list, and do the following:
    - Navigate to Third Party Management.
    - Expand the Third Party Management list.
    - Select Third Party: Read Only.
    - Click OK. The Third Party: Read Only group is added to the rule with the Read check box selected.
  - Click Apply.
  - In the Default Users/Groups section, click Lookup.
  - Select Record Creator from the list of Available Users/Groups.
  - Click OK.
- Click Save.
Add a Third Party Contact to the Third Party: Read Only Group
Once you configure record permissions for the Third Party: Read Only group, you can assign third party contacts to that group when remediating tasks in your third party instance.
- Log in to your third party instance.
- Go to the Users page:
  - From the menu bar, click .
  - Under Access Control, click Users.
- Select the user account you want to add to the Third Party: Read Only group.
- Click the Groups tab.
- Click Lookup.
- Expand the Groups list, and do the following:
  - Navigate to Third Party Management.
  - Expand the Third Party Management list.
  - Select Third Party: Read Only.
  - Click OK.
- Click Save.
Create Notifications
Archer recommends creating notifications to alert key stakeholders when tasks have been created and completed.
Create Third Party Remediation Task Creation Notifications
- Log in to your third party instance.
- Go to Notifications and click Application Notifications.
- Click the + icon.
- In the Type field, select ‘Subscription Notification’, in the Application field, select ‘Task Management’, and then click ‘Continue’.
- Click the Layout tab.
- Click the Rules tab.
- Click Add New.
- Select Create a New Rule from Scratch.
- In the Name field, enter Notification: Third Party Remediation Task Creation.
- In the Criteria section, enter the following values:

  | Field to Evaluate | Operator | Value(s) | Relationships |
  |---|---|---|---|
  | Record Status | Equals | New | And |
  | Type | Equals | Third Party Remediation | N/A |

- In the Linked Actions section, click Add New.
- In the Available Action Types section, select Generate Notification.
- Click OK.
- In the General Information section, do the following:
  - In the Name field, enter Notification: Third Party Remediation Task Creation.
  - Set the Status to Active.
- In the Template Design section, in the Letterhead field, select Archer Default - Creation.
- Click the Content tab, and do the following:
  - In the Subject field, enter “New Third Party Remediation Task:”
  - In the Toolbar field, select Task ID. [Field: Task ID] is added to the subject line.
  - In the Subject field, after [Field: Task ID], enter “Has Been Assigned”
  - In the Body field, select the following fields:
    - Task ID
    - Type
    - Due Date
    - Assigned To
    - Description
    - Created by
- Click the Delivery tab, and do the following:
  - In the From Address field, enter the email that you want to appear as the notification sender.
  - In the Frequency field, select Instantly.
  - In the Email Recipient Options section, select Separate Emails.
  - In the Recipients section, in the `To` field, select Assigned To.
  - Click Save.
- Click Save.
Create Third Party Remediation Task Reminder Notifications
- Log in to your third party instance.
- Go to Notifications and click Application Notifications.
- Click the + icon.
- In the Type field, select ‘Subscription Notification’, in the Application field, select ‘Task Management’, and then click ‘Continue’.
- Click the Rules tab.
- Click Add New.
- Select Create a New Rule from Scratch.
- In the Name field, enter Notification: Third Party Remediation Task Reminder.
- In the Criteria section, enter the following values:

  | Field to Evaluate | Operator | Value(s) | Relationships |
  |---|---|---|---|
  | Status | Does Not Equal | Complete | And |
  | Type | Equals | Third Party Remediation | N/A |

- In the Linked Actions section, click Add New.
- In the Available Action Types section, select Generate Notification.
- Click OK.
- In the General Information section, do the following:
  - In the Name field, enter Notification: Third Party Remediation Task Reminder.
  - Set the Status to Active.
- In the Template Design section, in the Letterhead field, select Archer Default - Creation.
- Click the Content tab, and do the following:
  - In the Subject field, enter “Third Party Remediation Task Requires Action by”
  - In the Toolbar field, select Due Date. [Field: Due Date] is added to the subject line.
  - In the Body field, select the following fields:
    - Task ID
    - Type
    - Due Date
    - Assigned To
    - Description
    - Created by
- Click the Delivery tab, and do the following:
  - In the From Address field, enter the email that you want to appear as the notification sender.
  - In the Frequency field, select Reminder.
  - In the Criteria section, Archer recommends entering the following values:

    | Field | Operator | Days | Target | Occurrence |
    |---|---|---|---|---|
    | Due Date | Equals | 0 | After Today | Once |
    | Due Date | Equals | 5 | After Today | Once |

  - In the Email Recipient Options section, select Separate Emails.
  - In the Recipients section, in the `To` field, select Assigned To.
  - Click Save.
- Click Save.
Create Third Party Remediation Task Complete Notifications
- Log in to your company instance.
- Go to Notifications and click Application Notifications.
- Click the + icon.
- In the Type field, select ‘Subscription Notification’, in the Application field, select ‘Task Management’, and then click ‘Continue’.
- Click the Layout tab.
- Click the Rules tab.
- Click Add New.
- Select Create a New Rule from Scratch.
- In the Name field, enter Notification: Third Party Remediation Task Complete.
- In the Criteria section, enter the following values:

  | Field to Evaluate | Operator | Value(s) | Relationships |
  |---|---|---|---|
  | Status | Changed To | Complete | And |
  | Type | Contains | Third Party Remediation | N/A |

- In the Linked Actions section, click Add New.
- In the Available Action Types section, select Generate Notification.
- Click OK.
- In the General Information section, do the following:
  - In the Name field, enter Notification: Third Party Remediation Task Complete.
  - Set the Status to Active.
- In the Template Design section, in the Letterhead field, select Archer Default - Complete.
- Click the Content tab, and do the following:
  - In the Subject field, enter “Third Party Remediation Task:”
  - In the Toolbar field, select Task ID. [Field: Task ID] is added to the subject line.
  - In the Subject field, after [Field: Task ID], enter “has been Completed”
  - In the Body field, select the following fields:
    - Task ID
    - Type
    - Due Date
    - Assigned To
    - Description
    - Resolution
    - Created by
- Click the Delivery tab, and do the following:
  - In the From Address field, enter the email that you want to appear as the notification sender.
  - In the Frequency field, select Instantly.
  - In the Email Recipient Options section, select Separate Emails.
  - In the Recipients section, in the `To` field, select Created by.
  - Click Save.
- Click Save.
Create Reports
You must configure the base reports for the optional TPSRM: Sync Company Tasks to Third Party Instance and TPSRM: Sync Completed Third Party Tasks to Company Instance data feeds.
Create the A2A: Sync Company Tasks to Third Party Instance Report
This report displays all remediation tasks that are created in the company instance and assigned to third party contacts. You must create this report on the company instance.
- Log in to your company instance.
- Go to the Task Management workspace.
  - Click the drop-down arrow next to your username in the top-right corner of the screen.
  - Click Workspaces Display.
  - Select the check box next to Task Management.
  - Click Save.
  - From the menu bar, select Task Management.
  - Click next to Task Management.
- Click New to create a new report.
- In the Fields to Display section, add the following fields from Task Management in the Available window to the Selected window:
  - Tracking ID
  - Description
  - Attachments
  - Assigned To
  - Due Date
  - Status
  - Type
- In the Filters section, enter the following values:

  | Field to Evaluate | Operator | Value(s) | Relationships |
  |---|---|---|---|
  | Type | Contains | Third Party Remediation | And |
  | Status | Does Not Equal | Complete | N/A |

- (Optional) In the Sorting section, enter the following values:

  | Field to Evaluate | Order | Grouping | Relationships |
  |---|---|---|---|
  | Task ID | Ascending | Disabled | N/A |

- Click Search.
- Click Save.
- In the Report Information section, in the Name field, enter A2A: Sync Company Tasks to Third Party Instance.
- In the Report Type section, in the Permissions field, select Global Report.
- Click Save.
- From the search results page, in the Save drop-down menu, click Save Report Changes.
- In the Report Information section, copy the numeric value from the ID field and save it for use when importing the TPSRM: Sync Company Tasks to Third Party Instance data feed.
  Note: Do not include the braces {} in the copied text.
This numeric ID is used in the Report field when importing the optional TPSRM: Sync Company Tasks to Third Party Instance Report data feed. See step 9b of (Optional) Import the TPSRM: Sync Company Tasks to Third Party Instance Data Feed.
Create the A2A: Sync Completed Third Party Tasks to Company Instance Report
This report displays all remediation tasks that have been completed by the third party contact. You must create this report on the third party instance.
- Log in to your third party instance.
- Go to the Task Management workspace.
  - From the menu bar, select Task Management.
  - Click next to Task Management.
- Click New to create a new report.
- In the Fields to Display section, add the following fields from Task Management in the Available window to the Selected window:
  - Subject
  - Status
  - Resolution
  - Completion Date
- In the Filters section, enter the following values:

  | Field to Evaluate | Operator | Value(s) | Relationships |
  |---|---|---|---|
  | Status | Equals | Complete | And |
  | Completion Date | Current | Day | And |
  | Completion Date | Last | 3 Days | And |
  | Type | Equals | Third Party Remediation | N/A |

- In the Advanced Operator Logic field, enter 1 AND (2 or 3) AND 4.
- (Optional) In the Sorting section, enter the following values:

  | Field to Evaluate | Order | Grouping | Relationships |
  |---|---|---|---|
  | Task ID | Ascending | Disabled | N/A |

- Click Search.
- Click Save.
- In the Report Information section, in the Name field, enter A2A: Sync Completed Third Party Tasks to Company Instance.
- In the Report Type section, in the Permissions field, select Global Report.
- Click Save.
- From the search results page, in the Save drop-down menu, click Save Report Changes.
- In the Report Information section, copy the numeric value from the ID field and save it for use when importing the TPSRM: Sync Completed Third Party Tasks to Company Instance data feed.
  Note: Do not include the braces {} in the copied text.
This numeric ID is used in the Report field when importing the optional TPSRM: Sync Completed Third Party Tasks to Company Instance data feed. See step 9b of (Optional) Import the TPSRM: Sync Completed Third Party Tasks to Company Instance Data Feed.
Set Up Third Party Security Risk Monitoring Data Feeds
The Third Party Security Risk Monitoring use case includes four data feeds:
- TPSRM: Portfolios 2024.09 - JST Data Feed
- TPSRM: Vendors 2024.09 - JST Data Feed
- TPSRM: Issues 2024.09 – JST Data Feed
- TPSRM: Breach Events 2024.09 – JST Data Feed
- (Optional) TPSRM: Create Task
- (Optional) TPSRM: Sync Company Tasks to Third Party Instance
- (Optional) TPSRM: Sync Completed Third Party Tasks to Company Instance
Import the TPSRM: Portfolios 2024.09 – JST Data Feed
Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the Archer Control Panel. For more information, see Configure the JavaScript Transporter Settings.
Note:
- The TPSRM: Portfolios 2024.09 – JST data feed is scheduled to run every 5 hours by default. See Schedule Data Feeds for information about modifying the schedule.
- The Data Feed performs the following functions:
  - Identifies the Third Party records that do not have a TOE ID and whose Portfolio Request field is set to ‘Vendor Addition Request’ (default), and sends an API request to RiskRecon for bulk addition of those third parties.
    The content ID of each third party is also sent to RiskRecon and acts as an initial identifier until the Third Party/Company is created.
  - Identifies (through Content ID) the Third Parties/Companies that have been created in RiskRecon and updates the Security Risk Monitoring field in the Third Party application with the TOE ID.
  - Identifies the Third Party records where the Portfolio Request field has been set to ‘Vendor Deletion Request’ and deletes the third party from the RiskRecon portfolio.
    Only the Company is deleted from RiskRecon; the Third Party Profile records and their associated Third Party Domain Ratings and Third Party Scan Results data are not removed from Archer. There might be a delay in the Third Party creation in RiskRecon after the Bulk Add request. The data feed tracks the Third Party until it is created in RiskRecon.
- The Data Feed uses APIs to modify/create records and does not use the data feed functionality for record updates.
- If an existing Third Party record in Archer needs to be mapped to an existing third party in RiskRecon, add the Content ID of the Third Party record in Archer to the Internal ID field in RiskRecon.
- RiskRecon limits the number of TOE deletions in a 24-hour period. If the number of Third Party Profile records exceeds the RiskRecon limit, the data feed deletes TOEs from the Organization portfolio up to that limit and deletes the remaining records in the next scheduled data feed run.
- Log in to your company instance.
- Go to the Manage Data Feeds page:
  - From the menu bar, click .
  - Under Integration, click Data Feeds.
- In the Manage Data Feeds section, click Import.
- Locate and select the TPSRM: Portfolios 2024.09 – JST.dfx5 data feed file.
- Verify settings in the General tab.
  - In the General Information section, set the Status field to Active.
  - In the Feed Information section, confirm that the Target field is set to Domain Ratings.
- Click the Transport tab.
  - In the Transport section, in the Transport Method field, select JavaScript Transporter.
  - In the Transport Configuration section, click Upload.
  - Locate and select the signed_RiskRecon_API_v2.js JavaScript file.
- In the Custom Parameters section, enter the following key values:

  | Key | Value |
  |---|---|
  | feedType | [should be set to ‘portfolio’] |
  | apiKey | [insert API Key from Third Party Security Risk Monitoring] |
  | archerUrl | [insert the URL of your Archer instance] |
  | archerInstance | [insert the name of your Archer instance] |
  | archerUser | [insert user account name that has read access to all Third Party Profile records] Note: You can add this user to the Third Party: Read Only group for access. |
  | archerPass | [insert password for the archerUser account name] |
  | ownEnterprise | [should be set to false for TPSRM] |
  | archerReportGUIDTP | [GUID of the ‘TPSRM – Vendors to track’ report in Third Party Profile. This value is pre-populated.] |
  | archerKeyFieldGUIDTP | [GUID of the ‘Security Risk Monitoring ID’ field in Third Party Profile. This value is pre-populated.] |
  | archerReportGUIDNOTOE | [GUID of ‘DFM:TPSRM – Vendors with no TOE ids’ report in Third Party Profile. This value is pre-populated.] |
  | archerKeyFieldGUIDNOTOE | [GUID of ‘Third Party ID’ field in Third Party Profile. This value is pre-populated.] |
  | archerReportGUIDDELETETOE | [GUID of ‘DFM: TPRM Portfolio Delete Request’ report in Third Party Profile. This value is pre-populated.] |
  | archerFieldGUIDDELETETOE | [GUID of ‘Portfolio Request’ field in Third Party Profile. This value is pre-populated.] |
  | archerFieldDeleteValueListValue | [GUID of ‘Vendor_Deletion_Successful’ value in ‘Portfolio Request’ value list field in Third Party Profile. This value is pre-populated.] |
  | ignoreLastRunTime | Uses the LastRunTime data feed token in the last retrieved parameter while fetching Toes results. [should be set to true/false] |

- The following additional parameters are valid options for the Custom Parameters section:

  | Key | Type | Value |
  |---|---|---|
  | proxy | Protected | [insert the URL of the proxy server] Note: This key should only be entered if you use a proxy server. If you are an Archer Hosted (SaaS) customer, this key is required, and you must contact your Professional Services representative to configure this parameter. |
  | LastRunTime | N/A | [last_retrieved=YYYY-MM-DD] Passed into the vendors feed to retrieve only ratings that have been updated since the last feed execution. Filters results published or updated after the provided date string in format YYYY-MM-DD. Example: To retrieve results updated on or after 2020-11-20, use the following value: last_retrieved=2020-11-20 |
  | requestsPerMin | N/A | [Upper threshold of outgoing requests per minute. This value is pre-populated.] |
  | concurrencyLimit | N/A | [Max number of in-flight requests at any given time. This value is pre-populated.] |
  | maxRetry | N/A | [Max number of retries per individual requests. This value is pre-populated.] |
  | archerReportLimit | N/A | [Max number of vendors for which you want to retrieve data. This value is pre-populated and set to 1000 by default.] |
  | verifyCerts | N/A | [true] or [false] By default, this value is set to true. If you have configured Archer to use HTTPS, and the SSL certificate is self-signed or is another form of non-perfected SSL certificate from a top tier Certificate Authority, you must set this value to false. |

- Click Save.
Import the TPSRM: Vendors 2024.09 – JST Data Feed
Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the Archer Control Panel. For more information, see Configure the JavaScript Transporter Settings.
Note: The TPSRM: Vendors 2024.09 – JST Data Feed is scheduled to run daily by default. See Schedule Data Feeds for information about modifying the schedule.
- Log in to your company instance.
- Go to the Manage Data Feeds page:
  - From the menu bar, click .
  - Under Integration, click Data Feeds.
- In the Manage Data Feeds section, click Import.
- Locate and select the TPSRM: Vendors 2024.09 – JST.dfx5 data feed file.
- Verify settings in the General tab.
  - In the General Information section, set the Status field to Active.
  - In the Feed Information section, confirm that the Target field is set to Domain Ratings.
- Click the Transport tab.
  - In the Transport section, in the Transport Method field, select JavaScript Transporter.
  - In the Transport Configuration section, click Upload.
  - Locate and select the signed_RiskRecon_API_v2.1.0.js JavaScript file.
- In the Custom Parameters section, enter the following key values:

  | Key | Value |
  |---|---|
  | feedType | [should be set to ‘vendor’] |
  | apiKey | [insert API Key from Third Party Security Risk Monitoring] |
  | archerUrl | [insert the URL of your Archer instance] |
  | archerInstance | [insert the name of your Archer instance] |
  | archerUser | [insert user account name that has read access to all Third Party Profile records] Note: You can add this user to the Third Party: Read Only group for access. |
  | archerPass | [insert password for the archerUser account name] |
  | ownEnterprise | [should be set to false for TPSRM] |
  | archerReportGUIDTP | [GUID of the ‘TPSRM – Vendors to track’ report in Third Party Profile. This value is pre-populated.] |
  | archerKeyFieldGUIDTP | [GUID of the ‘Security Risk Monitoring ID’ field in Third Party Profile. This value is pre-populated.] |
  | archerReportGUIDNOTOE | [GUID of ‘DFM:TPSRM – Vendors with no TOE ids’ report in Third Party Profile. This value is pre-populated.] |
  | archerKeyFieldGUIDNOTOE | [GUID of ‘Third Party ID’ field in Third Party Profile. This value is pre-populated.] |
  | archerReportGUIDDELETETOE | [GUID of ‘DFM: TPRM Portfolio Delete Request’ report in Third Party Profile. This value is pre-populated.] |
  | archerFieldGUIDDELETETOE | [GUID of ‘Portfolio Request’ field in Third Party Profile. This value is pre-populated.] |
  | archerFieldDeleteValueListValue | [GUID of ‘Vendor_Deletion_Successful’ value in ‘Portfolio Request’ value list field in Third Party Profile. This value is pre-populated.] |
  | ignoreLastRunTime | Uses the LastRunTime data feed token in the last retrieved parameter while fetching Toes results. [should be set to true/false] |
  | vendorEndpoints | Enter one or more of the following endpoints: hostEndpoint, descEndpoint, industryEndpoint, subEndpoint. By default, this value is set to descEndpoint, industryEndpoint, subEndpoint. |

- The following additional parameters are valid options for the Custom Parameters section:

  | Key | Type | Value |
  |---|---|---|
  | proxy | Protected | [insert the URL of the proxy server] Note: This key should only be entered if you use a proxy server. If you are an Archer Hosted (SaaS) customer, this key is required, and you must contact your Professional Services representative to configure this parameter. |
  | LastRunTime | N/A | [last_retrieved=YYYY-MM-DD] Passed into the vendors feed to retrieve only ratings that have been updated since the last feed execution. Filters results published or updated after the provided date string in format YYYY-MM-DD. Example: To retrieve results updated on or after 2020-11-20, use the following value: last_retrieved=2020-11-20 |
  | requestsPerMin | N/A | [Upper threshold of outgoing requests per minute. This value is pre-populated.] |
  | concurrencyLimit | N/A | [Max number of in-flight requests at any given time. This value is pre-populated.] |
  | maxRetry | N/A | [Max number of retries per individual requests. This value is pre-populated.] |
  | archerReportLimit | N/A | [Max number of vendors for which you want to retrieve data. This value is pre-populated and set to 1000 by default.] |
  | verifyCerts | N/A | [true] or [false] By default, this value is set to true. If you have configured Archer to use HTTPS, and the SSL certificate is self-signed or is another form of non-perfected SSL certificate from a top tier Certificate Authority, you must set this value to false. |

- Click Save.
Import the TPSRM: Issues 2024.09 – JST Data Feed
Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the Archer Control Panel. For more information, see Configure the JavaScript Transporter Settings.
Note: The TPSRM: Issues 2024.09 – JST Data Feed is scheduled to run daily by default. See Schedule Data Feeds for information about modifying the schedule.
- Log in to your company instance.
- Go to the Manage Data Feeds page.
  - From the menu bar, click .
  - Under Integration, click Data Feeds.
- In the Manage Data Feeds section, click Import.
- Locate and select the TPSRM: Issues 2024.09 – JST.dfx5 data feed file.
- Verify settings in the General tab.
  - In the General Information section, set the Status to Active.
  - In the Feed Information section, confirm that the Target field is set to Third Party Scan Results.
- Click the Transport tab.
  - In the Transport section, in the Transport Method field, select JavaScript Transporter.
  - In the Transport Configuration section, click Upload.
  - Locate and select the signed_RiskRecon_API_v2.1.0.js JavaScript file.
- In the Custom Parameters section, enter the following key values:

  | Key | Value |
  |---|---|
  | feedType | [should be set to ‘issue’] |
  | apiKey | [insert API Key from Third Party Security Risk Monitoring] |
  | archerUrl | [insert the URL of your Archer instance] |
  | archerInstance | [insert the name of your Archer instance] |
  | archerUser | [insert user account name that has read access to all Third Party Profile records] Note: You can add this user to the Third Party: Read Only group for access. |
  | archerPass | [insert password for the archerUser account name] |
  | ownEnterprise | [should be set to false for TPSRM] |
  | archerReportGUIDTP | [GUID of the ‘TPSRM – Vendors to track’ report in Third Party Profile. This value is pre-populated.] |
  | archerKeyFieldGUIDTP | [GUID of the ‘Security Risk Monitoring ID’ field in Third Party Profile. This value is pre-populated.] |
  | archerReportGUIDNOTOE | [GUID of ‘DFM:TPSRM – Vendors with no TOE ids’ report in Third Party Profile. This value is pre-populated.] |
  | archerKeyFieldGUIDNOTOE | [GUID of ‘Third Party ID’ field in Third Party Profile. This value is pre-populated.] |
  | archerReportGUIDDELETETOE | [GUID of ‘DFM: TPRM Portfolio Delete Request’ report in Third Party Profile. This value is pre-populated.] |
  | archerFieldGUIDDELETETOE | [GUID of ‘Portfolio Request’ field in Third Party Profile. This value is pre-populated.] |
  | archerFieldDeleteValueListValue | [GUID of ‘Vendor_Deletion_Successful’ value in ‘Portfolio Request’ value list field in Third Party Profile. This value is pre-populated.] |
  | ignoreLastRunTime | Uses the LastRunTime data feed token in the last retrieved parameter while fetching Toes results. [should be set to true/false] |
  | severity | [severitylevel] Available values: critical, high, medium, low |

- The following additional parameters are valid options for the Custom Parameters section:

  | Key | Type | Value |
  |---|---|---|
  | proxy | Protected | [insert the URL of the proxy server] Note: This key should only be entered if you use a proxy server. If you are an Archer Hosted (SaaS) customer, this key is required, and you must contact your Professional Services representative to configure this parameter. |
  | requestsPerMin | N/A | [Upper threshold of outgoing requests per minute. This value is pre-populated.] |
  | concurrencyLimit | N/A | [Max number of in-flight requests at any given time. This value is pre-populated.] |
  | maxRetry | N/A | [Max number of retries per individual requests. This value is pre-populated.] |
  | archerReportLimit | N/A | [Max number of vendors for which you want to retrieve data. This value is pre-populated and set to 1000 by default.] |
  | verifyCerts | N/A | [true] or [false] By default, this value is set to true. If you have configured Archer to use HTTPS, and the SSL certificate is self-signed or is another form of non-perfected SSL certificate from a top tier Certificate Authority, you must set this value to false. |
  | asset_value | N/A | [Values] Available values: high, medium, low, idle, key |
  | security_domain | N/A | [Values] Available values: data_loss, defensibility, dns_security, email_security, network_filtering, software_patching, threat_intell, web_app_security, web_encryption |
  | security_criteria | N/A | [Values] Available values: web_encryption_key_length, attack_surface_web_hostname, web_encryption_date_expire, threatintel_botnet_host, web_encryption_hash, governance_regulatory_requirements, patching_web_cms, web_http_security_headers, patching_other, email_encryption_enabled, governance_security_certifications, governance_customer_base, data_loss_36plus, malicious_code, patching_app_server, threatintel_cc_server, data_loss_6, defensibility_hosting_providers, domain_hijacking_protection, data_loss_24, threatintel_phishing_site, email_hosting_providers, patching_openssl, attack_surface_web_ip, breach_events_15_plus, unsafe_network_services, web_encryption_protocol, web_encryption_date_valid, breach_events_0_15, data_loss_12, dns_hijacking_protection, threatintel_hostile_host_hacking, email_authentication, unencrypted_sensitive_communications, config_web_cms_authentication, dns_hosting_providers, threatintel_other, threatintel_spamming_host, unencrypted_sensitive_systems, patching_os, threatintel_hostile_host_scanning, shared_hosting, data_loss_36, patching_web_server, threat_intel_alert_external, web_encryption_subject, host_hosting_providers, patching_vuln_open_ssl, web_threat_intel_alert_external, hosting_countries, iot_devices |

- Click Save.
Import the TPSRM: Breach Events 2024.09 – JST Data Feed
Before you upload a JavaScript file, configure JavaScript Transporter settings in the Archer Control Panel. For more information, see Configure the JavaScript Transporter Settings.
The TPSRM: Breach Events 2024.09 – JST Data Feed is scheduled to run daily by default. See Schedule Data Feeds for information about modifying the schedule.
1. Log in to your company instance.
2. Go to the Manage Data Feeds page.
   a. From the menu bar, click .
   b. Under Integration, click Data Feeds.
3. In the Manage Data Feeds section, click Import.
4. Locate and select the TPSRM: Breach Events 2024.09 – JST.dfx5 data feed file.
5. Verify settings in the General tab.
   a. In the General Information section, set the Status to Active.
   b. In the Feed Information section, confirm that the Target field is set to Third Party Scan Results.
6. Click the Transport tab.
7. In the Transport section, in the Transport Method field, select JavaScript Transporter.
8. In the Transport Configuration section, click Upload.
   a. Locate and select the signed_RiskRecon_API_v2.1.0.js JavaScript file.
9. In the Custom Parameters section, enter the following key values:
Key | Value |
---|---|
feedType | [should be set to ‘breach_events’] |
apiKey | [insert API Key from Third Party Security Risk Monitoring] |
archerUrl | [insert the URL of your Archer instance] |
archerInstance | [insert the name of your Archer instance] |
archerUser | [insert user account name that has read access to all Third Party Profile records] Note: You can add this user to the Third Party: Read Only group for access. |
archerPass | [insert password for the archerUser account name] |
ownEnterprise | [should be set to false for TPSRM] |
archerReportGUIDTP | [GUID of the ‘TPSRM – Vendors to track’ report in Third Party Profile. This value is pre-populated.] |
archerKeyFieldGUIDTP | [GUID of the ‘Security Risk Monitoring ID’ field in Third Party Profile. This value is pre-populated.] |
archerReportGUIDNOTOE | [GUID of ‘DFM:TPSRM – Vendors with no TOE ids’ report in Third Party Profile. This value is pre-populated.] |
archerKeyFieldGUIDNOTOE | [GUID of ‘Third Party ID’ field in Third Party Profile. This value is pre-populated.] |
archerReportGUIDDELETETOE | [GUID of ‘DFM: TPRM Portfolio Delete Request’ report in Third Party Profile. This value is pre-populated.] |
archerFieldGUIDDELETETOE | [GUID of ‘Portfolio Request’ field in Third Party Profile. This value is pre-populated.] |
archerFieldDeleteValueListValue | [GUID of ‘Vendor_Deletion_Successful’ value in ‘Portfolio Request’ value list field in Third Party Profile. This value is pre-populated.] |
ignoreLastRunTime | Uses the LastRunTime data feed token in the last retrieved parameter while fetching Toes results. [should be set to true/false] |
10. The following additional parameters are valid options for the Custom Parameters section:
Key | Type | Value |
---|---|---|
proxy | Protected | [insert the URL of the proxy server] Note: This key should only be entered if you use a proxy server. If you are an Archer Hosted (SaaS) customer, this key is required, and you must contact your Professional Services representative to configure this parameter. |
LastRunTime | N/A | [last_retrieved=YYYY-MM-DD] Passed into the vendors feed to retrieve only ratings that have been updated since the last feed execution. Filters results published or updated after the provided date string in format YYYY-MM-DD. Example: To retrieve results updated on or after 2020-11-20, use the following value: last_retrieved=2020-11-20 |
requestsPerMin | N/A | [Upper threshold of outgoing requests per minute. This value is pre-populated.] |
concurrencyLimit | N/A | [Max number of in-flight requests at any given time. This value is pre-populated.] |
maxRetry | N/A | [Max number of retries per individual requests. This value is pre-populated.] |
archerReportLimit | N/A | [Max number of vendors for which you want to retrieve data. This value is pre-populated and set to 1000 by default.] |
verifyCerts | N/A | [true] or [false] By default, this value is set to true. If you have configured Archer to use HTTPS, and the SSL certificate is self-signed or is another form of non-perfected SSL certificate from a top tier Certificate Authority, you must set this value to false. |
11. Click Save.
(Optional) Import the TPSRM: Create Task Data Feed
This is an optional Archer-to-Archer data feed on your company instance.
1. Log in to your company instance.
2. Go to the Manage Data Feeds page:
   a. From the menu bar, click .
   b. Under Integration, click Data Feeds.
3. In the Manage Data Feeds section, click Import.
4. Locate and select the TPSRM: Create Task.dfx5 data feed file.
5. Verify settings in the General tab.
   a. In the General Information section, set the Status field to Active.
   b. In the Feed Information section, confirm that the Target field is set to Third Party Tickets.
6. Click the Transport tab.
7. In the Transport section, confirm that the Transport Method field is set to Archer Web Services Transporter.
8. In the Security section, in the URL field, insert the URL to your company instance.
9. In the Transport Configuration section, do the following:
   a. In the Search Type field, confirm that Report ID is selected.
   b. In the User Name field, enter the username of a user that has read access to all Third Party Tickets.
      Note: You can add this user to the Third Party: Read Only group for access.
   c. In the Instance field, enter the name of your company instance.
   d. In the Password field, enter the password of the username you provided in the User Name field.
10. If you are an Archer Hosted (SaaS) customer, in the Proxy section, set the Proxy Options field to Use System Proxy.
11. Click Save.
(Optional) Import the TPSRM: Sync Company Tasks to Third Party Instance Data Feed
This is an optional Archer-to-Archer data feed on your third party instance that runs when you choose to assign a task to a third party contact. This data feed creates and syncs Task Management records on your third party instance to match the version on your company instance.
Important: You must create the A2A: Sync Company Tasks to Third Party Instance report on your company instance before you import this data feed. For more information, see Create the A2A: Sync Company Tasks to Third Party Instance Report.
1. Log in to your third party instance.
2. Go to the Manage Data Feeds page:
   a. From the menu bar, click .
   b. Under Integration, click Data Feeds.
3. In the Manage Data Feeds section, click Import.
4. Locate and select the TPSRM: Sync Company Tasks to Third Party Instance.dfx5 data feed file.
5. Verify settings in the General tab.
   a. In the General Information section, set the Status field to Active.
   b. In the Feed Information section, confirm that the Target field is set to Task Management.
6. Click the Transport tab.
7. In the Transport section, confirm that the Transport Method field is set to Archer Web Services Transporter.
8. In the Security section, in the URL field, insert the URL to your company instance.
9. In the Transport Configuration section, do the following:
   a. In the Search Type field, confirm that Report ID is selected.
   b. In the Report field, insert the report ID that you obtained in step 13 of Create the A2A: Sync Company Tasks to Third Party Instance Report.
   c. In the User Name field, enter a user name of a user who has read-only access to Third Party Remediations.
      Note: You can add this user to the Third Party: Read Only group for access. For more information, see Configure Record Permissions.
   d. In the Instance field, enter the name of your company instance.
   e. In the Password field, enter the password of the username you provided in the Username field.
10. If you are an Archer Hosted (SaaS) customer, in the Proxy section, set the Proxy Options field to Use System Proxy.
11. Click Save.
(Optional) Import the TPSRM: Sync Completed Third Party Tasks to Company Instance Data Feed
This is an optional Archer-to-Archer data feed on the company instance that syncs completed third party tasks. This data feed pulls information from the third party instance back to the company instance.
Important: You must create the A2A: Sync Completed Third Party Tasks to Company Instance report on your third party instance before you import this data feed. For more information, see Create the A2A: Sync Completed Third Party Tasks to Company Instance Report.
1. Log in to your company instance.
2. Go to the Manage Data Feeds page:
   a. From the menu bar, click .
   b. Under Integration, click Data Feeds.
3. In the Manage Data Feeds section, click Import.
4. Locate and select the TPSRM: Sync Completed Third Party Tasks to Company Instance.dfx5 data feed file.
5. Verify settings in the General tab.
   a. In the General Information section, set the Status field to Active.
   b. In the Feed Information section, confirm that the Target field is set to Task Management.
6. Click the Transport tab.
7. In the Transport section, confirm that the Transport Method field is set to Archer Web Services Transporter.
8. In the Security section, in the URL field, insert the URL to your third party instance.
9. In the Transport Configuration section, do the following:
   a. In the Search Type field, confirm that Report ID is selected.
   b. In the Report field, insert the report ID that you obtained in step 14 of Create the A2A: Sync Completed Third Party Tasks to Company Instance Report.
   c. In the User Name field, enter a user name of a user who has read-only access to Third Party Remediations.
      Note: You can add this user to the Third Party: Read Only group for access. See Configure Record Permissions for more information.
   d. In the Instance field, enter the name of your third party instance.
   e. In the Password field, enter the password of the username you provided in the User Name field.
10. If you are an Archer Hosted (SaaS) customer, in the Proxy section, set the Proxy Options field to Use System Proxy.
11. Click Save.
Schedule Data Feeds
Important: A data feed must be active and valid to successfully run.
As you schedule your data feed, the Data Feed Manager validates the information. If any information is invalid, an error message displays. You can save the data feed and correct the errors later, but the data feed does not process until you make corrections.
1. Go to the Schedule tab of the data feed that you want to modify.
   a. From the menu bar, click .
   b. Under Integration, click Data Feeds.
   c. Select the data feed.
   d. Click the Schedule tab.
2. Go to the Recurrences section and complete frequency, start and stop times, and time zone. The following table describes the fields in the Recurrences section.
Field | Description |
---|---|
Frequency | Specifies the interval in which the data feed runs, for example, Minutely, Hourly, Daily, Weekly, Monthly, or Reference. Minutely. Runs the data feed by the interval set. For example, if you specify 45 in the Every list, the data feed executes every 45 minutes. Hourly. Runs the data feed by the interval set, for example, every hour (1), every other hour (2), and so forth. Daily. Runs the data feed by the interval set, for example, every day (1), every other day (2), and so forth. Weekly. Runs the data feed based on a specified day of the week, for example, every Monday of the first week (1), every other Monday (2), and so forth. Monthly. Runs the data feed based on a specified week of the month, for example, 1st, 2nd, 3rd, 4th, or Last. Recurrence. Runs the data feed after a specified data feed that runs before the current one. This option indicates to the Data Feed Service that this data feed starts as soon as the referenced data feed completes successfully. For example, you can select to have a Threats data feed run immediately after your Assets data feed finishes. From the Reference Feed list, select the existing data feed after which the current data feed starts. A reference data feed will not run when immediately running a data feed. The Run Data Feed Now option only runs the current data feed. |
Every | Specifies the interval of the frequency in which the data feed runs. |
Start Time | Specifies the time the data feed starts running. |
Start Date | Specifies the date on which the data feed schedule begins. |
Time Zone | Specifies the time zone of the server that runs the data feed. |
3. (Optional) To override the data feed schedule and immediately run your data feed, in the Run Data Feed Now section, click Start.
4. Click Save.
Edit the XSLT
XSLT is a language used for transforming the structure or format of XML documents. XSLT is used to manipulate XML documents into a format that can be properly ingested into Archer. When the Third Party Security Risk Monitoring use case, powered by RiskRecon, adds new security domains to monitor, you must modify the XSLT contained in the TPSRM: Vendors 2024.09 - JST and TPSRM: Issues 2024.09 – JST feeds to account for the changes.
Modify the XSLT in the TPSRM: Vendors 2024.09 - JST Data Feed
The XSLT contained in the TPSRM: Vendors 2024.09 - JST data feed is used to split records in the XML into individual records for each Security Domain. These individual records are populated in the Domain Ratings application and linked back to the master record contained in the Third Party Profile application.
Important: Archer recommends using an API development environment to make an API call to RiskRecon to determine the naming convention used for the new security domain and how it is referenced in the Rating and Web Directory nodes.
1. Log in to your company instance.
2. Go to the Manage Data Feeds page.
   a. From the menu bar, click .
   b. Under Integration, click Data Feeds.
3. Locate and select the TPSRM: Vendors 2024.09 - JST.dfx5 data feed file.
4. Click the Navigation tab.
5. Go to the Xml File Definition section and do the following:
   a. Press CTRL+A to select all the text in the XSLT.
   b. Press CTRL+C to copy all the text in the XSLT.
6. Open an external text editor.
7. Paste the text in the external text editor.
8. Save the file with a new file name to prevent overwriting the original XSLT.
9. To add a new security domain, copy the text beginning with <!--CREATE RECORD FOR WEB ENCRYPTION DOMAIN--> and ending with the </Record> tag before <!--CREATE RECORD FOR WEB APPLICATIONS DOMAIN-->. Using the out-of-the-box XSLT, this represents lines 8-87.
10. Paste the text you copied in step 9 to just after the closing </Record> tag on line 807.
    Note: The </xsl:for-each> command on line 808 should remain on the line directly after the text that you just pasted.
11. Change the newly pasted text that says <!--CREATE RECORD FOR WEB ENCRYPTION DOMAIN--> to <!--CREATE RECORD FOR INSERT NEW DOMAIN TITLE HERE DOMAIN-->.
    - For example, if the new security domain was titled Network Filtering, make the following revision:
      <!--CREATE RECORD FOR NETWORK FILTERING DOMAIN-->
12. Change the text between the <Risk_Recon_Domain> and </Risk_Recon_Domain> tags to the title of the new security domain.
    - For example, if the new security domain was titled Network Filtering, make the following revision:
      <Risk_Recon_Domain>Network Filtering</Risk_Recon_Domain>
13. Change the text between the <Rating> and </Rating> tags to incorporate the title of the new security domain. You must use all lowercase letters with an underscore (_) between words.
    - For example, if the new security domain was titled Network Filtering, make the following revision:
      <Rating>
      <xsl:value-of select="network_filtering_rating"/>
      </Rating>
14. Change the text between the <Web_Directory> and </Web_Directory> tags to incorporate the title of the new security domain. You must use all lowercase letters with an underscore (_) between words.
    - For example, if the new security domain was titled Network Filtering, make the following revision:
      <Web_Directory>
      network_filtering
      </Web_Directory>
15. Save the file in the external text editor.
16. Press CTRL+A to select all the text.
17. Press CTRL+C to copy all the text.
18. Reopen the Archer window that you had open in step 5.
19. In the Xml File Definition section, press CTRL+A to select the original XSLT.
20. To overwrite the original XSLT, press CTRL+V to paste the modified XSLT.
21. Click Save.
Modify the XSLT in the TPSRM: Issues 2024.09 – JST Data Feed
The XSLT contained in the TPSRM: Issues 2024.09 – JST data feed is used to modify the format of the XML that contains the issues linked to each Security Criteria and Security Domain. It also converts the data contained in the security Domain node into a name appropriate for Archer.
Important: Archer recommends using an API development environment to make an API call to RiskRecon to determine the naming convention used for the new security domain and how it is referenced in the Rating and Web Directory nodes.
1. Log in to your company instance.
2. Go to the Manage Data Feeds page.
   a. From the menu bar, click .
   b. Under Integration, click Data Feeds.
3. Locate and select the TPSRM: Issues 2024.09 – JST.dfx5 data feed file.
4. Click the Navigation tab.
5. Go to the Xml File Definition section and do the following:
   a. Press CTRL+A to select all the text in the XSLT.
   b. Press CTRL+C to copy all the text in the XSLT.
6. Open an external text editor.
7. Paste the text in an external text editor.
8. Save the file with a new file name to prevent overwriting the original XSLT.
9. Navigate to the beginning of the <xsl:choose> block contained on line 255 of the out-of-the-box XSLT.
   Note: Within this block, Archer tests the value returned in the security Domain node. Depending on that value, Archer assigns specific text to the RiskRecon Domain variable.
10. Copy the following three lines of code that begin on line 256 and end on line 258:
    <xsl:when test="$securityDomain='software_patching'">
    <xsl:value-of select="'Software Patching'"/>
    </xsl:when>
11. Paste the three lines of code from step 10 after the </xsl:when> tag on line 294 and before the </xsl:choose> tag on line 295.
12. In the lines of code you pasted in step 11, change the text after "$securityDomain= to incorporate the new security domain. You must use all lowercase letters with an underscore (_) between words.
    - For example, if the new security domain was titled Network Filtering, make the following revision:
      <xsl:when test="$securityDomain='network_filtering'">
13. Change the text after the <xsl:value-of select="' text to incorporate the new security domain.
    - For example, if the new security domain was titled Network Filtering, make the following revision:
      <xsl:value-of select="'Network Filtering'"/>
    - After making these changes, the new lines of text should look like the following text:
      <xsl:when test="$securityDomain='network_filtering'">
      <xsl:value-of select="'Network Filtering'"/>
      </xsl:when>
14. Save the file in the external text editor.
15. Press CTRL+A to select all the text.
16. Press CTRL+C to copy all the text.
17. Reopen the Archer window that you had open in step 5.
18. In the Xml File Definition section, press CTRL+A to select the original XSLT.
19. To overwrite the original XSLT, press CTRL+V to paste the modified XSLT.
20. Click Save.
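A check to run on the edited Issues feed XSLT before pasting it back into the Xml File Definition section. This is an added example, not Archer or RiskRecon code. It confirms that every `$securityDomain` branch sits inside `<xsl:choose>`, uses a lowercase underscore key and straight quotes, and it reports which of the security_domain values listed in the Custom Parameters table have no branch. The sample stylesheet, its `Security_Domain` element and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

XSL = "{http://www.w3.org/1999/XSL/Transform}"

# security_domain values listed in the Custom Parameters table on this page.
KNOWN_DOMAINS = frozenset({
    "data_loss", "defensibility", "dns_security", "email_security",
    "network_filtering", "software_patching", "threat_intell",
    "web_app_security", "web_encryption",
})

SMART_QUOTES = "\u201c\u201d\u2018\u2019"  # curly quotes picked up by copy/paste
WHEN_TEST = re.compile(r"\s*\$securityDomain\s*=\s*'([^']*)'\s*")
LITERAL = re.compile(r"\s*'([^']*)'\s*")
KEY_FORMAT = re.compile(r"[a-z0-9]+(?:_[a-z0-9]+)*")

# Constructed stand-in for the <xsl:choose> block of the Issues feed XSLT.
SAMPLE_XSLT = """\
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="issue">
    <xsl:variable name="securityDomain" select="security_domain"/>
    <Security_Domain>
      <xsl:choose>
        <xsl:when test="$securityDomain='software_patching'">
          <xsl:value-of select="'Software Patching'"/>
        </xsl:when>
        <xsl:when test="$securityDomain='web_encryption'">
          <xsl:value-of select="'Web Encryption'"/>
        </xsl:when>
      </xsl:choose>
    </Security_Domain>
  </xsl:template>
</xsl:stylesheet>
"""

# The branch the procedure adds for a domain titled Network Filtering.
NEW_BRANCH = """\
        <xsl:when test="$securityDomain='network_filtering'">
          <xsl:value-of select="'Network Filtering'"/>
        </xsl:when>
"""


def with_branch(xslt_text, branch):
    """Insert a branch just before the first </xsl:choose>, as the procedure describes."""
    return xslt_text.replace("</xsl:choose>", branch + "</xsl:choose>", 1)


def check_domain_mapping(xslt_text, expected=KNOWN_DOMAINS):
    """Return {'errors': [...], 'mapped': {key: label}, 'unmapped': [...]}."""
    errors, mapped = [], {}

    # Curly quotes copied from a rendered page break attribute parsing.
    for lineno, line in enumerate(xslt_text.splitlines(), 1):
        if any(ch in SMART_QUOTES for ch in line):
            errors.append(f"line {lineno}: typographic quote in XSLT source")

    try:
        root = ET.fromstring(xslt_text)
    except ET.ParseError as exc:
        errors.append(f"not well-formed XML: {exc}")
        return {"errors": errors, "mapped": {}, "unmapped": sorted(expected)}

    # ElementTree has no parent pointers, so walk parent/child pairs.
    for parent in root.iter():
        for child in parent:
            if child.tag != XSL + "when":
                continue
            match = WHEN_TEST.fullmatch(child.get("test", ""))
            if match is None:
                continue  # branch tests something other than $securityDomain
            key = match.group(1)
            if parent.tag != XSL + "choose":
                errors.append(f"{key}: xsl:when is outside xsl:choose")
                continue
            if not KEY_FORMAT.fullmatch(key):
                errors.append(f"{key}: key must be lowercase words joined by '_'")
            value_of = child.find(XSL + "value-of")
            label = None
            if value_of is not None:
                label = LITERAL.fullmatch(value_of.get("select", ""))
            if label is None:
                errors.append(f"{key}: no quoted display name in xsl:value-of")
            elif key in mapped:
                errors.append(f"{key}: duplicate branch, only the first one applies")
            else:
                mapped[key] = label.group(1)

    unmapped = sorted(set(expected) - set(mapped))
    return {"errors": errors, "mapped": mapped, "unmapped": unmapped}


if __name__ == "__main__":
    for name, text in (("original", SAMPLE_XSLT),
                       ("edited", with_branch(SAMPLE_XSLT, NEW_BRANCH))):
        report = check_domain_mapping(text)
        print(name, "errors:", report["errors"])
        print(name, "unmapped:", report["unmapped"])
```

Pass the text saved from the external editor to `check_domain_mapping`, and pass the domain names returned by the RiskRecon API as `expected` when they differ from the list on this page.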
Using Third Party Security Risk Monitoring
You can use the Archer Third Party Security Risk Monitoring use case to track the risk ratings for your third parties and manage third party scan results.
Review Risk Ratings
You can review an up-to-date security risk overview of any third party to inform decisions about whether your company should initiate or continue your business relationship with that third party. Ratings are based on a scale from 0-10, with 0 being the worst and 10 being the best. The rating information is updated nightly through the TPSRM: Vendors 2024.09 – JST.dfx5 data feed. Third Party Security Risk Monitoring runs updated scans approximately every 2-4 weeks for each third party.
1. Go to the Third Party Profile page.
   a. From the menu bar, click Third Party Governance.
   b. Click Third Party Catalog.
   c. Click Third Party Profile.
2. Select the third party that you want to review.
3. Go to the RiskRatings tab.
4. In the Security Risk Monitoring Rating Details tab, review the following third party details:
   - Company Description
   - Industry
   - Industry Average
   - Percentile Rank
   - Overall Security Risk Monitoring Rating
5. Select the Overall Security Risk Monitoring Rating to open the third party profile in Third Party Security Risk Monitoring, where you can review the risk rating in more detail.
6. In the Security Risk Monitoring Trend & Heat Map section, review the following third party details:
   - Overall Rating Trend. A visual representation of a third party’s overall Third Party Security Risk Monitoring risk rating over time. The scoring trends allow you to view periods of inclining or declining ratings and address them with your third parties as needed.
   - Third Party Scan Results heat map. A visual representation of the severity and criticality of all open issues for a third party. To open the Third Party Scan Results Heat Map report, do the following:
     a. Click Display Report.
     b. Select a number on the heat map to display the third party scan results matching that asset value and severity level.
7. In the Domain Ratings section, review the individual security domain ratings for the security areas.
8. To review more detailed information about an individual domain rating, click the link under the Domain Rating ID column. This opens the individual domain rating in the Domain Ratings application.
   Important: When new security domains are added by Third Party Security Risk Monitoring, you must modify the XSLT contained in the TPSRM: Vendors 2024.09 – JST and TPSRM: Issues 2024.09 – JST data feeds to account for the changes. For more information, see Edit the XSLT.
9. In the Additional Information tab, review the following third party details:
   - Security Risk Monitoring Subsidiaries
   - Hosting locations
10. Go to the Subcontractors tab to view the fourth parties that provide hosting services to the third party you are reviewing.
11. To review more detailed information about an individual fourth party, click the link under the Subcontractors column. This opens the individual fourth party record in the Subcontractors application.
Manage Third Party Scan Results
Third Party Security Risk Monitoring identifies third party vulnerability issues and ingests that data into Third Party Scan Results through a nightly data feed. You can view the scan results repository to triage issues for response from your third parties. Additionally, you can link third party scan results to tickets and enter the tickets into the Third Party Tickets advanced workflow.
Note: Archer automatically sets the overall status of a Third Party Scan Result vulnerability issue to ‘Verified’ if the Last Seen date is older than 60 days.
Create Tickets
There are multiple options for creating and linking tickets to third party scan results:
-
Bulk Action
-
Scheduled bulk create references (recommended method)
-
On-demand bulk action
-
On-demand bulk update
-
-
Inline Edit
-
Manual Ticket Creation
Create Tickets Using Bulk Action
Bulk actions enable you to take an action on multiple records in a single application simultaneously.
Create a Scheduled Bulk Create Reference (recommended method)
Archer recommends scheduling bulk create references to automatically link third party scan results to tickets. The bulk create reference evaluates all third party scan results that meet your defined filter criteria, and then it groups the scan results into tickets on a scheduled basis. You can create multiple bulk create references for different filter criteria.
Complete the following steps to schedule a bulk create reference:
1. Go to the Third Party Scan Results page.
   a. From the menu bar, click Third Party Governance.
   b. Click Third Party Catalog.
   c. Click Third Party Scan Results.
2. Click , and click Schedules.
3. Click Add New to add a new bulk action schedule.
4. Complete the General Information section.
5. (Optional) In the Notifications section, choose when you want the system to send notifications.
6. In the Recurrences section, schedule the frequency and time you want to run the bulk create reference.
   Important: This schedule correlates with the TPSRM: Issues 2024.09 – JST data feed. Archer recommends that you set the Frequency to the same as or less than the frequency of the TPSRM: Issues 2024.09 – JST data feed and set the Start Time to a later start time than the data feed.
7. In the Filters section, Archer recommends entering the following values:
Field to Evaluate | Operator | Value(s) | Relationships |
---|---|---|---|
Severity | Contains | High, Critical | And |
Vendor | Does Not Equal | No Selection | And |
New Ticket Required? | Contains | Yes | N/A |
   Important: The values you enter in the Severity field correlate to the custom parameters you entered when you imported the TPSRM: Issues 2024.09 – JST data feed. For example, if you entered “severity[]=Medium&severity[]=High&severity[]=Critical” as the key value for minimumSeverity in the data feed, and enter “High, Critical” as the values for Severity in the bulk create reference, then the data feed will ingest medium, high, and critical issues, but the bulk action will filter out the medium issues and only create tickets for high and critical issues.
8. Click Save.
9. In the Bulk Actions section, click Add New.
10. In the General Information section, do the following:
    a. Enter a name for the bulk action.
    b. Enter an alias.
    c. Set the Status to Active.
    d. (Optional) Enter a description for the bulk action.
11. In the Group By field of the Bulk Create Configuration section, Archer recommends that you select the following fields: Security Criteria, Vendor, and Security Domain.
12. In the Field Value Expression section, Archer recommends entering the following values:
Field | Operator | Value(s) |
---|---|---|
Security Criteria | Mapped | Security Criteria |
Security Domain | Mapped | Security Domain |
Ticket Owner | Static | [user] |
Vendor | Mapped | Vendor |
13. Click Save.
14. Click  to close out of Manage Bulk Action and return to Manage Bulk Schedule screen.
15. When you are finished making changes to the scheduled bulk action, click Save and then click .
The bulk action automatically runs on a scheduled basis by grouping third party scan results into new tickets based on the filters you set.
Create an On-Demand Bulk Action
Similar to a scheduled bulk create reference, an on-demand bulk action is a bulk action that allows you to select a batch of third party scan results to triage into tickets. Instead of running on a schedule, an on-demand bulk action allows you to create one-time bulk actions as needed.
Complete the following steps to create an on-demand bulk action:
1. Go to the Third Party Security Risk Monitoring Tickets dashboard.
   a. From the menu bar, click Third Party Governance.
   b. Under Dashboards, select Third Party Security Risk Monitoring Tickets.
2. In the Unassigned Third Party Scan Results iView, click the vertical bar that represents the third party for which you want to link unassigned scan results to tickets.
3. Select the records for which you want to perform an on-demand bulk create.
4. In the Options drop-down menu, select Enable Bulk Create.
   Note: A warning message appears if you select a record that exceeds the limit of 1000 for selecting individual records. You can only apply bulk actions to all search results if the search results exceed 1000. You can lower the number by clicking Modify in the report to modify your search criteria.
5. Select the third party scan results that you want to evaluate and group together.
6. Click Create New Reference.
7. In Reference Field, select Third Party Tickets.
8. Specify the grouping criteria to evaluate the third party scan results and logically group them. For example, you could group third party scan results by Vendor, Security Domain, and Security Criteria.
9. Enter a value for the Ticket Owner.
10. Click Submit.
The system creates the tickets and enrolls them into the Third Party Tickets advanced workflow. The tickets are assigned to the ticket owner specified in step 9.
Perform an On-Demand Bulk Update
On-demand bulk update allows you to update a large selection of existing records.
Complete the following steps to perform an on-demand bulk update:
1. Go to the Third Party Security Risk Monitoring Tickets dashboard.
   a. From the menu bar, click Third Party Governance.
   b. Under Dashboards, select Third Party Security Risk Monitoring Tickets.
2. In the Unassigned Third Party Scan Results iView, click the vertical bar that represents the third party for which you want to link unassigned scan results to tickets.
3. Select the records for which you want to perform an on-demand bulk update.
4. In the Options drop-down menu, select Enable Bulk Update.
   Note: A warning message appears if you select a record that exceeds the limit of 1000 for selecting individual records. You can only apply bulk actions to all search results if the search results exceed 1000. You can lower the number by clicking Modify in the report to modify your search criteria.
5. Update existing records as needed.
6. Click Save Changes.
Update Tickets Using Inline Edit
Inline edit allows you to link third party scan results to existing tickets in a line-by-line process. Inline editing is useful when you only want to update a small number of tickets. If you want to create or update tickets on a larger scale, Archer recommends using bulk action.
Complete the following steps to perform an inline edit:
1. Go to the Third Party Security Risk Monitoring Tickets dashboard.
   a. From the menu bar, click Third Party Governance.
   b. Under Dashboards, select Third Party Security Risk Monitoring Tickets.
2. In the Unassigned Third Party Scan Results iView, click the vertical bar that represents the third party for which you want to link unassigned scan results to tickets.
3. Select the records for which you want to perform an inline edit.
4. In the Options drop-down menu, select Enable Inline Edit.
5. Update individual third party scan results as needed.
6. Click Save.
Create Tickets Manually
If you want to create a ticket for a third party scan result, you can do it manually through the Third Party Scan Results application. This option only allows you to link one third party scan result to one new ticket. Manual ticket creation is not recommended if you have several third party scan results that you want triaged through ticketing.
Complete the following steps to manually create a ticket for a third party scan result:
1. Go to the Third Party Scan Results page.
   a. From the menu bar, click Third Party Governance.
   b. Click Third Party Catalog.
   c. Click Third Party Scan Results.
2. Locate and select the scan result that you want to add a ticket to.
3. In the Third Party Tickets section, click Add New.
4. Complete the General Information section.
5. In the Stakeholders section, assign a Ticket Owner and Ticket Reviewer.
6. (Optional) In the Comments section, add any comments that are applicable to the ticket.
7. Click Save.
The saved ticket is enrolled in the Third Party Tickets advanced workflow and is assigned to the Ticket Owner as specified in the Stakeholders section.
Manage Third Party Tickets
Once a ticket is created and saved, it enters the Third Party Tickets advanced workflow where you can manage your tickets to completion.
Review Third Party Tickets
User: Ticket Owner
When a third party ticket is created, you must decide whether to accept it, reject it, or reassign the ticket to another Ticket Owner.
1. Go to the Third Party Tickets page.
   a. From the menu bar, click Third Party Governance.
   b. Click Third Party Catalog.
   c. Click Third Party Tickets.
2. Select the ticket you want to review.
3. Review all the sections of the ticket.
4. Do one of the following:
   - Accept the ticket. Click Accept.
     The ticket is accepted and can then be routed through the appropriate remediation path.
   - Reject the ticket. Click Reject.
     The ticket is sent to the Ticket Reviewer to confirm the cancelation or re-insert into the workflow by submitting changes.
   - Reassign the ticket. Click Reassign.
     The ticket opens in Edit mode, and you can assign a new Ticket Owner. Once complete, click Assign Ticket, and the system notifies the new Ticket Owner.
Resolve Accepted Tickets
User: Ticket Owner
Once a ticket has been accepted, you must decide how to resolve it.
- Go to the Third Party Tickets page.
  - From the menu bar, click Third Party Governance.
  - Click Third Party Catalog.
  - Click Third Party Tickets.
- Select the ticket you want to resolve.
- Click Edit.
- Review the ticket details.
- Do one of the following:
  - Click Create Exception Request to create an exception request for the ticket.
    A new Exception Requests section is added to the bottom of the ticket. In the Exception Requests section, you can link an existing exception request to the ticket or create a new one. Once the exception has been submitted, the exception request is sent to the Ticket Reviewer for evaluation.
    For more information, see "Managing Exception Requests" in the Archer Issues Management use case documentation.
  - Click Reassign Ticket to reassign the ticket.
    The ticket opens in Edit mode, and you can assign a new Ticket Owner. Once complete, click Assign Ticket, and the system notifies the new Ticket Owner.
  - Click Reject to reject the ticket.
    The ticket is sent to the Ticket Reviewer, who either confirms the cancelation or re-inserts the ticket into the workflow by submitting changes.
  - Click Create Remediation Plan to complete a remediation for the ticket.
    A new Remediation Details section is added to the bottom of the ticket. See Manage Remediations for more information.
Manage Remediations
When a Ticket Owner chooses to resolve a ticket through remediation, a new Remediation Details section is added to the ticket to provide information about the remediation. A ticket can be remediated internally on your company instance or externally on your third party instance by a third party contact.
Create an Internal Remediation on the Company Instance
User: Ticket Owner
To create a remediation on your company instance, do the following:
- Log in to your company instance.
- Go to the Third Party Tickets page.
  - From the menu bar, click Third Party Governance.
  - Click Third Party Catalog.
  - Click Third Party Tickets.
- Select the ticket for which you want to create an internal remediation.
- Click Edit.
- Go to the Remediation Details section.
- Enter any relevant information.
- Confirm that the Send Task to Third Party? field is set to No.
- Do one of the following:
  - If you are prepared to submit the remediation for review, click Submit for Review.
  - If you want to commit your changes but not send the remediation for review, click Save or Save and Close.
Create an External Remediation for the Third Party Instance
User: Ticket Owner
If you want a third party contact to remediate a ticket, you can send a remediation task to them from your company instance to your third party instance. The TPSRM: Create Task data feed creates tasks for third party contacts. Then the TPSRM: Sync Company Tasks to Third Party Instance data feed pulls task information to the third party instance. When the task is complete, the TPSRM: Sync Completed Third Party Tasks to Company Instance data feed pulls the task information back to the company instance.
Important: To send a remediation task to a third party contact, you must have a third party instance set up with user accounts for your third party contacts. The TPSRM: Create Task and the TPSRM: Sync Completed Third Party Tasks to Company Instance data feeds must be imported on your company instance, and the TPSRM: Sync Company Tasks to Third Party Instance data feed must be imported on your third party instance.
- Log in to your company instance.
- Go to the Third Party Tickets page.
  - From the menu bar, click Third Party Governance.
  - Click Third Party Catalog.
  - Click Third Party Tickets.
- Select the ticket for which you want to create an external remediation.
- Click Edit.
- In the Remediation Details section, do the following:
  - In the Expected Remediation Date field, enter the date by which you expect the ticket to be remediated.
  - In the Requested Remediation Details field, enter information that you want the third party contact to review.
  - In the Send Task to Third Party? field, select Yes.
  - In the Third Party Contact(s) field, select the third party contact to whom you want to assign the remediation task.
    Note: The third party contact must have a user account created on both the company and third party instances. The usernames must match.
- (Optional) In the Third Party Attachments section, create and attach a detailed report to the ticket.
  Note: Archer recommends that you create and attach a report that includes all relevant details for each issue to ensure that the third party contact understands each item they need to resolve.
  - In the Third Party Scan Results section, click Display Report to view a report that details the third party scan results attached to the ticket.
  - Click Export.
  - Select the file format in which you want to export the report.
  - Once the export is complete, select Click Here.
  - In the window at the bottom of the screen, click Save As.
  - Enter a file name and select the location to store the file.
  - Click Save.
- In the Third Party Attachments section, click Add New.
  - Locate and select the file you want to attach.
  - Click Open.
  - Click OK.
- Do one of the following:
  - Click Submit for Review. For more information, see Submit a Ticket for Approval.
  - Click Save or Save and Close.
    If you have set up notifications for Task Management in Create Notifications, the system sends an email notification to the third party contact about the creation of a remediation task. The task is assigned to the third party contact in the third party instance through the TPSRM: Sync Company Tasks to Third Party Instance data feed. The system also sends email notifications to the third party contact as the task approaches the due date. When the third party contact completes the task, the system notifies the Ticket Owner, and the task is sent back to the company instance through the TPSRM: Sync Completed Third Party Tasks to Company Instance data feed.
Submit a Ticket for Approval
User: Ticket Owner
You can submit a ticket to a Ticket Reviewer for approval before or after all tasks are complete.
If you click Submit for Review on a ticket before all tasks are complete, the ticket remains in a hold status until all tasks are completed. You do not have to click Submit for Review again. Instead, the system automatically removes the ticket from the hold status and sends it to the Ticket Reviewer once all tasks are complete.
If you want to wait until all tasks are complete, open the ticket in Edit mode and verify that all tasks are closed. Make changes as needed, and then click Submit for Review.
The ticket is sent to the Ticket Reviewer for approval.
Review a Remediated Ticket
User: Ticket Reviewer
When a remediation is created for a ticket, the Ticket Reviewer must decide whether to approve it, reject it, make an update, or reassign the ticket to another Ticket Owner.
- Go to the Third Party Tickets page.
  - From the menu bar, click Third Party Governance.
  - Click Third Party Catalog.
  - Click Third Party Tickets.
- Select the ticket you want to review.
- Click Edit.
- Review the Remediation Details section.
- Do one of the following:
  - Click Approve to approve the remediation.
    The remediation is approved. Once the remediation is verified, the ticket is closed.
  - Click Reject Plan to reject the remediation.
    The ticket is sent back to the Ticket Owner for them to decide whether to create an exception request, reassign the ticket, reject the ticket, or create a new remediation plan.
  - Click Update Remediation Plan to ask for more details about the remediation.
    The ticket is sent back to the Ticket Owner to provide additional details about the remediation plan.
  - Click Reassign to reassign the ticket.
    The ticket opens in Edit mode, and you can then choose a new Ticket Owner. Once complete, click Assign Ticket, and the system notifies the new Ticket Owner.
Certification environment
Date tested: February 2025
Product Name | Version Information | Operating System |
---|---|---|
Archer | 2024.09 | Windows |
RiskRecon | Latest | SAAS |