While shadow IT is often stigmatized as the work of rogue employees, that is typically far from the case. Most employees who turn to shadow IT have no intent to harm the enterprise; they are driven by the functionality of a tool and its ability to provide a competitive advantage. ISACA’s white paper, Shadow IT Primer, highlights controls and good practices for handling shadow IT. Insight from the latest guidance will also be helpful in conjunction with ISACA’s recent Shadow IT Audit/Assurance program.
“While there are certainly risks to shadow IT, it also drives innovation,” said Zach Loeber, senior manager of infrastructure and operations at ISACA, and a contributor to the guidance. “Employees using shadow IT typically have the best intentions in mind—they want to fill a need, add value and seize opportunity. ISACA’s guidance helps organizations leverage those intentions in a more controlled and secure manner.”
The guidance gives common examples of shadow IT, from brand-monitoring software to task management tools, and outlines eight controls and practices for managing shadow IT, including:
These controls help mitigate the most concerning shadow IT-related threats. A recent poll of ISACA members indicated that loss of regulated personal or financial data is the biggest concern (58 percent), followed by exposure of valuable and commercially sensitive information (20 percent) and loss of brand credibility (16 percent).
Once a decision has been made to introduce shadow IT into the workplace, auditors play a role in informing management of the effectiveness of the shadow IT governance, monitoring and management. For guidance on the issue, ISACA developed a shadow IT audit/assurance program, which seeks to:
Built on the premises of “prevent, discover and manage,” the Shadow IT Audit Program allows auditors to identify the scope of organizational functions, systems and assets to be reviewed.