
Eight Controls to Help Manage Shadow IT and Optimize Its Benefits: ISACA

Posted By - DynamicCISO

While shadow IT is often stigmatized as the work of rogue employees, that is typically far from the case. Most employees who turn to shadow IT have no intent to harm the enterprise; they are drawn by a tool's functionality and its ability to provide a competitive advantage. ISACA's white paper, Shadow IT Primer, highlights controls and good practices for handling shadow IT. Insight from the latest guidance is also useful in conjunction with ISACA's recent Shadow IT Audit/Assurance program.

“While there are certainly risks to shadow IT, it also drives innovation,” said Zach Loeber, senior manager of infrastructure and operations at ISACA, and a contributor to the guidance. “Employees using shadow IT typically have the best intentions in mind—they want to fill a need, add value and seize opportunity. ISACA’s guidance helps organizations leverage those intentions in a more controlled and secure manner.”

The guidance gives common examples of shadow IT, from brand-monitoring software to task management tools, and outlines eight controls and practices for managing it, including:

  • A shadow IT policy
  • IT department as a service-delivery organization
  • IT budgeting and procurement
  • IT system consolidation
  • User education

These controls help mitigate the most concerning shadow IT-related threats. A recent poll of ISACA members indicated that loss of regulated personal or financial data is the biggest concern (58 percent), followed by exposure of valuable and commercially sensitive information (20 percent) and loss of brand credibility (16 percent).

Once a decision has been made to permit shadow IT in the workplace, auditors play a role in informing management of the effectiveness of shadow IT governance, monitoring and management. For guidance on the issue, ISACA developed a shadow IT audit/assurance program, which seeks to:

  • Provide management with an assessment of shadow IT policies, procedures and operating effectiveness
  • Identify control weaknesses that could result in the proliferation of shadow IT solutions and a greater likelihood that shadow IT is not detected
  • Evaluate the effectiveness of the enterprise’s response to, and ongoing management of, shadow IT

Built on the premise of "prevent, discover and manage," the Shadow IT Audit Program allows auditors to identify the scope of organizational functions, systems and assets to be reviewed.
