kras99 -

How to build a shadow IT policy to reduce risks, with template

With a shadow IT policy in place, organizations reduce security risks from unapproved applications and services that employees introduce independently.

Shadow IT represents a major threat to enterprise security. One of the best ways to counter this threat is to put a shadow IT policy in place.

What is shadow IT and why is it a problem?

Shadow IT, also known as stealth IT, has been an enterprise IT security issue for decades. It became more difficult in the wake of the COVID-19 pandemic and subsequent rise in the number of work-from-home employees.

Shadow IT occurs when employees use unapproved applications or devices at work without the knowledge or approval of enterprise IT and security teams. Employees often engage in shadow IT activities due to dissatisfaction with established IT department activities, such as slow response times to problem resolution or refusal to implement an application because they like alternative applications better or are more comfortable using apps they have always used.

Employees usually aren't acting maliciously when using unauthorized technologies and often don't know they're creating problems. Shadow IT, however, introduces risks that can corrupt systems and compromise data privacy, integrity and security.

The top shadow IT worry is unauthorized data access, which could lead to data loss and theft. Loss of control over IT operations can cause havoc for CIOs, senior IT leaders and the company as a whole. Beyond security challenges, shadow IT is also a regulatory compliance risk.

Why you need a shadow IT policy

Many IT professionals recognize the importance of discovering shadow IT activities and mitigating their risks. These activities can add unplanned costs to an IT department. Prevention, therefore, is key.

One of the best ways to prevent shadow IT risk is to introduce a shadow IT policy. A shadow IT policy should establish guidelines to prohibit or limit shadow IT use -- laying out which applications, devices and technologies are acceptable to use at work for work -- and establish procedures to identify suspected shadow IT activity and address it, as well as how to reduce the likelihood it occurs again.

A shadow IT policy also helps reduce noncompliance, as well as prove compliance during an IT audit.

How to write a shadow IT policy

Writing a shadow IT policy is a team sport. IT and security teams should partner with the HR, legal and audit departments when building a policy.

The following sections identify IT and business issues that should be factored into a shadow IT policy.

People issues

  • Set up procedures to identify and address employees suspected of shadow IT activities.
  • Partner with HR and the legal department on issues associated with prosecuting shadow IT hackers.
  • Examine company policy for such activities, for example, reprimand or termination.
  • Examine legal implications if the accused employee fights the termination.
  • Consider retaining external expertise to address shadow IT, such as legal counsel with expertise in IT personnel and operational litigation.

Process issues

  • Establish procedures to recover and reestablish disrupted IT operations. This may simply be using existing operational procedures.
  • Consider technology to identify shadow IT activities.
  • Examine existing technology disaster recovery (DR) plans to ensure they can be used for operational recovery following a shadow IT event.
  • Establish procedures to recover, replace and reactivate mission-critical systems and processes. Existing DR plans and operational procedures may be used.
  • Set up procedures to examine the business impact of a shadow IT event -- for example, lost revenue or reputational damage.
  • Retain external expertise -- vendors and/or consultants -- to assist if the level of disruption caused by shadow IT is significant.
  • Identify potential compliance issues caused by shadow IT, for example, violation of standards and government regulations, such as HIPAA, Gramm-Leach-Bliley Act and Sarbanes-Oxley Act.

Technology operations issues

  • Evaluate technology that identifies and tracks shadow IT activities. These may be internal -- within the organization's IT infrastructure -- or external, for example, cloud services.
  • Establish procedures to dismantle shadow IT activities once they are identified. This may include evaluation for use by the company and movement into a secure operating environment segmented from IT production systems, the network or other resources.
  • Use existing or updated procedures to reestablish compromised network resources.
  • Repair and recover compromised IT hardware, for example, servers, switches, routers and power systems.
  • Repair and recover compromised IT operations, applications and systems.
  • Review and update software and other technology licenses that may have been affected by shadow IT. These may include maintenance and service-level agreements.
  • Retain external expertise to support recovery.

Security operations issues

  • Activate procedures to address physical and logical breaches caused by shadow IT activities. This may include unauthorized entry to a data center or operations center, as well as phishing, ransomware and virus attacks.
  • Activate procedures to address intellectual property theft.
  • Activate procedures to address theft of or damage to physical assets.
  • Activate procedures to reestablish IT physical and logical security operations.
  • Retain external expertise to support recovery.

Facilities operations issues

  • Activate procedures to repair, replace and reactivate data center facilities. This is especially important for organizations with large and/or multiple data centers.
  • Activate procedures to reestablish data center physical security.
  • Retain external expertise to support recovery.

Financial performance issues

  • Examine the business implication of shadow IT activities, for example, financial productivity.
  • Identify and prepare for potential noncompliance penalties for legal, regulatory and government activities, for example, submitting specific reports on time.
  • Retain external expertise to support business recovery.
  • Discuss potential insurance implications with the company's insurance provider(s).

Company performance issues

  • Initiate steps to repair potential damage to the organization's reputation, competitive position, customer loyalty, supply chains and other performance issues.
  • Initiate steps to respond to potential media attention to the shadow IT event.

Shadow IT policy template

Shadow IT is a major threat to IT organizations. Proactive measures, in partnership with other company departments, especially HR and legal, are essential to prevent, identify, address and mitigate shadow IT attacks.

This downloadable template provides a starting point for preparing a policy to address shadow IT activities. The result may be a separate standalone policy, or the content may be added to a larger IT security policy.

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing