Shadow IT and Rogue Applications

Authored by Lindsay Timcke; Director, IT & Cyber

The last ten years have seen unprecedented growth in application development and deployment; today there is an application for almost anything you can imagine. From a corporate standpoint, this has led to a dramatic increase in groups, or even individuals, within companies purchasing software that meets their department's needs, often without including the IT department in the decision. The group goes online, identifies the application it wants, and purchases it with a corporate card (most likely) or personally, then submits the expense for reimbursement. Once the application has been purchased, a copy is saved to a network drive or the local C drive, and the application is born and put into "Production". This can and does happen daily at firms around the world.

Over time this application grows in size and complexity, while its user community and its importance to the group's daily tasks also increase. Soon the group requests and (usually) assigns a business analyst whose entire job becomes keeping the application operating and adding new functionality.

Compliance Concerns

The above is a simple example of how a Shadow IT department is born and how rogue applications are introduced into a corporate environment. From a compliance and audit standpoint it raises many points of concern, including: bypassing the corporate System Development Life Cycle (SDLC) and Change Management processes; the application not being backed up under the corporate Backup and Recovery policies; potential non-adherence to the firm's Logical Security Policies (for example, the Password Policy); and exclusion of these rogue applications from the Business Continuity Planning (BCP) and Disaster Recovery (DR) programs.

How can CLA help?

CLA's cybersecurity and data privacy team has years of experience developing policy, performing vendor review assessments and application reviews, responding to cyber incidents, and helping prevent them. Please contact us for help in assessing and mitigating your risk of a cyber attack.

  • 813-384-2735

Kadian currently works with the Information Security Services Group as well as higher education group providing compliance services, outsourcing and co-sourcing engagements and information security assessments.
