Shadow IT

In large organizations, shadow IT refers to information technology (IT) systems deployed by departments other than the central IT department in order to bypass limitations and restrictions imposed by central information systems. [1] [2] While it can promote innovation and productivity, shadow IT introduces security risks and compliance concerns, especially when such systems are not aligned with corporate governance. [3]

Origins

Information systems in large organizations can be a source of frustration for their users. [2] In order to bypass limitations of the solutions provided by a centralized IT department, as well as restrictions that are deemed detrimental to individual productivity, non-IT departments might develop independent IT resources for specific or urgent needs. [4] In some cases, IT specialists may be recruited or software solutions procured outside of the centralized IT department, sometimes without the knowledge or approval of corporate governance channels.

Benefits

Although often perceived as an attempt to undermine corporate governance, the existence of shadow IT is often an indicator that the needs of individual departments are not being met by the centrally managed information ecosystem. Thus the immediate benefits of shadow IT are as follows:

Drawbacks

In addition to information security risks, some of the implications of shadow IT are: [6] [7]

Compliance

Shadow IT increases the likelihood of uncontrolled data flows, making it more difficult to comply with various legislations, regulations or sets of best practices. These include, but are not limited to:

Prevalence

Within an organization, the amount of shadow IT activity is by definition unknown, especially since departments often hide their shadow IT activities as a preventive measure to ensure their ongoing operations. Even when figures are known, organizations are reluctant to voluntarily admit their existence. As a notable exception, The Boeing Company has published an experience report [1] describing the number of shadow applications which various departments have introduced to work around the limitations of their official information system.

According to Gartner, by 2015, 35 percent of enterprise IT expenditures for most organizations will be managed outside the central IT department's budget. [11]

A 2012 French survey [12] of 129 IT managers revealed some examples of shadow IT:

Examples

Examples of these unofficial data flows include USB flash drives or other portable storage devices, instant messaging software, Gmail or other online e-mail services, Google Docs or other online document-sharing services, and Skype or other online VoIP software—as well as less obvious products such as self-developed Access databases and self-developed Excel spreadsheets and macros. Security risks arise when data or applications move outside protected systems, networks, physical locations, or security domains.

References

  1. Handel, Mark J.; Poltrock, Steven (2011). "Working around official applications: experiences from a large engineering project". CSCW '11: Proceedings of the ACM 2011 Conference on Computer Supported Cooperative Work. pp. 309–312. doi:10.1145/1958824.1958870. S2CID 2038883.
  2. Newell, Sue; Wagner, Eric; David, Gary (2006). "Clumsy Information Systems: A Critical Review of Enterprise Systems". Agile Information Systems: Conceptualization, Construction, and Management. p. 163. ISBN 1136430482.
  3. Kopper, Andreas; Westner, Markus; Strahringer, Susanne (2020-06-01). "From Shadow IT to Business-managed IT: a qualitative comparative analysis to determine configurations for successful management of IT by business entities". Information Systems and e-Business Management. 18 (2): 209–257. doi:10.1007/s10257-020-00472-6. hdl:10419/288329. ISSN 1617-9854.
  4. Zarnekow, R.; Brenner, W.; Pilgram, U. (2006). Integrated Information Management: Applying Successful Industrial Concepts in IT. ISBN 978-3540323068.
  5. RSA (November 2007). "The Confessions Survey: Office Workers Reveal Everyday Behavior That Places Sensitive Information at Risk" (PDF). Archived from the original (PDF) on February 11, 2012. Retrieved September 15, 2017.
  6. Tamás, Fábián (2022). "Shadow IT in the New IT Management Triangle".
  7. Myers, Noah; Starliper, Matthew W.; Sumers, Scott L.; Wood, David A. (March 8, 2016). "The Impact of Shadow IT Systems on Perceived Information Credibility and Managerial Decision Making".
  8. "Gramm-Leach-Bliley Act".
  9. "Under Construction".
  10. "23 NYCRR 500". govt.westlaw.com. Retrieved 2019-10-17.
  11. "Predictions Show IT Budgets Are Moving Out of the Control of IT Departments". Gartner. Archived from the original on June 29, 2013. Retrieved 2012-04-25.
  12. Chejfec, Thomas (2012-12-18). "Résultats de l'enquête sur le phénomène du « Shadow IT »" [Results of the survey on the "shadow IT" phenomenon]. http://chejfec.com/2012/12/18/resultats-complets-de-lenquete-shadow-it/