managing it risk beyond core it v3 · 2017. 11. 22. · managing it risk beyond core it june 8,...


Post on 25-Sep-2020


MANAGING IT RISK BEYOND CORE IT

JUNE 8, 2017


AGENDA

• What is Shadow IT
• How did we create this problem
• Defining the problem
• Defining the risks
• What can be done


INTRODUCTION

Shadow IT defined (in simplest terms) – IT systems or solutions being used without proper IT approval.

• Network Appliances
• SaaS Applications
• Email Clients
• Collaboration Platforms
• Mobile Applications


HOW WE GOT HERE


Project Definition

Planning

Development

Test

Acceptance

Go Live


HOW BIG IS THE PROBLEM


IT IS NOT AN ISOLATED PROBLEM


WHAT THIS DOES


RISKS

• The number one thing we have all been saying: COMPLIANCE AND SECURITY
- ISO27001
  - Section 6.1, 15.1 and 15.2
- PCI
  - 2.4, 6.2, 6.3, 6.5, 6.5.1, 8.1.5
- HIPAA
  - 164.308(a)(1)(ii)(A), 164.308(a)(3)(ii)(C), 164.308(a)(6)(ii)
- FedRAMP
  - SI-7, SA-12
- GDPR
  - Section 2 – Article 32, and Section 3 – Article 35


RISK 1 - UNCONTROLLED COSTS/DUPLICATE SERVICES


https://www.servicenow.com/content/dam/servicenow/documents/datasheets/ds-application-portfolio-management.pdf


RISK 2 - INEFFICIENCIES

• Google Drive
• Apple iCloud
• Gmail
• Salesforce
• Facebook
• Cisco WebEx
• Jive
• Microsoft Office 365
• YouTube
• Dropbox

• Box
• Asana
• Evernote
• Google Drive
• Zenefits
• Mailchimp
• Adobe
• Send anywhere
• Slack
• Basecamp


RISK 3 - INTEROPERABILITY


RISK 4 – STRATEGIC ROADMAP


http://www.virtusapolaris.com/services/application-services/outsourced-cto-services/it-strategy-and-roadmap/


WRANGLING THE PROBLEM

- If you are in IT
  - Develop relationship with BU and meet regularly - COMMUNICATE
  - Reduce evaluation times – BE INCLUSIVE
  - Identify weakness that caused Shadow IT in the first place
  - Reinstitute IT as the single gatekeeper for IT deployments
  - Conduct user awareness training and education
  - Conduct Service reviews with BU
  - Conduct Daily log reviews
- If you are not in IT
  - Let IT know what you need
  - Pay attention to the risk of your business
  - Understand all data is sensitive and should not be shared
  - If you use it, alert your management; everything needs protection.


SET UP A PROJECT – MICROSOFT RECOMMENDATIONS

• Step 1 – Find out what people are using
• Step 2 – Control data through granular policies
• Step 3 – Protect data at the file level
• Step 4 – Use behavioral analytics to protect apps and data


https://blogs.microsoft.com/microsoftsecure/2017/04/24/4-steps-to-managing-shadow-it/


SET UP A PROJECT

• Step 1 – Identify
  - Use tools if needed
• Step 2 – Categorize based on users/BU
• Step 3 – Talk to BU/Users to determine needs
• Step 4 – Evaluate risk
• Step 5 – Risk Responses/Determine usage
• Step 6 – Reporting
• Step 7 – Control development
• Step 7 – Education
• Step 8 – Continuous communication


https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/


GAINING MOMENTUM AND QUICK WINS

• Identification of unapproved apps
• Blacklist most dangerous apps
• 30-60-90 day plan to address problem
• Contract clauses


COMMON ENTERPRISE TOOLS

• Netskope
• Skyhigh
• Forcepoint
• McAfee Web Gateway
• ServiceNow


REMEMBER…

• Tools are no good without the right people and processes


PUTTING IT ALL TOGETHER

• BU will always follow the path of least resistance
• IT has to be seen as a resource
• BU have to be responsible for data ownership
• IT has to educate BU on risks to shadow IT
• BU need to communicate needs
• IT has to evaluate technologies quicker
• Organizations need to develop policies
• Organizations need to enable IT to be more agile
• Organizations need to understand risk to compliance and security


QUESTIONS?


THANK YOU

Justin Orcutt, [email protected]

470-249-7810
