Managing IT Risk Beyond Core IT v3 · 2017. 11. 22.
TRANSCRIPT
MANAGING IT RISK BEYOND CORE IT
JUNE 8, 2017
AGENDA
• What is Shadow IT
• How did we create this problem
• Defining the problem
• Defining the risks
• What can be done
INTRODUCTION
Shadow IT defined (in simplest terms): IT systems or solutions being used without proper IT approval.
• Network Appliances
• SaaS Applications
• Email Clients
• Collaboration Platforms
• Mobile Applications
HOW WE GOT HERE
The traditional IT project lifecycle:
• Project Definition
• Planning
• Development
• Test
• Acceptance
• Go Live
HOW BIG IS THE PROBLEM
IT IS NOT AN ISOLATED PROBLEM
WHAT THIS DOES
RISKS
• The number one thing we have all been saying: COMPLIANCE AND SECURITY
- ISO 27001: Sections 6.1, 15.1 and 15.2
- PCI: 2.4, 6.2, 6.3, 6.5, 6.5.1, 8.1.5
- HIPAA: 164.308(a)(1)(ii)(A), 164.308(a)(3)(ii)(C), 164.308(a)(6)(ii)
- FedRAMP: SI-7, SA-12
- GDPR: Section 2 – Article 32, and Section 3 – Article 35
RISK 1 – UNCONTROLLED COSTS/DUPLICATE SERVICES
https://www.servicenow.com/content/dam/servicenow/documents/datasheets/ds-application-portfolio-management.pdf
RISK 2 – INEFFICIENCIES
• Google Drive
• Apple iCloud
• Gmail
• Salesforce
• Facebook
• Cisco WebEx
• Jive
• Microsoft Office 365
• YouTube
• Dropbox
• Box
• Asana
• Evernote
• Google Drive
• Zenefits
• Mailchimp
• Adobe
• Send Anywhere
• Slack
• Basecamp
RISK 3 – INTEROPERABILITY
RISK 4 – STRATEGIC ROADMAP
http://www.virtusapolaris.com/services/application-services/outsourced-cto-services/it-strategy-and-roadmap/
WRANGLING THE PROBLEM
If you are in IT:
- Develop a relationship with the BU and meet regularly – COMMUNICATE
- Reduce evaluation times – BE INCLUSIVE
- Identify the weakness that caused Shadow IT in the first place
- Reinstitute IT as the single gatekeeper for IT deployments
- Conduct user awareness training and education
- Conduct service reviews with the BU
- Conduct daily log reviews
If you are not in IT:
- Let IT know what you need
- Pay attention to the risk of your business
- Understand all data is sensitive and should not be shared
- If you use it, alert your management; everything needs protection.
SET UP A PROJECT – MICROSOFT RECOMMENDATIONS
• Step 1 – Find out what people are using
• Step 2 – Control data through granular policies
• Step 3 – Protect data at the file level
• Step 4 – Use behavioral analytics to protect apps and data
https://blogs.microsoft.com/microsoftsecure/2017/04/24/4-steps-to-managing-shadow-it/
SET UP A PROJECT
• Step 1 – Identify (use tools if needed)
• Step 2 – Categorize based on users/BU
• Step 3 – Talk to BU/users to determine needs
• Step 4 – Evaluate risk
• Step 5 – Risk responses/determine usage
• Step 6 – Reporting
• Step 7 – Control development
• Step 8 – Education
• Step 9 – Continuous communication
https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
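The identification and categorization steps above (and the daily log reviews from the previous slide) can be started before any CASB is bought. This is an added example, not from the deck or any vendor it names: it scans constructed web-proxy log lines, maps destination domains to SaaS apps through an assumed catalogue, and reports per-BU use of apps missing from an assumed approved list.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic): user, business unit, destination host.
SAMPLE_LOG = """\
2017-06-08T09:12:01Z user=alice bu=Marketing dst=drive.google.com bytes=58213
2017-06-08T09:12:07Z user=bob bu=Finance dst=app.box.com bytes=120044
2017-06-08T09:13:40Z user=carol bu=Marketing dst=outlook.office365.com bytes=7321
2017-06-08T09:14:02Z user=dave bu=Engineering dst=api.dropbox.com bytes=993120
2017-06-08T09:15:55Z user=erin bu=Finance dst=www.salesforce.com bytes=4410
2017-06-08T09:16:30Z user=bob bu=Finance dst=app.box.com bytes=88001
"""

# Assumed domain-to-app catalogue and approved-app list; a real one comes from IT's own records.
APP_CATALOGUE = {
    "google.com": "Google Drive", "box.com": "Box", "office365.com": "Microsoft Office 365",
    "dropbox.com": "Dropbox", "salesforce.com": "Salesforce",
}
APPROVED_APPS = {"Microsoft Office 365", "Salesforce"}
LINE_RE = re.compile(r"user=(?P<user>\S+) bu=(?P<bu>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)")

def classify_host(host):
    """Map a destination host to a catalogued app by its longest matching domain suffix."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):          # try drive.google.com first, then google.com
        suffix = ".".join(parts[i:])
        if suffix in APP_CATALOGUE:
            return APP_CATALOGUE[suffix]
    return None                              # unknown destination: not a catalogued SaaS app

def discover_unapproved(log_text):
    """Aggregate unapproved SaaS use as {bu: {app: {"users": set, "hits": int, "bytes": int}}}."""
    report = defaultdict(lambda: defaultdict(lambda: {"users": set(), "hits": 0, "bytes": 0}))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                         # malformed line: skip it rather than abort the review
        app = classify_host(m["dst"])
        if app is None or app in APPROVED_APPS:
            continue
        entry = report[m["bu"]][app]
        entry["users"].add(m["user"])
        entry["hits"] += 1
        entry["bytes"] += int(m["bytes"])
    return {bu: dict(apps) for bu, apps in report.items()}

if __name__ == "__main__":
    print(discover_unapproved(SAMPLE_LOG))   # per-BU view of unapproved SaaS use
```

The per-BU grouping is what Step 2 asks for, and the same output feeds the reporting step once the proxy export is swapped in for the constructed lines.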
GAINING MOMENTUM AND QUICK WINS
• Identification of unapproved apps
• Blacklist the most dangerous apps
• 30-60-90 day plan to address the problem
• Contract clauses
COMMON ENTERPRISE TOOLS
• Netskope
• Skyhigh
• Forcepoint
• McAfee Web Gateway
• ServiceNow
REMEMBER…
• Tools are no good without the right people and processes
PUTTING IT ALL TOGETHER
• BU will always follow the path of least resistance
• IT has to be seen as a resource
• BU have to be responsible for data ownership
• IT has to educate BU on the risks of shadow IT
• BU need to communicate needs
• IT has to evaluate technologies quicker
• Organizations need to develop policies
• Organizations need to enable IT to be more agile
• Organizations need to understand the risk to compliance and security
QUESTIONS?