Here is a small list of the major policies and best practices to manage Shadow IT
Policies To Have
1.Have A Shadow IT Policy
Create a policy document that takes care of the major areas of Shadow IT Management. This will make sure all company assets and services get registered on a single repository from and all major data sharing gets accounted for including an organization’s subdomain, third-party services etc.
2. Use IT Department As A Service-Delivery Organization
Associating every major activity through the IT increases the chances of proper use of the IT infrastructure, mostly making sure major activities are logged. This has certain dependencies on the IT policy of course
3.Guideline For IT Budgeting & Procurement
This is one of the major areas that the policies must take care of. This will allow for all major services being logged and thus the data shared gets logged and gets stopped from becoming Shadow IT
4.Guideline For IT System Consolidation
The IT infrastructure should be very well documented as this allows for the data capture and lose points. The policies must be coherent with the same.
What Not To Do
Practice #1: Use Of Substandard Development Techniques
Shadow application development needs one to have a decent understanding of software architecture, secure programming guidelines etc. Often managers of non-technical background do not have this in place causing sensitive data to be mishandled
Practice #2: Over-Reliance on Shadow Cloud Provider Security
Often times it may be assumed the cloud provider will handle the security needs. The extent of this expectation needs verification. Proper implementation of the security features could make a huge difference.
Practice #3: Unsecured Shadow File Storage / Mobility
How and where files or sensitive data may be stored must be well understood and implemented in the organization. This will mean the organization can track and maintain the logs of the registered data sources. In case of absence of this, on an occurrence of the breach, it is very hard to understand what all got compromised, since there may exist untracked data sources. BYOD could also be such a use case where it increases the efficiency of the worker but adds security issues.
Practice #4: Use of Pre-Hacked Shadow IT Drives
An example of this could be an attack like ‘Bad USB’. In this, the USB firmware (the part that controls the action of the USB when connected) could get administrator rights and pass on data from the endpoint it is connected to. This is hard to identify as the malware-scanning software do not detect it. Thus a compromised hardware could make things very dangerous.
Reference :
https://www.servercentral.com/managing-shadow-it-risks/
https://www.cio.com/article/2380960/byod/6-tips-to-help-cios-manage-shadow-it.html