
Shadow IT policy


  • Provided by TechRepublic Premium
  • Published November 2, 2017
  • Topic TechRepublic Premium
  • Format PDF
This policy provides guidelines for the appropriate use of shadow IT, explains the restrictions that will apply to it, and defines elements pertaining to employee and IT department responsibilities.

From the policy:

Allowable scenarios
Shadow IT is permitted, but only for non-mission-critical applications, services, or processes. Examples of permitted shadow IT that can be implemented and run by users include development or personal productivity tools, blogging, time tracking, or other elements that are not considered “production.” In short, revenue-generating components, or those that would adversely affect the business if they failed or were unavailable, must remain under the control of the IT department.

Employee responsibilities
Employees seeking alternative/additional technological processes should consult with the IT department to determine whether existing solutions can be applied or IT can implement these required processes for the organization. If not, employees should build a justification explaining what they need, why the alternative works for them, and how they intend to use it. They should present this justification to the IT department for review and approval. Operational requirements (who will maintain the process or processes, what level of access may be granted to users, who will perform support, etc.) must be scoped and documented in advance. This need not be cumbersome and could constitute a single page.

Approved shadow IT solutions (and the employees who utilize them) can follow Tech Pro Research’s Information Security Policy and Cloud Data Storage Policy to ensure that appropriate standards for data management and secure practices are met. In a nutshell, no confidential or sensitive data should be stored in any shadow IT solution without proper controls and handling, such as encryption and access only by authorized personnel.

Complex passwords that change periodically should be used for any external applications/services not directly under IT control. Where possible, the IT department should set up single sign-on access to permit the secure usage of existing corporate credentials.
