Edinburgh City Council to create ‘register of shadow IT’ following audit report recommendation
Edinburgh City Council is to create a register of shadow IT systems that have been purchased by various departments without appropriate controls or oversight.
The city council’s governance, risk and best value committee identified a series of risks around ‘fragmented’ systems that are in use across different departments without the knowledge of the IT department. They are typically externally hosted by a third party supplier, and usually cloud based.
Shadow IT can also include software or hardware such as laptops, smartphones, and scanners that can be connected to an organisation’s network.
Across the council, shadow IT includes technology systems used by directorates and divisions that are not hosted on either the Council’s Corporate or Learning and Teaching networks, or not supported and maintained by Customer and Digital Services and CGI, the Council’s technology partner.
The report said: “Significant control weaknesses were identified both the adequacy of design and operating effectiveness of the key controls established across the Council to manage the security, information, and resilience risks associated with ongoing use of shadow IT and end user computing applications to support delivery of Council services. Consequently, two High rated findings have been raised.
“The first finding highlights the need to refresh the Council’s digital strategy for both the Corporate and Learning and Teaching networks to provide a clear strategic direction for future use and alignment of technology systems across the Council that includes consideration of use of both shadow IT and end user computing applications following assessment of their associated advantages and risks.
“This finding also confirms that there is no current register of shadow IT and end computing user applications used across the Council and notes that Directorates and Divisions are currently procuring shadow IT applications on their own with limited oversight by or engagement with either Commercial and Procurement Services or Digital Services to confirm that all relevant risks have been considered either prior to purchase or in advance of contract extensions through a waiver of the Council’s Contract Standing Orders.”
The report added that the established Digital Service and CGI enterprise architecture governance forum is “limited in its ability to effectively ensure that the Council’s current and future technology architecture is optimised; efficient; provides best value; and remains aligned with the Council’s digital strategy and technology risk appetite”.
As a result the council has agreed to update its digital strategy – first conceived in 2016 – this year that “includes consideration of future use of both networked and cloud-based systems solutions that are aligned with the Council’s strategic and service delivery objectives and applicable security and compliance requirements.”
A separate cloud strategy will also be prepared as part of the overarching digital strategy that outlines the opportunities and risks associated with ongoing and future use of cloud based shadow IT systems.
In addition a council-wide register of shadow IT and end user computing applications will be developed and centrally maintained by Commercial and Procurement Services (CPS).
The pandemic has taught me how to share more – and I feel a better leader for it
As a young professional starting out in the tech sector 30 years ago, I thrived on the fast pace,constant change and demanding workload. I lived in London, Singapore and Australia…
We need to shout about our successes. Liz Fletcher on celebrating women in biotech
Throughout my career in biotechnology and life sciences, I have seen many women leading ground-breaking research studies in their fields of expertise. Yet, and I include myself in this, we…
Getting the best out of patient data is key to unlocking future health benefits in Scotland
It is important that clinicians’ voices are heard in the consultation around Scotland’s new health and care data strategy, which closes this week (12 August). Busy GPs like myself are the trusted…
How motherhood helped me be a better leader
Consider this an open letter to anyone I have worked with before I became a mother and before I fully understood how being a parent is actually a prized asset…
‘We cannot achieve our goals without entrepreneurs’ – Kate Forbes on vision for new ‘tech scaler’ network
From the very start of my ministerial career, I have had responsibility for the Scottish tech sector – and I can still say what I have said from the start,…
Finding a role in cyber was ‘tough’ for Cheryl Torano. Now she’s determined to help other women join an under-represented industry
When I decided to upskill to change careers at the age of 30 and dive into the digital world, I knew I would be starting out at the bottom of…
Why innovation and marketing are the perfect partners to make changes that matter￼
With the rapid evolution of traditional marketing and the appearance of digital marketing, technology and innovation has become part of any marketer’s life without the need of working for a…
Transitioning to a four-day week – CEO’s vow to strike a healthier balance in the workplace
I came to Scotland nearly 20 years ago from Ireland, with no contacts but a lot of determination. While Ireland will always be my home, Scotland has given me amazing…