Edinburgh City Council is to create a register of shadow IT systems that have been purchased by various departments without appropriate controls or oversight. 

The city council’s governance, risk and best value committee identified a series of risks around ‘fragmented’ systems that are in use across different departments without the knowledge of the IT department. They are typically hosted externally by a third-party supplier, and are usually cloud-based.

Shadow IT can also include software or hardware such as laptops, smartphones, and scanners that can be connected to an organisation’s network.

Across the council, shadow IT includes technology systems used by directorates and divisions that are not hosted on either the Council’s Corporate or Learning and Teaching networks, or not supported and maintained by Customer and Digital Services and CGI, the Council’s technology partner.

The report said: “Significant control weaknesses were identified in both the adequacy of design and operating effectiveness of the key controls established across the Council to manage the security, information, and resilience risks associated with ongoing use of shadow IT and end user computing applications to support delivery of Council services. Consequently, two High rated findings have been raised.

“The first finding highlights the need to refresh the Council’s digital strategy for both the Corporate and Learning and Teaching networks to provide a clear strategic direction for future use and alignment of technology systems across the Council that includes consideration of use of both shadow IT and end user computing applications following assessment of their associated advantages and risks.

“This finding also confirms that there is no current register of shadow IT and end user computing applications used across the Council and notes that Directorates and Divisions are currently procuring shadow IT applications on their own with limited oversight by or engagement with either Commercial and Procurement Services or Digital Services to confirm that all relevant risks have been considered either prior to purchase or in advance of contract extensions through a waiver of the Council’s Contract Standing Orders.”

The report added that the established Digital Service and CGI enterprise architecture governance forum is “limited in its ability to effectively ensure that the Council’s current and future technology architecture is optimised; efficient; provides best value; and remains aligned with the Council’s digital strategy and technology risk appetite”.

As a result, the council has agreed to update its digital strategy, first conceived in 2016, this year, with a version that “includes consideration of future use of both networked and cloud-based systems solutions that are aligned with the Council’s strategic and service delivery objectives and applicable security and compliance requirements.”

A separate cloud strategy will also be prepared as part of the overarching digital strategy that outlines the opportunities and risks associated with ongoing and future use of cloud-based shadow IT systems.

In addition, a council-wide register of shadow IT and end user computing applications will be developed and centrally maintained by Commercial and Procurement Services (CPS).