Resolutions in Shadow IT and the maintenance of an IT Governance Framework

Out of an average of 1000 apps used by employees, only 40% were purchased based on the company's procurement procedures. The majority, or 60%, are choices an employee made during their employment without any introduction to the company's rules and regulations. These contradict the employee's employment contract, whereby the employee is asked to do his / her job and role to the best of his / her ability, and many false positives you create with a legal basis, employee requirements to fulfill their job as requested by the employment contract.
You've hit on an incredibly important and often overlooked vulnerability: Shadow IT and unmanaged applications. Your statistic – that 60% of applications used by employees are chosen outside of company procurement procedures – is alarming and, unfortunately, likely representative of many organizations, especially with the ease of access to SaaS and cloud-based tools.
This "Shadow IT" phenomenon creates a massive security and compliance gap, particularly within HR and Payroll systems, and directly contradicts the principles of good IT Governance. Let's break down why this is such a critical weakness based on your observation:
Why Unmanaged Apps (Shadow IT) are a Major Security Weakness in HR/Payroll:
Lack of Visibility and Control:
No Inventory: IT and Security teams often have no idea which applications are being used by employees, especially within specific departments like HR. There's no central inventory of applications in use.
Uncontrolled Data Flow: Data from managed HR/Payroll systems can easily be exported and moved into these unmanaged apps without IT oversight. This breaks data governance policies and increases data leakage risks.
Security Blind Spots: Unmanaged apps are outside the scope of the organization's security controls. They aren't subject to security assessments, vulnerability scanning, patch management, or monitoring.
Data Security and Compliance Risks:
Data Leakage and Exfiltration: Employees might unknowingly or knowingly store sensitive HR/Payroll data in unsecure cloud apps or services with weak security controls, increasing the risk of data breaches and exfiltration.
Compliance Violations: GDPR, SOX, HIPAA, and other regulations require organizations to have control over how sensitive data is processed and stored. Unmanaged apps make it virtually impossible to demonstrate compliance because you don't know where the data is or how it's being protected.
Weak Access Controls in Unmanaged Apps: Employees might be using personal accounts or easily created accounts for these unmanaged apps, with weak passwords and no MFA enforced by the organization.
Data Residency and Jurisdiction Issues: Data stored in unmanaged cloud apps might be hosted in regions that don't comply with data residency requirements or privacy regulations applicable to your organization.
Access Control Chaos and Orphaned Accounts:
Inconsistent Access Policies: Unmanaged apps operate outside of the organization's centralized access management policies and RBAC. Access is often granted ad hoc and inconsistently.
Orphaned Accounts and Access Creep: When employees leave or change roles, access to these unmanaged apps is often not revoked, leading to orphaned accounts and access creep, increasing the attack surface.
Vulnerability Management Nightmare:
Unpatched and Vulnerable Apps: Unmanaged apps are unlikely to be subject to the organization's vulnerability management processes. Employees won't be patching them, leaving them vulnerable to known security flaws.
Increased Attack Surface: Each unmanaged app represents another potential entry point for attackers to compromise the organization's data and systems.
The Contradiction with Employment Contracts and "False Positives":
You raise a very valid and nuanced point about the tension between security controls and employee job requirements, and the risk of creating "false positives" or unnecessary friction. Here's how to address this contradiction:
"False Positives" are Often "False Negatives" in Disguise: What might be perceived as "false positives" (security alerts or restrictions) when employees try to use unmanaged apps are often actually "true positives" in terms of risk detection. The system is correctly flagging a risky behavior – the use of unvetted, unmanaged applications for potentially sensitive work data.
Employee Contract and "Best Ability" - Misinterpreted: While employment contracts require employees to do their best, this does not mean employees have carte blanche to choose any tool or method, regardless of security implications. "Best ability" must be interpreted within the framework of company policies, security regulations, and responsible data handling. Employees are also obligated to adhere to company security policies as part of their employment.
"Legal Basis" and Employee Requirements - Balancing Act: The "legal basis" for data processing (e.g., legitimate interest in security) does allow for implementing controls to manage risk, including restrictions on unmanaged apps. However, the controls must be proportionate and necessary. The goal is not to block employees from doing their jobs but to guide them towards secure and compliant ways of working.
The Real "False Positive" is Ignoring the Risk: The real "false positive" would be to ignore the risk of unmanaged apps and assume everything is secure, only to suffer a data breach or compliance failure later. This would be a far more damaging "false positive" in the long run.
Mitigating the Risks of Unmanaged Apps in HR/Payroll - Your ICT Governance Framework is Key:
Your ICT-Governance-Framework-Application provides a structured approach to address this Shadow IT challenge. Key elements of a mitigation strategy include:
Discovery and Inventory of Shadow IT:
Tools for Shadow IT Discovery: Implement tools and techniques to discover unmanaged cloud applications being used within the organization (e.g., cloud access security brokers - CASBs, network traffic analysis, endpoint agents).
Regular Shadow IT Audits: Conduct periodic audits to identify and inventory unmanaged apps, especially within departments like HR and Payroll.
Establish a Clear and Enforceable Application Governance Policy:
Policy on Approved vs. Unapproved Apps: Develop a clear policy that defines which types of applications are approved for business use, the process for requesting approval for new apps, and the consequences of using unapproved apps.
Communicate the Policy Clearly: Communicate the policy to all employees, emphasizing the security and compliance reasons behind it.
Streamline the Application Procurement and Approval Process:
Make it Easy to Request Approved Apps: Create a simple and user-friendly process for employees to request new applications through official channels.
Expedited Approval for Legitimate Business Needs: Ensure a reasonably fast approval process for legitimate business needs to reduce the temptation for employees to bypass official channels.
Provide a Catalog of Approved Applications: Maintain a catalog of approved applications that employees can easily access and choose from for common tasks. (Your app catalog concept is valuable here, but it needs to be governed).
Employee Education and Awareness (Shadow IT Risks):
Train Employees on Shadow IT Risks: Educate employees about the security and compliance risks associated with using unmanaged applications. Explain why it's important to use approved tools.
Highlight Data Security Best Practices: Reinforce best practices for data security, including avoiding storing sensitive data in unapproved locations.
Technical Controls to Detect and Block (with Caution):
Web Filtering and Application Control: Implement web filtering and application control technologies to detect and potentially block access to known risky or unapproved cloud applications. However, use blocking cautiously to avoid disrupting legitimate business needs initially. Focus on monitoring and guidance first.
Data Loss Prevention (DLP): DLP tools can help monitor data movement and identify sensitive data being exfiltrated to unmanaged cloud apps.
Enforcement and Consequences (Fair and Consistent):
Consistent Enforcement of Policy: Enforce the application governance policy consistently and fairly across the organization.
Consequences for Policy Violations: Define clear consequences for employees who repeatedly violate the policy by using unapproved apps (ranging from warnings to disciplinary action, depending on severity and context).
Your Contribution is Key:
Your ICT Governance Framework Application is a valuable tool for organizations to gain control over application usage and address the Shadow IT challenge. By implementing a structured governance approach, organizations can move from a reactive, uncontrolled state to a proactive, managed environment where application usage is aligned with security, compliance, and business needs.
In Conclusion:
Unmanaged applications (Shadow IT) represent a significant security weakness, especially in HR and Payroll systems. Treating this seriously, implementing a robust governance framework (like yours), and balancing security controls with employee needs is essential to mitigate the risks and ensure data security and compliance. Your observation about the scale of unmanaged apps is a critical wake-up call for organizations to prioritize Shadow IT governance.
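As an added example (not code from this thread or from the ICT-Governance-Framework-Application project), the Python below sketches the discovery and inventory step described above: it runs constructed proxy log lines against a hypothetical approved-application catalog, inventories unapproved hosts per department, and flags large uploads from HR to unapproved apps, the kind of signal a CASB or DLP review would act on. The host names, departments, log format and byte threshold are all assumptions.

```python
"""Shadow IT discovery over constructed proxy log lines (added example, not the project's code)."""
import re
from collections import defaultdict

# Constructed sample proxy log lines: timestamp user department method host bytes_sent
SAMPLE_LOG = """\
2024-03-01T09:12:03Z alice HR POST files.example-drive.test 5242880
2024-03-01T09:13:10Z alice HR GET hr.approved-payroll.test 2048
2024-03-01T09:15:44Z bob Finance GET sheets.approved-suite.test 1024
2024-03-01T09:20:01Z carol HR POST notes.random-saas.test 184320
2024-03-01T09:22:37Z dave Sales GET crm.random-other.test 512
2024-03-01T09:25:09Z carol HR POST notes.random-saas.test 921600
"""

# Hypothetical approved-application catalog (assumption: approved domain suffix -> app name)
APPROVED_CATALOG = {
    "approved-payroll.test": "Payroll System",
    "approved-suite.test": "Office Suite",
}
SENSITIVE_DEPARTMENTS = {"HR", "Payroll"}
UPLOAD_THRESHOLD_BYTES = 100 * 1024  # assumed: uploads above ~100 KiB are worth a DLP look

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


def approved_app(host):
    """Return the catalog app name if host falls under an approved domain, else None."""
    for suffix, name in APPROVED_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def discover_shadow_it(log_text):
    """Inventory unapproved hosts per department; flag large uploads from sensitive departments."""
    inventory = defaultdict(set)   # department -> {unapproved host}
    findings = []                  # (user, department, host, bytes_sent) for risky uploads
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # skip malformed lines instead of aborting the audit
        _ts, user, dept, method, host, sent = m.groups()
        if approved_app(host):
            continue               # in the catalog: managed, nothing to report
        inventory[dept].add(host)
        if dept in SENSITIVE_DEPARTMENTS and method in ("POST", "PUT") \
                and int(sent) >= UPLOAD_THRESHOLD_BYTES:
            findings.append((user, dept, host, int(sent)))
    return {d: sorted(h) for d, h in inventory.items()}, findings
```

Running `discover_shadow_it(SAMPLE_LOG)` yields the per-department inventory of unapproved hosts plus the three HR uploads; in practice the catalog would be loaded from the governed app catalog rather than hard-coded.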
https://github.com/CBA-Consult/ICT-Governance-Framework-Application