control, and governance
The Consumerization of IT
As employees increasingly demand to use their personal devices to access the organization's networks, auditors need to ensure the IT department has processes and controls in place to provide access securely.
Internal auditors may have read in recent months about another worrisome security risk, the so-called “consumerization of IT.” This buzz phrase refers to the increasingly common business practice of allowing employees to choose their own personal laptops, tablets, smart phones, and other computing devices and programs for accessing email and other proprietary data. Some of these activities have occurred for many years but within a limited and controlled scope, such as accessing email through a Web portal or accessing work through a Citrix client. Naturally, each of these has its own risks, including downloading data to the employee’s home computer.
The primary difference today is that the use of personal devices in the past was directed by IT, but now with the newer technologies that have become popular, employees are becoming the driving force. IT, in some respects, has fallen behind and is playing catch-up to provide processes to control these devices and minimize risks.
WHY IT’S A CONCERN
The consumerization of IT increases an organization’s IT risk. In response, chief audit executives will need to invest resources into training their IT auditors and direct their focus to the IT department’s implementation of control procedures to mitigate the security and organizational risks these new technologies pose. Also, internal audit needs to update its audit plans to ensure sufficient attention is directed toward the new technologies. This change in focus may require IT staff mitigation to include more IT resources to accommodate the increased use of these technologies.
RISKS AND MITIGATION STRATEGIES
The consumerization of IT poses both organizational and security risks. From an organizational perspective, uncontrolled proliferation of these devices can occur. The IT department needs to ensure usage of personal devices is controlled through policies, procedures, and central management systems. For the IT department to control these new devices, it will need to acquire and become acquainted with these newer technologies.
Increased security risks can occur through unencrypted transmission and storage of corporate data on employees’ personal devices. The organization can protect itself by placing requirements on their usage. Examples include requiring communication with corporate systems through the use of a virtual private network or similar connection, mandating disk encryption of laptop computers or the use of an encryption app for iPhones and iPads, requiring authorization to the corporate network prior to access to any cloud facility, and implementing centralized security management for these devices.
Assigning audit resources to monitor the IT department’s activities in a consulting capacity will assist in risk mitigation. Follow-up audits of the IT department’s efforts also will ensure senior management is aware of the risks and whether the IT department is ensuring appropriate risk mitigation strategies are in place and working effectively.
QUESTIONS TO ASK
Responses to the following questions will provide the internal audit activity basic background information about their organization’s consumerization activities, including their effects on the organization and the manner in which the IT department is coping with this paradigm shift. These questions also could be used as initial planning questions for an audit.
James Reinhard, CIA, CPA, CISA, is audit director at Simon Property Group in Indianapolis.
To comment on this article, email the author at firstname.lastname@example.org.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.