Shadow System Control Standard
Effective Date: May 2024
Title of Standard: Shadow System Control Standard
Purpose of Standard: The University of North Carolina Board of Governors (BoG) created Policy 1400.1 with the purpose of fostering the efficient development and maintenance of strategically aligned information technology within known and acceptable levels of risk. Section IV, Part B, states the following: The institution’s chief information officer shall be vested with such authority as is necessary to successfully oversee the information technology governance program and ensure the establishment and proper implementation and operation of the information technology governance program framework and principles. The purpose of this document is to establish a standard for information technology as it relates to shadow systems.
Person(s) with Primary Responsibilities: Data Stewards and Data Stewardship Committee
Approved: Chief Information Officer
General Statement: ECU has many information systems that serve as systems of record across campus. These systems host (process or store) Level 3 or Level 4 information, per the ECU Data Classification Levels. All institutional data requires oversight and access controls appropriate to its classification level. To address concerns with information stored in shadow systems across the university, these systems must first be defined. A shadow system is an information service or application relied upon for a business process that is not under the control of the Data Steward; that is, the Data Steward is not aware of it and does not support it.
To provide clarity, Excel exports of data from a system of record to meet a short-term business need or project are not within the scope of this standard. Individuals who export data independently need to understand how frequently the source data is updated, since an export reflects the system of record only as of the moment it was taken and its value is correspondingly short-term.
Shadow System Controls for Level 3 and Level 4 Data: Any Shadow System that stores or processes Level 3 or Level 4 data, as defined by the ECU Data Classification, poses a risk to the university. These risks include the following: lack of user access controls, unmanaged security exposure, lack of visibility for auditing, no disaster recovery, outdated or erroneous data, limited documentation, and untested systems and processes. Due to the risk associated with data at these levels, Shadow Systems holding Level 3 or Level 4 data are prohibited from use across campus. The authority for this prohibition is granted by UNC Policy 1400.1 to the university’s Chief Information Officer.
Exceptions: The requestor should contact the appropriate Data Steward to discuss an exception to the Shadow System Control Standard. If the requestor needs assistance identifying the Data Steward for an exception, contact the IT Enterprise Data Management Support Services Team for assistance (edmss@ecu.edu). Upon confirmation from the Data Steward that an exception is required, the requestor must submit a Risk Acceptance to the Information Security Office via Team Dynamix. Risk Acceptances will be reviewed and routed to the appropriate Data Steward for approval. Data Stewards, at their discretion, may seek additional approvals from their Associate Vice Chancellors or Vice Chancellors. Exception requests must be appropriate given the risk, include the reason for the exception, and include the mitigating controls in place or to be implemented in lieu of the controls in this document.
- The Data Steward grants approval to the requestor to support an ongoing business need.
- The requestor agrees to follow the schedule established during review by the Data Steward.
- The requestor agrees that ITCS and the Data Steward will not support their Shadow System.
Roles and Responsibilities
The Information Security Office is required to track approved exception requests and will provide current listings to Data Stewards upon request.