II.C.13(e) Rogue or Shadow IT

Management should have policies explaining that employees should not and are not authorized to use unsanctioned or unapproved IT resources (e.g., online storage services, unapproved mobile device applications, and unapproved devices). Security awareness or information security training should include procedures for identifying and reporting shadow IT.

