End user computing: How to manage it securely

This article was originally published on Technology.Info.

An End User Computing (EUC) application is any automated tool developed, owned or operated outside of IT, with the purpose of supporting business operations and decision-making. This usually comprises, but is not limited to, spreadsheets and databases.

EUCs continue to be fundamental to the production of management information and regulatory reporting because of the ease and speed of development.

Security is fast becoming a key risk in terms of reliance on EUCs due to the importance of the reports and the confidentiality of the data. Having a clear mechanism for governance is now a critical part of any business operation.

Illustration of key EUC security risks

Large numbers of EUCs are developed, maintained and managed outside of the IT department. This may lead to support inefficiencies, backup concerns, and unrecognised key person risks.

Poor security management over key data compiled in EUCs may expose the organisation to financial, regulatory and operational risks, depending on the issues involved. Access controls over EUCs are inherently weak, which can result in loss of confidential information.

Other common risks and organisational challenges are:

  • Unauthorised access to sensitive spreadsheets
  • Lack of spreadsheet inventory
  • Data integrity issues
  • Unauthorised changes on key spreadsheets
  • Reliance on unreliable data

The ease of manipulation of data or logic calculations within EUCs may increase the likelihood of fraudulent or rogue activity going unnoticed.

Trends and good practices

Financial Services organisations are increasingly trying to tighten the control around the EUC risks mentioned above.

Technical solutions are now available to provide the level of control needed to deal with these areas, but it is important to focus the use of these tools on the right areas, which is a fundamental requirement of a clear and well-structured governance framework.

What is Good EUC governance?

When an organisation implements good governance around end user computing, it is able to make the following statements about the way it manages its processes and data:

  • Ownership: I know who in my organisation is responsible for the security of each of the key spreadsheets used by my business.
  • Confidentiality: I know which of my spreadsheets contain confidential information, and I have properly secured them.
  • Availability: I know who in my organisation should have access to my key spreadsheets and I have ensured that only those people have access.
  • Escalation: Where I identify an issue with unauthorised access or change to my key spreadsheets, I will be made aware and I know who to report the issue to for resolution.
  • Security controls: I understand the security requirements of each of my key spreadsheets and I have implemented and documented controls that ensure that those requirements are met.
  1. Scanning the network using EUC software
  2. Conversations with the line managers in order to assess the results of the scanning process and identify any further EUCs. A key part of this process is the identification of sensitive or high-risk EUCs.
  • Controls framework implementation

Key EUCs (i.e. those rated high, and potentially medium, risk) should be defined in the EUC policy, and they should have security controls. These controls should be defined based on three different factors:

  1. Confidentiality of the data (i.e. personal data)
  2. Potential material issues (i.e. variances on the EUC can have material impact on the business process)
  3. Reputational issues (i.e. non personal data from clients or providers which could be confidential)

The following security controls should be considered in the EUC framework implementation for the key EUCs:

  1. Access Control (i.e. create, read, update, delete). This control should be managed by the EUC owner, who also grants and removes users' access to the EUC. A good practice in this area is to leverage access controls in Active Directory in order to reduce the risk of unauthorised access to high-risk spreadsheets.
  2. Change Control. Changes in key EUCs should be approved by the owner. A good practice in this area is to record all changes to the EUCs in a log and to keep previous versions of the EUCs.
  3. Input Control. The EUC owner should oversee the inputs on the EUC from applications or other EUCs. It is good practice to identify all information sources which feed the EUC (i.e. applications or other EUCs). This information could be documented in the EUC directory and/or the EUC inventory.
  4. Security in the archiving and backup folders. Because of the confidentiality of the data, previous versions of the EUCs should have the same access controls as the live one. This activity is usually performed by IT.
  5. Security controls documentation. Any action taken regarding a key EUC (i.e. new users, recertification process) should be documented by the business owner. It is good practice to perform a recertification of users in high-risk EUCs to which a large number of users have access.
  6. Segregation of duties/roles and procedures. Segregation should be defined in the EUC policy and monitored by the EUC owner.
  • Periodical security assessment

It is a good practice to perform a risk assessment and gap analysis against expected controls for all EUCs in scope periodically.
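
A minimal sketch of such a periodic gap analysis, added here as an illustration and not part of the original article: it checks each inventoried key EUC against three of the controls above (a named owner, access limited to the owner-approved users, and content matching the last approved version in the change log). The inventory layout, field names and sample data are constructed assumptions.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data: in practice the inventory comes from the EUC scan,
# the approved hash from the change log, and the ACL from the file share.
INVENTORY = [
    {"name": "capital_report.xlsx", "risk": "high", "owner": "j.smith",
     "approved_users": {"j.smith", "a.jones"},
     "approved_sha256": sha256(b"Q3 capital report, formulas v3")},
    {"name": "client_rates.xlsx", "risk": "high", "owner": None,
     "approved_users": {"m.patel"},
     "approved_sha256": sha256(b"client rates v1")},
    {"name": "team_rota.xlsx", "risk": "low", "owner": None,
     "approved_users": set(), "approved_sha256": None},
]
# Observed state at assessment time (constructed).
OBSERVED = {
    "capital_report.xlsx": {"acl": {"j.smith", "a.jones", "temp.contractor"},
                            "content": b"Q3 capital report, formulas v4"},
    "client_rates.xlsx": {"acl": {"m.patel"}, "content": b"client rates v1"},
    "team_rota.xlsx": {"acl": {"everyone"}, "content": b"rota"},
}

def gap_analysis(inventory, observed, key_ratings=("high", "medium")):
    """Return {euc_name: [gap, ...]} for key EUCs that miss an expected control."""
    gaps = {}
    for euc in inventory:
        if euc["risk"] not in key_ratings:
            continue  # only key EUCs (per the EUC policy) are in scope
        found = []
        state = observed.get(euc["name"])
        if not euc["owner"]:
            found.append("ownership: no named owner")
        if state is None:
            found.append("inventory: file not found at inventoried location")
        else:
            extra = sorted(state["acl"] - euc["approved_users"])
            if extra:
                found.append("access control: unapproved users " + ", ".join(extra))
            if sha256(state["content"]) != euc["approved_sha256"]:
                found.append("change control: content differs from approved version")
        if found:
            gaps[euc["name"]] = found
    return gaps

if __name__ == "__main__":
    print(gap_analysis(INVENTORY, OBSERVED))
```

Each reported gap maps to an escalation to the EUC owner: an unapproved user triggers recertification, and a hash mismatch means a change was made without an approved entry in the change log.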

Conclusion

Organisations have typically had an objective to reduce or remove EUCs, but it is becoming clear that with the ever increasing need for reporting to meet new business needs, end user computing will remain a fundamental part of business operations. Rather than attempting to remove it, organisations should understand its use and make sure that it is properly controlled.

Due to the importance of EUCs to the business process and the confidentiality of the data, it is important to assess the EUCs based on risk using a consistent approach, which should be defined in the EUC policy, and to implement security controls around them based on the results of the risk assessment.

Angel Serrano is a member of the London Chapter of ISACA. Angel has been working for the last 8 years at PwC focusing on spreadsheet management. With a background including IT risk assurance and IT security management, he is an MBA and holds CISA, CISM and CRISC certifications.
