Leveraging Technology to Support EUC Policy
Recently, Parimal Patel, Head of Quantitative Methodologies, Group Risk at Schroders, wrote an excellent blog outlining the key components of an End User Computing (EUC) policy. EUC policies are complex and relying upon time-pressured individuals to execute on the true spirit of such guidelines is not only a big ask, but also impractical.
Fundamental to EUC policy enforcement is visibility of the EUC landscape and its structure. Manually, creating a reliable and accurate inventory of EUC applications across the organization is near impossible. Often, EUC users are asked to fill forms to provide details of the EUCs they use and own, but invariably they only provide high-level information and may not even complete the template in entirety. Moreover, the document for completing the EUC inventory is usually another spreadsheet!
Utilizing technology to build an EUC policy
Foremost, technology systems can facilitate EUC policy adherence across the enterprise through the creation of a customized framework, based on the specific EUC policy of organizations. The template to capture the inventory is effectively delivered blank, which organizations can tailor based on their own requirements and EUC management goals. So the initial questions may be, what is the type of EUC (e.g. Excel, Access, Matlab file) and what is the material risk (i.e. operational, regulatory, financial, reputational) of the application to the organization, in addition to any other organization-specific questions.
Subsequently, based on the response to the various questions, further queries might be exposed – i.e. if the file is high risk, then there must be a suitable decommissioning plan inputted. Technology can ensure that this additional information is captured through mandatory fields to support EUC policy compliance.
As the questions are answered, department and ownership information is also captured using Active Directory. This allows an organization to create a consistent, holistic picture of the EUC landscape to provide a clear view of the key files that exist across the organization. For example, if there are 1000 files registered, there would be enough granularity to know that 100 are in the front office, of which 10 are critical and two are pricing models.
Of course, EUC policy controls cannot be based on a ‘point in time’ visibility of the EUC landscape. Technology supports a ‘living’ inventory, not one that is current and up-to-date just once a year at the time of the annual assessment. An EUC application that may have been medium risk at the start of the year, may become high risk later on – with the automation that technology systems provide, that change is automatically recorded and the required policy controls enforced.
Similarly, if a specific EUC owner leaves the organization, the files that need to be ‘re-homed’ can be easily flagged. Ever changing regulatory pressures means that changes to the policy may also be required, so new questions must be added to the inventory questionnaire. With technology, this can be automatically pushed out to users with a request for additional information.
All the registered EUC files can then be automatically subjected to change management and control standards based on the organization’s EUC policy to include version management, access supervision, and protection monitoring alongside audit trails for compliance and risk management. The system also facilitates remediation or decommissioning of EUCs based on the organization’s policy.
It’s worth noting that by ensuring users register EUC files, the ownership of the EUCs then sits with the business, which is their rightful home. EUC files must never be in the sole remit of individual users. Such a situation exacerbates the risks posed by business critical EUC files. The automation delivered by technology provides built-in safeguards for the business to pre-empt and mitigate any risks that emanate from the critical files. Embracing technology is the most reliable, trustworthy and time and cost effective way of enforcing business critical EUC policy.