Many organizations use End User Computing (EUC) applications in various forms to monitor their operational, functional and financial activities. Organizations take critical business decisions and apply corrective actions based on deviations reported by EUC-produced reports. Most of these applications are developed by an organization's internal business users, which introduces several risks to customer and financial data, as most business users lack process, compliance and regulatory knowledge. This article addresses a risk assessment approach, the critical process gaps introduced during development and maintenance of End User Computing applications, and a risk mitigation plan.
What are the risks associated with End User Computing applications?
Confidentiality, Integrity and Availability (CIA) play a very important role in the development, maintenance and daily execution of EUC applications for any business enterprise. EUC applications are often developed using Excel scripts, Microsoft Access databases and other in-house developed tools.
The reports generated by End User Computing applications may contain summaries of critical transactions and customer and financial data, which could be distributed to unauthorized users through the organization's email. Reports produced by an End User Computing application may also be stored on business users' computers, leading to a confidentiality issue. In the absence of strong and appropriate access control, end users or other potential violators can alter the reports generated by the End User Computing application (integrity), which may lead to improper business decisions. Often, the End User Computing application configuration items are stored either locally on end users' computers or in a shared location, and they do not follow a proper change management process. Again, the absence of strong access control may allow accidental or intentional deletion of End User Computing application configuration items by end users or developers, causing an availability issue.
Risk Assessment Framework
This section describes the risk assessment framework to be developed and used during end user application development, maintenance, execution and disposal. The risk assessment framework has been defined considering the following control areas:
- Data processing
- Report / Output file
- Business continuity
- Change management
- Incident / Problem management
- Access provision / de-provision
- Information security
- Report distribution
- Data privacy
- Disposal of end user computing application
- Disposal of data
Governance on End User Computing Application
This section describes the governance and policies around end user computing applications that need to be developed to address the following scenarios.
- Absence of design document
- Absence of test plan and test case document
- Nonstandard End User Computing application configuration item names (each End User Computing Application developer uses his or her own naming convention)
- Absence of a configuration management system, as users store the end user application configuration items on their desktops
- Absence of logical separation between production and development environments
- Separation of duties does not exist, as the developer may also deploy the End User Computing Application configuration items into production or execute them against the production environment
- Absence of periodic End User Computing Application access control review is a serious threat, as the End User Computing Application is executed against the production database
- Absence of change management process
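As an added example (not from the article), a small Python baseline check that addresses the configuration management and change management gaps listed above: it inventories Excel and Access artifacts on a share by SHA-256 and reports anything added, removed or modified since the approved baseline. The file extensions, paths and file contents are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed set of file types treated as EUC configuration items on the share.
EUC_EXTENSIONS = {".xls", ".xlsx", ".xlsm", ".xlam", ".accdb", ".mdb"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large workbooks need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Inventory every EUC artifact under root: relative path -> SHA-256."""
    root_path = Path(root)
    baseline = {}
    for path in root_path.rglob("*"):
        if path.is_file() and path.suffix.lower() in EUC_EXTENSIONS:
            baseline[path.relative_to(root_path).as_posix()] = sha256_of(path)
    return baseline


def diff_baseline(approved: dict, current: dict) -> dict:
    """Classify changes since the approved baseline for change-management review."""
    return {
        "added": sorted(set(current) - set(approved)),
        "removed": sorted(set(approved) - set(current)),
        "modified": sorted(p for p in approved.keys() & current.keys()
                           if approved[p] != current[p]),
    }


def demo() -> dict:
    """Constructed sample share: one approved macro workbook and one Access database."""
    with tempfile.TemporaryDirectory() as share:
        (Path(share) / "reports").mkdir()
        (Path(share) / "reports" / "month_end.xlsm").write_bytes(b"approved macro v1")
        (Path(share) / "customers.accdb").write_bytes(b"approved db")
        approved = build_baseline(share)
        # Simulate an edit made outside change management and an unreviewed new add-in.
        (Path(share) / "reports" / "month_end.xlsm").write_bytes(b"edited on desktop")
        (Path(share) / "fix.xlam").write_bytes(b"new add-in")
        return diff_baseline(approved, build_baseline(share))
```

Run the stored baseline against the share on a schedule and route any non-empty result to the change management review rather than silently accepting it.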
It is recommended that End User Computing application business users, creators and executors undergo periodic training on information security, organization policies, data privacy and compliance; this helps them take a cautious approach when working with customer data and any financial data. Perform a cost-benefit analysis, migrate user-executed end user computing applications into an automated process, and restrict execution access for critical data.
Authored by Ananda Narayanan G