Shadow System Control Standard
Updated: May 15, 2025
1. Purpose
The University of North Carolina Board of Governors (BoG) created policy 1400.1 with the purpose of fostering the efficient development and maintenance of strategically aligned information technology within known and acceptable levels of risk. Section IV indicates the following: The institution’s chief information officer shall be vested with such authority as is necessary to successfully oversee the information technology governance program and ensure the establishment and proper implementation and operation of the information technology governance program framework and principles. The purpose of this document is to establish a standard for information technology as it relates to shadow systems.
2. General Statement
ECU has many information systems that serve as systems of record across campus. These systems host (process or store) Level 3 or 4 information, per the ECU Data Classification Levels. All institutional data requires oversight and access controls appropriate to its classification level.
A shadow system is an information service or application that is relied upon for business processes but is not under the control of a Data Steward; that is, the Data Steward is not aware of it and does not support it.
A shadow system is organized and used in a sustained, structured manner to replicate or replace the functionality of an official system of record, rather than serving a temporary, supplemental, or informal role.
The following are examples of Shadow Systems:
- A faculty-maintained database of student records outside of official university systems.
- A department using an unapproved cloud service (e.g., Google Sheets, Dropbox) to store and manage student advising data.
- A research team collecting survey data on personal laptops instead of an ECU-approved storage solution or device.
The following examples are not considered Shadow Systems:
- A short-term data export from a system of record (e.g., pulling Student Information System data into Excel for immediate analysis).
- Faculty storing personal copies of class grades in Excel for reference, provided that the information is not shared or stored long-term outside official systems.
- IT-supported third-party tools that have been reviewed and approved by the Data Stewards via the process outlined in the ‘Exceptions’ section below.
- University emails or Teams messaging (e.g., a faculty member emailing a student their exam grade).
- General student communications that do not contain Personally Identifiable Information or other sensitive information.
It should be understood that neither of these lists is comprehensive. If you have a question about a potential shadow system that does not appear on either list, please contact the appropriate Data Steward.
3. Shadow System Controls for Level 3 & 4 Data
Any Shadow System that stores or processes Level 3 or Level 4 data, as defined by the ECU Data Classification, poses a risk to the university. These risks include the following: lack of user access controls, security risks, lack of visibility for auditing, no disaster recovery, outdated data, erroneous data, limited documentation, and lack of formal process testing. Due to the risk associated with this level of data, Shadow Systems with Level 3 and Level 4 data are prohibited from being used across campus. The authority for this prohibition is granted by UNC Policy 1400.1 to the university’s Chief Information Officer.
4. Exceptions
The requestor should contact the appropriate Data Steward to discuss an exception to the Shadow System Control Standard. If the requestor needs assistance with identifying the Data Steward for the exception, or with determining whether their system is a Shadow System, they may contact the IT Enterprise Data Management Support Services Team (edmss@ecu.edu). Upon confirmation from the Data Steward that an exception is required, the requestor must submit a Risk Acceptance to the Information Security Office via Team Dynamix. Risk Acceptances will be reviewed and routed to the appropriate Data Steward for approval. Data Stewards, at their discretion, may seek additional approvals from their Associate Vice Chancellors or Vice Chancellors. Exception requests must be appropriate given the risk, include the reason for the exception, and include the mitigating controls in place or to be implemented in lieu of the controls in this document.
An approved exception includes the following conditions:
- The Data Steward grants approval to the requestor to support an ongoing business need.
- The requestor agrees to follow the schedule established during review by the Data Steward.
- The requestor acknowledges that ITCS and the Data Steward will not support their Shadow System.
5. Roles and Responsibilities
The Information Security Office will be required to track approved exception requests and will provide current listings to Data Stewards upon request.
The Data Stewards and the Data Stewardship Committee have the primary responsibility for reviewing and tracking shadow systems that contain Level 3 or 4 data.