How to keep track of sensitive data with a data flow map

Expert Bill Hayes describes how to create a data flow map to visualize where sensitive data is processed, how it transits the network and where it's stored.

Data flow maps are a recognized method of tracing the flow of data through a process or physically through a network. For instance, beginning with version 3.0, Payment Card Industry Digital Security Standard paragraph 1.1.3 started calling for the use of a continually updated data flow map that depicts the flow of credit card data inside and outside the cardholder data environment.

Cybersecurity staff implementing data loss prevention products can also use data flow maps during the planning stages to identify the many types of secure data within their organization. The data flow map will depict sensitive information in all of its forms, origins, paths, exit points and storage locations. The map should show where sensitive information is processed, where it transits the organization's network and where it is stored. The protocols and encryption status of sensitive information should also be shown.

A good data flow map can be worked up from a baseline network diagram. This is a high-level diagram that depicts sites with symbols representing key network devices involved in sensitive information handling. Additional information applied to it should be thought of as overlays. For organizations where sensitive data is housed at multiple sites, bird's eye (high-level) and in-the-weeds (detailed) diagrams will be needed. This approach helps to make the flow of sensitive information more comprehensible without a high degree of abstraction.

What to show on a data flow map

The baseline network diagram should show where devices handling sensitive information exist on the network, how they are connected and their physical locations. The diagram overlays should depict network infrastructure devices, servers, endpoints, protocols and all data exit points (including firewalls, printers, CD/DVD burners, backup tape drives and endpoints where sensitive information can be copied to portable media).

Examples of these items include:

  • Firewalls
  • Intrusion detection systems/intrusion prevention systems
  • All network security monitoring devices and any with existing DLP features
  • Security gateways for email and HTTP
  • Load balancers, especially ones containing Web application firewalls
  • Routers and switches
  • DNS servers and Active Directory servers
  • Wireless access points
  • Web servers
  • Application servers handling sensitive information
  • Email servers and all mail transfer agents
  • File servers
  • Database servers
  • FTP servers (also SFTP and scp)
  • Storage area networks
  • Backup servers with associated storage devices and media
  • Remote access points such as virtual private network servers
  • Endpoints such as desktops, laptops, mobile devices
  • Printers (especially identify multifunction printers that contain hard drives and can fax or email documents)
  • Operating systems of each device handling sensitive information
  • Databases containing sensitive information
  • Applications processing sensitive information
  • All protocols handling sensitive information
  • Point-to-point secure data transmission methods used for data traversing and exiting the network
  • Network segments such as demilitarized zone, internal networks, network perimeter
  • Network demarcation points that mark the boundary between your organization and a service provider

Data flow indicators on data flow diagram overlays should depict locations where sensitive information transits through and beyond the organization. The overlays should also show any changes in encryption status of sensitive information and all possible storage locations for sensitive information. Finally, all stages in the lifecycle of sensitive information should be noted where appropriate, including where sensitive information is created, where it is altered and where it is destroyed.

While making a data flow diagram can be daunting, breaking the job up into smaller tasks makes it simpler to implement and maintain. Use simple tables to show where sensitive information flows. Then use these tables to make your data flow diagram overlays. The end result will be something your organization can be proud of and will help it better protect sensitive information.
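As an added illustration (not part of the original article), the following sketch takes one such simple flow table and derives the overlay items described above: storage locations, exit points, nodes where encryption status changes, and a Graphviz DOT overlay. The host names, column names and table rows are constructed assumptions.

```python
import csv, io

# Constructed sample flow table; host names and column names are hypothetical.
FLOW_TABLE = """\
source,destination,protocol,encrypted,dest_stores,dest_is_exit
pos-terminal,app-server,HTTPS,yes,no,no
app-server,db-server,TDS,no,yes,no
db-server,backup-server,NFS,no,yes,no
app-server,payment-processor,HTTPS,yes,no,yes
app-server,mfp-printer,LPD,no,yes,yes
"""

def load_flows(text=FLOW_TABLE):
    """Parse the table and turn the yes/no columns into booleans."""
    flows = list(csv.DictReader(io.StringIO(text)))
    for f in flows:
        for col in ("encrypted", "dest_stores", "dest_is_exit"):
            f[col] = f[col].strip().lower() == "yes"
    return flows

def storage_locations(flows):
    return sorted({f["destination"] for f in flows if f["dest_stores"]})

def exit_points(flows):
    return sorted({f["destination"] for f in flows if f["dest_is_exit"]})

def encryption_changes(flows):
    """Nodes that receive data in one encryption state and forward it in another."""
    return sorted({i["destination"] for i in flows for o in flows
                   if i["destination"] == o["source"] and i["encrypted"] != o["encrypted"]})

def to_dot(flows):
    """Graphviz DOT overlay: boxes store data, double borders are exit points,
    green edges are encrypted and red edges are cleartext."""
    stores, exits = set(storage_locations(flows)), set(exit_points(flows))
    out = ["digraph dataflow {"]
    for n in sorted(stores | exits):
        shape = "box" if n in stores else "ellipse"
        out.append(f'  "{n}" [shape={shape}, peripheries={2 if n in exits else 1}];')
    for f in flows:
        color = "green" if f["encrypted"] else "red"
        out.append(f'  "{f["source"]}" -> "{f["destination"]}" [label="{f["protocol"]}", color={color}];')
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    flows = load_flows()
    print("storage:", storage_locations(flows))
    print("exit points:", exit_points(flows))
    print("encryption changes at:", encryption_changes(flows))
    print(to_dot(flows))
```

Keeping the table as the source of record and regenerating the overlay from it makes it easier to keep the map continually updated.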
