How drawing a simple picture can help to stop an information security breach or cyber security attack, which can help you to maintain the continued viability of your organisation.
An article published on LinkedIn by the National Cyber Security Centre reminded me how I am always amazed that so many organisations struggle to maintain decent and readily accessible network and data flow diagrams that show where their confidential data is processed, where it goes and where it is stored; this requirement is so fundamental for delivering an effective data governance programme and information security strategy, and mandated by numerous regulations and standards.
I use GDPR and PCI DSS as two easy to understand examples; PCI DSS has two explicit requirements:
Req. 1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks; and
Req 1.1.3 Current diagram that shows all cardholder data flows across systems and networks.
GDPR obliges you to prepare a data inventory to map your data flows so that you can understand exactly what personal data you are processing and what you are doing with it:
Article 30 Mandates you to keep records of data processing; and
Article 15 Mandates you to comply with data subject access requests (DSARs), where data subjects have the right to know exactly which of their personal data you are storing.
Without current easy to understand network diagrams it is almost impossible to maintain good information security and data protection or stay compliant with standards and regulations.
Every compliance audit and gap analysis should start with a current network diagram, to help define the scope of the audit and to determine how and where people, process and technology impact the security of data and information assets.
Understanding your starting point and how close this is to where you want to get to, is critical to determine acceptable risk and how vulnerable your organisation is to a cyber security attack resulting in a data breach and loss of confidential information.
Your starting point should be a network and data flow diagram identifying where your confidential data is and where it goes.
Consider the following if you need further evidence of the need for good network and data flow diagrams:
- Do you know if your current starting point is good enough to stop your data being compromised and stolen via a cyber security attack?
- Do you understand where your sensitive and confidential data is processed, transmitted, and stored?
- Do you know if your critical data and information assets are well enough protected by technology, policy and the people in your organisation who use and manage them?
- Do you have a picture of your systems architecture and the connections between different components, from which you can define where data resides, flows, and gets processed?
- If you suffered a cyber security attack and lost confidential data, would you know where to look to understand where your organisations systems had been breached and where the data was stolen from?
If your answer to any of these questions is 'no' or 'I don't know', now is a good time to make sure you have a network and data flow diagram describing your data and information security assets, which shows where your data resides, and to review the controls in place to protect it.
The article I mentioned earlier from the National Cyber Security Centre has some excellent recommendations, hints and tips, and I thoroughly recommend it as a checklist for success when reviewing and updating your network and data flows in a diagram.
Some of the key points made are:
1. To secure a system, you first have to understand it; good architecture diagrams are key to this.
2. A decent diagram is a starting point to understanding the basics of how systems works and how data and information flows; start with a basic high-level concept diagram which provides a summary.
3. Your system design and data flows should be documented, not locked in someone’s head, and a team of people will have several different versions of the diagram in their heads.
4. Keep diagrams simple, written in plain English and up to date.
At UKDataSecure we have the knowledge and experience required to support you in reviewing and updating your current network and data flow diagrams to support your information security strategy and programme; please get in touch at firstname.lastname@example.org or call 02380 972066 or 07824 445375 to talk more about this subject.