About a year and a half ago, I embarked on this great adventure within the Risk Advisory Services team at YHB. I never thought I would get to work with such a great group of smart, driven, client-focused individuals. Nor did I expect to be working with a community bank in rural West Virginia one week and then a BPO in the Philippines a few weeks later. Possibly one of the biggest surprises is how my background in academia translated into a need with our clients. A subject many of my accounting students disliked or struggled with took me outside of the textbook and into the reality of practical application. Three words my co-workers probably wish I’d stop talking about: Data Flow Diagrams (DFDs).
The FFIEC Cybersecurity Assessment Tool requires financial institutions to develop DFDs to meet the Baseline maturity level in Domain 4: External Dependency Management. In my first year, I found some banks struggling through this Domain and frantically trying to understand what a DFD even is. Admittedly, there is not a lot of clear guidance online. Our team realized this and wrote a white paper to help explain the underlying details of a DFD.
After my second audit season, I can say many of my clients are well on their way to documenting the flow of data inside and outside of their network. Most are in the initial phases, having completed one or two diagrams. Others have created data classification documents, mapped several business processes, and have a clear project plan in place.
While I may be a fundamentalist, in the back of my mind I hoped my clients would interject their own culture into these diagrams. I have been pleased to see the progress so many companies have made in developing their own data flow diagrams. I would like to share with you a few key learnings I have gleaned from this audit period.
- A Risk Based Approach: Do not go out and attempt to document the processes in the entire bank. Think about what the critical business processes are first. Ask the following question: “If my company were breached what data would cause the Bank to show up on the front page of the local newspaper?” The answer to that question is a great place to start.
- A team effort: IT folks are great at creating network diagrams, administering applications, and protecting the company’s network. They do not always know the ins and outs of every business process. Nor should we expect they do. The development of data flow diagrams can be facilitated by IT, but the business must drive the conversation.
- External Dependencies: Within the context of the FFIEC CAT, the heart of a data flow diagram is identifying the points at which the company no longer controls the data: every hop where it crosses to a vendor, processor, or other third party. Each of those crossings is an external dependency that belongs on the diagram, along with who receives the data and how it gets there.
- Encryption: Document the method or tool protecting each hop both in transit and at rest (the protocol on the wire, and how the receiving system stores the data). Laying that out hop by hop is what surfaces the weak points: a file that travels over SFTP but lands in cleartext at the vendor, or a feed whose at-rest protection nobody can describe. An answer of "unknown" belongs on the diagram too, because it is itself a finding.
- Learn and Grow: Walking through this process is only going to make you a stronger group of individuals as you increase your understanding of how the company operates. It’s an opportunity I hope everyone embraces.
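One way to put the points above into practice is to keep the flows behind a DFD as a small structured inventory and let a script flag the external crossings and the encryption gaps, prioritized by data class. The following is an added example, not code from the original post or from YHB; the node names, business processes and protection values are constructed samples, and the trust-boundary and gap checks are one reasonable interpretation of the Domain 4 expectations, not a prescribed format.

```python
"""Data-flow inventory as code: list the hops behind a DFD, then flag the
points where data leaves the bank's control and where encryption is missing.
Added example; the flows below are constructed, not from any real institution."""
from dataclasses import dataclass

INTERNAL = "internal"
EXTERNAL = "external"


@dataclass(frozen=True)
class Node:
    name: str
    zone: str          # INTERNAL (bank-controlled) or EXTERNAL (vendor / third party)


@dataclass(frozen=True)
class Flow:
    process: str       # business process this hop belongs to
    src: Node
    dst: Node
    data_class: str    # e.g. "NPI" (nonpublic personal information), "internal", "public"
    in_transit: str    # protection on the wire, e.g. "TLS 1.2", "SFTP", "none"
    at_rest: str       # how dst stores it, e.g. "AES-256", "none", "unknown"


# Constructed sample: a core-banking extract that goes to a statement-printing
# vendor, plus a marketing feed nobody remembered to protect.
CORE = Node("core banking", INTERNAL)
SFTP = Node("bank SFTP server", INTERNAL)
PRINT_VENDOR = Node("statement vendor", EXTERNAL)
ANALYTICS = Node("marketing analytics SaaS", EXTERNAL)

SAMPLE_FLOWS = [
    Flow("statements", CORE, SFTP, "NPI", "TLS 1.2", "AES-256"),
    Flow("statements", SFTP, PRINT_VENDOR, "NPI", "SFTP", "unknown"),
    Flow("marketing", CORE, ANALYTICS, "NPI", "none", "none"),
]

WEAK = {"none", "unknown", ""}


def external_dependencies(flows):
    """Hops where data crosses from a bank-controlled node to an external one:
    the points at which the bank no longer controls the data."""
    return [f for f in flows if f.src.zone == INTERNAL and f.dst.zone == EXTERNAL]


def encryption_gaps(flows):
    """Return (flow, reason) pairs for hops whose transport or storage protection
    is missing or undocumented. 'unknown' counts as a gap: if the vendor cannot
    say how it stores NPI at rest, that is a finding, not an open question."""
    gaps = []
    for f in flows:
        if f.in_transit.lower() in WEAK:
            gaps.append((f, "no encryption in transit"))
        if f.at_rest.lower() in WEAK:
            gaps.append((f, f"at-rest protection {f.at_rest or 'not documented'}"))
    return gaps


def prioritized_gaps(flows, classes=("NPI",)):
    """Risk-based view: only gaps on the data classes that would put the bank on
    the front page (NPI by default), with hops that end at a third party first."""
    ranked = [(f, why) for f, why in encryption_gaps(flows) if f.data_class in classes]
    return sorted(ranked, key=lambda p: (p[0].dst.zone != EXTERNAL, p[0].process))


def to_dot(flows):
    """Render the inventory as Graphviz DOT so the picture and the inventory
    cannot drift apart; external nodes are boxes, so the trust boundary is visible."""
    lines = ["digraph dfd {", "  rankdir=LR;"]
    nodes = {n for f in flows for n in (f.src, f.dst)}
    for n in sorted(nodes, key=lambda n: n.name):
        shape = "box" if n.zone == EXTERNAL else "ellipse"
        lines.append(f'  "{n.name}" [shape={shape}];')
    for f in flows:
        lines.append(f'  "{f.src.name}" -> "{f.dst.name}" '
                     f'[label="{f.data_class} / {f.in_transit}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in external_dependencies(SAMPLE_FLOWS):
        print(f"control leaves bank: {f.process}: {f.src.name} -> {f.dst.name}")
    for f, why in prioritized_gaps(SAMPLE_FLOWS):
        print(f"GAP [{f.data_class}] {f.process}: {f.src.name} -> {f.dst.name}: {why}")
    print(to_dot(SAMPLE_FLOWS))
```

The inventory is deliberately tiny so the business owner can fill it in; the value is in the two questions it forces per hop (who controls the destination, and what protects the data there). Pipe the DOT output through `dot -Tpng` to get the diagram an examiner expects to see, and treat every "unknown" the script reports as a question for the vendor.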
I have been somewhat surprised at the vast array of approaches undertaken. I appreciate everyone that has reached out to us for feedback or further guidance. Our team has a strong desire to make each company and contact better prepared for the unknown. Keep up the amazing work. YHB will always be here to assist you in this journey.
About the Author
Stephen has extensive experience in IT Audit and Advisory Services. His background includes internal and external IT Audit services for state and federal agencies and Fortune 500 companies in retail, manufacturing and financial lending. His expertise spans financial statement audits, SOX, project management, legal and compliance, and data analytics. To further his commitment to IT Security, Stephen has also completed ISACA's Cybersecurity Audit Certificate Program.