Back To Top

Data Flow Diagrams – Mapping Your Way To Better Security

Today’s business landscape is fast paced, and ever-changing. If you are always reactive instead of proactive, generally, you are losing. Despite this, there is one fact that never changes: threat-actors are always looking for a way in. For hundreds of years protecting your business was about physical security, and while still vital, the evolution of technology has made cybersecurity king.

I know what you are thinking, ‘there is that word again…cybersecurity. We have already addressed it with firewalls, encryption, anti-virus, etc.,’ and the truth is you most likely have implemented all of those items. But how do you know if you are truly secure, if you have not first identified the data in which you are protecting. Thus enters the data flow diagram.

A data flow diagram is an illustrative representation of where specific data resides and flows through an entity’s system, either your own or your vendors’ systems, during a business process. The key takeaways from this definition are as follows:

  • Data is identified both at rest AND in transit
  • Data may reside within your system AND at a vendor, both of which are entities
  • All of this is identified during a specific business process

The beauty of a data flow diagram is that it allows you to visualize the interconnected nature of internal systems and external vendor systems so as to ensure data security throughout the process lifecycle. If your payroll processor has you send and receive sensitive data, i.e. employee payroll information, over unencrypted channels, then not even the best internal cybersecurity posture in the world will protect your data during that phase of the business process. A breach in a similar customer related process would open the bank to financial and reputational loss, as well as a host of regulatory problems.

Data flow diagrams are focused on individual (or interconnected) business processes. It is understandable that an organization may have literally hundreds of business processes. That is why the development of data flow diagrams must be completed from start to finish, as opposed to just drawing some circles and squares on a piece of paper. The process is as follows:

  • Risk Assessments – Corporate governance, vendors, cybersecurity, and key business processes
  • Inventory Listings – Hardware, software, and data – both at rest and in transit
  • Develop the diagrams

The following white paper will provide an in-depth review of the history, the ‘why’, the process, and an example for the creation of data flow diagrams. Data flow diagram development is itself, a process, and an involved one at that. One that at the end of the day will require a significant investment of time from a significant number of people. A cost benefit analysis of the situation, however, will show a significant dividend via improvements in both data security and your overall cybersecurity profile maturity.



YHB’s Risk Advisory Services team provides you the tools to make your information technology and internal controls work for you.
Your IT controls should protect your data, and more importantly your clients’ data in a way that it is secure, available, and accurate. Internal controls outside of IT should also protect your assets from fraud and errors. RAS can provide a thorough review of your controls by experienced professionals. We are CPAs that have devoted our career to Information Technology and internal controls.


Lead Author:

Stephen Weber, MBA, CISA | Manager

Stephen has extensive experience in IT Audit and Advisory Services. His background includes internal and external IT Audit services for state and federal agencies and Fortune 500 companies in retail, manufacturing and financial lending. His expertise spans financial statement audits, SOX, project management, legal and compliance and data analytics. To further his commitment to IT Security, Stephen has also completed the ISACA®’s Cybersecurity Audit Certificate Program.

Expert Contributors: