Data Flow Diagrams

Overview

The goal of the Information System/Data Flow Diagram is to capture the main components of an Information System, how data moves within the system, user-interaction points, and the Authorization Boundary. 

Instructions for Asset Administrators:

  1. Think of this diagram as conceptual rather than technical – multiple systems can be abstracted together, and there's no need to detail every network connection. The Authorization Boundary describes the limits of the Information System, that is, which pieces are currently being assessed. Information Systems often depend on other Information Systems, but those other Information Systems will be assessed independently, and their risk is factored into the current Information System.
  2. Use one of the tools below to document your system's data flow.

     • Microsoft Visio – available to everyone at https://portal.office.com

Example

[Figure: architecture-diagram-generic.png]

Control References

  • NIST Cybersecurity Framework: ID.AM-3
  • NIST SP800-53: AC-4, CA-3, CA-9, PL-8
  • HIPAA Security Rule: 164.308(a)(1)(ii)(A), 164.308(a)(3)(ii)(A), 164.308(a)(8), 164.310(d)
  • PCI DSS 3.2.1: 1.1.2, 1.1.3
  • FERPA PTAC Data Security Checklist: Policy and governance
  • CJIS: 5.10
  • NIST SP800-171: 3.1.3