CIS Control 3.8 Document Data Flows
The Center for Internet Security Controls, or CIS Controls, have become an industry standard that helps businesses and organizations of all sizes maintain an industry-standard set of cybersecurity controls.
Safeguard 3.8 is about documenting and examining your data flows, which includes service provider data flows, and should be based on the enterprise's data management process. The documentation should be reviewed and updated annually or when significant changes occur.
Documenting your data flows is a way of representing the flow of data through a process or system. This is typically represented in a diagram format and shows the inputs and outputs of each entity and of the process itself. For each data flow, at least one of the endpoints (source and/or destination) must exist in a process.
Data Flow Diagrams can be regarded as inverted Petri nets, because places in such networks correspond to the semantics of data memories.
In simple English, you are going to look at how and where your data flows: from the input to the output, and every system, database, etc. that touches the data in the process. This is not an easy undertaking, and if you're not already covering the earlier-discussed CIS Safeguards, it will be harder. But fear not: like Safeguard 3.7, 3.8 is only required in Implementation Groups 2 and 3, so if you're just getting started with the framework I would not rush to deploy this on day 1.
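The rules described above (at least one process endpoint per flow, service provider flows included, review at least annually) can be checked mechanically once the flows are kept as an inventory. The Python below is an added example, not part of the original post or of CIS material; the node names, the `Flow` record and the 365-day threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

PROCESS, STORE, EXTERNAL = "process", "store", "external"  # DFD node kinds

@dataclass(frozen=True)
class Flow:
    source: str
    dest: str
    data: str
    last_reviewed: date

# Constructed sample inventory: node name -> (kind, run by a service provider?)
NODES = {
    "customer":        (EXTERNAL, False),
    "web_checkout":    (PROCESS, False),
    "orders_db":       (STORE, False),
    "payment_gateway": (PROCESS, True),
    "backup_bucket":   (STORE, True),
}

FLOWS = [  # constructed sample flows
    Flow("customer", "web_checkout", "card number", date(2023, 5, 1)),
    Flow("web_checkout", "payment_gateway", "card number", date(2022, 1, 10)),
    Flow("orders_db", "backup_bucket", "order record", date(2023, 5, 1)),
    Flow("web_checkout", "crm", "email address", date(2023, 5, 1)),
]

def audit(flows, nodes, today, max_age_days=365):
    """Return (flow, problem) pairs for flows that break the documentation rules."""
    findings = []
    for f in flows:
        missing = [n for n in (f.source, f.dest) if n not in nodes]
        if missing:  # a system touches the data but is not in the inventory
            findings.append((f, "undocumented endpoint: " + ", ".join(missing)))
            continue
        if PROCESS not in (nodes[f.source][0], nodes[f.dest][0]):
            findings.append((f, "no process at either endpoint"))
        if (today - f.last_reviewed).days > max_age_days:
            findings.append((f, "review older than a year"))
    return findings

def provider_flows(flows, nodes):
    """Flows that touch a node operated by a service provider."""
    return [f for f in flows
            if any(nodes.get(n, ("", False))[1] for n in (f.source, f.dest))]

if __name__ == "__main__":
    for flow, problem in audit(FLOWS, NODES, today=date(2023, 7, 15)):
        print(f"{flow.source} -> {flow.dest} [{flow.data}]: {problem}")
```

A store-to-store flow such as the backup copy is flagged because the process that performs the copy is missing from the diagram, which is usually where an undocumented job or provider feature is hiding.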