Data flow analysis is perhaps a new(?) method for analysing, right to the point, the most important data assets. Just so we are all on the same page, by “data assets” we mean end-assets. As Napoleon used to say, one example clarifies everything: Financial Data, Credit Card Numbers, Medical Files, Personal Information, Source Code, Intellectual Property, etc. are data assets.
Now, the first bit of work is to identify these assets. In eramba we do that with the Asset Management module, which helps you systematically go through every major business unit in your organisation in search of this information.
Once you identify the asset, you just need to categorize it as “Data-Asset” and eramba will reference this asset in the Data-Flow Analysis tool.
Once in the Data-Flow Analysis tool, you can add an analysis for each “state” of the data asset:
- When it is created
- When it is deleted
- When it is shared
- When it is discarded
The exercise consists of thinking about which security controls (from the Security Control Catalogue) are used to protect those assets, or to mitigate Risks on them, at each stage.
eramba will notify you when you don’t have controls (in this case on the “Deleted” stage) or when the controls are faulty (they didn’t pass internal audits, or they are not productive). This analysis provides a “right to the point” sort of Risk Analysis, where it becomes evident when something is not being taken care of properly.
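The notification rule described above, sketched as an added example (this is not eramba's code or data model): each data asset maps its four states to controls, and a state is reported when it has no controls or when a control failed its internal audit or is not productive. The `unprotected` flag, which marks a state where every mapped control is faulty, and all asset and control names are assumptions made for this illustration.

```python
from dataclasses import dataclass

# The four states the post lists for a data asset.
STAGES = ("created", "deleted", "shared", "discarded")

@dataclass(frozen=True)
class Control:
    name: str
    audit_passed: bool = True   # result of the last internal audit
    productive: bool = True     # control is actually in production

    def faults(self):
        checks = (("failed internal audit", self.audit_passed),
                  ("not productive", self.productive))
        return [reason for reason, ok in checks if not ok]

def analyse(flows):
    """flows: {asset: {stage: [Control, ...]}}.
    Returns (asset, stage, issue, details, unprotected) tuples."""
    findings = []
    for asset, stages in sorted(flows.items()):
        for stage in STAGES:
            controls = stages.get(stage, [])
            if not controls:
                findings.append((asset, stage, "no controls", [], True))
                continue
            faulty = [f"{c.name}: {', '.join(c.faults())}"
                      for c in controls if c.faults()]
            if faulty:
                # Unprotected (assumption) when every mapped control is faulty.
                findings.append((asset, stage, "faulty controls", faulty,
                                 len(faulty) == len(controls)))
    return findings

# Constructed sample data: asset and control names are illustrative only.
SAMPLE = {
    "Credit Card Numbers": {
        "created": [Control("Database encryption")],
        "shared": [Control("TLS on partner link", audit_passed=False),
                   Control("Access review")],
        "discarded": [Control("Media shredding", productive=False)],
    },
}

if __name__ == "__main__":
    for asset, stage, issue, details, unprotected in analyse(SAMPLE):
        flag = "UNPROTECTED" if unprotected else "degraded"
        print(f"[{flag}] {asset} / {stage}: {issue} {details}")
```

A state whose only controls are faulty is reported as unprotected, just like a state with no controls at all, while a state that still has one working control is reported as degraded.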
It might be too much to say this is an absolute replacement for asset-based Security Risk Analysis, but if you aim to keep things simple, or you don’t feel ready to run a Risk Management program (it is a lot simpler than it sounds), you should give this a try.
It’s also a first step (among many others) if you dream of conquering the Data Loss Prevention (DLP) universe.
Good luck – Esteban