The first challenge to securing your data (or meeting compliance) is understanding where your data lives. An alarming number of people I speak with in the industry have no idea how bad their problem is because they only know where half of the data lives and goes.

HALF! That is a BIG problem.

Engaging in data flow mapping exercises can be painful. So painful, that you might be forced to look outside your organization for help!

Yes, VeriSign has a service that does this… OK, shameless plug complete.

Where do you start? In an article that I published last year entitled, “Data Flows Made Easy,” I detail an adaptation of the Design Structure Matrix that can be used to help map data flows in your organization. The first step you have to take is to interview your teams and figure out if the implementation teams that live in the real world of IT have implemented the same system that the designers that live in their perfectly architected world created.

The one drawback to relying only on interviews is that you are victim to the Garbage In, Garbage Out problem. If you have never gone through this type of exercise before, you can be sure that you will have some inaccuracies.

But, when you have gone through the process and have something like Figure 6 in the article, you should find one of the many DLP vendors that have a data discovery feature in their tool to validate that the diagram is complete. Or, you can engage someone like VeriSign to bring in partners and consultants to do this for you.

Trust, but verify.

If you use the data flow method that I have outlined in the article, you will find that your flows are much easier to maintain, and you will spend less time explaining complex Visio diagrams to auditors. Several top, global retailers have taken the concept and converted all of their data flows into this format. It’s the first step in our PCI Program Management offering, but could easily be used in any security or compliance program. It’s a two-dimensional matrix that is begging for someone to write a cool front end interface.

Oh, and to those of you that tried to download the latest Herding Cats and got a Forbidden message, I fixed that, and set the SGID bit on the directory so that should never happen again.

This post originally appeared on

Possibly Related Posts: