Install and lock down firewalls. Change your passwords. Encrypt this. Encrypt that. Secure it all ad nauseam. And you're done. Right?
Well, not so much...
It takes a thorough understanding of how something works in order to fix it. In the case of security, that means understanding what it is you're trying to secure. The more experienced the security professional (or should I say jaded?), the more likely you are to see him or her perform a data flow mapping as step zero of any infosec project. This exercise isn't just about plotting data points: you're performing a business process analysis and documenting how the business functions. You just happen to be focusing on how the data is stored, transmitted, secured, etc. in the process.
This is a prereq for any PCI security assessment, but it applies to all the other kinds of sensitive data. Does your business deal with SSNs? Protected Health Information? ITAR data? Or is perhaps your own corporate data of value to you?
If so - can you confidently say you know all the places you're currently storing, transmitting, processing, or otherwise touching ___-data? Can you identify all the security measures in place?
IBM Security Services PCI Blog
Andi Baritchi