Tips for Fantastic Data Flow Diagrams to Capture Networks Handling CUI

A Data Flow Diagram (DFD) is a visual representation of how data or information flows within a system. A DFD lets you see what information the people taking part in a system’s processes receive and provide. Any organization can use DFDs, and they become even more important when controlled unclassified information (CUI) is involved. By creating and understanding CUI data flow diagrams, you can amend and improve the policies that control your CUI data flow. In this article, we’ll discuss DFDs in detail and how to create them to capture networks handling CUI.

DFD Symbols

DFD symbols are standardized notations such as short-text labels, arrows, circles, and rectangles. These symbols describe the data inputs, the flow direction of a process or system, outputs, sub-processes, and storage points. 

[Figure: Data flow diagrams. Source: PT SlideShare]

External Entity

The external entity, also known as an actor, sink, source, or terminator, is an outside process or system that sends data to or receives data from the diagrammed system. In other words, it is either the destination or the source of information. That’s why an external entity is mostly placed on the edges of a DFD.

Process

A process manipulates the information or its flow by modifying it and generating output. It does this with the help of different mathematical computations that change the data flow or its values. A process usually starts from the top left and finishes on the bottom right of the data flow diagram.

Data Store

A data store, as the name suggests, holds data for later use. It can be a document or file that the system needs to process. A data store receives data from data inputs and forwards it as data output.

Data Flow

Data flow is denoted by a single line with an arrowhead. It is the path that the data takes from an external entity to a process and then to a data store.

Best Practices to Create DFDs

Before you start creating DFDs, keep the following practices in mind:

  • Every process must have at least one input and one output.
  • Every data source must have at least one data flow in and one data flow out.
  • The data that’s stored in the “data store” must go through a “process.”
  • All the processes in your data flow diagram must be linked to another data store or process.
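
The four practices above can be checked mechanically once a diagram is written down as nodes and flows. The following Python sketch is an added example, not part of the original article; the node names and flows are constructed, and it assumes the second rule's "data source" refers to data stores.

```python
from collections import defaultdict

# Constructed sample DFD: node name -> kind ("entity", "process", "store").
NODES = {
    "Customer": "entity",
    "Intake portal": "process",
    "CUI database": "store",
    "Report builder": "process",
    "Archive": "store",
}
# Directed data flows (source, destination).
FLOWS = [
    ("Customer", "Intake portal"),
    ("Intake portal", "CUI database"),
    ("CUI database", "Report builder"),
    ("Customer", "Archive"),  # deliberate defect: store fed without a process
]

def validate_dfd(nodes, flows):
    """Return a sorted list of rule violations for the diagram."""
    ins, outs = defaultdict(set), defaultdict(set)
    problems = []
    for src, dst in flows:
        if src not in nodes or dst not in nodes:
            problems.append(f"flow {src} -> {dst}: undeclared node")
            continue
        outs[src].add(dst)
        ins[dst].add(src)
        # Rule 3: whatever sits at the other end of a store's flow must be a process.
        for store, other in ((src, dst), (dst, src)):
            if nodes[store] == "store" and nodes[other] != "process":
                problems.append(f"flow {src} -> {dst}: store '{store}' not reached through a process")
    for name, kind in nodes.items():
        if kind in ("process", "store"):
            # Rules 1 and 2 (assumption: rule 2 is applied to data stores).
            if not ins[name]:
                problems.append(f"{kind} '{name}': no incoming flow")
            if not outs[name]:
                problems.append(f"{kind} '{name}': no outgoing flow")
        if kind == "process":
            # Rule 4: a process must be linked to another process or a data store.
            peers = (ins[name] | outs[name]) - {name}
            if not any(nodes[p] in ("process", "store") for p in peers):
                problems.append(f"process '{name}': not linked to a store or another process")
    return sorted(problems)
```

Running `validate_dfd(NODES, FLOWS)` on the sample reports the store written directly by an external entity and the two nodes with no outgoing flow.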

Different Levels of DFD

Data flow diagrams can range from linear, simple overviews to complex, granular views of a process or system. They can have multiple levels, starting with level 0 (the most common type).

Level 0

Level 0 DFDs are “context diagrams” that focus primarily on high-level functions or processes. They are designed to be simple, giving you a straightforward overview of a system or process: the data flows to and from its data sources.

Level 1

Level 1 data flow diagrams are known as process decomposition DFDs. They also present a broad overview of a system, but they offer more detail than level 0 DFDs because they break down every process node of your system into sub-processes.

Level 2

Level 2 data flow diagrams offer even more details about any system by breaking down every process of level 1 into multiple granular sub-processes.

Level 3

Level 3 diagrams are very complex DFDs, and they (along with higher-numbered diagrams) aren’t very common. They require a huge amount of detail, and in theory such requirements defeat the basic purpose of DFDs, which is to provide easy-to-understand information.

Tips to Create Effective Data Flow Diagrams

Data flow diagrams created specifically to capture networks handling CUI let you understand where your sensitive data is located and how well it is protected. Consider the practices below to create an effective data flow diagram for such a network.

Identify Boundaries

The first step is to identify all the boundaries of your network’s environment that store sensitive data. It’s also important to identify all the possible network segmentation points that your system uses and the system components that store, process, or transmit sensitive data. Moreover, you must also determine the boundaries between untrusted and trusted networks (both wired and wireless).

Locate Network Protection

You’ll need to locate all the network protections, such as router ACLs, IDSs, and firewalls, surrounding the systems on your network that store, process, or transmit data.

Once you have successfully identified your network’s boundaries and located network protection, you’ll need to follow the complete data life cycle to create an effective DFD.

Data Creation Phase: External Entity

You’ll need to figure out all the points where data comes into your organization. Then you’ll need to identify the business processes (such as call center, sales team, etc.) and technical systems (such as contact center, SFTP server, web server, etc.) where the data is processed.

Data Sharing and Usage Phase: Process

Once you have determined how data is coming to your organization, the next step is to find out how and with whom it’s being shared and what system parts and people can use it.

Data Archive Phase: Data Store

At this point, you’ll need to find out all the places where data is stored and for how long. For example, data may be kept in your cloud system for marketing for one year and in your local database for 10 years.

Data Transmission Phase: Data Flow

In this phase, you’ll need to determine all the possible ways the data is transmitted in your system from one point to another. For example, how employee X receives the data (input), performs some computation (process), and then forwards it (output) to other employees.
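
Once boundaries, protections, and the four lifecycle phases are recorded, the same inventory can tell you which components are in CUI scope and which CUI flows cross a zone boundary with no protection on the path. The Python sketch below is an added example, not from the original article; the zone names, the flows, and the choice to treat only the "internal" zone as trusted are constructed assumptions.

```python
# Constructed inventory: component -> network zone it sits in.
ZONES = {
    "Web server": "dmz",
    "SFTP server": "dmz",
    "Contact center": "internal",
    "Local database": "internal",
    "Marketing cloud": "external",
    "Partner": "external",
}
TRUSTED = {"internal"}  # assumption: every other zone is treated as untrusted

# Constructed flows: (source, destination, carries_cui, protections on the path).
FLOWS = [
    ("Partner", "SFTP server", True, ["firewall"]),
    ("SFTP server", "Local database", True, ["firewall", "IDS"]),
    ("Contact center", "Local database", True, []),   # same zone, no crossing
    ("Local database", "Marketing cloud", True, []),  # crosses with no control
    ("Web server", "Marketing cloud", False, []),     # carries no CUI
]

def cui_scope(flows):
    """Components that send or receive CUI and so belong on the CUI diagram."""
    return sorted({n for s, d, cui, _ in flows if cui for n in (s, d)})

def boundary_crossings(zones, flows):
    """CUI flows whose endpoints sit in different zones, with their controls."""
    crossings = []
    for src, dst, cui, controls in flows:
        if cui and zones[src] != zones[dst]:
            crossings.append({
                "flow": f"{src} -> {dst}",
                "controls": list(controls),
                # True when CUI moves from a trusted zone into an untrusted one.
                "leaves_trusted": zones[src] in TRUSTED and zones[dst] not in TRUSTED,
            })
    return crossings

def unprotected(zones, flows):
    """Crossings with no recorded protection: gaps to close or to document."""
    return [c["flow"] for c in boundary_crossings(zones, flows) if not c["controls"]]
```

On the sample inventory, `unprotected(ZONES, FLOWS)` returns the single flow from the local database to the marketing cloud, which is also the one that leaves the trusted zone.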

Final Words

Data flow diagrams are powerful tools. You can use them to obtain critical information about your organization’s sensitive data and its protection. We hope this guide will help you to create effective DFDs and rectify your network’s weaknesses by identifying affected system components.