Maintain up-to-date data flow diagrams.

CONTROL ID
10059
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a network configuration standard., CC ID: 00530

This Control has the following implementation support Control(s):
  • Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams., CC ID: 13737
  • Establish, implement, and maintain a sensitive information inventory., CC ID: 13736
  • Include information flows to third parties in the data flow diagram., CC ID: 13185
  • Document where data-at-rest and data in transit are encrypted on the data flow diagram., CC ID: 16412
  • Disseminate and communicate the data flow diagrams to interested personnel and affected parties., CC ID: 16407

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A diode (or server connected to the diode) deployed to control data flow in unidirectional gateways monitors the volume of the data being transferred. (Security Control: 0648; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Identify connections that are used to transfer critical information (§ 8.2.8 Subsection 2 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • the communications route, (§ 8.2.8 ¶ 3 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In order to guarantee the interoperability of cloud services, data regarding documented input and output interfaces and in recognised industry standards (e. g. the Open Virtualization Format for virtual appliances) is available in order to support the communication between different components and t… (Section 5.10 PI-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Points of access to the entity's information assets from internal and external users and outside entities and the types of data that flow through the points of access are identified, inventoried and managed. The types of users and the systems authorized to connect to each point of access are identif… (S7.1 Manages points of access, Privacy Management Framework, Updated March 1, 2020)
  • Is there a process to ensure the diagram is kept current? (1.1.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Is there a current diagram that shows all cardholder data flows across systems and networks? (1.1.3 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is there a process to ensure the diagram is kept current? (1.1.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is there a process to ensure the diagram is kept current? (1.1.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is there a current diagram that shows all cardholder data flows across systems and networks? (1.1.3 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is there a process to ensure the diagram is kept current? (1.1.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is there a process to ensure the diagram is kept current? (1.1.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • An accurate data-flow diagram(s) is maintained that meets the following: (1.2.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Shows all account data flows across systems and networks. (1.2.4 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Updated as needed upon changes to the environment. (1.2.4 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Updating all data-flow diagrams per Requirement 1.2.4. (12.5.2 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Updating all data-flow diagrams per Requirement 1.2.4. (A3.2.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation and interview responsible personnel to verify that the data-flow diagram(s) is accurate and updated when there are changes to the environment. (1.2.4.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine data-flow diagram(s) and interview personnel to verify the diagram(s) show all account data flows in accordance with all elements specified in this requirement. (1.2.4.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • An accurate data-flow diagram(s) is maintained that meets the following: (1.2.4, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Shows all account data flows across systems and networks. (1.2.4 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Updated as needed upon changes to the environment. (1.2.4 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An accurate data-flow diagram(s) is maintained that meets the following: (1.2.4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Shows all account data flows across systems and networks. (1.2.4 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Updated as needed upon changes to the environment. (1.2.4 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Updating all data-flow diagrams per requirement 1.2.4. (12.5.2 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Updated as needed upon changes to the environment. (1.2.4 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Shows all account data flows across systems and networks. (1.2.4 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • An accurate data-flow diagram(s) is maintained that meets the following: (1.2.4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Updating all data-flow diagrams per requirement 1.2.4. (12.5.2 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applicatio… (DSI-02, Cloud Controls Matrix, v3.0)
  • Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections, reviewed at planned intervals, supported by documented business justification for use of all services, protocols, and ports allowed, including ration… (IVS-06, Cloud Controls Matrix, v3.0)
  • Create data flow documentation to identify what data is processed, stored or transmitted where. Review data flow documentation at defined intervals, at least annually, and after any change. (DSP-05, Cloud Controls Matrix, v4.0)
  • Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. (CIS Control 3: Safeguard 3.8 Document Data Flows, CIS Controls, V8)
  • Organizational communication and data flows are mapped. (ID.AM-3, CRI Profile, v1.2)
  • The organization identifies, establishes, documents and manages a baseline mapping of network resources, expected connections and data flows. (DE.AE-1.1, CRI Profile, v1.2)
  • The organization identifies, establishes, documents and manages a baseline mapping of network resources, expected connections and data flows. (DE.AE-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Identifying the boundaries of the system and how it interfaces with other systems (¶ 2.113 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Data flow diagrams are in place and document information flow to external parties. (Domain 4: Assessment Factor: Connections, CONNECTIONS Baseline 1 ¶ 4, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Understands how databases interconnect throughout the entity. (App A Objective 3:6f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identifies API request checkpoints for information leaving the network. (App A Objective 13:6i Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management documents and maintains accurate representations (e.g., network diagrams, data flow diagrams, business process flow diagrams, and business process narratives) of the current IT and business environments and employs processes to update the representations. (App A Objective 5:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Maintains accurate network diagrams and data flow charts. (App A Objective 6.10.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should secure access to computer networks through multiple layers of access controls by doing the following: - Establishing zones (e.g., trusted and untrusted) according to the risk profile and criticality of assets contained within the zones and appropriate access requirements within an… (II.C.9 Network Controls, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Current network diagrams and data flow diagrams, including changes to configuration or components. (App A Objective 1:3 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Obtain and review the topology of the financial institution's network, and determine the components involved in the RDC process. Identify the network interfaces with customers using RDC and the technology controls in place. (App A Tier 2 Objectives and Procedures N.1 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Obtain and review the financial institution's data flow or process flow diagram, including relationships with any third-party service providers (if applicable) and the relationships with RDC customers. Identify when the diagram was last updated, and assess whether it is consistent with the system cu… (App A Tier 2 Objectives and Procedures N.1 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Organizational communication and data flows are mapped. (ID.AM-3, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Organizational communication and data flows are mapped. (ID.AM-3, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Examine network topologies to understand data flows through the network. (T0291, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Prepare detailed workflow charts and diagrams that describe input, output, and logical operation, and convert them into a series of instructions coded in a computer language. (T0189, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify network components and their functionality to enable analysis and target development. (T0722, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Examine network topologies to understand data flows through the network. (T0291, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Prepare detailed workflow charts and diagrams that describe input, output, and logical operation, and convert them into a series of instructions coded in a computer language. (T0189, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Representations of the organization's authorized network communication and internal and external network data flows are maintained (ID.AM-03, The NIST Cybersecurity Framework, v2.0)