Include information flows to third parties in the data flow diagram.


CONTROL ID: 13185
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Maintain up-to-date data flow diagrams (CC ID: 10059)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • In case of external connections or wireless communication links (WLAN, UMTS, LTE, etc.) additional details on the external network (e.g. Internet, business partner, name of provider of data transfer as well as type of line, e.g. MPLS, leased line, VPN) should be included. (§ 8.1.4 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • whether the connection has an outside connection, and (§ 8.2.8 ¶ 3 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. (CIS Control 3: Safeguard 3.8 Document Data Flows, CIS Controls, V8)
  • Data flow diagrams are in place and document information flow to external parties. (Domain 4: Assessment Factor: Connections, CONNECTIONS Baseline 1 ¶ 4, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • A network diagram of the transaction flow from the merchant end of the network, through any intermediary processors, to the financial institution, for all types of payment channels. (App A Tier 1 Objectives and Procedures Objective 2:4 Bullet 8, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Obtain and review the financial institution's data flow or process flow diagram, including relationships with any third-party service providers (if applicable) and the relationships with RDC customers. Identify when the diagram was last updated, and assess whether it is consistent with the system cu… (App A Tier 2 Objectives and Procedures N.1 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Telecommunications documentation. Physical and logical telecommunications diagrams should be up to date. The physical diagram should display the physical layout of the facility that houses the LAN and/or WAN, and cable jack numbers should be documented on the physical diagram. Diagrams should also i… (§ 5.3.1 ¶ 1 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))