A few years ago, I was called in to help with a crippling cyberattack on a company. In a crisis, it’s critical for a consultant to orient themselves as quickly as possible. This requires key information: the entry and exit paths, for example. Traditionally, this would involve reviewing network diagrams, data flow diagrams, and data maps. When I asked for these key documents, I got blank stares.
As a result, we lost valuable time with team members drawing pictures, documenting networks, identifying partners, vendors, remote links, and of course, all the associated paths that bad actors could use. Every minute you waste during a crisis reduces your chances of recovery and wastes valuable resources.
All of this waste could have been avoided with the creation of three documents. In any crisis, these documents’ value is radically disproportionate to the amount of time it would have taken to create them. In the worst-case scenario, the combined documents can take a few days. In the normal course of business, a few days is a manageable investment. In the case of a security breach, a few days might mean the difference between recovering or shutting down your business.
So what are these three documents? They are:
- Network diagrams
- Data flow diagrams
- Data map documents
Network diagrams can be completed in a few hours, so I’m always shocked how many companies don’t bother to create them. It’s just a picture of what servers/instances/services you have running in your environment. It shows all the systems that keep your business running. It includes details such as location, IP address, machine name, purpose — anything that would help you identify the system without your team being present.
Companies often combine the network and data flow diagrams. I like to separate them. Kept on its own, the data flow diagram shows precisely where your data is stored, where it is transmitted, and via which medium. Think of a road map with directions to and from the systems, suppliers, and partners that shows how your data moves. This chart should include ports, logs, flow direction, location, and everything else that will help you detect where data is transmitted and stored.
Creating this chart requires tracking down every vendor or partner you work with and how you communicate with them. It’s not onerous, but it takes time. Start with a list from finance and work your way through each department to the outside world. You will use this list extensively in the last document.
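The data flow chart described above, captured as a queryable edge list rather than only a picture, so a responder can answer "what are the entry and exit paths?" and "where could data from this host have gone?" on day one. This is an added example and not part of the original article; every system name, partner, port and flag below is constructed.

```python
"""Data flow diagram as structured records: source, destination, port/protocol,
what data moves, and whether the link is logged. Added example; all values
are constructed placeholders, not a real environment."""
from collections import deque

# Hosts that sit outside our own network (vendors/partners). Constructed.
EXTERNAL = {"payments-vendor", "hr-vendor"}

# One record per link. "logged" records whether we keep flow/application logs
# for it, because an unlogged external link is a blind spot during an incident.
FLOWS = [
    {"src": "web-app-01", "dst": "db-01", "port": 5432, "proto": "tcp",
     "data": ["customer PII"], "logged": True},
    {"src": "web-app-01", "dst": "payments-vendor", "port": 443, "proto": "tcp",
     "data": ["card tokens"], "logged": True},
    {"src": "hr-vendor", "dst": "hr-sync-01", "port": 22, "proto": "tcp",
     "data": ["employee records"], "logged": False},
    {"src": "hr-sync-01", "dst": "db-01", "port": 5432, "proto": "tcp",
     "data": ["employee records"], "logged": True},
]


def external_paths(flows, external):
    """Every link that crosses the network boundary, with its direction.
    Returns (partner, direction, proto/port, logged) tuples in flow order."""
    paths = []
    for f in flows:
        if f["dst"] in external:
            partner, direction = f["dst"], "outbound"
        elif f["src"] in external:
            partner, direction = f["src"], "inbound"
        else:
            continue  # purely internal link
        paths.append((partner, direction, f"{f['proto']}/{f['port']}", f["logged"]))
    return paths


def unlogged_external(flows, external):
    """Boundary links with no logging: gaps to close before an incident, and the
    links where evidence will be missing during one."""
    return [p for p in external_paths(flows, external) if not p[3]]


def reachable_from(flows, start):
    """Systems downstream of `start` following flow direction: the scope a
    responder must check if `start` is compromised. Breadth-first search."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for f in flows:
            if f["src"] == node and f["dst"] not in seen:
                seen.add(f["dst"])
                queue.append(f["dst"])
    return sorted(seen)


if __name__ == "__main__":
    for path in external_paths(FLOWS, EXTERNAL):
        print("boundary link:", path)
    print("unlogged boundary links:", unlogged_external(FLOWS, EXTERNAL))
    print("downstream of hr-vendor:", reachable_from(FLOWS, "hr-vendor"))
```

The same records double as the checklist for the vendor hunt the next paragraph describes: each partner finance or a department names should appear as an `EXTERNAL` host with at least one flow, and any partner with no flow entry is a path nobody has documented yet.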
The third document is tightly coupled to the data flow chart. Normally, the data map document fits well into a spreadsheet and includes fields such as:
- The product and company it belongs to.
- Location of the company and where they store their data.
- What info is being collected – name/address/driver’s license etc.
- The purpose for collecting the data – sales/compliance/financial analysis etc.
- Owner – who is responsible for the data?
- Who does the data belong to – customers/app users/prospects etc.
- Where do these people reside?
- How many records do you maintain? This is important for estimating penalties or losses.
- Who has access to this information, and where do they reside?
- The legal purpose for collecting the information.
- Data retention timeline for this information.
- Data protection measures in place for this information.
These fields depend on your governance or compliance requirements, but some are always required. For example, you must list all the companies you are communicating with and what specific data you exchange with them. A user should be able to say exactly which data fields a company has access to. In the event of a breach, you will clearly see what information a bad actor may have seen or taken.
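The data map fields listed above, held as structured records instead of only a spreadsheet, together with the two questions a responder asks of them: which entries are incomplete, and what a single third party could have exposed if it were breached. This is an added example, not the article's own template; the field keys are my shorthand for the listed fields, and every product, company and count is constructed.

```python
"""Data map inventory plus the checks you want ready before an incident.
Added example; the records are constructed placeholders, not real vendors."""
from collections import defaultdict

# Shorthand keys for the fields the article lists for a data map spreadsheet.
REQUIRED_FIELDS = (
    "product", "company", "company_location", "storage_location",
    "data_fields", "purpose", "owner", "data_subjects", "subject_residence",
    "record_count", "accessors", "legal_basis", "retention", "protection",
)

# Constructed sample inventory. Every value is illustrative.
DATA_MAP = [
    {"product": "Payroll SaaS", "company": "ExamplePay Inc",
     "company_location": "US", "storage_location": "US-East",
     "data_fields": ["name", "address", "bank_account", "ssn"],
     "purpose": "payroll", "owner": "HR Director",
     "data_subjects": "employees", "subject_residence": ["US", "CA"],
     "record_count": 1200, "accessors": ["HR team (US)", "ExamplePay support (US)"],
     "legal_basis": "employment contract", "retention": "7 years",
     "protection": "TLS in transit, encrypted at rest, SSO"},
    {"product": "Email marketing", "company": "ExampleMail Ltd",
     "company_location": "IE", "storage_location": "EU-West",
     "data_fields": ["name", "email"],
     "purpose": "marketing", "owner": "Marketing Manager",
     "data_subjects": "prospects", "subject_residence": ["EU", "US"],
     "record_count": 48000, "accessors": ["Marketing team (US)"],
     "legal_basis": "consent", "retention": "until unsubscribe",
     "protection": "TLS in transit, vendor encryption at rest"},
    # Deliberately incomplete entry: no owner, retention or protection recorded.
    {"product": "Support ticketing", "company": "ExampleDesk LLC",
     "company_location": "US", "storage_location": "US-West",
     "data_fields": ["name", "email", "phone", "ticket_text"],
     "purpose": "customer support",
     "data_subjects": "customers", "subject_residence": ["US"],
     "record_count": 9500, "accessors": ["Support team (US)", "Support team (IN)"],
     "legal_basis": "contract"},
]


def missing_fields(records):
    """Return {product: [missing field names]} for every incomplete entry."""
    gaps = {}
    for rec in records:
        missing = [f for f in REQUIRED_FIELDS
                   if f not in rec or rec[f] in ("", None, [])]
        if missing:
            gaps[rec.get("product", "<unnamed>")] = missing
    return gaps


def exposure_for_company(records, company):
    """Worst-case view if one third party is compromised: the fields it holds,
    how many records, and whose data (to scope notifications and penalties)."""
    fields, subjects, residences, total = set(), set(), set(), 0
    for rec in records:
        if rec["company"] != company:
            continue
        fields.update(rec["data_fields"])
        subjects.add(rec["data_subjects"])
        residences.update(rec["subject_residence"])
        total += rec["record_count"]
    return {"company": company, "data_fields": sorted(fields),
            "data_subjects": sorted(subjects), "residences": sorted(residences),
            "record_count": total}


def fields_by_company(records):
    """Answer 'which company has access to which data fields' across the map."""
    out = defaultdict(set)
    for rec in records:
        out[rec["company"]].update(rec["data_fields"])
    return {c: sorted(f) for c, f in sorted(out.items())}


if __name__ == "__main__":
    print("incomplete entries:", missing_fields(DATA_MAP))
    print("if ExamplePay is breached:", exposure_for_company(DATA_MAP, "ExamplePay Inc"))
    print("access by company:", fields_by_company(DATA_MAP))
```

Running `missing_fields` regularly is the cheap way to keep the map current; the exposure report is the one you want to produce within minutes, not days, when a vendor reports an incident.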
Think about the ROI
Besides the head start these documents offer regarding governance and compliance, you also have a huge time advantage when (not if) something goes wrong, such as losing your single network administrator or getting hit by a crippling attack.
In the example I started this piece with, we managed to stop the crippling attack and get the company back in business. While any recovery takes time, the extra time it took to recover caused a severe blow to their earnings. It took months for them to recover, but a portion of that time could have been avoided.
So remember the Big Three. Whether you have the internal resources to get them done or contract them out to a consultant like me, the ROI is significant. When you have to respond to a security incident, their value could be, to paraphrase that old MasterCard commercial, “priceless.”