Why Data Flow Diagrams and Data Storage Inventories Are Important

For any organization, the first step in protecting your assets is understanding what you have. While most companies are pretty good at inventorying their physical assets (e.g. computers, devices, monitors), they are overlooking another critical asset they should be considering: their data. Understanding how sensitive data flows throughout your network, who has access to it, and where it eventually winds up is just as important, so that adequate security controls can be applied to protect this data. But as with a lot of things in security, this is easier said than done, and many people don’t even know where to start. So let’s take a look at some considerations to help get you started with creating data flow diagrams and developing a data storage inventory.

Data Flow Diagrams

Before we get to where sensitive data is stored, it’s often helpful to understand where it enters your organization, what parts of your organization it passes through, and finally where it is stored. When you draw this on a network diagram or a similar visual, the result is known as a data flow diagram. Usually through interviews and process walkthroughs, an organization can trace the lines of business and their processes, from where sensitive data is collected or received to where it leaves the organization or is stored. This can help identify problem areas, areas that need more security controls in place, or higher-risk vendors.

Data Storage Inventories

Just as you use spreadsheets or tools to inventory your organization’s physical assets, you should treat your data as an asset as well. Data is often the secret sauce that drives your business or gives you a competitive advantage. Additionally, sensitive data that is part of a breach or compromise can have significant ramifications for your organization in the form of fines, lawsuits, etc. So as part of the process of mapping out the flow of sensitive data in your organization, make sure you inventory all the exact locations where data is stored, what type of data you are storing, the business justification for storing that data, and a high-level summary of the risk to your organization, should that data be lost.

With this information, you can first and foremost make educated decisions about where data storage is actually necessary. Where it is, consider the security controls you’re applying to each of these areas where data is stored and make sure they make sense from a risk perspective (e.g. comparing the cost of securing the data with the cost to the organization following a breach of that data). Other details you could record with an inventory of data are things like the data owner or point of contact, the department responsible for that flow of data, the third parties that have access to that data, whether that data is eventually pushed to an outside organization or is pulled by a third party (indicating whether that third party has access to your environment), and anything else you think might be important.


The identification process is important, but it’s what you do with this newly collected information that can make a huge difference in your security posture. Here are a few things to consider after you’ve gone through this process:

  • When it comes to sensitive data, if you don’t need it, don’t collect it and definitely don’t store it. The fewer locations you have important data, the easier it is to adequately protect that data. Make sure you’ve got a really good business justification for things like PII, ePHI, PCI, etc.
  • For the places you do need to store sensitive information, make sure you’ve got best practice security controls applied. This means applying things like the principle of least privilege to your access controls, only allowing employees with a justified business need to access sensitive information, and encrypting stored data adequately.
  • Use these data flows to identify high-risk third-party vendors you work with, and consider additional scrutiny and due diligence to assess the security they are providing for sensitive data. Remember that if a third party that holds sensitive data you own, or that has access to your network, gets breached, it is just like your organization getting breached.
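
As an added illustration (not part of the original article), the inventory fields described above can be kept in a machine-readable form and checked against these follow-up points. The field names, sample entries, and vendor names below are constructed for the example.

```python
from dataclasses import dataclass, field

SENSITIVE = {"PII", "ePHI", "PCI"}  # sensitive categories the article names

@dataclass
class DataStore:  # one inventory row; field names are assumptions
    location: str        # exact location where the data is stored
    data_types: set      # what type of data is stored there
    justification: str   # business justification ("" if none recorded)
    risk_if_lost: str    # high-level summary of risk if the data is lost
    owner: str           # data owner or point of contact
    encrypted: bool      # whether the stored data is encrypted
    third_parties: dict = field(default_factory=dict)  # vendor -> "push"/"pull"

def review(inventory):
    """Return (location, finding) pairs for sensitive stores needing follow-up."""
    findings = []
    for s in inventory:
        kinds = ", ".join(sorted(s.data_types & SENSITIVE))
        if not kinds:
            continue  # no sensitive data recorded at this location
        if not s.justification.strip():
            findings.append((s.location, f"no business justification for {kinds}"))
        if not s.encrypted:
            findings.append((s.location, f"{kinds} stored unencrypted"))
        if not s.owner.strip():
            findings.append((s.location, "no data owner recorded"))
        for vendor, direction in sorted(s.third_parties.items()):
            if direction == "pull":  # a pull means the vendor reaches into your network
                note = f"{vendor} pulls {kinds}: vendor has access to your environment"
            else:
                note = f"{kinds} pushed to {vendor}: review vendor security"
            findings.append((s.location, note))
    return findings

# Constructed sample inventory (hypothetical locations and vendors)
INVENTORY = [
    DataStore("crm-db/customers", {"PII"}, "billing and support", "high",
              "sales-ops", True, {"MailVendor": "push"}),
    DataStore("fileshare/old-exports", {"PII", "PCI"}, "", "high", "", False),
    DataStore("hr-app/benefits", {"ePHI"}, "benefits enrollment", "high",
              "hr", True, {"BenefitsCo": "pull"}),
    DataStore("wiki/public-docs", {"marketing"}, "public content", "low",
              "comms", True),
]

if __name__ == "__main__":
    for location, finding in review(INVENTORY):
        print(f"{location}: {finding}")
```
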

As you may already understand from reading this high-level overview, this can be a difficult and time-consuming process. Organizational politics, scheduling interviews and walkthroughs, and producing clear documentation are all challenges you’ll need to overcome as part of the process. If you are considering this process, it may make more sense for you to bring in an objective third party to facilitate this kind of assessment, and we can certainly help. Or if you are considering walking down this path yourself, feel free to reach out and we’d be happy to answer any questions you may have or provide recommendations.