The goal of the Information System/Data Flow Diagram is to capture the main components of an Information System, how data moves within the system, user-interaction points, and the Authorization Boundary. Think of this diagram as conceptual rather than technical – multiple systems can be abstracted together, and there’s no need to detail every network connection. The Authorization Boundary describes the limits of the Information System – which pieces are currently being assessed. Information Systems often depend on other Information Systems, but those other Information Systems will be assessed independently, and their risk is factored into the current Information System.
The diagram on the right focuses too much on system components, includes unnecessary information, and does little to explain how data moves through the system, which protocols are in use, or the boundaries of the system to be assessed.
Directional arrows showing data flow and protocols matter because they highlight which parts of the Information System need scrutiny during an assessment. For instance, a system description might say only, “data is transferred from the customer to the Viridian Dynamics System.” If the diagram labels that flow as ‘FTP’, the assessor can ask the appropriate follow-up questions.
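The same reasoning can be applied to a diagram's arrows once they are written down as data. The following is an added example, not part of the original guidance: it lists each flow that crosses the Authorization Boundary, uses an unencrypted protocol, or has no protocol label. The component names (other than the customer and the Viridian Dynamics System) and the cleartext protocol list are assumptions made for illustration.

```python
from dataclasses import dataclass

# Protocols treated as unencrypted in this example (assumed list, extend as needed).
CLEARTEXT = {"FTP", "TELNET", "HTTP"}

@dataclass(frozen=True)
class Flow:
    source: str    # component the arrow starts at
    dest: str      # component the arrow points to
    protocol: str  # label on the arrow; empty if the diagram omits it

def review_flows(flows, boundary):
    """Return (flow, reasons) for each flow that warrants follow-up questions."""
    findings = []
    for f in flows:
        reasons = []
        src_in, dst_in = f.source in boundary, f.dest in boundary
        if not src_in and not dst_in:
            reasons.append("both endpoints outside the Authorization Boundary")
        elif src_in != dst_in:
            reasons.append("crosses the Authorization Boundary")
        proto = f.protocol.strip().upper()
        if not proto:
            reasons.append("no protocol shown on the arrow")
        elif proto in CLEARTEXT:
            reasons.append(f"{proto} is unencrypted")
        if reasons:
            findings.append((f, reasons))
    return findings

# Constructed sample diagram: components inside the boundary, then the arrows.
BOUNDARY = {"Viridian Dynamics System", "Application Server", "Database"}
FLOWS = [
    Flow("Customer", "Viridian Dynamics System", "FTP"),
    Flow("Viridian Dynamics System", "Application Server", "HTTPS"),
    Flow("Application Server", "Database", ""),
    Flow("Application Server", "Campus Directory", "LDAPS"),
]

if __name__ == "__main__":
    for flow, reasons in review_flows(FLOWS, BOUNDARY):
        label = flow.protocol or "?"
        print(f"{flow.source} -> {flow.dest} [{label}]: " + "; ".join(reasons))
```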
You may use any tool you prefer to create your diagrams, but to ensure compatibility, please only send image files (jpg or png) or PDFs to the Information Security Office. We have had success with the following tools:
- Microsoft Visio – may be licensed under the Microsoft Select Plus agreement
- OmniGraffle – available for Mac OS X
- Microsoft PowerPoint
- Draw.io – free online tool. Since system diagrams may contain information related to security controls, please choose either Browser or Device to save your drawing; do not save to a cloud provider.