Our customer had not clearly documented where customer data is received from, stored, processed, or transmitted across its major business processes. As our customer said, “Not knowing where the critical data flows and resides is akin to managing the company without full knowledge of our cash flows and funds on deposit.”
Without understanding your data flows, you may not be able to adequately mitigate the risks associated with managing confidential information such as your customer’s personally identifiable information.
To clearly document where customer PII is processed and stored by department; how and to where it is being transmitted; and who is accessing this information. And to depict this information both in tabular and in visual form. Note that this was a business process-focused effort, not a systems-focused one.
We were able to identify and analyze the risks and current control measures, based on the responsible department (not on the underlying systems). This allowed our customer to prioritize risk mitigation based on where the effort would do the greatest good and then determine appropriate levels of controls. For example, our work showed that the customer service department performed the majority of PII handling. This meant that, all other things being equal, an hour spent there managing risk was likely worth more than spending that same hour elsewhere.