3.8 Document Data Flows
Implementation Groups: IG2, IG3

Control Group: 3. Data Protection
Asset Type: Data
Security Function: Identify

Description

Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Implementation Checklist

1. Document current state and create baseline inventory
2. Define data fields and attributes to track
3. Assign ownership and responsibilities
4. Establish review cadence and update procedures
5. Draft policy/procedure document
6. Obtain stakeholder review and approval
7. Communicate to affected personnel
8. Schedule periodic review and updates
9. Inventory all third-party service providers
10. Classify third parties by risk level
11. Conduct security assessments of critical vendors
12. Include security requirements in contracts
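To make the checklist concrete, the following is an added example (not CIS material and not part of this page) of a minimal data flow register with automated checks for the conditions the description and checklist call for: an accountable owner for every flow (step 3), contractual security requirements on every flow to a service provider (step 12), and the annual review cadence (steps 4 and 8). The field names, systems, vendors and dates are constructed for illustration; a real register would be exported from the enterprise's data management process.

```python
"""Validate a data flow register against the expectations of Safeguard 3.8.

Added example, not CIS material. The schema, sample systems and vendors
below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass
class DataFlow:
    """One documented movement of data between two systems or parties."""
    flow_id: str
    source: str
    destination: str
    data_classes: List[str]           # classification labels carried by the flow
    owner: str                        # accountable team; empty string if unassigned
    third_party: bool                 # destination is an external service provider
    contract_has_security_reqs: bool  # contract includes security requirements
    last_reviewed: date               # date the entry was last reviewed


# Constructed sample register (hypothetical systems and vendors).
REGISTER: List[DataFlow] = [
    DataFlow("DF-001", "hr-app", "payroll-vendor", ["PII"], "hr-security",
             True, True, date(2024, 3, 1)),
    # Unowned, sent to a vendor with no contractual security requirements,
    # and not reviewed for well over a year: fails every check.
    DataFlow("DF-002", "crm", "analytics-saas", ["PII"], "",
             True, False, date(2023, 1, 15)),
    # Internal flow: no vendor contract needed, owned, recently reviewed.
    DataFlow("DF-003", "erp", "data-warehouse", ["Financial"], "data-eng",
             False, False, date(2024, 6, 10)),
    # Properly contracted and owned, but the review is overdue.
    DataFlow("DF-004", "web-app", "cdn-provider", ["Public"], "platform",
             True, True, date(2023, 5, 20)),
]


def unowned_flows(register: List[DataFlow]) -> List[str]:
    """Flows with no accountable owner (checklist step 3)."""
    return [f.flow_id for f in register if not f.owner.strip()]


def unprotected_third_party_flows(register: List[DataFlow]) -> List[str]:
    """Flows to service providers whose contract lacks security requirements
    (checklist step 12; the 'Third-Party Data Exposure' scenario)."""
    return [f.flow_id for f in register
            if f.third_party and not f.contract_has_security_reqs]


def stale_flows(register: List[DataFlow], today: date,
                max_age_days: int = 365) -> List[str]:
    """Flows whose last review is older than the cadence (annual by default)."""
    cutoff = today - timedelta(days=max_age_days)
    return [f.flow_id for f in register if f.last_reviewed < cutoff]


def review_report(register: List[DataFlow], today: date) -> Dict[str, List[str]]:
    """Collect all findings so the register can be gated in a pipeline."""
    return {
        "unowned": unowned_flows(register),
        "unprotected_third_party": unprotected_third_party_flows(register),
        "stale": stale_flows(register, today),
    }


if __name__ == "__main__":
    report = review_report(REGISTER, date(2024, 9, 1))
    for finding, ids in report.items():
        print(f"{finding}: {', '.join(ids) if ids else 'none'}")
```

Run against the sample register on 2024-09-01, this flags DF-002 under all three checks and DF-004 as stale only; the `review_report` output can be used to fail a scheduled job until the register is brought back into line with the documented cadence.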

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Unmonitored Data Exfiltration Paths (Confidentiality)

Without documented data flows, attackers can use unmonitored data pathways, such as third-party integrations or service provider connections, to exfiltrate sensitive data without being detected.

Third-Party Data Exposure (Confidentiality)

Undocumented data flows to service providers mean sensitive data is transmitted to third parties without appropriate contractual protections or security requirements.

Vulnerabilities (When Safeguard Absent)

Undocumented Data Flow Architecture

Without data flow documentation, the organization does not know how data moves between systems, users, and third parties, and cannot secure or monitor pathways it is unaware of.

No Visibility into Service Provider Data Handling

Without documented data flows including third-party providers, the organization cannot verify that data shared with vendors receives appropriate protection.

Evidence Requirements

Type     | Evidence Item                                                    | Collection Frequency
---------|------------------------------------------------------------------|--------------------------------------------
Document | Current inventory or catalog documentation                       | Maintained continuously, reviewed quarterly
Document | Process/procedure documentation for identification activities    | Reviewed annually
Record   | Third-party risk assessment reports and scorecards               | Annually per vendor
Document | Vendor contracts with security requirements                      | Per contract cycle
Document | Governing policy document (current, approved, communicated)      | Reviewed annually