DATA FLOW ANALYSIS (DFA)

Introduction
Data flow analysis assists in the following:
– Analysing the business processes and identifying the leakage points
– Identifying approved usage, movement and exposure points
– Identifying the type, classification, and risk of the information
– Identifying sender & recipient rights
– Performing data flow analysis to identify critical information

The single point of contact for each Business Unit is expected to provide the list of key critical business processes and the flow of the data involved.
Gaps identified during DFA will be highlighted & classified, and recommendations will be provided on that basis.

Classification Criteria
Secret: Secret information is the most sensitive form of information. It is so sensitive that its disclosure or usage would have a definite impact on the organisation's business. Extremely restrictive controls need to be applied (e.g., a very limited audience consisting only of those who are authorised to have such information). Examples include strategic plans, investment decisions, etc.

Confidential: Confidential information is a sensitive form of information. It is distributed on a "Need to Know" basis only. Any non-public information, not confidential, that needs to be communicated to your organisation's entities will fall in this category. Examples include employee personal information, business plans, unpublished financial statements, Minimum Baseline Security Configurations, Firewall and Router Configurations, etc.

Internal: Such information is the property of your organisation. Your organisation has the sole right over this information (exception: the subjects of the information in most cases will also have rights to it, such as a plan member having access rights to their own contract). This form of information must be used within your organisation and not shared externally or with third parties. Examples include staff memos, company newsletters, staff awareness programme documentation or bulletins, Service Contracts, Backup Tapes and CDs, etc.

Public: Sharing such information has no impact on the confidentiality of the Information Asset, so it has a Very Low confidentiality rating. This form of information comes from public sources or is provided by your organisation to the general public. Examples include periodicals, public bulletins, published company financial statements, published press releases, etc.

Confidential
DATA FLOW ANALYSIS - DOCUMENT DETAILS
(Type "a" for selection & "r" for deselection)

Columns of the Document Details sheet:
Sr No. | Process Name | Document Name | Document Classification | Type of information
Document Type (tick one or more with "a"): XLS | XLSX | XLM | CSV | DOC | DOCX | PDF | TXT | PPT | PPTX | EXE | Other
Fixed Parameters: Fixed Format Template? (Select Response / Yes / No) | Critical Keywords | Critical Patterns | Fixed File Name? (Select Response / Yes / No) | Fixed File Name
Comment

Rows 1 to 90: blank template rows, one per document to be registered.
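As an added example (not part of this template), the following Python evaluates a file against Document Details rows the way the sheet's Fixed Parameters describe them: the ticked Document Type columns, the Critical Keywords, the Critical Patterns (as regular expressions) and an optional Fixed File Name, returning the most sensitive classification that matches. The process and document names, keyword lists, sample file contents and the two-hit threshold are constructed assumptions, not values from the template.

```python
import re
from dataclasses import dataclass
from typing import Optional

LEVELS = ["Secret", "Confidential", "Internal", "Public"]  # sheet's levels, highest first

def ticked(marks):  # Document Type columns are ticked "a" (select) or "r" (deselect)
    return {col for col, mark in marks.items() if mark.strip().lower() == "a"}

@dataclass
class DocumentRule:               # one row of the Document Details sheet
    process_name: str
    document_name: str
    classification: str
    document_types: set           # ticked Document Type columns, e.g. {"XLS", "CSV"}
    critical_keywords: list       # Fixed Parameters: Critical Keywords
    critical_patterns: list       # Fixed Parameters: Critical Patterns, as regexes
    fixed_file_name: Optional[str]  # set only when "Fixed File Name?" is Yes

def rule_hits(rule, file_name, text):  # -> (keyword/pattern hits, fixed-name match)
    ext = file_name.rsplit(".", 1)[-1].upper() if "." in file_name else "Other"
    if ext not in rule.document_types:          # type not registered for this document
        return 0, False
    if rule.fixed_file_name and file_name.lower() == rule.fixed_file_name.lower():
        return 0, True                          # fixed name alone identifies the document
    lowered = text.lower()
    hits = sum(1 for kw in rule.critical_keywords if kw.lower() in lowered)
    hits += sum(1 for pat in rule.critical_patterns if re.search(pat, text))
    return hits, False

def classify_file(file_name, text, rules, min_hits=2):
    # Most sensitive matching rule wins; (None, None) when no registered document matches.
    best = None
    for rule in rules:
        hits, name_match = rule_hits(rule, file_name, text)
        if (name_match or hits >= min_hits) and (
            best is None or LEVELS.index(rule.classification) < LEVELS.index(best.classification)):
            best = rule
    return (best.classification, best.document_name) if best else (None, None)

# Constructed sample rows; process and document names are hypothetical.
RULES = [
    DocumentRule("Payroll processing", "Monthly payroll sheet", "Confidential",
                 ticked({"XLS": "a", "XLSX": "a", "CSV": "a", "PDF": "r"}),
                 ["salary", "bank account", "employee id"], [r"\bEMP-\d{5}\b"], None),
    DocumentRule("Network operations", "Firewall configuration", "Confidential",
                 ticked({"TXT": "a", "Other": "a"}), ["access-list", "permit", "deny"],
                 [r"\bip route\b"], "fw-core-config.txt"),
    DocumentRule("Board planning", "Strategic plan", "Secret",
                 ticked({"DOC": "a", "DOCX": "a", "PDF": "a", "PPTX": "a"}),
                 ["strategic plan", "acquisition target"], [], None),
]
```

A file whose extension is not ticked for a row is never matched by that row, which is why a payroll extract saved as PDF would need the PDF column ticked before the keyword rules apply.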
Category | Department 1 | Department 2 | Department 3 | Department 4 | Department 5
Default USB Policy:
Default CD-DVD Policy:
Default Policy for MTP Devices:
Policy for Printers:
Enforce Encryption:
List of registered Devices:
Category | Department 1 | Department 2 | Department 3 | Department 4 | Department 5
Backup
Code Repository
Email Application
Encryption
FTP
IM
Internet Browser
P2P
Screen Sharing
SSH
VoIP
System application
Other application
Browsing allowed (mention category, URLs or both)
Category | Department 1 | Department 2 | Department 3 | Department 4 | Department 5
SMTP mail Policy:
  Allow all mails
  Block all mails
  Allow on listed domains (provide list)
  Block on listed domains (provide list)
Personal Gmail blocking (personal Gmail to be blocked or not):
SMTP Attachment Policy:
  Allow All
  Block All
  Allow some (mention file name or file type)
  Block some (mention file name or file type)
Gmail Attachment Policy:
  Allow All
  Block All
  Allow some (mention file name or file type)
  Block some (mention file name or file type)
Category | Department 1 | Department 2 | Department 3 | Department 4 | Department 5
Upload on HTTP/HTTPS:
  Allow on all
  Block on all
  Allow on listed domains (provide list)
  Block on listed domains (provide list)
File upload policy:
  Allow all
  Block all
  Allow some (mention file name or file type)
  Block some (mention file name or file type)
Category | Department 1 | Department 2 | Department 3 | Department 4 | Department 5
Log all email
Log all file upload
Whitelisted domain for mail
Whitelisted domain for file upload
Browser (add category for incident reporting) | Application (add category for incident reporting) | Email Activity (whitelist official domain) | Web File upload (whitelist authorised domain) | FTP File upload activity (whitelist authorised domain)
