Core Functionalities: Data Flow Analysis

This document provides guidance on using a module for documenting data flows and assets. It describes key concepts like data assets, stages of data such as collected/stored/deleted, and data flows, which represent how an asset moves through different stages. The document outlines how to set up data assets and flows, add details like risks, controls and policies, and optionally track GDPR compliance attributes. It also discusses additional features for notifications, filters and reports to help manage data flow documentation.
Core Functionalities

Data Flow Analysis


Table of Contents

Why this Chapter is Important
Basic Concepts
  Data Assets
  Data Stages
  Data Flows
  GDPR
  Lifecycle (Status)
Data Flows Management
  Basic Setup
  Managing Flows
  Deleting a Data Asset
Additional Features
  Notifications
  Filters
  Reports

Why this Chapter is Important
Documenting data flows helps us understand, for a specific data asset, all the possible
flows (e.g., transit, storage, etc.), who is involved, what risks exist and how we protect the
data. The aim is to answer where the data resides, how it gets there, how it is created and
deleted, and for how long it is stored.

Many people use this module as a component of their GDPR documentation, as
understanding data flows, the risks at each stage, and the controls implemented is an
essential step on the path to GDPR compliance.

WARNING - BEFORE READING THIS GUIDE MAKE SURE YOU HAVE READ AND
UNDERSTOOD HOW BASIC GRC RELATIONSHIPS WORK IN ERAMBA AND YOU HAVE
NOT SKIPPED ANY PREVIOUS STEP

Basic Concepts
The following section describes the basic concepts you need to understand in order to use
this module. The module has two tabs (shown in a screenshot in the original document):

● Data Assets
● Data Asset Flows

The general concept is that for every "Data Asset" you will define one or more "Data
Asset Flows" that describe how the data is collected, stored, modified, etc., and what risks,
controls, etc. exist for each of those flows.

Data Assets
The "Data Assets" tab will be empty unless you create assets in Asset Management /
Asset Identification (a separate module) and give them the asset type "Data Asset".

When you create an asset in that module (by clicking Add / New), make sure the asset
has the type "Data Asset": only assets with this type appear in the Data Flow Analysis
module.

Note: to create an asset you first need to create a Business Unit under Organisation /
Business Units.

Once the asset has been created, go to Asset Management / Data Flow Analysis and you
will see the asset under the default filter.
Data Stages
We grouped the lifecycle of data in something we called “Stages”. We have the following
predefined stages for you to use:

Stage      Examples

Collected  Customer calls our Call Centre; Customer completes an Online Form; Bank sends
           reconciliation transactions; Apache logs records; etc.

Deleted    Customer Representative Deletes a Customer; Backup completed and old data erased;
           Old / Broken Disks are destroyed; etc.

Modified   Customer Representative Updates a Record; etc.

Stored     Paper Receipts Stored in a Facility; Tape Backups Created; Data Stored in Operating
           Systems; etc.

Transit    Online Form sent over the Internet; Data sent across Data Centers; Letters sent by
           post; etc.

Note: some confusion might arise between storing and creating data. Creating data is
perhaps best understood as "collecting" data.

Data Flows
Since multiple actions are likely to happen within each stage, each one should be
documented independently as distinct “Flows”.

For example, you can collect the same asset in many ways (e.g., electronically, on physical
paper, etc.); each one is a flow associated with the "Collected" stage. For that reason,
multiple flows can be associated with every stage. A general representation of assets,
stages and flows is shown in the diagram below.

Data Asset
  |- Created (i.e., Collected): Flow One, Flow Two, Flow ...
  |- Deleted:                   Flow One, Flow Two, Flow ...
  |- Modified:                  Flow One, Flow Two, Flow ...
  |- Stored:                    Flow One, Flow Two, Flow ...
  |- Transit:                   Flow One, Flow Two, Flow ...

Each flow does not simply aim at describing what happens with the asset in that
particular moment but also what GRC components surround them. The table below
describes what can be associated with each flow.

Module / Item                               General reason to associate it

Organisation / Business Units               To describe what part of the organisation is
                                            related to this flow

Organisation / Third Parties                Same as above, but for third parties

Risk Management / All three types of Risk   To describe all potential risks in this flow

Control Catalogue / Internal Controls       To describe all mitigation controls (for those
                                            risks) that apply to this flow

Security Operations / Project Management    To describe what GRC improvements are being
                                            executed

Control Catalogue / Security Policies       To describe policies, documents, standards,
                                            contractual templates, consent documents, etc.
                                            that apply to this flow

Describing flows in detail will allow you to explain in detail how data is protected in your
organization. Their status will be inherited by the asset with the goal of showing how
this GRC element is performing.
GDPR
GDPR is one of many regulations with the aim of pushing public and private
organizations to protect private data.

This module is not about how you become GDPR compliant. However, understanding
what data you manage, how it flows, what risks exist, what controls exist, etc., as well as
documenting that understanding is an essential step in demonstrating compliance with
GDPR.

For every flow you define, you can optionally define GDPR-related attributes to further
clarify its GDPR context. To make it easier to know what needs to be described, we
defined a set of fields that reflect every requirement in the regulation.

You can then visualize GDPR attributes using filters on the “Data Flow Analysis” tab.
Lifecycle (Status)
On top of all the statuses inherited from related GRC modules (controls, policies,
risks, etc.), the module includes one additional status, described in the table below:

Status Name               Data Assets                        Data Flow Analysis

Incomplete GDPR Analysis  The asset has "GDPR" enabled       One or more stages (collected,
                          under "General Attributes"         stored, etc.) have no flow defined
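The following is an added example, not code from eramba or from this guide: a small Python model of the concepts in the Data Flows and Lifecycle (Status) sections (an asset, its stages, the flows at each stage and the GRC items attached to each flow), with a check that reproduces the "Incomplete GDPR Analysis" rule above. The class names, the `unmitigated_risks` helper and the sample asset are assumptions made for this illustration, not eramba's data model.

```python
"""Added example (not eramba's own code): model a Data Asset with stage-specific
flows and evaluate the 'Incomplete GDPR Analysis' status described in the guide.
All names and the sample data below are assumptions for illustration only."""
from dataclasses import dataclass, field

# The five predefined stages named in the Data Stages section.
STAGES = ("Collected", "Stored", "Modified", "Transit", "Deleted")


@dataclass
class Flow:
    """One flow: what happens to the asset at a stage, plus the GRC items that the
    guide says can be associated with it (business units, third parties, risks,
    controls, policies) and optional GDPR attributes."""
    stage: str
    description: str
    business_units: list = field(default_factory=list)
    third_parties: list = field(default_factory=list)
    risks: list = field(default_factory=list)
    controls: list = field(default_factory=list)
    policies: list = field(default_factory=list)
    gdpr_attributes: dict = field(default_factory=dict)

    def __post_init__(self):
        # Reject stages outside the predefined set (e.g. "Created" instead of "Collected").
        if self.stage not in STAGES:
            raise ValueError(f"unknown stage {self.stage!r}; expected one of {STAGES}")


@dataclass
class DataAsset:
    name: str
    data_owner: str          # the role completed under General Attributes
    gdpr_enabled: bool = False
    flows: list = field(default_factory=list)

    def flows_for(self, stage):
        """All flows documented for one stage (several per stage are allowed)."""
        return [f for f in self.flows if f.stage == stage]

    def missing_stages(self):
        """Stages for which no flow has been defined, in STAGES order."""
        return [s for s in STAGES if not self.flows_for(s)]

    def status(self):
        """The one module-specific status from the guide: 'Incomplete GDPR Analysis'
        applies when GDPR is enabled on the asset and at least one stage has no flow."""
        if self.gdpr_enabled and self.missing_stages():
            return "Incomplete GDPR Analysis"
        return "OK"

    def unmitigated_risks(self):
        """Hypothetical helper (not an eramba status): (stage, risk) pairs for flows
        that name a risk but have no control attached on the same flow."""
        return [(f.stage, r) for f in self.flows if f.risks and not f.controls
                for r in f.risks]


def sample_asset():
    """Constructed sample: a GDPR-enabled 'Customer Records' asset with flows for
    three of the five stages, so the incomplete-analysis rule fires."""
    asset = DataAsset("Customer Records", data_owner="Data Protection Officer",
                      gdpr_enabled=True)
    asset.flows.append(Flow("Collected", "Customer completes online form",
                            business_units=["Sales"], risks=["Form data intercepted"],
                            controls=["TLS on web frontend"]))
    asset.flows.append(Flow("Collected", "Customer calls the call centre",
                            business_units=["Support"], risks=["Agent mistypes data"]))
    asset.flows.append(Flow("Transit", "Form data sent to CRM over the Internet",
                            third_parties=["CRM vendor"], risks=["Data exposed in transit"],
                            controls=["TLS", "Vendor DPA"],
                            policies=["Third-party data processing policy"]))
    asset.flows.append(Flow("Stored", "Records held in CRM database",
                            risks=["Database breach"],
                            controls=["Encryption at rest", "Access control"]))
    return asset


if __name__ == "__main__":
    a = sample_asset()
    print(f"{a.name}: status={a.status()}, missing stages={a.missing_stages()}")
    print("flows with risks but no controls:", a.unmitigated_risks())
```

Running the script reports the asset as "Incomplete GDPR Analysis" because the Modified and Deleted stages have no flow, and flags the call-centre collection flow as carrying a risk with no control; adding a flow for each missing stage returns the status to "OK", while disabling GDPR on the asset suppresses the status regardless of coverage.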

Data Flows Management

Basic Setup
To start a data flow analysis, edit the item, click on General Attributes and complete the
"Data Owner" field; this role is later used for notifications, visualisations, etc.

You can optionally enable the GDPR questionnaire features for this asset. This means every
new flow you create will include a set of GDPR-related questions that you must fill in.
Managing Flows
Once the general attributes are completed you can create as many flows as needed:
simply open the item's menu and click on Flows. A window will open where you can
see all existing flows and add new ones by clicking on Add New.

The form for creating a flow is pretty simple; just remember that if you enabled the GDPR
functions there is an extra form you need to complete, where all fields are mandatory.

Deleting a Data Asset


Until you remove the asset itself (from Asset Management / Asset Identification), it remains
listed in the Data Flow Analysis module. You can remove all associated flows by opening
the flow list for the item and deleting the flows one by one.
Additional Features

Notifications
This module has no notifications.

Filters
Multiple system filters (you can't delete or edit them) are pre-defined on both tabs to
simplify access to data. Please see our filter guides to understand more about how
filters work.

Reports
The system comes with multiple system reports created (these can not be removed or
modified) and many more can be created to help managing the system. Please review
the report documentation to understand the full capabilities of this feature.
