Risk Assessment Data Flow Analysis

In order to fully understand a company's security risks, we must first analyze the workflow of the sensitive data.

What is the Data Flow Analysis?

A Data Flow Analysis is a thorough review of how an organization's users handle sensitive data at rest and in motion, including usage that vulnerability scanning tools cannot detect. Its purpose is to define the boundaries of security responsibilities and to confirm, from a compliance perspective, that data transmission is secure and protected.

Data Flow Analysis Phases

The Data Flow Analysis phase of the risk assessment is completed in two parts:

  1. Data Flow Questionnaires
    1. Typically sent to 30-50% of employees within the organization
    2. Designed to take approximately 10-15 minutes to complete by each team member
  2. Data Flow Interviews
    1. Interviews are conducted with 1-2 resources per department that store or transmit sensitive data, as discovered in the questionnaire

Data Flow Process Flow


Client Approvals & List of Users

  1. Client Completes Approval Form
  2. Client Provides List of Users for Data Flow Questionnaire
Internal Client Management Email
  1. Choice provides email template to client management team
  2. Client Management team member sends the email to all Questionnaire users & alerts the Choice team when complete
Choice Questionnaire Emails
  • Choice will send an initial email to all Questionnaire users provided
  • Choice will send reminder emails to users who have not completed the Questionnaire
List of Interviewees
  • Choice will select users for Interviews based on Questionnaire answers
  • Choice submits the list of interviewees to management team for approval
  • Client Management team approves interviewees list
Conduct Interviews
  • Choice will reach out to each user to schedule interviews
  • Choice team will conduct 10-15 minute interviews with each team member
Data Review & Analysis
  • Choice team will review all data flow answers
  • Compile results in Executive Summary

Client On-boarding Responsibilities

  1. Gather a list of users that store or transmit sensitive data from each department
    1. 30-50% of your team, with a thorough representation of approximately 4 or more resources from each department
    2. We prefer a spreadsheet with first name, last name, email address & department
    3. Companies with fewer than 20 users: Please provide a list of all users
  2. Check your email to review and complete the Choice CyberSecurity Data Flow Questionnaire Approval Form provided
    1. At the end of the questionnaire, you will be prompted to provide a list of participants and their email addresses
  3. Once approved, we will send another email with the Management Email Template and a unique form, so that you can send the management team email to all Questionnaire users
  4. Alert the Choice team when your email has been sent; we begin our email process approximately 2 business days after your email has been sent

Please DO NOT send the Data Flow Analysis Approval Form to your users. The approval questions at the end will confuse them, and the form is not designed to collect results from more than one team member.