People have asked if they could see examples of the two diagram types that are requested in the SRAQ. Below are an example of each, with the key pieces of information highlighted. (They are "based" on a real system, but the hostnames/IP addresses and some of the details were made up to protect the innocent). Your diagrams may not look exactly like these, but they should convey the same level of detail and amount of information to aid in the review process.
- Example Network Diagram
- Key pieces: Network segment subnet definitions, relevant hostnames/IPs, building routers and firewalls names if exist (switches unnecessary), OS/type of host, relationship to campus, Internet, or 3rd party networks.
- Example Data Flow Diagram (for sensitive and restricted information)
- Key pieces: The hosts in your system that store or allow sensitive/restricted information to be transmitted through them, as well as all entry points of that data into the system, and all exit points of that data out of the system, and any flow of data within subsystems. Arrows should denote the direction of data flow. The type of data should be noted. The type of transport protocol, encryption, and any relevant access controls of data in transit should be noted. The type of data storage, encryption, and any relevant access controls of data at rest should be noted. Lines denoting boundaries of firewalled segments should be noted.
- Note: the above diagrams created using MS Visio 2010. Stencils used were Basic Shapes, Network and Peripherals, Computers and Monitors, Data Flow Diagram Shapes