Business Process Flow

The identification of systems impacted by organizational business processes.

It is critically important to understand an organization’s existing business processes to identify security risks. SecureState has developed a rigorous approach to identify critical business processes through interviews, observation, and validation.


A Business Process Flow is the first step for any associated Gap Assessment, and it also helps organizations identify the critical assets and business processes that are vital to them. This process also assists in budgetary planning and strategic security roadmap development, and it is often the first step in the implementation of many enterprise-wide solutions. During the process, SecureState determines the systems in-scope for regulatory compliance mandates while helping our clients better understand their own processes.


SecureState’s consultants are experts in understanding both the technical and the business aspects of an organization. Furthermore, our expertise lies in facilitating a number of whiteboarding sessions in order to map out application data flows. Our experienced team members have performed many of these assessments in order to help an organization implement better risk-based security controls, in line with systems critical to their business processes.

Approach and Methodology

SecureState has developed a rigorous approach to identify critical business processes through interviews, observation, and validation.

The majority of fieldwork will involve interviewing various application or business process ‘owners’ (including executives, project managers, team leads, and supporting personnel) to document areas of control weakness. Since a number of infrastructure/process components can be used to support a particular application, SecureState will need to interview and observe each functional area. SecureState will corroborate the documented controls by asking leading questions. Please note that hands-on analysis will be conducted during the Validation and Testing phase.

SecureState will document the point of presence for each application, including supporting infrastructure, input and output flows, and communications used. This will enable SecureState to get an overall view of potential control impact areas. SecureState will build a Visio Diagram that can be used by your organization for knowledge transfer and to gain a quick, high-level understanding of the various components used to support that process.

With this understanding, SecureState will develop a Control Matrix that outlines potential control weaknesses. This matrix will include the potential impact, risk, timeframe, and resources needed for completion, together with recommended countermeasures, and will document where they impact the business process flow.

SecureState will document potential areas where additional validation and testing might be required. Typically, systems impacting business processes handling sensitive or critical data will require additional testing and validation depending on the type of data or process. Performing validation and testing for various application components increases the scope and changes deliverable output. Therefore, SecureState recommends prioritizing all validation and testing services for each application before performing specific tests. The cost is TBD, based on the flow of the applications.

