To solve these problems we need to
Identify and characterise all Business Information flows within the organisation
Identify all the applications used to receive, read, process, and save or transmit information within the organisation
Analyse this data to find vulnerabilities and assess business information and application risk