Cheap and cheerful approach to front up with for your next infrastructure security office hours:

  • Get a diagram (every, damn, time)
  • Break the diagram into trust zones
  • Draw the data flows (all of them)
  • Draw all communication flows
  • Label everything: asset, threat, control

Obviously, there's more to it, but I find this checklist makes me seem relatively prepared most of the time, even when I haven't had a chance to do my homework.
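
The checklist above, run against a diagram written down as data. This is an added example, not part of the original post. The component names, zones and labels are constructed, and it assumes "label everything" means every node and flow carries an asset, a threat and a control annotation.

```python
from dataclasses import dataclass, field

REQUIRED = ("asset", "threat", "control")  # assumption: every element carries all three

@dataclass
class Node:
    name: str
    zone: str = ""  # trust zone; empty means nobody has placed it yet
    labels: dict = field(default_factory=dict)

@dataclass
class Flow:
    src: str
    dst: str
    kind: str  # "data" or "communication"
    labels: dict = field(default_factory=dict)

def review(nodes, flows):
    """Return (check, subject, detail) findings for a diagram written down as data."""
    by_name = {n.name: n for n in nodes}
    findings = [("no-trust-zone", n.name, "not placed in a zone") for n in nodes if not n.zone]
    elements = [(n.name, n.labels) for n in nodes]
    for f in flows:
        a, b = by_name.get(f.src), by_name.get(f.dst)
        subject = f"{f.src}->{f.dst} ({f.kind})"
        elements.append((subject, f.labels))
        if a is None or b is None:
            findings.append(("off-diagram", subject, "endpoint is not on the diagram"))
        elif a.zone and b.zone and a.zone != b.zone:
            findings.append(("crosses-boundary", subject, f"{a.zone} -> {b.zone}"))
    for subject, labels in elements:
        missing = [k for k in REQUIRED if not labels.get(k)]
        if missing:
            findings.append(("unlabelled", subject, "missing " + ", ".join(missing)))
    return findings

# Constructed sample diagram: names, zones and labels are made up for illustration.
FULL = {"asset": "customer records", "threat": "interception", "control": "TLS"}
NODES = [
    Node("browser", "internet", dict(FULL, control="none (untrusted client)")),
    Node("web", "dmz", dict(FULL, threat="injection", control="input validation")),
    Node("db", "internal", {"asset": "customer records"}),
    Node("backup"),
]
FLOWS = [
    Flow("browser", "web", "data", FULL),
    Flow("web", "db", "data", {"asset": "customer records", "threat": "credential theft"}),
    Flow("db", "backup", "communication"),
    Flow("web", "metrics", "communication", FULL),
]
```

Calling `review(NODES, FLOWS)` on the sample returns the unplaced node, the two flows that cross a trust boundary, the flow to a component nobody drew, and the four elements still missing labels.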