Cheap and cheerful approach to front up with for your next infrastructure security office hours:
- Get a diagram (every, damn, time)
- Break the diagram into trust zones
- Draw the data flows (all of them)
- Draw all communication flows
- label everything: asset, threat, control
Obviously, there's more to it, but i find this checklist makes me seem relatively prepared most of time, even when i haven't had a chance to do my homework.