ABSTRACT
We have gathered the required tools in preparation for an assessment. I’m going to assume that we understand our organization’s risk tolerance as it applies to systems of the type under assessment. Of all the possible threat agents, we have selected those that may have the most important impact on our organization’s mission and whose methodologies can be applied to systems of the type that we are considering. In other words, in preparation for the assessment, we’ve taken the time to screen out irrelevant threats and attacks. We understand the infrastructure, the execution runtime, and the deployment model for this type of system. Local variations from industry standards are understood.*
Hopefully, by this point in the book, you have a reasonably clear understanding of the information and considerations that you will need to bring to bear in order to assess a system? Presumably, you have a risk methodology with which you are comfortable? Presumably, you are becoming conversant in architecture representations, diagrams, communications flows? Hopefully, at this point, you’ve gained a feel for the art of decomposing an architecture?
