Some cybersecurity practitioners drill down only to the level of detail of a network diagram, or even a wiring diagram, to judge the adequacy of cyber protection.
The system landscape or architecture is no doubt an element to look at, but it is only part of the picture. A holistic approach should look like this:
- What is the purpose of the system?
- How is the information used: to control machines, to inform decision making for critical operations, or solely for display as-is?
- What is the consequence if it is compromised?
- What is the tolerable downtime?
- What are the options to bring the service back up within this unplanned downtime window?
- How to strike the balance between freezing the compromised system for digital forensics and recovering the system to meet the service pledge?
With these in mind, the diagrams are useful only for assessing the attack path and the optimal countermeasures. And don't criticize insufficient information in the diagrams without first setting a reference standard: such criticism should be objective rather than subjective.