Threat modeling is something we will need to do repeatedly. We should have an up-to-date architectural overview of the system with ingress/egress points, who has access to different areas, where the perimeters are, which communication paths are encrypted, etc.
There is already some prior effort that can be updated/built upon.