Analysis should include
security policies
assurance levels
system-level and component-level safeguards
penetration testing.