What type of user access does your application offer (internal, external [Internet-facing], both, or neither)?
What are the basic authentication and authorization mechanisms for the external-facing (Internet) portion of your application?
Are there anonymous users?
Is there a secure channel? What is that channel?
What type of data is contained in your application?
Does your application contain personal data?
How business-sensitive is the data managed by your application?
What function does your application fulfill? How critical is its role?
What is the authentication mechanism used by the client population?