[AA1.4: 49] Use a risk questionnaire to rank applications.
To facilitate security feature and design review processes, the SSG uses a risk questionnaire to collect basic information about each application so that it can determine a risk classification and prioritization scheme. Questions might include, “Which programming languages is the application written in?”, “Who uses the application?”, and “Does the application have a mobile client?” A qualified member of the application team completes the questionnaire. The questionnaire should be short enough that it can be completed in a matter of hours. The SSG might use the answers to categorize the application as high, medium, or low risk. Because a risk questionnaire can be easy to game, it’s important to put into place some spot checking for validity and accuracy. An overreliance on self-reporting or automation can render this activity impotent.