
Risk Assessment Questionnaire

Why is this information asset important to the organization?


What is the agreed-upon description of this information asset?
Who owns this information asset?
What are the security requirements for this information asset?
Only authorized personnel can view this information asset, as follows:

Only authorized personnel can modify this information asset, as follows:

This asset must be available for these personnel to do their jobs, as follows:
This asset must be available for __24__ hours, __5__ days/week, __52__ weeks/year.

Other:
This asset has special regulatory compliance protection requirements, as follows:

Which security requirements apply to this information asset? (Mark Y/N for each item,
e.g. Confidentiality: Y, Integrity: N, Availability: Y.)
Confidentiality (Y/N): Y
Integrity (Y/N): Y
Availability (Y/N): Y
Is the application Internal or External facing?
If it is Internal, who has access to the application and how many users?
How many dynamic pages (or forms) does each user have access to? A dynamic page is
one that accepts user input. If multiple users have access to the same page, only count this
page one time.
Is the application web browser-based? (Yes / No). If not, please provide details (e.g., C, C#,
Java, Perl, etc.)

Which technologies and programming languages are in use (e.g., .NET, ASP, XML, IIS,
WebLogic, SQL, Oracle, SOAP, Java, Visual Basic, JavaScript, etc.)?
IP Address of the Web App Server?
What network transport protocols are used (e.g., HTTP, HTTPS, SMB, FTP, SMTP,
proprietary protocol, etc.)? HTTPS
Is encryption used for network transport (e.g., TLS, or something else)? Yes, HTTPS
Do other application components use encryption (e.g., file system, file, database)?

Does the application implement any client-side components (e.g., Java applet or ActiveX
control)?
How are authentication and authorization performed (e.g., basic authentication, client-side
certificates, HTML forms, SiteMinder, GetAccess, Active Directory, LDAP, internally
developed)?
Does the application allow users to write data or do they have read-only permissions?
Does dynamic content come from a database? If so, what kind of database is used and how
does the server connect to the database?
Where is persistent data stored? Client, single server (database, binary file, text file), or
multiple servers? Please describe.
IP Address of the Database Server?
How many transactional elements/components (e.g., checking, savings accounts,
payment, change password, etc.) does the application provide? Please provide details. No
financial transactions are processed in this system.
Are there different privilege levels or roles of users that can access the application (e.g.,
regular user, supervisor, administrator, superuser, etc.)? (Yes / No). If Yes, please provide
an additional breakdown of the levels of users. Can all users within a given level see the same
data sets, functions, and menus, or is the data user-specific?
How many servers, and of what type, support the application (e.g., operating systems,
web servers, application servers, database)? Please provide a high-level breakdown.
