What type of user access does your application offer (internal, external [Internet-facing], both, or neither)?
What are the basic authentication and authorization mechanisms for the external-facing (Internet) portion of your application?
Are there anonymous users?
Is there a secure channel? What is that channel?
Data Classification
What type of data is contained in your application?
Does your application contain personal data?
How business-sensitive is the data managed by your application?
Functionality
What function does your application fulfill? How critical is its role?
Architecture
What is the authentication mechanism used by the client population?