The purpose of an application review is to analyze the combination of the server environment and the application program, determine the level of security controls provided, and compare it to what is required. The security needs of the application are analyzed as well, so that the security level of the application and its environment can be compared to the needs of the application and its associated data.
This document provides questions designed to determine whether the application being evaluated should be operating on a specific server with other applications. The application review questions first help evaluate the basic application security requirements, then determine the level of security controls applied to the application. If the application security requirements exceed the rated value of the application security controls, the security controls must be adjusted to meet the security requirements. If the level of the application security controls meets or exceeds the application security requirements, no adjustment is required. The final step requires the evaluation of the security controls and maintenance of the servers on which the application operates.
If the application security controls are at a lower level than the application security requirements and the application is active, the issues must be resolved immediately. If the application is not active, the issues must be resolved prior to making the application active.