General
When did we do our last data inventory check?
Secure Development
Do we follow secure SDLC? Is security looked into from the scratch?
What is the cycle of application testing?
What are the most major security vulnerabilities/flaws existing