Hacking the Code ASP.NET Web Application Security [Electronic resources]

James C. Foster, Mark M. Burnett

Coding Audit Fast Track

Applying XML Encryption

Encrypting XML Data

Does the application encrypt the document using only well-established encryption algorithms, avoiding weak encryption methods and encoding techniques?

Is all the sensitive data encrypted?

Are the keys used for encryption stored securely?

If the code does not include EncryptionMethod or EncryptedKey elements, has a policy already been established so that the recipient knows this information?

Does the recipient of the encrypted data actually need to access the data?

Applying XML Digital Signatures

Signing XML Data

Does the application sign the document using only well-established encryption algorithms, avoiding weak encryption methods and encoding techniques?

Are the keys used for signing stored securely?

If encryption and signing are used together, have the parties agreed to a policy regarding whether encryption is applied before or after signing?
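
Several of the questions above can be checked mechanically against an XML document the application has produced. The sketch below is an added example, not code from the book: the allowed-algorithm policy, the sensitive element names and the `audit` function are assumptions to replace with your own policy. Key storage and the recipient's need for the data still require manual review.

```python
import xml.etree.ElementTree as ET

ENC = "http://www.w3.org/2001/04/xmlenc#"
ENC11 = "http://www.w3.org/2009/xmlenc11#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
DSIG_MORE = "http://www.w3.org/2001/04/xmldsig-more#"

# Assumed reviewer policy (not from the book): the only algorithm URIs accepted.
ALLOWED = {
    f"{{{ENC}}}EncryptionMethod": {ENC11 + "aes128-gcm", ENC11 + "aes256-gcm",
                                   ENC + "rsa-oaep-mgf1p"},
    f"{{{DSIG}}}SignatureMethod": {DSIG_MORE + "rsa-sha256"},
    f"{{{DSIG}}}DigestMethod": {ENC + "sha256"},
}
# Assumed names of elements that must never appear in cleartext.
SENSITIVE = {"CardNumber", "Password"}

def audit(xml_text):
    """Return a list of findings for one XML document."""
    root = ET.fromstring(xml_text)  # use defusedxml for untrusted input
    findings = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]
        if el.tag in ALLOWED and el.get("Algorithm") not in ALLOWED[el.tag]:
            findings.append(f"{local}: algorithm not allowed: {el.get('Algorithm')}")
        if local in SENSITIVE:
            findings.append(f"{local}: sensitive element left unencrypted")
        if el.tag == f"{{{ENC}}}EncryptedData":
            if el.find(f"{{{ENC}}}EncryptionMethod") is None:
                findings.append("EncryptedData: no EncryptionMethod, confirm out-of-band policy")
            if el.find(f".//{{{ENC}}}EncryptedKey") is None:
                findings.append("EncryptedData: no EncryptedKey, confirm out-of-band policy")
    return findings

# Constructed sample: Triple DES payload, no EncryptedKey, SHA-1 signature, clear Password.
SAMPLE = f"""<Order xmlns:e="{ENC}" xmlns:d="{DSIG}">
  <Password>hunter2</Password>
  <e:EncryptedData>
    <e:EncryptionMethod Algorithm="{ENC}tripledes-cbc"/>
    <e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData>
  </e:EncryptedData>
  <d:Signature><d:SignedInfo>
    <d:SignatureMethod Algorithm="{DSIG}rsa-sha1"/>
    <d:Reference URI=""><d:DigestMethod Algorithm="{DSIG}sha1"/></d:Reference>
  </d:SignedInfo></d:Signature>
</Order>"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A missing EncryptionMethod or EncryptedKey is reported as a prompt to confirm the out-of-band policy, not as a defect in itself.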