The FIRST step when defining responsibilities for ownership of information and systems is to require an inventory of information assets. An information asset is any data, device, or other component of the environment that supports information-related activities1. An inventory of information assets is a comprehensive list of all the information assets that an organization owns, controls, or uses2. By creating an inventory of information assets, an organization can:
Identify the types, locations, formats, and volumes of information assets3
Determine the value, sensitivity, and criticality of information assets4
Assign ownership and accountability for information assets5
Establish appropriate security controls and protection measures for information assets6
Monitor and audit the usage and lifecycle of information assets7
The other options are not as important as option D. While it is important to require an information risk assessment, identify systems that are outsourced, and ensure information is classified, these are subsequent steps that depend on the availability and accuracy of the inventory of information assets. Without an inventory of information assets, it would be difficult to perform a risk assessment, identify outsourced systems, or classify information according to its value and sensitivity. References :=
Information Asset - an overview | ScienceDirect Topics1
Information Asset Inventory - NIST CSRC2
How to Create an Information Asset Inventory - Infosec Resources3
Information Asset Valuation: A Methodology - ISACA4
Data Ownership: Considerations for Risk Management - ISACA5
Information Asset Protection - NIST CSRC6
Information Asset Management - NIST CSRC7
