The FIRST step in developing an information security management program is to:

A. identify business risks that affect the organization.

B. clarify organizational purpose for creating the program.

C. assign responsibility for the program.

D. assess adequacy of controls to mitigate business risks.

Explanation:

In developing an information security management program, the first step is to clarify the organizations purpose for creating the program. This is a business decision based more on judgment than on any specific quantitative measures. After clarifying the purpose, the other choices are assigned and acted upon.