Risk Management Starts With an Inventory

An information assurance scheme (measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation; these measures include providing for restoration of information systems by incorporating protection, detection and reaction capabilities) that doesn’t start with an inventory isn’t going to get very far.

What does the initial inventory consist of? It would be fairly easy to list the systems that need to be protected, but don’t you also have to count the following?

1. All physical locations where access to the systems is permitted
2. All physical points of entry to the systems (not just desktops and laptops, but also their associated USB ports, CD-ROM/DVD drives, wireless networks and devices with wireless access). One should now also include BlackBerries, PDAs and mobile phones, indeed all Bluetooth-enabled devices operating near networks, as well as all printers, scanners, copiers and fax machines.
3. All email accounts that can attach files from the system, including web-based email systems.
4. Number, identity and some history of all human resources with access to any of the above.
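The point of counting all four categories together is that each one can grant access that the others do not record. The following Python script is an added illustration, not part of the original post: it models the four categories as a small inventory over constructed sample data (the asset names, locations and people are invented placeholders) and cross-checks them, reporting anything that grants access to a system but is not itself inventoried.

```python
"""Constructed inventory model: cross-checks the four inventory categories
from the post (locations, points of entry, email accounts, people) so that
anything with access that is not itself inventoried shows up as a gap."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class System:
    name: str
    locations: Set[str]        # 1. physical locations where access is permitted
    entry_points: Set[str]     # 2. physical points of entry (USB, DVD, Wi-Fi, printers, ...)
    email_accounts: Set[str]   # 3. accounts that can attach files from the system
    people: Set[str]           # 4. identities with access


@dataclass
class Inventory:
    locations: Set[str]                    # every location the scheme knows about
    entry_point_locations: Dict[str, str]  # entry point -> location it physically sits in
    email_owners: Dict[str, str]           # email account -> responsible person
    people: Dict[str, List[str]]           # identity -> recorded history entries
    systems: List[System] = field(default_factory=list)


def coverage_gaps(inv: Inventory) -> Dict[str, List[str]]:
    """Return, per category, the items that grant access but are not accounted for."""
    gaps: Dict[str, Set[str]] = {
        "unknown_locations": set(),       # a system is reachable somewhere not inventoried
        "unplaced_entry_points": set(),   # an entry point with no known physical location
        "unowned_email_accounts": set(),  # an account with no responsible person on record
        "unknown_people": set(),          # access granted to someone not in the register
        "people_without_history": set(),  # registered, but with no history recorded
    }
    for s in inv.systems:
        gaps["unknown_locations"] |= s.locations - inv.locations
        for ep in s.entry_points:
            # unmapped (None) or mapped to a location the inventory has never seen
            if inv.entry_point_locations.get(ep) not in inv.locations:
                gaps["unplaced_entry_points"].add(ep)
        for acct in s.email_accounts:
            if inv.email_owners.get(acct) not in inv.people:
                gaps["unowned_email_accounts"].add(acct)
        for person in s.people:
            if person not in inv.people:
                gaps["unknown_people"].add(person)
            elif not inv.people[person]:
                gaps["people_without_history"].add(person)
    return {k: sorted(v) for k, v in gaps.items()}


def sample_inventory() -> Inventory:
    """Constructed sample data with deliberate gaps; none of these are real assets."""
    return Inventory(
        locations={"HQ-2F", "Branch-A"},
        entry_point_locations={
            "usb-ws-017": "HQ-2F",
            "wifi-guest": "HQ-2F",
            "printer-mfp-3": "Branch-A",
            "dvd-ws-042": "Warehouse",   # a location that was never inventoried
        },
        email_owners={"ops@example.invalid": "alice", "legacy@example.invalid": "carol"},
        people={"alice": ["2009-03 joined"], "bob": []},
        systems=[
            System(
                name="payroll",
                locations={"HQ-2F", "Home-office"},
                entry_points={"usb-ws-017", "dvd-ws-042", "bt-phone-9"},
                email_accounts={"ops@example.invalid", "legacy@example.invalid", "web-mail-2"},
                people={"alice", "bob", "dave"},
            ),
        ],
    )


if __name__ == "__main__":
    for category, items in coverage_gaps(sample_inventory()).items():
        print(f"{category}: {items}")
```

Run as-is, it lists a home-office location nobody inventoried, a Bluetooth phone and a DVD drive with no placed location, two email accounts with no responsible owner, one person with access who is not in the register and one who is registered but has no history. Each of those is exactly the kind of item the four questions above are meant to surface before any protective measure is chosen.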

Okay, what have I missed so far?



Contributors to the Blindside wiki and blog should note their input forms part of a collaborative resource that is Creative Commons (by-sa 2.5) licensed. We hope these resources will be reused and remixed in the public interest. You do not need to seek permission before you re-use our works, although we do require that users attribute Blindside as their source, and license the resulting work under the same terms.