Abstract

News media continue to report stories of critical information loss through physical means. Most information security programs include physical protection for information system infrastructure, but not for the physical (non-electronic) forms of the information itself. Thus organizations have persistent critical information vulnerabilities that are not addressed by even the most extensive of information systems security programs.

An Information Lifecycle Security Risk Assessment, as described in this paper, can be used to extend the reach of information security programs to encircle all forms of critical data from creation to destruction—even data in human memory form. Such an assessment can leverage existing data management and information systems security efforts. By incorporating both electronic and physical information elements, previously unaddressed information security gaps can be identified and mitigated. The end result should be a risk treatment plan which senior management can understand and approve, and which managers and security personnel can execute.

Keywords: Data lifecycle risk analysis; Electronic data security; Electronic document management; Enterprise data management; Information lifecycle security risk assessment; Information security risk assessment; Physical data security; Proprietary information protection; Records and information management

Article Outline

1. Information security redefined

2. Infrastructure focus also afflicts physical security

3. Need for a workable process

4. Information security stakeholders

5. Collaboration strategy

6. Information lifecycle

7. Information Lifecycle Security Risk Assessment

8. Protecting physical forms of data

9. Human protective measures

10. Lifecycle approach advantages

Vitae