Physical infosec

As we plummet rapidly towards our usual end of month deadline to deliver the next security awareness and training module, the scope is finally stabilizing. June's module will cover these four aspects:

1. Physical information assets meaning the hardware processing, communicating and storing information in all forms;
2. Physical information risks involving tangible, real-world threats, vulnerabilities and/or impacts;
3. Physical information security controls protecting various information assets;
4. Management of the above physical issues within the broader context of managing information risk and security, business management, compliance, corporate governance and so on.

Balanced delicately on the very edge of our scope is a fifth aspect: health and safety. It is our contention that workers, especially 'knowledge workers', qualify as valuable yet vulnerable information assets just as much as, say, databases. Workers receive, process and output information, in some cases generating and expressing new information (e.g. intellectual property such as creative concepts and designs). As such, protecting workers' health and safety is an information security issue, not merely a matter of ethics, compliance, productivity or whatever. 

In particular, workers' mental health is, we feel, directly relevant and well worth addressing. In practice, it's generally an issue for the workers themselves, plus corporate functions such as HR and/or Health And Safety, plus 'management' as a whole. 

Our intent in raising health and safety within the awareness materials is not to trigger corporate turf wars but to raise awareness, set people thinking and encourage collaboration. There are information risks here, so let's take a closer look to see what, if anything, we ought to be doing to understand, evaluate, treat and manage them, or to help/guide those who are responsible.