Which of the following is NOT a key component of an information security strategy?

Prepare for the EC-Council CCISO Exam. Master key security concepts with flashcards and multiple choice questions, each with hints and explanations. Elevate your cybersecurity career!

In the context of an information security strategy, key components are those that directly relate to protecting an organization’s information assets and ensuring that security practices align with the business goals. Security governance, incident response, and compliance are integral elements of a comprehensive information security strategy.

Security governance involves establishing policies, procedures, and frameworks that guide the organization’s security practices and ensure they align with business objectives. It ensures accountability and effective resource management in security processes.

Incident response is the approach and framework used by an organization to prepare for, detect, and respond to security incidents effectively. This component is critical for minimizing damage and recovery time during security breaches, making it a vital part of any security strategy.

Compliance refers to adhering to legal, regulatory, and contractual obligations regarding information security. This aspect ensures that the organization meets required standards, which is crucial for maintaining trust and avoiding legal repercussions.

While building physical security measures can be an important aspect of an organization's overall security strategy, it is not considered a key component in the broader context of information security strategy. Physical security, while relevant, focuses on safeguarding the physical premises and assets rather than directly managing information security risks and strategies, as governance, incident response, and compliance do.
