Overarching: Location: Where are content and work located?
Option 1: Content and work are co-located at secure facilities.
Option A: Infrastructure not secured
Option B: Infrastructure physically secured
Option C: Infrastructure logically secured (encrypted tunnels)
Workers may be system-critical or non-system-critical as well.
Content and work co-located at secured facilities.
Content and work co-located at non-secured facilities.
Content at secured facilities, workers not.
Content at secured facilities, workers at a distant secured facility.
Content not secured, workers at secured facility.
Content not secured, workers not secured.
Decision:IF Standards, regulations, or policy mandates locations,
THEN Follow the standards, regulations, or policy mandates.
ALSO Where no conflict exists, choose from the alternatives per below:
Different enterprises locate content and work differently, and this has a wide ranging effect on how information protection is to be done.
Non-habitable locations require no local secured facility (from an information security standpoint), since there is no relevant threat, other than nature. In this case, the facility protection afforded to the system due to nature is is not substantially different from that required from an information protection perspective.
Habitable location Facility security should meet the standards of the risk levels involved, thus secured facilities are required at the High and Medium risk levels.
Infrastructure Not Secured is, by default, insecure outside of a facility. Thus if loss of infrastructure services has serious negative consequences, workers must be co-located with the system so that such failures don't realize those consequences. Of course this cannot apply when the workers cannot survive...
Infrastructure Physically Secured implies physical means are used to secure infrastructure. This is very expensive outside of a facility and is thus rarely used in that case.
Infrastructure Logically Secured implies some combination of cryptographic protection that affords integrity and/or confidentiality, some degree of path diversification for availability, logging for accountability, and/or some form of use control. Depending on particulars, some combination of these may be used.
Similarly, as risk goes up and time till harm goes down, except for remote facilities with only local consequences not producing serious harm to people or the environment, control becomes more critical, and workers must be located close enough to meet response times to mitigate High consequences and should be so located to mitigate Medium consequences.
For many environments, high risk with short time frames and complex decision-making processes implies the need for local control and the co-location of some content, controls, and the people who operate them. However, for other content, controls, and people, co-location may not be required. Some lights out facilities (e.g., automated warehouses and car parks) may fail safe and await human assistance, while others (e.g., chemical processing facilities) may produce hazards if not addressed in a more timely fashion with human intervention.
For non-critical workers, co-location introduces added risk. There is no reason for them to be co-located with the system except when it brings enough advantage to compensate for the added risks of more people closer to system. Thus, except for low risk situations, non-critical workers should not be co-located with the system. And in Medium and High risk situations, all workers should be in secured facilities when interacting with system.