Which of the following is NOT typically a component of an information security program?

A comprehensive information security program is primarily focused on the protection of data and information assets within an organization. This involves various critical components that help in establishing a secure environment.

Policy development is a fundamental part of an information security program because it sets the framework for how data should be managed and protected. Without clear policies, employees may not understand their responsibilities toward information security, leading to vulnerabilities.

Security training is also crucial as it ensures that individuals within the organization are aware of security protocols and practices. By training employees on how to identify threats, handle sensitive information, and respond to incidents, the organization enhances its overall security posture.

Incident response is integral to an information security program as it encompasses the procedures for addressing security breaches or failures when they occur. A well-defined incident response plan allows an organization to react swiftly and effectively, minimizing damage and restoring operations.

On the other hand, while physical injury prevention is important in the broader context of workplace safety, it is not a component of an information security program. Information security specifically targets the protection of data and systems rather than physical health concerns, making this the correct answer.