News media continue to report stories of critical information loss through physical means. Most information security programs include physical protection for information system infrastructure, but not for the physical (non-electronic) forms of the information itself. Thus organizations have persistent critical information vulnerabilities that are not addressed by even the most extensive of information systems security programs. An Information Lifecycle Security Risk Assessment, as described in this paper, can be used to extend the reach of information security programs to encircle all forms of critical data from creation to destruction-even data in human memory form. Such an assessment can leverage existing data management and information systems security efforts. By incorporating both electronic and physical information elements, previously unaddressed information security gaps can be identified and mitigated. The end result should be a risk treatment plan which senior management can understand and approve, and which managers and security personnel can execute.