| dc.description.abstract | The need for computer-based information systems in manufacturing is now increasingly inevitable given that, the number of transactions is high, the customers are many and geographically widespread, and the volumes in terms of raw materials, work-in-progress and stock are very large. In such cases, the manual methods of keeping track of customers, payments, orders, stock, debtors and creditors would be very difficult, complicated and very inefficient causing manufacturing firms to be susceptible to theft amongst other vices. However, with the increased introduction of computer-based information systems, manufacturing firms are now exposed to many risks that could result in the possibility of financial loss and reputational harm. This has resulted in increased pressure on businesses to understand the need for information systems security and implement information system security measures to protect these systems; hence the need for the study on computer based information systems security within the manufacturing sector.
Past studies on information systems security in Kenya have been done with a special focus on the financial sector; these studies have shown that financial institutions in general do not have comprehensive security programmes. They tend to focus only on specific information system security aspects. These aspects include input controls only or processing controls only or hardware controls only or software controls only or output and storage controls only or procedure controls only or physical facility controls only. Few have a combination of these controls but none have all the controls.
All the above notwithstanding, it should also be noted that the information systems used by institutions in the financial sector have a different focus from those used by companies in the manufacturing sector. While the focus in financial institutions is mainly customer account management and the flow of funds, manufacturing information systems tend to focus on raw materials, work-in-progress, finished stock, order processing and invoicing. The information systems security measures are expected then to vary from industry to industry and from firm to firm. In relation to this, the importance attached to different security measures or approaches are
also expected to differ-, _as would the challenges to implementing information system security.
Thus, what applies in one sector will not necessarily hold in another. Hence the need to research into computer based information systems security focusing specifically on manufacturing firms. With regards to the manufacturing sector, studies have been done in information systems security with a focus on manufacturing firms in the US and the UK. The results show that a majority of security professionals believe that their organizations are at risk of major cyber attack. As a result, most of the firms researched have a formal security program function in place and of those companies that have a formal security program, almost all of them have the approval of top management. However the studies also show that in comparison to the best practices of information system security, some of the firms' information system security programmes are lacking in that they do not consider all security aspects like: the importance of policies and procedures; security consideration in deploying new projects; security training and awareness for staff; monitoring, administering and evaluating security programs to determine success or failure; incident response management and contingency plans (disaster recovery plans) development and auditing.
In Kenya, most of the large private manufacturing firms have implemented different information system security measures. What these measures and their importance are, as well as the challenges faced in their implementation need to be known. It is with this in mind that this research was undertaken with the following 3 objectives: to identify information system security measures or approaches implemented in manufacturing companies in Kenya, to determine the relative importance attached to the different security measures or approaches and to identify the challenges to implementing information system security in manufacturing companies in Kenya.
To address the above objectives, data were collected from 120 large private manufacturing firms using questionnaires and analysed using various statistical tools. The sample was obtained through, first, stratified sampling on the basis of classification of manufacturing companies by industry as defined in the Directory of Industries published by the Kenya Industrial Research and Development Institute, to ensure that the final sample had representatives from each category. Then second, judgmental sampling within each stratum or category to ensure that all the sample members had computer-based information systems. Out of these 120 large private manufacturing firms, 100 responded to the questionnaires. The data collected were subjected to statistical analysis.
The findings of the study show that the majority of the large private manufacturing firms in Kenya appreciate the need for information systems security and have implemented a great number of measures or approaches which include: passwords, software licensing agreements, backup policies and procedures, different levels of access restriction, alternative power supply, virus management, email logs or filters, account deactivation of employees who have left the firm and temperature controlled room depending on the relative importance attached to the different security measures or approaches by the firm.
The study also showed that the following information systems security measures were highly ranked in terms of importance within the large private manufacturing firms in Kenya: A central policy/document core to the IS security programme, security reporting to senior management, information systems code of conduct/ethics, mechanisms to test for software fixes and proper configurations, Remote Access policies and procedures, training of employees on IS security, implementation of Disaster Recovery Plans(DRP), back up policies and procedures, procedures for destroying unneeded sensitive files, virus management processes, environmental security measures and firewalls.
Finally the mam challenges to implementing information system security m manufacturing companies in Kenya were noted to be inadequate legislation governing information systems security, lack of information systems security planning, lack of training on information systems security, lack of time to develop a comprehensive information systems security program and lack of information systems security guidelines.
The development of a comprehensive information security program is recommended which should include people and technology and should involve policies, procedures, audits, monitoring, and an investment of time and money.
The study is expected to be valuable in the formulation of policy and legislation with regards to information security and assist in the enhancement of leT based information systems security.
Some of the limitations encountered during the undertaking of this study were, first, the nature of this study required div1Itgi'hgsecurity related information; as a result, some of the members in the
sample considered it too sensitive and declined to respond to the questionnaire. Second, some of those who responded may not have given the exact security position given the sensitive nature of the information. Third, the study only incorporated responses from IT managers and their assistants. Perhaps richer responses would have been obtained if the study incorporated end-user responses. Fourth, there was lack of prior adequate information on information systems security in manufacturing which would have provided a strong foundation for the study. Finally, the time constraint made it impossible to collect more diverse data and increase the sample size. | en |
