Information Security Management Systems In Public Universities In Kenya: A Gap Analysis Between Common Practices And Industry Best Practices

Abstract

This research is concerned with issues regarding information security management in public universities in Kenya motivated by the need for implementing effective information security management systems. Universities in Kenya are increasingly using information technology (IT) for essential business operations including administration, teaching, learning and research. These technology assisted initiatives however depend on availability of enabling infrastructure and ultimately on how well that infrastructure is secured and protected. The main aim of this research was to investigate current information security management practices in Kenyan public universities. To help information security practitioners in these institutions to implement effective information security management systems, a framework for information security management grounded on industry best practice guidelines and recommendations in information security management was proposed. The framework guided a comprehensive study to understand the information security control environment in public universities in Kenya. A descriptive survey targeting information security professionals and users of information systems was carried out in five public universities selected randomly. In total, 31 respondents participated in this survey representing a response rate of 58.5%. Descriptive statistics was used for data analysis. Additionally, binomial tests using SPSS were used to evaluate the relationship between dependent variable and the independent variables. Main data collection instrument was a questionnaire. The study findings indicate that the information security control environment in public universities is inadequate to deal effectively with information security threats. The main barriers to information security include enforcement of policies, lack of senior management support and lack of resources. This study has made tremendous contributions to the domain of information security management. Information security practitioners in public universities attempting to implement information security management systems can use the proposed framework to benchmark their ISM practices. Furthermore, the main issues, barriers and factors that influence information security management have been highlighted with recommendations about how to address them to secure information assets.