A framework for implementation of information security management in government ministries, a case study of ministry of youth affairs and sports, Kenya

Abstract

Not only is Information Security Strategy crucial to protect information systems, but it is central to organization survival. Today's organizations depend on information for their survival. Specifically, organizations depend on the systems and controls in place that provide for the ongoing confidentiality, integrity, and availability of their data and information. Many organizations are ill-equipped to define their security goals, let alone to make an explicit connection between their security goals and the strategic drivers of the organization. Threats to organizational information and information systems are increasing in occurrence and in complexity and this emphasizes the urgency for organizations to learn how to better protect their information and information systems Information security is subjective and contextual therefore, every organization‘s approach to a security strategy should be different and customized accordingly, because each organization has its own threats, risks, business drivers, and industry compliance requirements . To improve the governance of IT and comply with regulatory demands, organizations are using best practice frameworks implement information security. One of these IT governance frameworks is COBIT (The Control Objectives for Information and related Technology). COBIT provides guidance on what could be done within an IT organization in terms of controls, activities, measuring and documentation. This framework is however generic and require specific knowledge in order to enable customization and use in a local scenario. The research methodology that was adopted was a case study. The population of interest was officers in the Ministry of Youth Affairs and Sports working at the headquarters. Random sampling was used with targeted interviews to the officers in ICT department who are the custodians of Information systems in the ministry and the administration which provide policy guidelines for the ministry. Data was analyzed by the use of descriptive statistics such as frequency distribution tables, percentages, bar charts and pie charts top officials expressed firm commitment to implementing security in the ministry, there seemed to be no co-ordination between ministry staff and IT staff on the role of information which indicates a communication deficit. The key recommendations include the need for management to fully recognize that Information Communication Technologies are a critical asset and which should be restricted to authorized/legal use only; Information Communication Technology is a Business Issue – not a technology issue and need to be aligned with priorities, industryprudent practices and government regulations, and Information Communication Technologies are enterprise-wide business with associated risks, and therefore all staff should be involved in securing them. An implementation framework, The Control Objectives for Government Information Technologies (COGIT) was developed which the researcher recommended to government ministries as a reference model to Information security management