A Framework For Enhancing Compliance In ICT Security Policy: Case Study KPLC

Abstract

At the dawn of Information Communication Technology (ICT), information has become very important asset for any modern organization. Therefore, protection of information has become a top priority for many organizations. Despite a well-documented guideline on the policies, they are either ignored or violated by the employees. Employees violation of Information security policies is due to negligence or ignorance of the IS security policies on the part of employees. The main objective of the study was to evaluate the knowledge that Kenya Power and Lighting Company employees have about the ICT Security policy. The factors affecting compliance to ICT security policy in Kenya Power and Lighting Company and the strategies that can improve compliance the ICT Security policy for Kenya Power and Lighting Company. The study used descriptive research. There were 102 participants who were randomly sampled from a population of two regions namely, Nairobi and North Eastern regions. The study utilized Qualitative and quantitative data where structured questionnaires were sent by e-mail to all the sampled respondents. The study established that 70% of the respondents were aware of the ICT security policy. The challenges experienced in compliance to ICT security policy were, sharing of the password and mishandling of company information among others. The study therefore concluded that there was knowledge of the ICT security policy among the employees of Kenya Power and Lighting Company (KPLC). Secondly, sharing password with unauthorized persons in the organization was rampant same as irresponsible handling of information by the employees especially among the lower cadre employees of KPLC. Lastly, the different level of organization: management, direct supervisory, co-worker socialization and self-efficacy have significant influence the compliance of ICT Security policy. The study recommended that the management of KPLC should intensify its supervisory practices. It also ensures the security policy procedures are adhered to and go further to give incentives to those found to be adhering to the regulations and sanctions to the defaulters.