An investigation into information security managerial practices in selected public sector organizations
Keywords:Information security, Information security guidelines, Public sector organizations, Security practices
The study aims to examine information security managerial practices in organisations. It was guided by three specific objectives: identification of information security practices critical to information assets management; establishment of implementation processes involved in the execution of structured information security governance; and evaluation of policies that influence information security best practices. In line with these objectives, security was acknowledged as a requisite element in protecting organizational information assets. The study covered two public sector organisations specifically, Uganda Wildlife Authority and National Forestry Authority. Focus was made on information security practices critical to managing information like human security, information classification, procedures for information labelling, compliance, standards, command and control techniques. These security practices were selected based on their importance in the protection of confidentiality, integrity and availability of information assets. Descriptive research design was adopted to describe the phenomenon under study. Being an in-depth inquiry, qualitative approach was used, survey questionnaires representing zero and one scores were designed to collect data. The respondents were purposively selected based on their knowledge in the subject area, cost-effectiveness and delivery of timely results. These respondents included information technology officers, administrative secretaries, data clerks and security guards. Findings from the field were analyzed and presented in meaningful tables. The research findings demonstrate that evaluation of users’ actions was hierarchical in nature; based on associations with tasks performed; information security practices are not aligned to guidelines set by National Information Technology Authority; there was need to establish appropriate measures to handle new information security risk in organizations. On the basis of these findings recommendations that reflect the importance of examining information security managerial practices in organizations were made.