The Institutionalisation of Information Security Management Practices in selected Organisations in Uganda

Abstract

The study aimed at examining the extent to which information security management practices were institutionalised in corporate organisations. Evidence shows that failure by organisations to entrench the information security management practices (ISMPs) into organisations’ structures opens the gateway for attacks, threat actors and information breaches to cause harm to information assets with ease. The study explored the phenomenon in its social setting hence the adoption of descriptive research design as the research methodology. The institutional theory was adopted as a new dimension in examining information security management in organisations. This theory suggests that control gears like coercive, normative, mimetic and management commitment could be used to effectively entrench security guidelines in organisations. Methodical scrutiny of the institutionalisation process: development, implementation and maintenance, and evaluation were also carried out. The researcher relied on human experience to make sense of the institutionalised processes. Extant literature was reviewed, and survey questionnaires were developed based on the eleven ISMPs and administered to purposively selected respondents from the two organisations. The eleven ISMPs covered include state of information security policy, asset management, secure information sharing, supply chain security, access management, network security controls, portable and removable media security, remote access security, protective monitoring of information systems, implementation of information security back-ups, and security accreditation by professional bodies. Data analysis was done using SPSS. Findings indicate that organisations have not fully incorporated all the eleven ISMPs covered as best practices and standards. Based on the results from the field, answers to the research questions were partly realised. Recommendations like the implementation of ISMPs to check deficiencies identified, customisation of security guidelines to protect information assets and institutionalisation of security practices at all levels were suggested. Overall, the study was a positive step towards the institutionalisation process of ISMPs in organisations