Information technology security policy framework for small and medium size enterprises in Nairobi
The adoption of Information Communication and Technology (I.C.T) has increased tremendously over the last couple of years, especially in Small and Medium Size Enterprises (SMEs). However, most SMEs do not realize the importance of Information Technology (I.T) security policies. This research sought to (a) establish the degree of use of I.T security policies in SMEs and whether these policies are equal to the business needs of SMEs; (b) establish the security threats and challenges they are exposed to; (c) identify how the I.T security policies are developed; and finally, (d) propose a framework that can be used to guide SMEs in the adoption of I.T security policies. To meet these objectives, the study used a descriptive research design; the research instruments used were questionnaires, interviews and discussion forums (with both student colleagues and work mates). The study established that 90% of SMEs in Nairobi do not have I.T security policies in their enterprises. Further, of the 10% who have existing policies, 5.2% have security policies that match the enterprises’ business needs. The study further observed that 82% of the businesses strongly agreed that they are in need of a comprehensive I.T security policy to counter risks / threats. Out of all the respondents, 40% strongly agreed that their businesses regularly and frequently scan critical systems for security exposures. The study further used the size of the organization in terms of personnel, the technical environment of the organization, and the ISO 17799 security policy development methodology to develop a framework that comprehensively addresses I.T security policy development for SMEs. According to the proposed framework, if the firm is not I.T proficient (or if it is I.T proficient but small), it should outsource I.T security policy development; otherwise, it should either develop the I.T security policy internally or outsource it.
The framework also provides the detailed components of the I.T security policy development and its implementation.