An Information technology controls evaluation prototype for financial institutions in Kenya
Muiyuro, Anthony Mwangi
In today’s dynamic and ever more complex world, automation has become a competitive edge that many organizations have embraced. By introducing greater efficiencies and cutting-edge capabilities, technology has become a key driver of business growth and innovation. Because of this high level of technology adoption, the rapidly changing business environment has become a breeding ground for some of the most detrimental threats, attacks and disruptive incidents. These emerging threats can only be managed by having relevant and effective IT controls that maintain the confidentiality, integrity and availability of information assets. The financial services sector has been at the forefront of introducing new technology-driven products and services that promise greater efficiencies, faster transaction processing and enhanced security. However, the financial services space faces ever-escalating IT risks from a variety of threats. To leverage these technical capabilities and manage the inherent IT risks effectively, a comprehensive, risk-driven control framework must be identified, established and enforced, commensurate with the business’ risk appetite, so that the business goals can be achieved. The problem organizations currently experience is enforcing an effective IT controls framework with continuous evaluation to ensure that controls remain effective and fit for purpose. This research explored an approach to rolling out an IT controls system based on the NIST 53-800 framework that would be subject to periodic assessments by control owners to gauge its effectiveness for onward improvement and optimization. The research used quantitative methods for data gathering and analysis, with Kenyan financial institutions as the target study population. The researcher employed convenience sampling and selected seven key financial institutions with a mature controls environment.
This study has proposed an evidence-based IT controls framework tailored to improve governance and oversight of IT in financial institutions. The prototype was developed using the rapid development approach, embedding the V-process in the iterative build. The prototype gives oversight and visibility of all the IT controls enforced in the organization(s) and provides a way to continually monitor control effectiveness, control deficiencies and the remedial actions taken. Data from the respondents was analyzed to draw the conclusions of this research. The developed prototype attained a 98% accuracy level in assessing IT controls and provided management with a platform for evaluating control evidence to determine control effectiveness.
Thesis submitted in partial fulfillment of the requirements for the Degree of Master of Science in Information Technology (MSIT) at Strathmore University
Controls Assessment System, Information Security Risk-Control, Information Security Risk Management, IT Control Gaps, Prototype Accuracy, Prototype Performance