AN ISO 27001 BASED MODEL TO DETERMINE UNIVERSITY INFORMATION SECURITY MATURITY UNDER UNCERTAINTY

Abstract

The use of information technology and related process has permeated into organizations of all sizes. Moreover, in recent years, almost all organizations, if not all are involved in protecting their technology investment, if not for protecting cooperate image, then for ensuring provision of confidentiality, Integrity and availability of Information security ensures availability of services to stakeholders. Information security managers must be aware of their information security posture to better prepare in advance and minimise the risk of attacks. The study came up with a model based on ISO 27001 to aid universities in determining their level of maturity in information security. The study adopted specific clauses relevant to universities because of its unique organizational egocentric nature having varied categories of users and extensive research allowing it to serve as a plausible area of study compared to other organizations. The study adopted scientific approach to obtain data using simple random sampling with an online questionnaire distributed to respondents and analysed with SPSS. Secondly, design science approach was then adopted for realization of the web based model. From the output, foremost Reliability and validity of data collection for analysis was carried out which revealed a Cronbach Alpha of 0.917. The impact of Individual variable weights to university information security was then established, followed by inferential analysis showing how individually the different variables impact on the maturity model. From the regression, administrative factors impacted on overall security at .436, technological factors at -.157and physical factors .590respectively with statistic overall regression model significant at r²= .610, F (3, 116)=60.517; p <0.05. All the three factors were found to correlate significantly with the risk management mechanism and therefore taken into consideration for model design and development. Using Goal Question Metrics approach (GQM), individual variable weights were mapped to the model. To implement the model, design science approach was followed realizing a prototype of a web-based implementation available at www.matricuda.com/makupi. The functional model determined maturity in information security and produced relevant organizational specific report.