Track: Information Technology and Information Systems
Abstract
This study was motivated by the fact that many organisations in Tanzania and Africa in general fails to meet security requirements suggested through ISO 27001 security standards, due to the lack of a credible cyber-security policy. The purpose was to develop the policy framework suitable in the management of the cyber-security in organisation level. Also, the study determined the compliance of selected cases for study to procedures for cyber policy formulation and review. The study used the qualitative approach. It engaged the literature in the conceptualisation of the study, used the discussion between researchers to formulate themes of the new cyber-security policy, used the focus group to improve the cyber-security policy framework, and used a survey questionnaire to study procedures and the formalisation of the cyber-security policy. Fifteen (15) organisation were represented in the survey, while ten (10) participants from six (6) organisations and four (4) countries were engaged in a focus group discussion. Both purposive and convenient methods were used in sampling. This study formulated a framework for cyber-security policy with seven themes: Data security, Internet and network services governance, uses of company owned devices, physical security, incident handling and reporting, monitoring and compliance, and policy administrative issues. Moreover, the study confirmed that few organisations engages stakeholders in policy formulation and conduct the policy review at the interval not exceeding three years. Moreover, many organisations uses cyber-security policies without the authorisation of the top authority of their organisation. The study recommends the formulation of a comprehensive cyber-security policy through the use of the Lubua’s cyber-security policy. Further to this, the policy formulation procedure must be inclusive, and guided by existing organisation guidelines. The maximum of three (3) years is recommended for policy review. The formalisation of the policy document must be approved by the top authority of the organisation.