Although Kenya was not among the countries affected by the WannaCry attack, it lost USD 21 million to cyber-attacks in 2017 alone, while in 2015 and 2016 Kenya lost USD 150 million and USD 175 million respectively (Kenya Cyber Security Report 2016). According to a 2016 Kenya cybersecurity survey, the rate of cybercrime in Kenya is increasing. Most of the respondents (70.6%) had experienced cybercrime in one way or another; of these, 34% experienced it through work and 66% at a personal level. Furthermore, network security threats are spread over the internet and are witnessed frequently, while their management is less advanced (Raaen 2017; Kenya Cyber Security Report 2015; Ministry of ICT, Kenya 2014; Mishra 2011; Yeh and Chang 2007). A lack of intrusion protection and detection to monitor network or system activities for malicious and unauthorised activity results in network security threats. These threats may include, but are not limited to, social engineering (obtaining confidential network security information through non-technical means, such as posing as a technical support person and asking for people's passwords); Trojan horse programs (delivery vehicles for destructive code which appear to be harmless or useful software programs, such as games); access attacks (which exploit network vulnerabilities in order to gain entry to e-mail, databases or the corporate network); denial-of-service attacks (which prevent access to part or all of a computer system); and unauthorised access.
extend access or privileges to material posted to its information technology resources, consistent with the policy, applicable law or the outcome of university disciplinary processes, and irrespective of the originating access point. Asogwa (2013) corroborates this point, stating that only authorised persons should have access to e-records, thus preventing information from being stolen or damaged. This practice ensures the protection of privacy and confidentiality and prevents the inappropriate disclosure of information that could harm the organisation or infringe the privacy rights of individuals if records are not adequately managed.
Organisations are increasingly choosing not only to create records electronically, but also to store, retrieve and use them in computerised form for long periods (IRMT 1999). As presented in the review of literature in sections 3.5 and 3.5.1, controls must therefore be applied from the outset if e-records are to be secured as reliable sources of information over time. Moreover, because the control of e-records depends upon technology, records professionals must become more aware of how different technologies work and how they affect records and record-keeping.
When management chooses to put in place measures for e-records security, it does so by implementing one or more types of controls. For instance, it may use administrative or procedural controls, which consist of approved written policies, procedures, standards and guidelines (Mishra 2011; ISO 2001). ISO (2001) explains that the objective of the policy should be the creation and management of authentic, reliable and usable records, capable of supporting business functions and activities for as long as they are required. These procedural controls form the frameworks for running the business and managing people. They inform people how the business is to be run and how day-to-day operations are to be conducted, and the policies should be communicated and implemented at all levels. Policy development has been emphasised by many scholars as key to good e-records management, because policies clearly set out the organisation's expectations regarding individuals' roles and responsibilities, ownership, access control and security classification, among others (Ambira 2016; Maseh 2015; Bigirimana et al. 2015; Asogwa 2013; Erima 2013; Kyobe et al. 2009; Kemoni and Ngulube 2008; Wamukoya and Mutula 2005).
Mishra (2011) and ISO (2001) further explain that laws and regulations created by government bodies are also a type of administrative control, because they inform the organisation. They include, for example, Kenya's records management procedures manual for the public service (2010), the constitution and the cybercrime bill, which provide guidelines on e-records security management. The administrative controls may also include the university security policy, ICT policy, password policy, hiring policy and disciplinary policies. Logical controls, or technical controls, are also measures used to protect against unauthorised access (Mishra 2011; ISO 2013). The logical controls may include the use of software and data to monitor and control access to information and computing systems.
These may include passwords, antivirus software, network- and host-based firewalls, network intrusion detection systems, access control lists, data encryption and the principle of least privilege.
Besides these, physical controls are also used to protect e-records against unauthorised access. Such physical controls help monitor and control the environment of the workplace and computing facilities. They also monitor and control access to and from such facilities. The physical controls may include doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks and separation of duties.
Security and records professionals need to focus on establishing security situational awareness within their respective organisations, that is, the regular, repeatable development and communication of the organisation's knowledge of its people, ICT infrastructure, threats, incidents and vulnerabilities (Kenya Cyber Security Report 2015). The Kenya Computer and Cybercrime Bill (2017) warns that a person who causes, whether temporarily or permanently, a computer system to perform a function by infringing security measures, with intent to gain access and knowing that such access is unauthorised, commits an offence and is liable on conviction to a fine not exceeding five million Kenya shillings or imprisonment for a term not exceeding three years, or both.
3.5.1 Measures to protect intranet against external and internal cyber-attacks
The Internet is a mechanism for information dissemination and a medium of collaboration and interaction between individuals and their computers without regard to geographical location. It embodies a critical underlying technical idea, that of open-architecture networking, where the choice of any individual network technology is not dictated by a particular network architecture but can instead be selected freely by a provider and made to interwork with other networks through a meta-level internetworking architecture. Consequently, in open-architecture networking, an individual network may be separately designed and developed, and each may have its own unique interface, which it may offer to users and other providers, including other internet providers.
Similarly, each network can be designed in accordance with the specific environment and user requirements of that network (Mishra 2011; Leiner et al. 1997).
Most organisations, especially institutions, use extranets and intranets, both of which are private. An extranet is a private network that uses internet protocols (IP), network connectivity and possibly the public communication system to securely share part of an organisation's e-records and other information or operations with suppliers, partners, customers or other businesses (it is extended to users outside the company). An intranet, which is of interest to this study, is a private network that uses IP, network connectivity and perhaps the public telecommunication system to securely share part of an organisation's e-records and other information or operations with its employees. In addition, it acts as a core management tool that streamlines practices and provides a means of resource and knowledge sharing, visibility and marketing, and management, and also acts as a daily messaging channel to help drive the business effectively among employees, departments and units worldwide (Marja 2011; Gupta 2007; Cutlip et al. 2006).
Intranets are designed to permit users who have access privileges to access the intranet of an organisation. Within an intranet, web servers are installed on the network and browser technology is used as the common front end to access information on servers, such as financial, graphical or text-based data (Daya 2014). Being private and accessed only by authorised users may give the impression that the intranet is secure. However, that is not the case, as it requires sophisticated cybersecurity measures to protect it against external and internal cyber-attacks. Cybersecurity comprises the measures put in place to protect e-records and other assets from compromise, theft or loss by a determined external attacker or an insider threat within the organisation (Australian Government 2017). The measures may include, but are not limited to:
Establish role-based access controls and implement system logging: role-based access control grants or denies access to network resources based on job functions. This limits the ability of individual users, or attackers, to reach files or parts of the system they should not access. Permissions should therefore be based on the level of access each job function needs to perform its duties, and the organisation should work with human resources to implement standard operating procedures that remove the network access of former employees and contractors. Besides, limiting employee permissions through role-based access controls can facilitate the tracking of network intrusions or suspicious activities during an audit (NIST Computer Security Resource Center 2018; WaterISAC 2016; Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) 2013).
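The measure above combines three things: permissions tied to job functions, a leaver procedure that removes the access of former staff and contractors, and a system log that an auditor can search for suspicious activity. The following added example (not code from the thesis or any of the cited sources) models all three for a small e-records system; the roles, users and record types are constructed for illustration.

```python
# Added example (not the thesis's own code): role-based access control (RBAC) for an
# e-records system, logging every decision so an audit can spot suspicious activity.
# Roles, users and record types are constructed for illustration.
from datetime import datetime, timezone

# Each job function gets only the (resource, action) pairs it needs to do its work.
ROLE_PERMISSIONS = {
    "records_officer": {("student_record", "read"), ("student_record", "write")},
    "lecturer": {("student_record", "read")},
    "contractor": {("student_record", "read")},
    "auditor": {("student_record", "read"), ("audit_log", "read")},
}

class RBAC:
    def __init__(self):
        self.user_roles = {}   # user -> role; None once deprovisioned
        self.log = []          # system log reviewed during audits
    def assign(self, user, role):
        self.user_roles[user] = role
    def deprovision(self, user):
        # HR leaver procedure: former employees and contractors lose all access.
        self.user_roles[user] = None
    def check(self, user, resource, action):
        role = self.user_roles.get(user)
        allowed = role is not None and (resource, action) in ROLE_PERMISSIONS.get(role, set())
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                         "role": role, "resource": resource, "action": action,
                         "decision": "ALLOW" if allowed else "DENY"})
        return allowed
    def suspicious(self, threshold=2):
        """Users with `threshold`+ denials, plus any activity from an account with no role."""
        denials = {}
        for e in self.log:
            if e["decision"] == "DENY":
                denials[e["user"]] = denials.get(e["user"], 0) + 1
        flagged = {u for u, n in denials.items() if n >= threshold}
        flagged |= {e["user"] for e in self.log if e["role"] is None}
        return sorted(flagged)

def demo():
    rbac = RBAC()
    for user, role in [("alice", "records_officer"), ("bob", "lecturer"), ("carol", "contractor")]:
        rbac.assign(user, role)
    results = [rbac.check("alice", "student_record", "write"),  # True
               rbac.check("bob", "student_record", "write"),    # False: read-only role
               rbac.check("bob", "audit_log", "read"),          # False: outside job function
               rbac.check("carol", "student_record", "read")]   # True while engaged
    rbac.deprovision("carol")
    results.append(rbac.check("carol", "student_record", "read"))  # False after leaving
    return results, rbac.suspicious()   # ([True, False, False, True, False], ['bob', 'carol'])
```

Repeated denials from one account and any attempt by a deprovisioned account both surface in the audit helper, which is the kind of tracking the text says role-based controls make possible.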
Use only strong passwords, change default passwords and consider other access controls: use strong passwords to keep systems and information secure, and have different passwords for different accounts. Passwords should have at least eight characters, because longer passwords are stronger. Including uppercase and lowercase letters, numerals and special characters will strengthen passwords too (United States Computer Emergency Readiness Team (US-CERT) security tips ST04-002 2018; US-CERT security tips ST05-012 2018; Microsoft 2017; WaterISAC 2016).
Develop and enforce policies on mobile devices: the proliferation of laptops, tablets, smartphones and other mobile devices in the workplace presents significant e-records security challenges. The mobile nature of these devices means they are potentially exposed to external, compromised applications and networks and to malicious actors. Furthermore, contributing to this challenge is the increasing trend of organisations allowing employees to use their personal electronic devices for work purposes, known as the "bring your own device" (BYOD) phenomenon (United States Computer Emergency Readiness Team (US-CERT) 2017; Microsoft 2017; US Department of Commerce, National Institute of Standards and Technology (NIST) 2016; WaterISAC 2016; US Department of Commerce, National Institute of Standards and Technology (NIST) 2013).
Maintain an accurate inventory of control system devices and eliminate any exposure of the equipment to external users: this involves prohibiting a foreign machine on the internet from communicating directly with a machine on the organisation's network. A thorough assessment of the system should be conducted frequently (WaterISAC 2016; Glantz and Landine 2012; Gupta 2007).
Implement network segmentation and apply firewalls by classifying and categorising ICT assets, e-records and personnel into groups and then restricting access to these groups: access to network areas can be restricted by isolating them entirely from one another. Creating network boundaries and segments empowers an organisation to enforce both detective and proactive controls within its infrastructure (WaterISAC 2016; Kumar and Malhotra 2015).
Use secure remote access methods: the ability to connect remotely to a network can add a great deal of convenience for the end user. However, a secure access method such as a virtual private network (VPN) should be used if remote access is required (WaterISAC 2016; Microsoft 2009).
Other measures may include, but are not limited to, the issuance and use of digital certificates or similar means of authentication, encryption of messages, inventories of authorised and unauthorised devices, inventories of authorised and unauthorised software, and secure configurations for hardware and software on laptops, workstations and servers (WaterISAC 2016; Kumar and Malhotra 2015; Glantz and Landine 2012; Gupta 2007).
3.6 E-records confidentiality, integrity, availability, authenticity, possession/control and