Strategies for sound e-records security management

describing aspects of the organisation’s record policies or practices. According to the Kenya public (2010) and ISO (2001), organisation, ministries, public institutions should employ personnel with professional qualification and should ensure that they continuously organise training in order to improve their competencies, knowledge, skills, attitudes, and ability to assimilate new technology to enable them to undertake the reforms in the records management function effectively and efficiently. Despite this directive, many scholars and authors have lamented about the inadequacy of appropriate competencies and skills in e-records management and security management in organisations and institutions (Musembe 2015; Ngoepe 2014; Nengomasha 2013; Erima 2013;

Asogwa 2012; Sichalwe, Ngulube, Stilwell 2011; IRMT 2009; Kemoni 2008; Kemoni and Ngulube 2008; Wamukoya and Mutula 2005; Katuu 2004). Fourteen years ago International Council of Archives maintained that e-government services delivered using ICTs, will be compromised unless the issue of capacity building is addressed, noting that failure to address this issue could lead to reduced government effectiveness, increased operating costs, gaps in recorded memory, reduced public access to entitlements, erosion of rights, and weakened capacity for decision making (ICA 2004).

Kemoni (2009) asserts that to manage the e-records effectively in the East, Central and Southern Africa region, there is the need for governments and directors of National Archives within the region to implement recommendations proposed by various records and archives management researchers, scholars and practitioners. These recommendations include developing and implementing relevant records management policies and procedures, staff training in ICT skills, adopting e-records models, records and archives department working closely with ICT departments, upgrading ICT skills of staff, legislation to protect e-records, providing adequate funding for e-records management, using appropriate document management strategies and investing in more ICT infrastructure (Nengomasha 2009; Kaekopa 2007; Kemoni 2007;

Wamukoya and Mutula 2005).

In order to strengthen e-records security management in an organisation, it is essential to understand and rank threats in order to give priority accordingly to the threats and the systems that create/receive, store, maintain, process and transmit the e-records. There are several security strategies that can be employed to safeguard e-records such as installing and updating virus software, using firewalls, authenticating access, using security software, encryption, and use of public key (Ngulube 2010; Magi 2008; Katuu 2004). Tasmanian Archives and Heritage Office (2015) adds that physical security, password creation and protection, intrusion detection and prevention security classification labeling, encryption, security shredding and information security awareness as measures that can be used to protect e-record assets. The government of New Wales notes that it is essential for the universities to back up e-records on a regular basis to safeguard against loss of information due to equipment malfunction, human error, or other disasters. The backup routine should target the most critical e-records. Bennett (2011) adds that organisations should consider digital signatures, encryption of portable storage media, backup of the records and cloud computing as a records security measure. Kabata (2013) in his study on outsourcing records storage to the cloud, challenges, and prospects for African records managers and archivists, opined that, in a cloud environment, storage of records or information is outsourced to a third party provider and accessed by the organisation through a network connection. The author further states that established cloud providers dedicate resources to improve their network and application security process. They use defensive measures such as patch management, hardening of virtual instances and virus scanning, which can be implemented quickly across the cloud provider's infrastructure through use of virtualisation and automation which allows replication of security.

During the year 2017, the government of Kenya enacted the computer and cybersecurity bill to provide for offenses relating to computer systems; to enable timely and effective detection, investigation and prosecution of computer and cybercrimes to facilitate international cooperation in dealing with computer and cybercrime matters; and for the connected purpose.

In addition, audit trail is a security strategy that should be applied to ensure that procedures are being followed, controls are applied correctly, and a record is preserved and accessible. Audit trails provide a chronological record of system activities that document the sequence of changes and activities that impact records such as changes to record content and context (ISO 2001). However, ICA (2008) is of the opinion that audit trails should be captured for all actions on the system and any changes to records must be documented. Besides, security should be enforced at all levels of e-records processing, folder, and system levels. It should also be enforced across the online information transmission lines to protect the records against online threats like eavesdropping and information hijacking.

As explained in section 3.7 capacity building, competencies and skills are strategies to threats in e-records security, and personnel are known to be the weakest link in e-records security management chain and continue to pose the greatest security threat to e-records. Despite having in place sophisticated hardware and software security, most organisations including Moi university seem unable to stem employee against sharing of passwords, making conscious or unconscious errors, deleting, altering, opening folders over the other, and posting confidential information on social media (Marutha 2016; Asogwa 2012; Bey 2012; Parkerian model 1998). For this reason, training and awareness should be mandatory and given priority regularly. Besides, vetting of staff, incentives, sanctions, and penalties should be implemented as a way of enhancing e-records security management (Kenya Computer and Cybercrime Bill 2017; Kenya Cyber Security Report 2015; Parker 2002). Standards, policies, and regulations are also essential strategies in ensuring e- records security management to enhance the creation and management of authentic, reliable and usable records (ISO 2001). Ngoepe et al. (2010) add that an effective policy framework can form the basis for policy guidelines aimed at fighting cybercrimes, controlling access to information, planning for business continuity, complying with legal and policy requirements, developing and maintaining in-house software, controlling e-records transaction, detecting and responding to information security incidents and classifying information.

Additionally, organisations should develop and enforce policies and guidelines on e-records security management including creation and maintenance, access, access control, access privileges, security classification, appraisal, retention, and disposal (Marutha 2016; Asogwa 2012;

Marutha 2012; Mishra 2011; Sichalwe et al. 2011). ISO (2001) sums that organisations should ensure that the policies are communicated and implemented at all levels in the organisation (ISO 2001).

Dalam dokumen E-records security management at Moi University, Kenya. (Halaman 101-104)