178

requirements and privileges from e-records inception to disposal (Charles Darwin University 2017).

Security classification thus, dictates the access controls that should or must be applied to e-records to guarantee their security. From the literature reviewed access control is vital, since it helps to protect the assets of the organisation, prevention of illegal entry, enhancement of staff safety, reduction of security cost and facilities management among others. ISO 15489-2 (2001) asserts that the development of appropriate categories of access rights and restrictions is based on the organisation's regulatory framework analysis, business activity analysis and threat assessment where reasonable security and access will depend on both the nature and size of the organisation as well as the content and value of the information requiring security.

Access requirements must be considered to ensure access restrictions and/or access privileges. For instance, there are a variety of devices that can be installed to provide an input for authorised users to open a door or access a specific device, for example, users access cards, keypad input, and biometric information. E-records access controls/restrictions may include among others secure log-in credentials and process, access rights to the approved system, additional levels of security that may be applied to specific records within the system, and level of access (Charles Darwin University 2017; National Archives of Malaysia 2015; ISO/IEC 2014; ISO 2001). The findings indicated that the nature of the business activity determines access status, the role played and individuals’ ranking in the university or department. The findings thus, provide a positive attribute that the university practices access control. Unfortunately, the university did not have an access policy to provide directions and guidance on sensitive matters like a user permission register and how the distinction is made on user rights and privileges. The literature reviewed indicated that access policies and or user permission registered are vital and are ways of giving proper directions and or prosecuting those who go against the restrictions.

179

understanding of the business process and functions of the organisation. The assessment should be able to identify, quantify and prioritise potential e-records security threats against defined criteria for threat acceptance and objectives relevant to the organisation (City University of Hong Kong 2016; ISO/IEC 2013). Findings indicated that threat assessment in the university was achieved through both internal and external audits on the university business processes and that during the process the auditors identify threats to e-records, though it was not adequate in terms of frequency and absence of e-records security policy. The guiding issues on threat included new technologies and their challenges, a document that describes the available information systems, system functions, and boundaries, information about hardware and software, reports from both internal and external audits, self-evaluation, monitoring and through performance contract and quality assurance reports and information about the critical or vital records of the university. The findings from questionnaires generated mixed reactions with most of the respondents (63, 53.4%) indicating that the University never carry out threat assessments. Additionally, 18 (15.3%) reported that assessment is done once per semester, 15 (12.7%) indicated that assessment is done annually and 14 (11.9%) said it is done biannually. Only 8 (6.8%) specified that assessment is done twice per semester.

The evolution and advancement in ICT have brought with it benefits and threats to the technologies, devices used and information generated in equal measure. Though ICT infrastructure does not solve the problem of managing e-records security, availability of ICT is the essential underlying factor for managing e-records (Asogwa 2012; IRMT 2009). The findings indicated that Moi University experiences a number of threats. Foremost, is the lack of a proper e-records management programme to guide the development of policy and procedure in matters of e-records security. Lack of policies and lack of implementation of cascaded regulatory frameworks is also a threat that the university is experiencing. E-records security management at universities should operate within the framework of policies, rules, and procedures that give guidance to practice. The purpose of clear policies and procedures is to provide an environment conducive to proper e- records security. The policies are vital in an environment such as the universities, where the responsibility of e-records security management is distributed among the individual units with little or no centralised control (Bigirimana et al. 2015; Kyobe et al. 2009). The failure to capture and preserve e-records in eastern and southern African institutions of higher education have been attributed to the lack of policies and procedures among other factors (Kemoni 2008; Wamukoya

180

and Mutula 2005). These vital documents allow and help employees to understand their roles concerning the activities stipulated. Their absence indicates that there are no guiding principles and consequently personnel may act with negligence due to ignorance and or lack of awareness, and therefore end up deleting, unauthorised use and illegal sharing or leakage of e-records. This may lead to the university being denied justice in the event of a court case. The findings concur with the literature reviewed where authors, for almost three decades have decried the lack or inadequate policies and procedures in many institutions (Maseh 2015; Lappin 2013; Mutula 2013;

Wamukoya 2013; Williams 2013; Asogwa 2012; IRMT 2011; Nengomasha 2009; Kaekopa 2007;

Moloi and Mutula 2007; Makhura and Ngulube 2005; Sejane 2005; Wamukoya and Mutula 2005;

Wamukoya 1996).

The findings also indicated that personnel were also among the significant threats to e-records security; it was revealed that information leakage and sharing was on the rise including sharing of access privileges and passwords, staff collusion in manipulation and modification of e-records including student marks, stealing of computers and storage devices among others. The literature reviewed indicated that e-records are more vulnerable to undetected alteration, unauthorised disclosure of information, improper or careless handling, accidental erasure or mislabeling of storage devices and physical damage to hardware and software (Raaen 2017; Africa Cybersecurity report 2016; Greizter 2014; Ernest and Young 2013; Bey 2012; Dean 2012; Ngoepe et al. 2010;

Parker 2002; Parker 1998). Parkerian Hexad Model warns that employees are the primary or most prominent threat to e-records because they understand the technology and the e-records created and received as they are the creators. They sometimes accidentally delete files, enter inaccurate information, save over the wrong files, or edit the wrong files (Parker 2002). The findings further indicated that cyberspace has brought out challenges including cybercriminals (hackers and crackers) who as new technologies emerge, they concurrently or immediately invent and discover new ways to tap in the new technologies with the intention to steal and corrupt e-records for their benefit; thus, hurting organisations’ reputation. Also, cyber-attacks including viruses and worms were widely mentioned in the findings as a threat to e-records and the computer system that host them and storage devices. The literature reviewed showed that the globalisation process and the internet revolution has influenced cyberspace across national and international borders making it a complex challenge for any government to address issues of e-records security (Kenya Cybersecurity report 2016; Ministry of ICT, Kenya, 2014; Omotosho and Emuoyibofarhe 2014).

181

Cyber-attacks have become more organised and more expensive to the economies pausing potential risk and damage to the government administration and the private sector. The attacks include, but are not limited to network-based attacks, social engineering, threats to physical security, attacks targeted to specific applications, information theft and cryptographic attacks (North Atlantic Treaty Organisation (NATO 2010).

According to Kenya Cybersecurity report (2016), between 2012 and 2016 there has been a rapid change in technology and cybersecurity landscapes. According to the report in 2012 cybercriminals were opportunistic compared to 2016 when they are more focused and targeted with their skills. For instance, the literature indicated that the ransomware attack, which affected developed countries and few African countries, targeted organisations’ employees (Symantec special report 2016). Similarly, Kaspersky lab report (2016) noted that ransomware attacks increased where the service sector was prominently the most affected business sector at 38% of organisational infections. Manufacturing sector followed with 17% along with real estate and public administration at 10%. Looking at the two reports, Moi University being a service institution is a potential victim and therefore highly targeted.

Kenya Cybersecurity Report (2016) laments that, while there are high levels of investments in technology and automated processes in government services and private sector, there was no matching investment in cyber threat prevention tools. The report further indicates that 96% of the organisations surveyed spend less than USD 5,000 annually or none at all on cybersecurity-related products.