To Investigate the Strength of Existing Information Security Policies among SACCOS in Kenya

In April 2016, Bandari Savings and Credit Cooperative Society lost Sh5 million through fraudulent ATM withdrawals (Nation Newspapers, April 8, 2016). These examples demonstrate weaknesses that may exist from security breaches and incidents caused by people, processes, and technology. Ministry of ICT and CAK are lacking specific Information Security Models tailored towards SACCOS in Kenya. This study therefore sought to assess the strength of existing information security policies among SACCOS in Kenya. The study adopted descriptive studies. The unit of observation was 135 SACCOS registered with SACCO Societies Regulatory Authority (SASRA) while the unit of analysis was 270 ICT personnel working in the 135 targeted SACCOS. The study targeted the SACCOS heads of IT department. The study used Nassiuma (2000) formula to get a sample size of 85 respondents. Purposive sampling was further used in selecting study participants in every SACCOS who were considered to be knowledgeable of the variables under study. The study utilized questionnaire as the survey instrument to collect both quantitative and qualitative data. The pilot study sample was drawn from Egerton University SACCO Society Ltd, Skyline SACCO Ltd, Boresha SACCO Society Ltd, Cosmopolitan SACCO Society Ltd and Wareng Teachers SACCO Society Ltd. The study adopted descriptive statistics. Descriptive data was presented by use of frequency tables. The study concluded that breaches among SACCOS for the last two years as a result of hacking incident, natural disaster, and damage by disgruntled employee have been somewhat insignificant. The study further concluded that security incidents and breaches are under reported. From the conclusion the study concluded that SACCOS need to reinforce training of its employees and strengthen their policies to achieve enhance information security. To ensure the security of information systems and data, financial institutions should have a sound information security program that identifies, measures, monitors, and manages potential risk exposure.