Partial fulfillment for award of Master of Science in Information Technology (MSIT)

While Information security is a major concern in the private sector, many public institutions have not given it equal attention. However, the Government has taken keen measures on embracing ICT, but the concentration has been on the productivity and efficiency leaving the systems vulnerable to various attacks. This research was intended to find out information security vulnerabilities in public institutions that are likely to be exploited to cause harm to Information systems. The security controls existing were evaluated to find out their efficiency, effectiveness and applicability. Different types of information security risks were researched with an aim of classifying them to risk levels accordingly. The study sought to find out how information systems are monitored in Teachers Service Commission (TSC) as a case study of public institutions. The research documented information systems, threats and associated risks with a view of proposing interventions to minimize impacts of risks. The research was done using action research to study the system and concurrently to collaborate with members of the system who helped come up with the framework. It focused on observation and structured interviews in gathering information about the present existing condition. Secondary data was also gathered from TSC in the form of documentation analysis and from literature review. The study presents a framework for mitigating information systems security in public organizations which describes the steps to manage systems vulnerabilities as part of dealing with information systems risks. The framework includes system identification to provide an overview and basic understanding of the system and its interconnections. Additionally, the framework includes scanning system threats and vulnerabilities, and the resulting risks levels and the management of the vulnerabilties which contains recommended safeguards to reduce the system’s risk exposure to an acceptable risk level once the recommended safeguards are implemented. Monitoring and of review of vulnerabilities should be carried out to evaluate the information systems in response to new vulnerabilities and technologies. While the study appreciates that no system can be made absolutely secure, the results led the researcher to conclude that defining information systems enables organizations to implement proper security measures on them. Mitigating system vulnerabilities helps organizations to decrease possible damage and loss due to Information Systems security attacks.This framework is therefore recommended for use in public institutions for safegurding information systems.