Universities in the world today consider information to be their most important asset. They therefore ensure information security by taking appropriate measures to ensure no information is leaked or passed to unauthorized users hence compromising its confidentiality, integrity and availability. This the universities should do by ensuring that they have proper infrastructure, policies and standards which are in compliance with the international best practices. The aim of this study was to investigate information system security implementation in public universities in Kenya. Different security challenges and controls; information security policies and frameworks were evaluated in the literature review. The specific objectives of the study were: To identify information security challenges in public universities, to establish the effect of organizational security policies on information system security implementation, to establish the effect of security controls on information system security implementation and to determine the effect of security management practices on information system security implementation. The study used the business model for information security (BMIS). A descriptive survey that targets information security professionals was carried out in four public universities in western Kenya. The population of the study consisted of ICT directors, network administrators, web administrators, user support technician and computer lab technician in the selected universities. Quantitative data was collected from a sample of 39 information management team within universities in western Kenya region which were purposively selected to form the study size. Descriptive statistics was used for data analysis. The results were presented using tables. The study established that cybercrime is on the increase in public universities. The empirical findings from study highlight that information security should be a continuous process since security challenges keep evolving. Regular audits on Information security systems should be conducted in public universities to establish whether the security functionalities put in place are working as intended. Regular audits will support the institutions to accomplish their goals.