Universities in the world today consider information to be their most important asset. They therefore ensure information security by taking appropriate measures to ensure no information is leaked or passed to unauthorized users hence compromising its security. To achieve this, universities should ensure that they have proper infrastructure, policies and standards which are in compliance with the international best practices. The aim of this paperestablished the effect of security controls on information system security implementation in public universities in Western Kenya. The study used the business model for information security. A descriptive survey that targets information security professionals was carried out in four public universities in Western Kenya. The population of the study consisted of ICT directors, network administrators, web administrators, user support technician and computer lab technician in the selected universities. Quantitative data was collected from a sample of thirty-nine information management team within chosen universities, which were purposively selected to form the study size. Descriptive statistics was used for data analysis and results were presented using tables. The study established that cybercrime is on the increase in public universities. The empirical findings from study highlight regular audits on Information security systems should be conducted in public universities to establish whether the security functionalities put in place are working as intended.