Newsletter 2020 Edition


CONTENTS

03 Foreword
04 Board Members
05 Leadership Insights: Ibrahim Gathungu, CISA, CCNA, CEH, Head, Information Cyber Security Policy Regulation at Standard Chartered Bank, UK
07 Huawei Develops Cyber Secure Technologies Based on Technologies and Standards, Not Politics
10 Cyber Resilience: A New Perspective on Cybersecurity
13 CommunITy Day
15 SheLeads Tech
17 Agile Auditing
18 Top Scorers
The 2020 Virtual Conference
Reaping ISACA Membership Benefits
A Review of ISACA KE 2020 Events
21 2021 Calendar of Events

Editorial Team

David Ouma Oloo
Fredrick Endeki
George Njuguna
Martin Kilungu
Gladys Mwangi
Diana Koech

Foreword

Raymond Kiprotich Bett, CISA, CISM, CRISC, CSXF
President

The year 2020 has heralded a new normal in light of the global pandemic. As a chapter we have had to quickly adapt and be agile in our undertakings. We would like to thank you for taking time to read our newsletter.

What we have seen is that our members who were used to in-person events quickly adapted to the online events that we offered. This has seen us hold two purely virtual conferences with great speakers from both locally and abroad. Our annual general meeting was held online, with elections, as were the majority of our trainings.

Behind the scenes, as a board we have been working on the next strategy for the chapter, which will see us adopt our key pillars of membership, professional development and advocacy. We have also been reviewing our bylaws, which we shall soon present to our members for adoption.

While the future remains uncertain, we have gone ahead to plan for 2021, which will see us introduce a hybrid of virtual and in-person events. We expect to have an in-person conference whose theme will be "Enabling the Digital Age Beyond the Curve". Virtual talks and a hybrid of in-person and virtual trainings will also be held in 2021.

Even as we come to terms with how this year has been, one way to look at it is survival, and for that we thank our membership for sustaining us and ensuring that our operations continued without any glitches. Our partners have also continued to support us and we look forward to greater collaborations in the near future.

Enjoy the insights in this newsletter provided by our members and our partners.

We wish you a Merry Christmas and a Happy New Year, and we look forward to working with you in the new year.

2020 TO 2021 BOARD LINE UP

Board members: RAYMOND K. BETT (President), BONIFACE ASILIGWA, MERCY OMOLLO, FREDRICK O. OUMA, GLADYS KIMANI, MARTIN KILUNGU, PAULA M. KIGEN, VERONICA ROSE (Advocacy Director), PRESTON ODERA, DENIS M. MUTINDA.

Board positions: President, Vice President, Secretary, Treasurer, Immediate Past President, Advocacy Director, Certification Director, Membership Director, Special Programs Director, Chief Executive Officer.

Leadership Insights

Ibrahim Gathungu, CISA, CCNA, CEH
Head, Information Cyber Security Policy Regulation at Standard Chartered Bank, UK.

How would you describe the person you are? (in brief)

I am a jovial person, a husband, father and a born again Christian. Career wise, I am a cyber security professional.

Give us a brief of your career progression

Education: For High School, I was in Moi Forces Academy, then joined USIU where I studied Bachelor of Science in Information Systems & Technology and minored in Networking. I have also done professional certifications: CISA, CCNA, CEH, and ISO 27001.

Career: I started off as an intern in the High Court of Kenya within the library section, then moved to Ernst & Young - Kenya for 4 years. Initially I was in the Networking & System administration capacity, then midway through I switched to consulting. I had a mentor at EY who guided me, and this was a great foundation for me.

I left EY and joined Safaricom's Internal Audit function doing systems audit and I was involved in many projects. After Safaricom I joined PwC - Kenya where I led the Information & Cyber Security Consultancy unit.

I then left Kenya in 2016 and went to the United Kingdom and joined Deloitte as a Manager within their Cyber Security practice.

After 2 years I joined Standard Chartered Bank - UK, initially as Senior Manager within the Information and Cyber Security Governance Policy & Risk Team with a key focus on Policies & Controls, then recently moved into the role of Head, Information Cyber Security Policy Regulation.

What does your role as Head, Information Cyber Security Policy Regulation at Standard Chartered Bank entail? What is it like working in a foreign country?

I lead Information Cyber Security Policy Regulation across the group, covering 60 countries. My role entails looking at all the regulations within these countries and aligning them to the company policy.

Working in a foreign country is great in that you get to experience different ways and approaches of work and also experience different cultures from all over the world. My biggest lesson is proactivity.

What is your motivation? i.e. What drives you?

My motivation is to drive any solution driven approaches that make change stick in an organization. I am an optimistic person; I believe that in adversity there is opportunity.

How do you spend your time outside work?

I spend a lot of time with my family. I look forward to going hiking and camping after the COVID-19 lockdown. I enjoy the outdoors! One of the activities I do indoors is drawing.

What is the best book you have ever read? What are you currently reading?

The book that stands out is Outliers by Malcolm Gladwell; there are some life lessons I learnt there that have been instrumental to my foundation.

At the moment I am listening to various Podcasts.

You have been an active member of ISACA, how has this benefited you?

ISACA has enabled me to network. The talks from different speakers in Government, Corporate & Business formed a great synopsis of the principles I wanted to apply.

If you were to start all over again, what would you do differently?

There is nothing I would do differently. Contentment is a great gift. I am content and I look for ways I can further myself in my current circumstances.

What's next for you in your work, where do you see yourself on the horizon?

My trajectory is to land in a Risk role, which I am currently doing, but I would like to diversify. I am in a season where I am learning new skills. I want to continue investing in new skills, diversifying from cyber security to other risk types so that I can lead a fully-fledged Risk function.

What would you count as your biggest accomplishments?

At different stages, different things. The birth of my son changed my perspective about life. Earlier on in my career I won employee of the year 2008, and this motivated me.

Do you have any key mentors who have influenced your choices in life?

Yes, my first mentor was a partner at EY, Mr. John Geita. Earlier this year I reached out to all my mentors to appreciate them. From what they have shared with me I have also been able to mentor others.

Based on your experience, which initiatives would you advise ISACA Kenya Chapter to undertake in order to enhance its growth?

Regulatory conversations with the issuers for different industries to ensure they push for best practice.

How do you balance your job demands and family life?

I have a family and am deliberate with my time. I balance my calendar to include my personal commitments.

What is your advice to younger ISACA members and upcoming Professionals?

I would ask them to figure out their purpose and source of wisdom early. These two principles have been fundamental to my career and have given me focus.

Within ISACA, use the opportunities given to your advantage for your career, as this platform gives you access to senior individuals within the sector.

What would you say is the biggest lesson life has taught you so far?

We have to be deliberate with the resources that are placed in our hands. It's good to dream, even if you can't tell where life will take you, and some things will fall into place because you dreamt big!!!

Tell us about your lowest moment in life?

This was in 2013 when we lost our first baby through a miscarriage. Seeing my wife going through the turmoil was painful, but I had to be the pillar of strength during the tough time, and God is faithful that we were healed through that process.

What is your parting shot?

Keep God first, Keep your focus, Be flexible!!

THANK YOU

Huawei Develops Cyber Secure Technologies Based on Technologies and Standards, Not Politics

By Huawei Technologies Vice President - Mika Lauhde

According to experts, the fifth generation of the mobile network is already one of the most important technologies of this decade and it will become even more important in the future. Unfortunately, the successful development of 5G in many states has been slowed down by US sanctions against Huawei, one of the major providers of new network equipment, motivated by unsubstantiated charges of espionage and theft of personal data. To dispel doubts, Mika Lauhde, vice president of cyber security and privacy at Huawei Technologies, explains why the company's 5G infrastructure could improve national cybersecurity.

Cybersecurity is very important to all of us, because we are living in an era where information and data is the most valuable asset. Data is now more expensive than oil, for obvious reasons. That's why we are so protective of our data privacy and personal information. Mika Lauhde explains that cyberattacks are a potential threat to each of us: wide-scale viruses and phishing can be targeted at large audiences of mobile device users, but criminals can also attack specific companies or individuals to harm their businesses or even create problems for governments. So, it's very important to focus more on developing and producing cyber secure technologies rather than fighting for power and making cyber security a political issue.

Providing a new approach to cybersecurity and national confidentiality

Mika Lauhde points out that information security is like an onion: it has multiple layers. Mostly people might think that technology is everything, but that is only one layer and, actually, sometimes the easiest one. People are forgetting that ecosystem ownerships, patents, regulations, laws, directives, cyber strategies, processes, standard operating procedures and best practices, all the way to cyber diplomacy, are equally important, and sometimes more challenging.

Huawei's goal is to provide a new approach to cybersecurity and national confidentiality, thereby enhancing every country's digital sovereignty. "We comply with all applicable African and European legislation, and have looked at some legal aspects in a far more responsible manner than other 5G network equipment companies," says Mika Lauhde.

Huawei's 5G networking equipment allows States to use their own encryption algorithms, the encryption keys of which are not available to outsiders or to other governments; only local mobile operators are allowed to decrypt when legally required to do so. Thus, Huawei does not have access to data which is flowing through Huawei's equipment, and this is part of Huawei's strategy of supporting the national data sovereignty of each country.

The Importance of Standards in Cyber Security

Huawei advocates and promotes the establishment of cyber security Standards that are globally recognized and agreed upon. Huawei believes that trust needs to be based on facts, facts need to be verifiable, and verification needs to be based on common Standards. By using industry practices, certification is the most effective way to address security issues. Certification is verification that everyone has been reading the Standards in the same way, and it therefore also guarantees interoperability. This means that equipment from different vendors can work seamlessly together. Therefore, Huawei has been taking several actions in this area:

(1) Huawei has established a sustainability management system based on International Organization for Standardization (ISO) standards, and passed third-party certification to ensure that Huawei's R&D and production processes are trustworthy.

(2) Huawei has established an information security management system based on the ISO 27000 series of standards and passed the ISO 27001 Standard Certification.

(3) Huawei has established a supply chain security management system based on the ISO 28000 standards, as well as the TAPA and C-TPAT requirements; passed the ISO 28000 certification (Chinese Supply Center, European Supply Center, and Mexican Supply Center); and obtained C-TPAT membership.

(4) Huawei has optimized its development and supply chain management practices by referring to the Open Trusted Technology Provider Standard (OTTPS) and is conducting the OTTPS certification.

(5) Huawei has incorporated internationally recognized cyber security certification standards and requirements, such as CC and FIPS, into product R&D, and actively invites third-party labs to certify Huawei products. As of April 2019, Huawei had already obtained 242 product security certificates, including 43 CC certificates, 6 CC EAL4+ certificates, 20 FIPS certificates, and 15 PCI certificates.

5G Security

5G faces security challenges and opportunities brought by new services, architectures, and technologies, as well as higher user privacy and protection requirements, but it is good to recognize the fact that 5G is the most secure telecommunications standard that the industry has developed so far. The 3rd Generation Partnership Project (3GPP) SA3 has comprehensively analyzed 5G threats and risks in 17 security areas: security architecture, authentication, security context and key management, radio access network (RAN) security, security within NG-UE, authorization, subscription privacy, network slicing security, relay security, network domain security, security visibility and configurability, credential provisioning, interworking and migration, small data, broadcast/multicast security, management security, and cryptographic algorithms.

Key assets of 5G networks include users' personal data and communication data, hardware and software: assets of wireless and core networks, computing resource assets, as well as accounts, passwords, logs, configurations, and charging data records (CDRs), which are operated and maintained by operators, not equipment vendors. Hackers attack wireless networks in an attempt to steal and tamper with users' personal data or compromise the availability of networks or computing resources. Equipment vendors work together with operators to make this more difficult for hackers by implementing 3GPP specifications: "The SUPI should not be transferred in clear text over NG-RAN except routing information, e.g. Mobile Country Code (MCC) and Mobile Network Code (MNC)." The Packet Data Convergence Protocol (PDCP) can be used for the air interface and IPsec for transmission to guarantee the confidentiality and integrity of users' personal data. 5G gNodeBs, however, face wireless signal interference on external air interfaces and attacks on protocols to compromise service availability. Some 5G core network elements, such as UDM, process and store users' personal data. As a result, 5G core networks face breaches of users' personal data as well as attacks to compromise resource availability. Because the central equipment rooms for core network deployment generally adopt high-level security protection, the risks of malicious intrusion can be effectively mitigated.

In 2019, Huawei released a 5G Security white paper that describes the industry standards, Huawei's approaches, and joint efforts of industry partners. This 5G security white paper can be downloaded here https://www.huawei.com/uk/trust-center/5g-cyber-security and focuses on the following:

• Why is 5G secure? How do experts from industry and standards organizations ensure that 5G security risks can be effectively managed in terms of security protocols and standards as well as security assurance mechanisms?

• Why is Huawei 5G secure? What technical approaches has Huawei adopted to ensure cyber security of Huawei equipment?

• How to ensure 5G cyber security, including Huawei's support for cyber resilience and recommendations on how to deploy and operate 5G networks in a secure manner.

• How to continuously improve the 5G security level from the perspectives of different stakeholders in order to address future challenges.

• A call for stakeholders to work together to ensure that 5G security risks are controllable.

Huawei believes in strong African digital independence, competitive mobile networks and a level playing field for all market players. Having strong Standards-based approaches to security and privacy is critical to doing that. Security is a journey, not a destination. Therefore, Huawei walks together with governments and operators now and in the future of this journey.

Cyber Resilience: A new perspective on Cybersecurity

From the onset of the COVID-19 pandemic, organizations have found themselves at the forefront of forced digitalization as the routine suddenly changed from working in an office environment to remote work. Threat actors have been working overtime to take advantage, with increased rates of phishing and ransomware noted in recent months. As people continue to work from home and organizations move to hybrid business models, Cyber Resilience has arisen as a critical component for the steadiness and efficiency of organizations.

There is no single authoritative definition for Cyber Resilience. What can aptly describe this lack of a universally agreed-upon description is a preference to adhere to 'the spirit of the law' rather than 'the letter of the law.' According to a recent whitepaper by Swiss Re Institute, titled Cyber Resilience ESG Reporting: Transparency Imperative or Security Nightmare, Cyber Resilience is defined as "an organization's ability to sustainably maintain, build and deliver intended business outcomes despite adverse cyber events. Organizational practices to achieve and maintain cyber resilience must be comprehensive and customized to the whole organization (i.e. including the supply chain). They need to include a formal and properly resourced information security program, team, and governance that are effectively integrated with the organization's risk, crisis, business continuity, and education programs."

Cyber Resilience is imperative and critical for all businesses regardless of size, financial turnover, or number of employees. With technology now an integral part of everyday life, and many tasks already transitioned from the analog to the digital space, it is now more important than ever to protect our digital footprints and presence from continuously evolving cyber-threats. For cybercriminals, everybody is a potential target. Organizations are beginning to realize that it is no longer a matter of if they will be attacked but rather when. They need to ensure that security is at the core of everything they do.

The common cyber threats in Kenya as per the Communications Authority's National Kenya Computer Incident Response Team Coordination Centre (KE-CIRT/CC) are:

• Cybercrime
• Botnets
• Social Engineering
• Ransomware

Notable mentions go to Risk Management and Business Continuity and Disaster Recovery.

For an organization to be said to be cyber resilient in Kenya, it must, at the bare minimum, prepare for, defend against, and recover from the above.

Cyber Resilience relies on People, Process, and Technology. With the right balance of the three, any organization can attain sufficient cyber resilience. It is a collaborative approach, involving key stakeholders in the organization and extending to customers, suppliers, and partners that have a clear understanding of the critical assets associated with information. To achieve a sufficient level of successful cyber resiliency, any entity first needs to understand the information it holds and prioritize what needs to be protected, all with business profitability in mind.

To work towards cyber resilience, an organization can implement an elaborate and strategic blueprint commonly referred to as a Cyber Resilience strategy, which is the ideal scenario. However, in the interim, an organization can take the following steps:

• Ensuring Endpoint Protection
• Data Encryption and Backup
• Multi-Factor Authentication (2FA)
• Training all users on cybersecurity awareness periodically

One thing to keep in mind is that Cyber Resilience is not a remedy for cyberattacks; it is about readiness and preparedness that will see an organization recover faster with minimal interruptions.

Ken Kimani, Channel Manager at ESET East Africa

For more than 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET's high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real-time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security compa-

ENJOY SAFER TECHNOLOGY™

ISACA CommunITy Day

What is ISACA CommunITy Day?

It is a day on which ISACA Chapters and staff exemplify ISACA's purpose, promise, and values with a day of service around the world. Not only do we help individuals realize the positive potential of technology, but together, we help people recognize the positive potential of ISACA's global society.

ISACA Chapters around the globe organize local activities. Some opportunities may be directly applicable to the business technology profession, while others may simply be making the world a better place.

ISACA Kenya members participated in the 2nd Annual CommunITy Day on 3rd October 2020. The activities this year were different due to the COVID-19 Pandemic challenges of physical distancing, working remotely and juggling shifting schedules and priorities. The members came together both online and in person to volunteer in the CommunITy Day activities at Thika School for the Blind, Kiambu County and Heritage of Faith and Hope Children's Home in Mlolongo, Machakos County by giving donations.

The day at Heritage of Faith and Hope Children's Home in Mlolongo started off with a tour of the institution by the members present, where they got to see "ISACA", the calf born on the inaugural ISACA CommunITy Day. Thereafter other members joined online and the program for the day started with welcoming remarks by the Heritage of Faith and Hope Children's Home, followed by introductions and remarks by the principal at the home and the ISACA Kenya President. The members interacted with the children and took many photos! The Chapter presented a donation of Kshs. 100,000 from members' generous donations, and onsite a member (Paul Gimsay of United Nations) donated Kshs. 50,000. Other donations to the home included CommunITy t-shirts for the children, shopping, clothes, food stuffs and a sack of oranges.

The program at Thika School for the Blind, Kiambu County started off with the online session, where we had welcoming remarks from the Deputy Principal, Thika High School, followed by introductions and thereafter remarks by the principal, teachers and students at the school. We also had remarks by the ISACA Kenya CEO and the Vice President. The Chapter presented a donation of Kshs. 100,000 from members' generous donations. The members present were then taken on a tour of the computer lab for the blind and interacted with the children and took photos.

The day was a great success and the ISACA Kenya Board appreciates all the members for their generosity and support.

Following is a collage of photos from the day.

  • TechLeads

    Kenya Chapter

    Introduction.

    SheLeadsTech is a global ISACA Program that seeks to increase the representation of women in technology leadership roles and the tech

    workforce. The program was launched in Nairobi in October 2018 byMs Jo Stewart -Chair, Women’s Leadership Advisory Council and Alisha

    Wenc – Manager, Corporate Programs. Both Jo and Alisha represented ISACA global during the event.

    The program seeks to engage, empower and elevate women in technology. This is anchored on the three pillars and activities indicated below:-

    This year started well and we had a lot of plans to continue with active engagement of our members and beyond through in-person events. We

    managed to do this in the first quarter of the year, however we had to quickly adopt and engage more through online platforms as a result of the

    COVID-19 Pandemic. Through online engagement we are able to have a wider reach with our programs and activities as we have been able to

    engage with other chapters on their activities despite not being able to meet physically.

    Newsletter 2020 Edition

    15

    SheLeadsTech

    Raising Awareness

    Write a blog post

    Share your story

    Host an event

    Be an ally

    Preparing to Lead

    Join a board

    Attend a SheLeadsTech

    event

    Speak at a conference

    Be a mentor

    Building Global Alliances

    Be a voice for change

    Participate in a day of advocacy

    Know your government

    officials

    Share our calls to action on your

    social media

  • By Diana Koech - Communications Committee Member

    What have we done so far?

    Since January to date we have engaged our audiences through the

    following SheLeadsTech Events i.e.

    Widening your GRC Career Path - This was a webinar facilitated

    by Dr. Nancy Onyango sharing on how members can continue

    to add value to business and widen their careers from one

    specific GRC related area. The event took place on 27th August

    2020.

    Cybersecurity Governance – In collaboration with Shehacks

    Kenya, we organized a session to give back to the student

    community interested in Cybersecurity and members of

    Shehacks Kenya. We organized a webinar on 27th July 2020

    where Elizabeth Ochieng’, Regional Associate Director – IT,

    Deloitte Kenya presented on Cybersecurity Governance.

    Transforming ICT Audit in the Digital Disruption Age - This online

    event took place on 27th of May 2020. Our presenters were Urvi

    Patel, Partner Risk Advisory Delloitte East Africa and Grace

    Mburu, the Executive Director .

    SheLeadsTech Online Webinar on Leadership in the time of

    COVID-19. This was an event held on 15th May 2020 that saw

    various ISACA Chapters in Africa collaborate. The speakers were

    all female leaders drawn from various ISACA Chapters.

    Online Webinar Technology Mentorship Session – The Jomo

    Kenyatta University of Agriculture and Technology (JKUAT)

    Technology and Engineering Students invited SheLeadsTech for

    a mentorship session. The online event took place on 8th May

    2020 and the speakers at this event included Noureen Njoroge

    – Security Threat Intelligence Engineer and CISCO Systems and

    President of North Carolina Women in Cybersecurity, Boniface

    Asiligwa – Head of IT Security at KENTRACE and Chairman of

    ISACA’S Education Committee, Veronica Rose – Advocacy

    Director and Dorine Nalo, the SheLeadsTech Liaison. The

    students were excited and learnt a lot and are looking forward to

    more collaboration in future.

    Succeeding Through Emotional Intelligence- This talk was

    delivered by Mr. Stephen Olieka who has extensive experience in

    Human Resource both in Technology and non-Technical fields.

    The breakfast talk was held on 25th January 2020 at Nairobi

    Safari Club.

    Through collaboration with other SheLeadsTech Liaisons within

    ISACA, the Kenya Chapter members were also invited to the following

    SheLeadTech events

    A day in the Life of a Shecurity Researcher - A webinar organized

    in September 2020 by ISACA Accra Chapter and Presented by

    Marcelle Lee, a Senior Security Researcher at Secureworks.

    A day in the Life of a Security Professional – This online event

    was organized by the ISACA London chapter with various

    speakers on 22nd September 2020.

    Key Achievements for our Women in Tech MembersDuring the year we have also seen some of our members and women

    in technology make significant achievements.

    Elizabeth Ochieng - has been an active member of the chapter

    and has participated a lot in our events. Beyond that she was

    recently appointed as the CISA CRISC and CGEIT Chief Trainer

    following a rigorous process both locally and with APMG.

    What are our Future Plans?

    We intend to continue engaging with women in technology across the

    divide and across borders. We would also like many of our members

    to participate in our activities and so sensitization will continue even as

    we expand our engagement. We are also keen to collaborate in this

    endeavor as ISACA cannot achieve the objectives of the program on

    its own and therefore we also intend to take SheLeadsTech to various

    organizations by holding talks and events.

How can you be part of this?

There are many ways that you can be part of this program:

1. At an organization / institution level - You can reach out to us to have a SheLeadsTech event in your organization.

2. At a personal level - You can plug into our events and participate.

3. Volunteer to speak at a conference, deliver a talk or conduct training.

Conclusion

SheLeadsTech is a program focusing on women, but we also need men as our allies in this journey, and therefore men are also welcome to participate in our events. We believe that this program is not just about women in technology but addresses the general skills gap we are observing in technology. Together we can bridge the gap!


    Dorine Nalo, CISA CDPSE

    SheLeadsTech Liaison


    Veronica N. Rose, CISA

    Advocacy Director & Founder

    Encrypt Africa

Getting started with Agile Auditing

Before we dive deeper into Agile auditing, I would like you to understand what it is all about. Agile Audit is the mindset and method that an Internal Audit Function (IAF) uses to focus on the needs of stakeholders, accelerate the audit cycles, provide timely insight and reduce the waste of resources. By applying an Agile method, the productivity and added value of the IAF can be increased and the lead time of an audit can be reduced.

As internal auditors, we have been advocating for going agile: being flexible, adaptive and fast. We are increasingly turning to the agile methodology to achieve this shift in approach, because an agile approach is helping internal audit functions become more strategic, increase efficiencies and be more effective overall. This has the added benefit of increasing our value as trusted advisors within the organization.

Internal auditors always work to identify, assess and respond to risk, both the risks that present opportunities and those that could be disadvantageous to the health of the organization. In the same regard, the agile audit process keeps our fingers on the pulse of the organization so we can adapt quickly to change.

However, while the concept of agile audit is not new, it is often seen as an all-or-nothing approach and too disruptive in itself to fully adopt. Yet it is agile auditing's distinctive flexibility that allows internal auditors to adopt its practices step by step, rather than all at once.

Most auditors who are familiar with traditional SDLC controls recognize that some of the Agile values conflict with the more established methodology. Traditional controls are typically implemented "after the fact" and rely heavily on documentation, neither of which works well with Agile methodologies. To help close the gap between their knowledge of traditional models and the Agile method, internal auditors should acknowledge that agile audit is aimed at enhancing their work. By following this approach, auditors can help the team, and the organization, execute its compliance responsibilities effectively while making sure not to erode the value of Agile methodologies.

Why Agile Audit is important to the audit function

Here is what to consider when adopting Agile Auditing:

1. The focus is on continuous prioritization of focus areas, thereby providing relevant insight, i.e. it safeguards audit quality.

2. Agile audit shortens the audit cycles and delivers (sub-)products faster.

3. It encourages more interaction between the audit team and the audit client, which improves the management of expectations and increases the involvement of the audit client.

4. The approach of the audit itself is very flexible.

Internal Audit should shift in the following ways:

1. From publishing huge reports after a long period of auditing to timely reporting, as a way of enabling business units to address issues as they arise.

2. From rigidly planned activities (static audit plans) to quick iterative activities and continuous auditing.

3. From perfect communication after a long process to frequent and interactive communication with audit clients during the process.

4. From establishing roles in a hierarchical system to empowered roles in a more flexible system.

5. From following pre-set plans to responding to emerging needs and addressing issues with management as they arise.

6. From auditing internal audit resources to resourcing audits and projects.

7. From control of the audit process to transparency in the audit process.

8. From looking for faults in business processes to identifying and reporting facts in a timely manner.

Last thoughts

Internal audit functions should focus on adding value in terms of business alignment and governance. Understanding a project's objectives, as well as the risks associated with the project methodology, helps enhance the value internal audit can deliver. This can be achieved by engaging the teams early enough to be on the same page and so better understand and control risk.

The main aim of adopting an agile audit should be based on the idea that audit teams remain lean and flexible, rely more on technology or on skills borrowed from other parts of the organization, and produce slimmer, more visually designed reports that address deeper, current and strategic risks.


A Review of ISACA KE 2020

ISACA Kenya began 2020 with great ambitions, with plans to hold our flagship event, our Annual Conference, with a theme on Insights and Trends Shaping the Future of Business.

Before we could convene, the future of business as we knew it was interrupted by COVID, and we promptly switched gears to adapt and work with our members and stakeholders in embracing technologies and solutions that could support remote working.

We were able to host a good number of webinars (workshops, evening talks and a Mini-Conference) where our speakers tackled various insightful topics.

We also successfully carried out a CGEIT training with the newly refreshed content, and we look forward to seeing an increase in the number of members with this qualification.

We were also glad to see a big number of our members qualifying, based on experience and skills, for the new privacy certification, Certified Data Privacy Solutions Engineer (CDPSE).

Through our strategic partner and stakeholder, the ICT Authority of Kenya, we were able to arrange awareness workshops in:

- Cybersecurity,
- Data Analytics, and
- IT Audit.

These enabled us to hold half-day sessions with over 2000 participants, some of whom went on to pursue the respective certifications. We also held a successful Mini-Conference in November, in which over 100 people participated.

While the year has been challenging in some aspects, we look forward to the continued education of our members through different avenues. There have been many lessons in the year 2020, but never before has information security been as important, especially due to the adoption of remote working.

We encourage our members to keep an eye on our website and on communication from our secretariat to be informed of upcoming training sessions.


Top Scorers for ISACA Exams (JAN - JUNE 2020)

Exam  | Ranking | Full Name
CGEIT | 1       | Ms. Christine Lilian Muhongo, CISA, CISM, CGEIT, CRISC
CISA  | 1       | Mr. Mumo Mutisya, CISA
CISA  | 2       | Mr. Jeffery Mwaura Kirumba
CISA  | 3       | Mr. Andrew Muhoro
CISM  | 1       | Mr. Pascal Mavyuva Mutulu
CISM  | 2       | Mr. Edwin Wanyama Ngero, CISM
CISM  | 3       | Emmon Langat, CISM
CRISC | 1       | Mr. Victor Muhia
CRISC | 2       | Mr. Sammy Thiong'o Gichuhi, CISA, CISM
CRISC | 3       | Sharone Achieng Otieno, CRISC


    Gladys Kimani, CISA CISM

    Certification Director

The 2020 Virtual Conference

This year's mini conference, whose theme was Insights and Trends Shaping the Future of Business, was well attended, with 104 delegates drawn from different sectors, and ran for two days from 11th November to 12th November 2020. Key speakers drawn from both the local and the global arena gave presentations in their areas of specialty. ISACA members earned a cool 12 CPE hours.

Some of the speakers for the conference were:

In his opening remarks, the CEO of ISACA Kenya, Mr. Preston Odera, welcomed delegates and thanked them for enrolling for the conference. He assured attendees that the chapter has made sure that trainings and conferences will continue despite the pandemic. He encouraged non-members to join and enjoy member benefits, and to participate in chapter events to keep abreast of the latest happenings around the globe.

Delegates had a unique opportunity to learn from a rich line-up of speakers and industry experts from the region and beyond, who shared the latest insights in the world of cyber security, audit, emerging technologies and governance, among other related topics.

The conference accorded attendees an opportunity to join their peers in the industry to learn and deliberate on the latest insights and trends shaping the future of business. Emceeing the conference were former chapter president Mr. Dennis Mutinda, CISA, and chapter Certifications Director Ms. Gladys Kimani, CISA, CISM, on day 1 and day 2 respectively. Panel discussions were featured at the end of each day's presentations, with SheLeadsTech Liaison Ms. Dorine Nalo, CISA, CDPSE, and former Vice President Mr. Antony Muiyuro, CISA, CRISC, CDPSE, also an Associate Director, Cyber Security, Privacy & Trusted Tech at EY.

Giving his closing remarks, ISACA Kenya Vice President Mr. Boniface Asiligwa, CISA, CISM, CRISC, CGEIT, thanked the speakers for sharing their insights on the conference theme and the participants for taking part. Other events are being organized by the chapter and more information will be communicated in due course.


Some of the topics discussed include:

- Cybersecurity Amidst Covid-19 in Kenya: Perspective for the Regulator
- Creating Secure 5G and IoT Ecosystems
- Cybersecurity Strategies for Effective Business Engagement
- Customer Experience and the Impetus of Data
- Implementing Data Analytics and Selecting Key Risk Metrics
- Managing Third Party Risks using COBIT and NIST Cybersecurity Framework


Reaping ISACA Membership Benefits

Research has shown that professional associations position their members to succeed and thrive in their areas of specialization, whether in formal employment or otherwise. Such associations are a resource members can draw upon to enhance their skills, expand professional connections and experience a vibrant local, regional and, most times, global community of colleagues.

In ISACA, members can explore a wide range of member programs, educational opportunities, authoritative publications and discounted products. These go a long way in enhancing the quality of their work. Through hands-on trainings on various tools, frameworks and methodologies, including Computer Assisted Audit Tools (CAATs), professionals are able to advance and sharpen their skills.

By joining ISACA, professionals, especially those in mid-management and at entry level, set themselves apart for future leadership. ISACA does not require a CISA or a degree in ICT to join, only interest and the will to prepare for a successful career in a digital age.

ISACA provides various benefits to members, including:

Community and Leadership

- Leadership Opportunities - You can serve on the ISACA board and committees, help author or review ISACA research publications, write certification exam questions, etc.
- Speaking opportunities to share during conferences, workshops and seminars.
- Opportunities for mentorship, benefiting both mentors and mentees (coming soon).

Professional Development

- Conferences and Training - Member discounts on more than 20 events annually.
- Free CPE - ISACA certified members can earn over 60 FREE CPEs per year.
- CISA, CISM, CGEIT and CRISC certification at member discounted prices for exam and materials.

Research and Knowledge

- Bookstore - Member discounts on ISACA publications and research papers.
- Downloads - Members-only research discounts on preferred materials.
- Knowledge Center - Exclusive access to one convenient online location where members can access professional knowledge. Network, learn and exchange ideas globally with peers through communities, shared interest groups, discussions and document sharing.
- Standards - Easy access to ISACA's Auditing Standards, Guidelines and Procedures.

Martin Kilungu, CISA, CISM, CRISC, CEH

Membership Director - ISACA Kenya Chapter

Join @ www.isaca.org/Membership


2021 Calendar of Events

Columns: Topic | Thematic Area | Date | Duration | Event | Venue | Cost KShs including 16% VAT (Members) | Cost KShs including 16% VAT (Non-members) | CPE hours

Q1 2021

Awareness session - Demystifying IT Governance Roles in a Dynamic Business Environment | Governance | 21st January | 2 hours | Evening talk 18:00 - 20:00 | Virtual | 500 | 650 | 2
CISO Roundtable - Enterprise Cybersecurity Architecture in the Digital Age: Navigating Cybersecurity Leadership Challenges | Cybersecurity | 26th January | 3 hours | Morning Talk 09:00 - 12:00 | Virtual | 750 | 900 | 3
IT Auditing for Beginners | Audit | 8th - 12th February | 5 days | Training | Naivasha | 72,000 | 78,000 | 35
SheLeads Tech Talk | SheLeadsTech Soft Skills | 18th February | 2 hours | Morning Talk 09:00 - 11:00 | Virtual | Free | Free | 1
Applying Data Analytics in Audits (Data-driven Audits) | Data Analytics | 10th March | 1 hour | Lunch Talk 13:00 - 14:00 | Virtual | Free | Free | 1
CSX University Boot camp | CSX Exposure | 15th to 19th March | 2 hours per day | Evening 18:00 - 20:00 | Virtual | - | - | 10
Cybersecurity - Hands-on Training | Cybersecurity | 22nd - 26th March | 5 days | Workshop | Mombasa | 72,000 | 78,000 | 35

Q2 2021

Coast Circuit (19th - 20th April, 2 days)
Pre-Annual Conference: Track #01 - Cybersecurity: Cloud Security; Track #02 - Audit Workpaper Automation; Track #03 - IT Governance: Board of Directors Perspectives into the Future | - | 19th - 20th April | 2 days | Pre-Conference | Mombasa | 45,000 | 50,000 | 14
Annual Conference: Theme - "Enabling the Digital Age Beyond the Curve" | - | 21st - 23rd April | 3 days | Conference | Mombasa | 52,000 | 58,000 | 21
Dark Data and its Impact on the Audit Function | Audit | 6th May | - | Lunch Hour Talk 13:00 - 14:00 | Virtual | Free | Free | 1
IT Auditing (Technical) | Audit | 10th - 14th May | 5 days | Training | Kisumu | 72,000 | 78,000 | 35
Risk Management in Cloud Sourcing | GRC | 20th May | 2 hours | Evening talk 18:00 - 20:00 | Virtual | 500 | 650 | 2
CISM Review | Security Management | 24th - 28th May | 5 days | Training 17:00 - 20:00 | Virtual | 12,500 | 15,500 | 15
CISA Review | Audit | 24th - 28th May | 5 days | Training 17:00 - 20:00 | Virtual | 12,500 | 15,500 | 15
ISACA Kenya Annual General Meeting | Administrative | 29th May 2021 | 1 day | - | Virtual/Physical | - | - | 3
SheLeadsTech | - | 3rd June | - | Evening Talk | Virtual | Free | Free | 2
Boot camp - Nairobi/Mt Kenya Region | - | 9th - 11th June | 3 days | Workshop | Nairobi | 3,000 | 5,000 | 21
Data Analytics Training (Hands on) | - | 14th to 18th June | 5 days | Hands on Workshop | Mombasa | 72,000 | 78,000 | 35
Hands-on Hacking - Red Team / Blue Team | Cybersecurity | 21st - 25th June | 5 days | Workshop | Mombasa | 72,000 | 78,000 | 35

Q3 2021

Building an Agile Internal Audit Function | Audit | 8th July | 2 hours | Evening Talk 18:00 - 20:00 | Virtual | 500 | 650 | 2
IOT and AI in the Cyber-sec Landscape | Emerging Tech | 22nd July | 3 hrs | Breakfast Talk 9:00 - 12:00 | Virtual | 750 | 900 | 3
Data Analytics and Tools (Financial) | Data Analytics | 2nd - 6th August | 5 days | Training | Mombasa | 72,000 | 78,000 | 35
Designing and Implementing Pragmatic Risk-based Solutions | GRC | 19th August | 2 hours | Evening Talk 18:00 - 20:00 | Virtual | 500 | 650 | 2
Developing Privacy Strategies & Roadmap Aligned with Business Strategies | Data Privacy | 2nd September | 1 hour | Lunch Talk 13:00 - 14:00 | Virtual | Free | Free | 1
SheLeadsTech Half Day Conference | - | 15th September | 5 hours | Half Day Conference 9:00 - 13:00 | Virtual | 1,000 | 1,500 | 5
IT Auditing (Financial) | Audit | 20th - 24th September | 5 days | Training | Mombasa | 72,000 | 78,000 | 35

Q4 2021

ISACA Community Day | - | 2nd October | Half Day | Community Day | - | - | - | -
Culture and Ethics as Drivers of IT Governance Effectiveness | GRC | 14th October | - | Evening Talk 18:00 - 20:00 | Virtual | 500 | 650 | 2
Bootcamp - Nyanza Universities | - | 24th - 25th October | 3 days | ISACA Awareness / SheLeadsTech | - | - | - | -
Pre-GRC Conference: Track #01 - Business Continuity: Role of the Board; Track #02 - COBIT or CGEIT Review; Track #03 - Project Management: Board and Senior Management Roles | - | 25th - 26th October | 2 days | Pre Conference | Kisumu | 45,000 | 50,000 | 14
GRC Conference | GRC | 27th - 29th October | 3 days | GRC Conference | Kisumu | 52,000 | 58,000 | 21
Evolving security and privacy of enterprise data | Information Security | 12th November | - | Evening Talk 18:00 - 20:00 | Virtual | 500 | 650 | 20
CRISC Review | - | 23rd - 25th November | 5 days | Virtual 09:00 - 13:00 | Virtual | 20,000 | 25,000 | 12
Facilitating Digital Transformation with Integrated Risk Management | - | 3rd December | 3 hours | Breakfast Talk 9:00 - 12:00 | Virtual | 3,500 | 4,000 | 3
ERP Auditing: Hands-on | - | 14th - 17th December | 4 days | Workshop | Mombasa | 50,000 | 55,000 | 28