Newsletter 2020 Edition
Ibrahim Gathungu, CISA, CCNA, CEH - Head, Information Cyber Security Policy Regulation at Standard Chartered Bank, UK.
CONTENT
Foreword .................................. 03
Board Members ............................. 04
Leadership Insights ....................... 05
CommunITy Day
The 2020 Virtual Conference
A Review of ISACA KE 2020 Events
SheLeads Tech
Agile Auditing
Top Scorers
Reaping ISACA Membership Benefits
2021 Calendar of Events

Editorial Team
David Ouma Oloo, Fredrick Endeki, George Njuguna, Martin Kilungu, Gladys Mwangi, Diana Koech
Foreword
Raymond Kiprotich Bett, CISA, CISM, CRISC, CSXF
President
The year 2020 has heralded a new normal in light of the global pandemic. As a chapter we have had to quickly adapt and be agile in our undertakings. We would like to thank you for taking time to read our newsletter.

What we have seen is that our members who were used to in-person events quickly adapted to the online events that we offered. This has seen us hold two purely virtual conferences with great speakers both locally and abroad. Our annual general meeting was held online, with elections, as were the majority of our trainings.

Behind the scenes, as a board we have been working on the next strategy for the chapter, which will see us adopt our key pillars of membership, professional development and advocacy. We have also been reviewing our bylaws and shall soon present them to our members for adoption.

While the future remains uncertain, we have gone ahead to plan for 2021, which will see us introduce a hybrid of virtual and in-person events. We expect to have an in-person conference whose theme will be "Enabling the Digital Age Beyond the Curve". Virtual talks and hybrid in-person and virtual trainings will also be held in 2021.

Even as we come to terms with how this year has been, one way to look at it is survival, and we thank our membership for sustaining us and ensuring that our operations continue without any glitches. Our partners have also continued to support us and we look forward to greater collaborations in the near future.

Enjoy the insights in this newsletter provided by our members and our partners.

We wish you a Merry Christmas and a Happy New Year, and we look forward to working with you in the new year.
2020 TO 2021 BOARD LINE UP
Board members: Raymond K. Bett (President), Bonface Asiligwa, Mercy Omollo, Fredrick O. Ouma, Gladys Kimani, Martin Kilungu, Paula M. Kigen, Veronica Rose (Advocacy Director), Preston Odera, Denis M. Mutinda.
Board positions: President, Treasurer, Special Programs Director, Advocacy Director, Chief Executive Officer, Immediate Past President, Certification Director, Membership Director, Vice President, Secretary.
Leadership Insights
Ibrahim Gathungu, CISA, CCNA, CEH
Head, Information Cyber Security Policy Regulation at Standard Chartered Bank, UK.

How would you describe the person you are? (in brief)
I am a jovial person, a husband, a father and a born-again Christian. Career-wise, I am a cyber security professional.

Give us a brief of your career progression.
Education: For high school I was in Moi Forces Academy, then joined USIU where I studied a Bachelor of Science in Information Systems & Technology and minored in Networking. I have also done professional certifications: CISA, CCNA, CEH and ISO 27001.

Career: I started off as an intern in the High Court of Kenya within the library section, then moved to Ernst & Young (EY) Kenya for 4 years. Initially I was in a networking and system administration capacity, then midway through I switched to consulting. I had a mentor at EY who guided me, and this was a great foundation for me.
I left EY and joined Safaricom's Internal Audit function doing systems audit, and I was involved in many projects. After Safaricom I joined PwC Kenya, where I led the Information & Cyber Security Consultancy unit.
I then left Kenya in 2016 and went to the United Kingdom, where I joined Deloitte as a Manager within their Cyber Security practice.
After 2 years I joined Standard Chartered Bank UK, initially as Senior Manager within the Information and Cyber Security Governance, Policy & Risk Team with a key focus on policies and controls, and recently moved into the role of Head, Information Cyber Security Policy Regulation.

What does your role as Head, Information Cyber Security Policy Regulation at Standard Chartered Bank entail? What is it like working in a foreign country?
I lead Information Cyber Security Policy Regulation across the group, covering 60 countries. My role entails looking at all the regulations within these countries and aligning them to the company policy.
Working in a foreign country is great in that you get to experience different ways and approaches of work, and also experience different cultures from all over the world. My biggest lesson is proactivity.

What is your motivation? i.e. What drives you?
My motivation is to drive solution-driven approaches that make change stick in an organization. I am an optimistic person; I believe that in adversity there is opportunity.
How do you spend your time outside work?
I spend a lot of time with my family. I look forward to going hiking and camping after the COVID-19 lockdown. I enjoy the outdoors! One of the activities I do indoors is drawing.
What is the best book you have ever read? What are you currently reading?
The book that stands out is Outliers by Malcom Gladwell, there are some life lessons I learnt there that have been instrumental to my foundation.
At the moment am listening to various Podcasts.
You have been an active member of ISACA, how has this benefited you?
ISACA has enabled me to network. The talks from different speakers in Government, Corporate & Business formed a great synopsis of the principles I wanted to apply.

If you were to start all over again, what would you do differently?
There is nothing I would do differently. Contentment is a great gift. I am content and I look for ways I can further myself in my current circumstances.

What's next for you in your work, where do you see yourself on the horizon?
My trajectory is to land in a Risk role, which I am currently doing, but I would like to diversify. I am in this season where I am learning new skills. I want to continue investing in new skills, diversifying from cyber security to other risk types so that I can lead a fully-fledged Risk function.

What would you count as your biggest accomplishments?
At different stages, different things. The birth of my son changed my perspective about life. Earlier on in my career I won employee of the year 2008; this motivated me.

Do you have any key mentors who have influenced your choices in life?
Yes, my first mentor was a partner at EY - Mr. John Geita. Earlier this year I reached out to all my mentors to appreciate them. From what they have shared with me I have also been able to mentor others.

Based on your experience, which initiatives would you advise ISACA Kenya Chapter to undertake in order to enhance its growth?
Regulatory conversations with the issuers for different industries to ensure they push for best practice.

How do you balance your job demands and family life?
I have a family and am deliberate with my time. I balance my calendar to include my personal commitments.

What is your advice to younger ISACA members and upcoming professionals?
I would ask them to figure out their purpose and source of wisdom early. These two principles have been fundamental to my career and have given me focus. Within ISACA, use the opportunities given to your advantage for your career, as this platform gives you access to senior individuals within the sector.

What would you say is the biggest lesson life has taught you so far?
We have to be deliberate with the resources that are placed in our hands. It's good to dream, even if you can't tell where life will take you, and some things will fall into place because you dreamt big!!!

Tell us about your lowest moment in life.
This was in 2013 when we lost our first baby through a miscarriage. Seeing my wife going through the turmoil was painful, but I had to be the pillar of strength during the tough time, and God is faithful that we were healed through that process.

What is your parting shot?
Keep God first, keep your focus, be flexible!!

THANK YOU
Huawei Develops Cyber Secure Technologies Based on Technologies and Standards, Not Politics
By Huawei Technologies Vice President - Mika Lauhde

According to experts, the fifth generation of the mobile network (5G) is already one of the most important technologies of this decade, and it will become even more important in the future. Unfortunately, the successful development of 5G in many states has been slowed down by US sanctions against Huawei, one of the major providers of new network equipment, motivated by unsubstantiated charges of espionage and theft of personal data. To dispel doubts, Mika Lauhde, vice president of cyber security and privacy at Huawei Technologies, explains why the company's 5G infrastructure could improve national cybersecurity.

Cybersecurity is very important to all of us, because we are living in an era where information and data are the most valuable assets. Data is now more expensive than oil, for obvious reasons. That's why we are very careful about our data privacy and personal information. Mika Lauhde explains that cyberattacks are a potential threat to each of us: wide-scale viruses and phishing can be targeted at large audiences of mobile device users, but criminals can also attack specific companies or individuals to harm their businesses or even create problems for governments. So it's very important to focus more on developing and producing cyber secure technologies rather than fighting for power and making cyber security a political issue.

Providing a new approach to cybersecurity and national confidentiality
Mika Lauhde points out that information security is like an onion: it has multiple layers. Mostly people might think that technology is everything, but that is only one layer and, actually, sometimes the easiest one. People are forgetting that ecosystem ownership, patents, regulations, laws, directives, cyber strategies, processes, standard operating procedures and best practices, all the way to cyber diplomacy, are equally important. And sometimes more challenging.

Huawei's goal is to provide a new approach to cybersecurity and national confidentiality, thereby enhancing every country's digital sovereignty. "We comply with all applicable African and European legislation, and have looked at some legal aspects in a far more responsible manner than other 5G network equipment companies," says Mika Lauhde.

Huawei's 5G networking equipment allows states to use their own encryption algorithms, the encryption keys of which are not available to outsiders or to other governments; only local mobile operators are allowed to decrypt when legally required to do so. Thus, Huawei does not have access to data flowing through Huawei's equipment, and this is part of Huawei's strategy of supporting the national data sovereignty of each country.

The Importance of Standards in Cyber Security
Huawei advocates and promotes the establishment of cyber security standards that are globally recognized and agreed upon. Huawei believes that trust needs to be based on facts, facts need to be verifiable, and verification needs to be based on common standards. By using industry practices, certification is the most effective way to address security issues. Certification is verification that everyone has been reading the standards in the same way, and it therefore also guarantees interoperability. This means that equipment from different vendors can work seamlessly together. Therefore, Huawei has been taking several actions in this area:

1. Huawei has established a sustainability management system based on International Organization for Standardization (ISO) standards, and passed third-party certification to ensure that Huawei's R&D and production processes are trustworthy.
2. Huawei has established an information security management system based on the ISO 27000 series of standards and passed ISO 27001 certification.
3. Huawei has established a supply chain security management system based on the ISO 28000 standards, as well as the TAPA and C-TPAT requirements; passed ISO 28000 certification (Chinese Supply Center, European Supply Center and Mexican Supply Center); and obtained C-TPAT membership.
4. Huawei has optimized its development and supply chain management practices by referring to the Open Trusted Technology Provider Standard (O-TTPS) and is undergoing O-TTPS certification.
5. Huawei has incorporated internationally recognized cyber security certification standards and requirements, such as Common Criteria (CC) and FIPS, into product R&D, and actively invites third-party labs to certify Huawei products. As of April 2019, Huawei had obtained 242 product security certificates, including 43 CC certificates, 6 CC EAL4+ certificates, 20 FIPS certificates and 15 PCI certificates.

Assets of wireless and core networks, computing resource assets, as well as accounts, passwords, logs, configurations and charging data records (CDRs), are operated and maintained by operators, not by equipment vendors. Hackers attack wireless networks in an attempt to steal and tamper with users' personal data or compromise the availability of networks or computing resources. Equipment vendors work together with operators to make this more difficult for hackers by implementing 3GPP specifications: "The SUPI should not be transferred in clear text over NG-RAN except routing information, e.g. Mobile Country Code (MCC) and Mobile Network Code (MNC)." The Packet Data Convergence Protocol (PDCP) can be used for the air interface and IPsec for transmission to guarantee the confidentiality and integrity of users' personal data. 5G gNodeBs, however, face wireless signal interference on external air interfaces and attacks on protocols that aim to compromise service availability. Some 5G core network elements, such as the UDM, process and store users' personal data. As a result, 5G core networks face breaches of users' personal data as well as attacks that aim to compromise resource availability. Because the central equipment rooms for core network deployment generally adopt high-level security protection, the risks of malicious intrusion can be effectively mitigated.

In 2019, Huawei released a 5G Security white paper that describes the industry standards, Huawei's approaches and the joint efforts of industry partners.

5G Security
5G faces security challenges and opportunities brought by new services, architectures and technologies, as well as higher user privacy and protection requirements, but it is good to recognize the fact that 5G is the most secure telecommunications standard that the industry has developed so far. The 3rd Generation Partnership Project (3GPP) SA3 has comprehensively analyzed 5G threats and risks in 17 security areas: security architecture, authentication, security context and key management, radio access network (RAN) security, security within NG-UE, authorization, subscription privacy, network slicing security, relay security, network domain security, security visibility and configurability, credential provisioning, interworking and migration, small data, broadcast/multicast security, management security, and cryptographic algorithms. Key assets of 5G networks include users' personal data and communication data, hardware and software.

The 5G security white paper can be downloaded from https://www.huawei.com/uk/trust-center/5g-cyber-security and focuses on the following:
• Why is 5G secure? How do experts from industry and standards organizations ensure that 5G security risks can be effectively managed in terms of security protocols and standards as well as security assurance mechanisms?
• Why is Huawei 5G secure? What technical approaches has Huawei adopted to ensure the cyber security of Huawei equipment?
• How to ensure 5G cyber security, including Huawei's support for cyber resilience and recommendations on how to deploy and operate 5G networks in a secure manner.
• How to continuously improve the 5G security level from the perspectives of different stakeholders in order to address future challenges.
• A call for stakeholders to work together to ensure that 5G security risks are controllable.

Huawei believes in strong African digital independence, competitive mobile networks and a level playing field for all market players. Having strong standards-based approaches to security and privacy is critical to achieving that. Security is a journey, not a destination. Therefore, Huawei walks together with governments and operators now and in the future of this journey.
Cyber Resilience: A New Perspective on Cybersecurity

From the onset of the COVID-19 pandemic, organizations have found themselves at the forefront of forced digitalization, as the routine suddenly changed from working in an office environment to remote work. Threat actors have been working overtime to take advantage, with increased rates of phishing and ransomware noted in recent months. As people continue to work from home and organizations move to hybrid business models, Cyber Resilience has arisen as a critical component of the steadiness and efficiency of organizations.

There is no single authoritative definition of Cyber Resilience. What aptly describes this lack of a universally agreed-upon description is a preference to adhere to "the spirit of the law" rather than "the letter of the law". According to a recent whitepaper by the Swiss Re Institute, titled Cyber Resilience ESG Reporting: Transparency Imperative or Security Nightmare, Cyber Resilience is defined as "an organization's ability to sustainably maintain, build and deliver intended business outcomes despite adverse cyber events. Organizational practices to achieve and maintain cyber resilience must be comprehensive and customized to the whole organization (i.e. including the supply chain). They need to include a formal and properly resourced information security program, team, and governance that are effectively integrated with the organization's risk, crisis, business continuity, and education programs."

Cyber Resilience is imperative and critical for all businesses regardless of size, financial turnover or number of employees. With technology now an integral part of everyday life, and many tasks already transitioned from the analog to the digital space, it is now more important than ever to protect our digital footprints and presence from continuously evolving cyber threats. For cybercriminals, everybody is a potential target. Organizations are beginning to realize that it is no longer a matter of if they will be attacked but rather when. They need to ensure that security is at the core of everything they do.

The common cyber threats in Kenya, as per the Communications Authority's National Kenya Computer Incident Response Team Coordination Centre (KE-CIRT-CC), are:
• Cybercrime
• Botnets
• Social Engineering
• Ransomware
with notable mentions of Risk Management, Business Continuity and Disaster Recovery.

For an organization to be said to be cyber resilient in Kenya, it must, at the bare minimum, prepare for, defend against and recover from the above.

Cyber Resilience relies on People, Process and Technology. With the right balance of the three, any organization can attain sufficient cyber resilience. It is a collaborative approach, involving key stakeholders in the organization and extending to customers, suppliers and partners who have a clear understanding of the critical assets associated with information. To achieve a sufficient level of cyber resiliency, any entity first needs to understand the information it holds and prioritize what needs to be protected, all with business profitability in mind.

To work towards cyber resilience, an organization can implement an elaborate and strategic blueprint commonly referred to as a Cyber Resilience strategy, which is the ideal scenario. However, in the interim, an organization can take the following steps:
• Ensuring endpoint protection
• Data encryption and backup
• Multi-Factor Authentication (2FA)
• Training all users on cybersecurity awareness periodically

One thing to keep in mind is that Cyber Resilience is not a remedy for cyberattacks; it is about readiness and preparedness that will see an organization recover faster with minimal interruptions.

For more than 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET's high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security compa-

ENJOY SAFER TECHNOLOGY™

Ken Kimani, Channel Manager at ESET East Africa
What is ISACA CommunITy Day?
It is a day that ISACA Chapters and staff exemplify ISACA’s purpose,
promise, and values with a day of service around the world. Not only
do we help individuals realize the positive potential of technology, but
together, we help people recognize the positive potential of ISACA's
global society.
ISACA Chapters around the globe organize local activities. Some
opportunities may be directly applicable to the business technology
profession, while others may be simply making the world a better
place.
ISACA Kenya members participated in the 2nd Annual CommunITy
Day on 3rd October 2020. The activities this year were different due to
the COVID-19 Pandemic challenges of physical distancing, working
remotely and juggling shifting schedules and priorities. The members
came together both online and in person to volunteer in the communi-
ty day activities at Thika School for the Blind, Kiambu County and
Heritage of Faith and Hope Children’s Home in Mlolongo, Machakos
County by giving donations.
The day at Heritage of Faith and Hope Children’s Home in Mlolongo
started off with a tour of the institution by the members present where
they got to see “ISACA” the calf born in the inaugural ISACA Commu-
nITy Day. Thereafter other members joined online and the program for
the day started with welcoming remarks by the Heritage of Faith and
Hope Children’s Home followed by introductions and remarks by the
principal at the home and the ISACA Kenya President. The members
interacted with the children and took many photos! The Chapter
presented a donation of Kshs. 100,000 from members' generous
donations, and onsite a member (Paul Gimsay of United Nations) donated
Kshs. 50,000. Other donations to the home included CommunITy
t-shirts for the children, shopping, clothes, food stuffs and a sack of
oranges.
The program at Thika School for the Blind, Kiambu County started off
with the online session where we had welcoming remarks from the
Deputy Principal Thika High School followed by introductions and
thereafter remarks by the principal, teachers and students at the
school. We also had remarks by the ISACA Kenya CEO and the Vice
President. The Chapter presented a donation of Kshs. 100,000 from
members’ generous donations. The members present were then
taken on a tour of the computer lab for the blind and interacted with
the children and took photos.
The day was a great success and the ISACA Kenya Board appreci-
ates all the members for their generosity and support.
Following is a collage of photos from the day
SheLeadsTech Kenya Chapter
By Diana Koech - Communications Committee Member

Introduction
SheLeadsTech is a global ISACA program that seeks to increase the representation of women in technology leadership roles and the tech workforce. The program was launched in Nairobi in October 2018 by Ms Jo Stewart, Chair, Women's Leadership Advisory Council, and Alisha Wenc, Manager, Corporate Programs. Both Jo and Alisha represented ISACA Global during the event.

The program seeks to engage, empower and elevate women in technology. This is anchored on the three pillars and activities indicated below:

Raising Awareness
• Write a blog post
• Share your story
• Host an event
• Be an ally

Preparing to Lead
• Join a board
• Attend a SheLeadsTech event
• Speak at a conference
• Be a mentor

Building Global Alliances
• Be a voice for change
• Participate in a day of advocacy
• Know your government officials
• Share our calls to action on your social media

This year started well and we had a lot of plans to continue active engagement of our members and beyond through in-person events. We managed to do this in the first quarter of the year; however, we had to quickly adapt and engage more through online platforms as a result of the COVID-19 pandemic. Through online engagement we are able to have a wider reach with our programs and activities, as we have been able to engage with other chapters on their activities despite not being able to meet physically.
What have we done so far?
From January to date we have engaged our audiences through the following SheLeadsTech events:

1. Widening your GRC Career Path - This was a webinar facilitated by Dr. Nancy Onyango, sharing how members can continue to add value to business and widen their careers from one specific GRC-related area. The event took place on 27th August 2020.
2. Cybersecurity Governance - In collaboration with Shehacks Kenya, we organized a session to give back to the student community interested in cybersecurity and to members of Shehacks Kenya. We organized a webinar on 27th July 2020 where Elizabeth Ochieng', Regional Associate Director - IT, Deloitte Kenya, presented on Cybersecurity Governance.
3. Transforming ICT Audit in the Digital Disruption Age - This online event took place on 27th May 2020. Our presenters were Urvi Patel, Partner, Risk Advisory, Deloitte East Africa, and Grace Mburu, the Executive Director.
4. SheLeadsTech Online Webinar on Leadership in the Time of COVID-19 - This was an event held on 15th May 2020 that saw various ISACA Chapters in Africa collaborate. The speakers were all female leaders drawn from various ISACA Chapters.
5. Online Webinar Technology Mentorship Session - The Jomo Kenyatta University of Agriculture and Technology (JKUAT) Technology and Engineering Students invited SheLeadsTech for a mentorship session. The online event took place on 8th May 2020 and the speakers included Noureen Njoroge, Security Threat Intelligence Engineer at Cisco Systems and President of North Carolina Women in Cybersecurity; Boniface Asiligwa, Head of IT Security at KENTRACE and Chairman of ISACA's Education Committee; Veronica Rose, Advocacy Director; and Dorine Nalo, the SheLeadsTech Liaison. The students were excited, learnt a lot and are looking forward to more collaboration in future.
6. Succeeding Through Emotional Intelligence - This talk was delivered by Mr. Stephen Olieka, who has extensive experience in Human Resources in both technology and non-technical fields. The breakfast talk was held on 25th January 2020 at Nairobi Safari Club.

Through collaboration with other SheLeadsTech Liaisons within ISACA, Kenya Chapter members were also invited to the following SheLeadsTech events:

1. A Day in the Life of a Shecurity Researcher - A webinar organized in September 2020 by the ISACA Accra Chapter and presented by Marcelle Lee, a Senior Security Researcher at Secureworks.
2. A Day in the Life of a Security Professional - This online event was organized by the ISACA London Chapter with various speakers on 22nd September 2020.

Key Achievements for our Women in Tech Members
During the year we have also seen some of our members and women in technology make significant achievements.

Elizabeth Ochieng' has been an active member of the chapter and has participated a lot in our events. Beyond that, she was recently appointed as the CISA, CRISC and CGEIT Chief Trainer following a rigorous process both locally and with APMG.

What are our Future Plans?
We intend to continue engaging with women in technology across the divide and across borders. We would also like many of our members to participate in our activities, and so sensitization will continue even as we expand our engagement. We are also keen to collaborate in this endeavor, as ISACA cannot achieve the objectives of the program on its own, and therefore we also intend to take SheLeadsTech to various organizations by holding talks and events.

How can you be part of this?
There are many ways that you can be part of this program:

1. At an organization/institution level - you can reach out to us to have a SheLeadsTech event in your organization.
2. At a personal level - you can plug into our events and participate.
3. Volunteer to speak at a conference, deliver a talk or conduct training.

Conclusion
SheLeadsTech is a program focusing on women, but we also need men as our allies in this journey, and therefore men are also welcome to participate in our events. We believe that this program is not just about women in technology but addresses the general skills gap we are observing in technology. Together we can bridge the gap!

Dorine Nalo, CISA, CDPSE
SheLeadsTech Liaison
Getting Started with Agile Auditing
By Veronica N. Rose, CISA - Advocacy Director & Founder, Encrypt Africa

Before we dive deeper into Agile auditing, I would like you to understand what it is all about. Agile Audit is the mindset and method that an Internal Audit Function (IAF) uses to focus on the needs of stakeholders, accelerate audit cycles, provide timely insight and reduce the waste of resources. By applying an Agile method, the productivity and added value of the IAF can be increased and the lead time of an audit reduced.
As internal auditors, we have been advocating for going agile,
being flexible, adaptive, and fast. We are increasingly turning to
the agile methodology to achieve this shift in approach
because taking an agile approach is helping the internal audit
functions become more strategic, increase efficiencies, and be
more effective overall, and this has the added benefit of
increasing our value as trusted advisors within the organization.
Internal auditors always work to identify, assess, and respond
to risk, those presenting opportunities and those which could
be disadvantageous to the health of the organization. In the
same regard, the agile audit process keeps our fingers on the
pulse of the organizations so we can adapt quickly to change.
However, while the concept of agile audit is not new, it’s often
seen as an all or nothing approach and too disruptive in itself to
fully adopt. Yet it is agile auditing’s distinctive flexibility that
allows internal auditors to adopt its practices, step by step,
rather than all at once.
Most auditors who are familiar with traditional SDLC controls recognize that some of the Agile values conflict with more established methodology. Traditional controls are typically implemented "after the fact" and rely heavily on documentation, neither of which works well with Agile methodologies. To help close the gap between their knowledge of traditional models and the Agile method, internal auditors should acknowledge that agile audit is aimed at enhancing their work. By following this approach, auditors can help the team, and the organization, execute its compliance responsibilities effectively while making sure not to erode the value of Agile methodologies.
Why Agile Audit is important to the audit function

Here is what to consider when adopting Agile Auditing:

The focus is on continuous prioritization of focus areas, thereby providing relevant insight, i.e. it supports audit quality.

Agile audit shortens the audit cycles and delivers (sub-)products faster.

It encourages more interaction between the audit team and the audit client, which improves the management of expectations and increases the involvement of the audit client.

The approach of the audit itself is very flexible.
Internal Audit should make the following shifts:

From publishing huge reports after a long period of auditing to timely reporting, as a way of enabling business units to address issues as they arise.

From rigidly planned activities (static audit plans) to quick iterative activities and continuous auditing.

From polished communication after a long process to frequent and interactive communication with audit clients during the process.

From establishing roles in a hierarchical system to empowered roles in a more flexible system.

From following pre-set plans to responding to emerging needs and addressing issues with management as they arise.

From allocating internal audit resources to audits to resourcing audits and projects as needed.

From control of the audit process to transparency in the audit process.

From looking for faults in business processes to identifying and reporting facts in a timely manner.
Last thoughts

Internal audit functions should focus on adding value in terms of business alignment and governance. Understanding a project's objectives, as well as the risks associated with the project methodology, helps enhance the value internal audit can deliver. This can be achieved by engaging the teams early enough to be on the same page and so better understand and control risk.

The main aim of adopting agile audit should be based on the idea that audit teams remain lean and flexible, rely more on technology or on skills borrowed from other parts of the organization, and produce slimmer, more visually designed reports that address deeper, current and strategic risks.
A Review of ISACA KE 2020

ISACA Kenya began 2020 with great ambitions, with plans to hold our flagship event, our Annual Conference, with the theme "Insights and Trends Shaping the Future of Business".

Before we could convene, the future of business as we knew it was interrupted by COVID, and we promptly switched gears to adapt and work with our members and stakeholders in embracing technologies and solutions that could support remote working.

We were able to host a good number of webinars (workshops, evening talks and a Mini-Conference), where our speakers tackled various insightful topics.

We also successfully carried out a CGEIT training with the newly refreshed content, and we look forward to seeing an increase in the number of members with this qualification.

We were also glad to see a large number of our members qualifying, based on experience and skills, in the new privacy certification, Certified Data Privacy Solutions Engineer (CDPSE).

Through our strategic partner and stakeholder, the ICT Authority of Kenya, we were able to arrange awareness workshops in:
Cybersecurity,
Data Analytics, and
IT Audit.

These enabled us to hold half-day sessions with over 2000 participants, some of whom went on to pursue the respective certifications. We also held a successful Mini Conference in November, in which over 100 people participated.

While the year has been challenging in some aspects, we look forward to the continued education of our members through different avenues. There have been many lessons in the year 2020, but never before has information security been as important, especially due to the adoption of remote working.

We encourage our members to keep an eye on our website and on communication from our secretariat to be informed of upcoming training sessions.
Top Scorers for ISACA Exams

JAN – JUNE 2020

| Exam | Full Name | Ranking |
| --- | --- | --- |
| CGEIT | Ms. Christine Lilian Muhongo, CISA, CISM, CGEIT, CRISC | 1 |
| CISA | Mr. Mumo Mutisya, CISA | 1 |
| CISA | Mr. Jeffery Mwaura Kirumba | 2 |
| CISA | Mr. Andrew Muhoro | 3 |
| CISM | Mr. Pascal Mavyuva Mutulu | 1 |
| CISM | Mr. Edwin Wanyama Ngero, CISM | 2 |
| CISM | Emmon Langat, CISM | 3 |
| CRISC | Mr. Victor Muhia | 1 |
| CRISC | Mr. Sammy Thiong'o Gichuhi, CISA, CISM | 2 |
| CRISC | Sharone Achieng Otieno, CRISC | 3 |

Gladys Kimani, CISA, CISM
Certification Director
The 2020 Virtual Conference

This year's mini conference, whose theme was "Insights and Trends Shaping the Future of Business", was well attended, with 104 delegates drawn from different sectors, and ran for two days, from 11th November to 12th November 2020. Key speakers drawn from both local and global circles gave presentations in their areas of specialty. ISACA members earned a cool 12 CPE hours.

Some of the speakers for the conference were:

In his opening remarks, the CEO of ISACA Kenya, Mr. Preston Odera, welcomed delegates and thanked them for enrolling for the conference. He assured attendees that the chapter has made sure that trainings and conferences will continue to be held despite the pandemic. He encouraged non-members to join and enjoy member benefits, and to participate in chapter events to keep abreast of the latest happenings around the globe.

Delegates had a unique opportunity to learn from a rich line-up of speakers and industry experts from the region and beyond, who shared the latest insights in the world of cyber security, audit, emerging technologies and governance, among other related topics.

The conference accorded attendees an opportunity to join their peers in the industry to learn and deliberate on the latest insights and trends shaping the future of business. Emceeing the conference were former chapter president Mr. Dennis Mutinda, CISA, and Ms. Gladys Kimani, CISA, CISM, chapter Certifications Director, on day 1 and day 2 respectively. Panel discussions at the end of each day's presentations featured SheLeadsTech Liaison Ms. Dorine Nalo, CISA, CDPSE, and former Vice President Mr. Antony Muiyuro, CISA, CRISC, CDPSE, who is also an associate director, Cyber Security, Privacy & Trusted Tech, at EY.

Giving his closing remarks, ISACA Kenya Vice President Mr. Boniface Asiligwa, CISA, CISM, CRISC, CGEIT, thanked the speakers for sharing their insights on the conference theme and the participants for taking part. Other events are being organized by the chapter and more information will be communicated in due course.
Some of the topics discussed include:
Cybersecurity Amidst Covid-19 in Kenya: Perspective for the Regulator
Creating Secure 5G and IoT Ecosystems
Cybersecurity Strategies for Effective Business Engagement
Customer Experience and the Impetus of Data
Implementing Data Analytics and Selecting Key Risk Metrics
Managing Third Party Risks using COBIT and NIST Cybersecurity Framework
Reaping ISACA Membership Benefits

Research has shown that professional associations position their members to succeed and thrive in their areas of specialization, whether in formal employment or otherwise. Such associations are a resource members can draw upon to enhance their skills, expand professional connections and experience a vibrant local, regional and, most times, global community of colleagues.

In ISACA, members can explore a wide range of member programs, educational opportunities, authoritative publications and discounted products. These go a long way in enhancing the quality of their work. Through hands-on trainings on various tools, frameworks and methodologies, including Computer Assisted Audit Tools (CAATs), professionals are able to advance and sharpen their skills.

By joining ISACA, professionals, especially those in mid-management and at entry level, set themselves apart for future leadership. ISACA does not require a CISA or a degree in ICT to join, only interest and the will to prepare for a successful career in a digital age.

ISACA provides various benefits to members, including:

Community and Leadership
Leadership Opportunities - You can serve on the ISACA board and committees, help author or review ISACA research publications, write certification exam questions, etc.
Speaking opportunities to share during conferences, workshops and seminars.
Opportunities for mentorship, benefiting both mentors and mentees (coming soon).

Professional Development
Conferences and Training - Member discounts on more than 20 events annually.
Free CPE - ISACA certified members can earn over 60 FREE CPEs per year.
CISA, CISM, CGEIT and CRISC certification at member-discounted prices for the exam and materials.

Research and Knowledge
Bookstore - Member discounts on ISACA publications and research papers.
Downloads - Members-only research discounts on preferred materials.
Knowledge Center - Exclusive access to one convenient online location where members can access professional knowledge. Network, learn and exchange ideas globally with peers through communities, shared interest groups, discussions and document sharing.
Standards - Easy access to ISACA's Auditing Standards, Guidelines and Procedures.

Martin Kilungu, CISA, CISM, CRISC, CEH
Membership Director - ISACA Kenya Chapter
Join @ www.isaca.org/Membership
2021 Calendar of Events

Costs are in KShs, including 16% VAT. Where a cell is blank, the calendar gives no value.

Q1 2021

| Topic | Thematic Area | Date | Duration | Event | Venue | Cost (Members) | Cost (Non-members) | CPE hours |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Awareness session - Demystifying IT Governance Roles in a Dynamic Business Environment | Governance | 21st January | 2 hours | Evening talk 18:00 - 20:00 | Virtual | 500 | 650 | 2 |
| CISO Roundtable - Enterprise Cybersecurity Architecture in the Digital Age: Navigating Cybersecurity Leadership Challenges | Cybersecurity | 26th January | 3 hours | Morning Talk 09:00 - 12:00 | Virtual | 750 | 900 | 3 |
| IT Auditing for Beginners | Audit | 8th - 12th February | 5 days | Training | Naivasha | 72,000 | 78,000 | 35 |
| SheLeads Tech Talk | SheLeadsTech Soft Skills | 18th February | 2 hours | Morning Talk 09:00 - 11:00 | Virtual | Free | Free | 1 |
| Applying Data Analytics in Audits (Data-driven Audits) | Data Analytics | 10th March | 1 hour | Lunch Talk 13:00 - 14:00 | Virtual | Free | Free | 1 |
| CSX University Boot camp | CSX Exposure | 15th to 19th March | 2 hours per day | Evening 18:00 - 20:00 | Virtual | | | 10 |
| Cybersecurity - Hands-on Training | Cybersecurity | 22nd - 26th March | 5 days | Workshop | Mombasa | 72,000 | 78,000 | 35 |

Q2 2021

| Topic | Thematic Area | Date | Duration | Event | Venue | Cost (Members) | Cost (Non-members) | CPE hours |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Coast Circuit - Pre-Annual Conference: Track #01 - Cybersecurity: Cloud Security; Track #02 - Audit Workpaper Automation; Track #03 - IT Governance: Board of Directors Perspectives into the Future | | 19th - 20th April | 2 days | Pre-Conference | Mombasa | 45,000 | 50,000 | 14 |
| Annual Conference: Theme - "Enabling the Digital Age Beyond the Curve" | | 21st - 23rd April | 3 days | Conference | Mombasa | 52,000 | 58,000 | 21 |
| Dark Data and its Impact on the Audit Function | Audit | 6th May | | Lunch Hour Talk 13:00 - 14:00 | Virtual | Free | Free | 1 |
| IT Auditing (Technical) | Audit | 10th - 14th May | 5 days | Training | Kisumu | 72,000 | 78,000 | 35 |
| Risk Management in Cloud Sourcing | GRC | 20th May | 2 hours | Evening talk 18:00 - 20:00 | Virtual | 500 | 650 | 2 |
| CISM Review | Security Management | 24th - 28th May | 5 days | Training 17:00 - 20:00 | Virtual | 12,500 | 15,500 | 15 |
| CISA Review | Audit | 24th - 28th May | 5 days | Training 17:00 - 20:00 | Virtual | 12,500 | 15,500 | 15 |
| ISACA Kenya Annual General Meeting | Administrative | 29th May 2021 | 1 day | | Virtual/Physical | _ | _ | 3 |
| SheLeadsTech | | 3rd June | | Evening Talk | Virtual | Free | Free | 2 |
| Boot camp - Nairobi/Mt Kenya Region | | 9th - 11th June | 3 days | Workshop | Nairobi | 3,000 | 5,000 | 21 |
| Data Analytics Training (Hands on) | | 14th to 18th June | 5 days | Hands on Workshop | Mombasa | 72,000 | 78,000 | 35 |
| Hands-on Hacking - Red Team / Blue Team | Cybersecurity | 21st - 25th June | 5 days | Workshop | Mombasa | 72,000 | 78,000 | 35 |

Q3 2021

| Topic | Thematic Area | Date | Duration | Event | Venue | Cost (Members) | Cost (Non-members) | CPE hours |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Building an Agile Internal Audit Function | Audit | 8th July | 2 hours | Evening Talk 18:00 - 20:00 | Virtual | 500 | 650 | 2 |
| IOT and AI in the Cyber-sec Landscape | Emerging Tech | 22nd July | 3 hrs | Breakfast Talk 9:00 - 12:00 | Virtual | 750 | 900 | 3 |
| Data Analytics and Tools (Financial) | Data Analytics | 2nd - 6th August | 5 days | Training | Mombasa | 72,000 | 78,000 | 35 |
| Designing and Implementing Pragmatic Risk-based Solutions | GRC | 19th August | 2 hours | Evening Talk 18:00 - 20:00 | Virtual | 500 | 650 | 2 |
| Developing Privacy Strategies & Roadmap Aligned with Business Strategies | Data Privacy | 2nd September | 1 hour | Lunch Talk 13:00 - 14:00 | Virtual | Free | Free | 1 |
| SheLeadsTech Half Day Conference | | 15th September | 5 hours | Half Day Conference 9:00 - 13:00 | Virtual | 1,000 | 1,500 | 5 |
| IT Auditing (Financial) | Audit | 20th - 24th September | 5 days | Training | Mombasa | 72,000 | 78,000 | 35 |

Q4 2021

| Topic | Thematic Area | Date | Duration | Event | Venue | Cost (Members) | Cost (Non-members) | CPE hours |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ISACA Community Day | | 2nd October | Half Day | Community Day | | | | |
| Culture and Ethics as Drivers of IT Governance Effectiveness | GRC | 14th October | | Evening Talk 18:00 - 20:00 | Virtual | 500 | 650 | 2 |
| Bootcamp - Nyanza Universities | | 24th - 25th October | 3 days | ISACA Awareness / SheLeadsTech | | | | |
| Pre-GRC Conference: Track #01 - Business Continuity: Role of the Board; Track #02 - COBIT or CGEIT Review; Track #03 - Project Management: Board and Senior Management Roles | | 25th - 26th October | 2 days | Pre Conference | Kisumu | 45,000 | 50,000 | 14 |
| GRC Conference | GRC | 27th - 29th October | 3 days | GRC Conference | Kisumu | 52,000 | 58,000 | 21 |
| Evolving Security and Privacy of Enterprise Data | Information Security | 12th November | | Evening Talk 18:00 - 20:00 | Virtual | 500 | 650 | 20 |
| CRISC Review | | 23rd - 25th November | 5 days | Virtual 09:00 - 13:00 | Virtual | 20,000 | 25,000 | 12 |
| Facilitating Digital Transformation with Integrated Risk Management | | 3rd December | 3 hours | Breakfast Talk 9:00 - 12:00 | Virtual | 3,500 | 4,000 | 3 |
| ERP Auditing: Hands-on | | 14th - 17th December | 4 days | Workshop | Mombasa | 50,000 | 55,000 | 28 |