ISACA Kampala Chapter

Welcome to the ISACA Kampala Chapter

Our Vision: "Trust in, and Value from Information systems"

ISACA (Information Systems Audit and Control Association) is a worldwide association of IS governance professionals. The association currently focuses on assurance, security, and governance and provides globally recognised certifications in assurance (Certified Information Systems Auditor, "CISA"), security (Certified Information Security Manager, "CISM"), and governance (Certified in the Governance of Enterprise IT, "CGEIT"). The association is one of individual members, often the sole practitioner of information systems auditing, security, and/or governance in his or her company. The membership of ISACA reflects a multiplicity of backgrounds and skills that make the information systems governance field challenging and dynamic.

12/01/2026

You don’t need to be a data scientist to win with AI—you need AI literacy:

knowing what AI can/can’t do, how to use it responsibly, and how to turn use-cases into outcomes.

Why this matters

🌍 Digital public services, mobile money, and e-commerce are scaling fast—teams that speak “AI” make better, faster decisions.

🛡️ Regulators and boards now expect explainability, privacy, and control—not hype.

Core skills to build

🧭 Problem framing: turn a business pain into an AI-ready task (inputs, constraints, success metrics).
✍️ Prompting & tooling: structure prompts, chain tasks, and pick the right tool for the job.
🔍 Verification: fact-check outputs, cite sources, and keep a “human in the loop.”
🔒 Data stewardship: PII hygiene, consent, and minimal data to get the job done.
📜 Governance basics: model risk, bias awareness, and audit trails.

Quick ways to start this month

📝 Create a team prompt library (templates for reports, summaries, emails).
🧪 Run a 1-hour use-case sprint: pick one workflow, measure “before vs after.”
🧰 Standardize tools: one approved chat assistant + clear do/don’t data rules.
📚 15-minute weekly AI huddle: share wins, misses, and better prompts.

Guardrails (keep it safe)

🚫 No sensitive client or citizen data in public tools.
🔐 Use device-bound MFA and role-based access on any AI platform.
🧾 Keep rationale logs for material decisions produced with AI.

Measure progress

⏱️ Time saved per task
📈 Adoption rate by team
🧠 Number of reusable prompts/use-cases created

Bottom line: AI literacy is the new spreadsheet skill—table stakes for every role.

💬 What’s one task you’ll “AI-assist” this week—report drafting, data cleanup, or meeting notes?

08/01/2026

Tech won’t save a weak culture. In high-risk environments like banking, Zero Trust works only when people and processes live it daily—then the tools amplify it.

Why this matters (EA context)

🔄 SIM-swap, insider collusion, and social engineering adapt faster than policies.
📱 Mobile & agency banking widen the attack surface beyond HQ walls.
🤝 Regulation is rising—boards now expect resilience, not checklists.

What Zero Trust culture looks like

🧠 Assume breach: every access is verified, every time—no sacred networks.
🔐 Least privilege by design: time-bound, task-bound, just-in-time access.
📜 Non-negotiables: no shared creds, no “break glass” without ticket + reason.
🗣️ Call it out: phishing/abuse channels that protect staff who report.

Quick wins you can ship this quarter

⛔ Block by default: disable legacy protocols (POP/IMAP, SMBv1), geofences for admin logins.
🧾 Access with evidence: named owner + rationale + expiry for every elevation.
📱 Device binding + risk-based step-up for mobile/agency channels.
🧪 Live restore & revoke drills (keys, tokens, accounts) with auditable results.

Metrics boards understand

📉 Privileged accounts with standing access
⏱️ Mean time to revoke (MTR) on role change/exit
🧪 Restore/rollback success rate (quarterly)
🧩 % systems covered by MFA + device health checks

Bottom line: Zero Trust isn’t a product to buy—it’s a discipline to practice. Tools enforce it; culture sustains it.

💬 Your move: what’s the one behavior you’d make non-negotiable starting—🔐 no shared creds, ⏱️ 24-hr access expiry, or 🧪 monthly revoke drills?

31/12/2025

Most post-mortems don’t read “firewall failed”—they read “someone approved the wrong thing.”

Breaches often start with a decision error: the exception you granted, the vendor you onboarded too fast, the alert you muted.

Where decisions create risk

⚙️ Change approvals: rushed rollouts, no rollback
🔑 Access exceptions: “just for today” turns into standing admin
🤝 Vendor onboarding: unchecked data flows, weak contracts
🤖 AI usage: models answering from unvetted sources, no human override
🛠️ Control downgrades: disabling MFA “temporarily” for user convenience

Build decision intelligence (not just controls)

📝 Decision logs: who decided, options considered, evidence, expiry date
🧭 Guardrails: two-person rule for high-impact changes; pre-approved patterns only
📉 Blast-radius limits: time-boxed access, scoped rollouts, feature flags
🧪 Pre-mortems: “If this goes wrong, how will it fail and who gets hurt?”
🔁 Post-decisional review: did the outcome match the intent? adjust playbooks
📣 Escalation paths: easy “stop the line” when risk feels off

Quick wins

🧩 Add a decision section to change tickets (evidence + alternatives)
⏳ Make all admin exceptions auto-expire (JIT/JEA)
🧪 Run a 30-minute pre-mortem before the next major release
📈 Track a new KPI: time to rollback a bad decision
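As an added illustration (not the chapter's own code; field names are a hypothetical schema), this Python sketch enforces the "access with evidence" rule from the Zero Trust post (named owner + rationale + expiry, with a 24-hour ceiling) and the auto-expiring admin exceptions above, then computes two of the board metrics from that post, privileged accounts with standing access and mean time to revoke, over a constructed access log:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
@dataclass
class Elevation:
    """One privileged elevation/exception as the posts ask it to be logged (hypothetical schema)."""
    account: str
    owner: str
    rationale: str
    granted_at: datetime
    expires_at: Optional[datetime]              # None = standing access with no expiry
    role_change_at: Optional[datetime] = None   # exit/role change that should trigger a revoke
    revoked_at: Optional[datetime] = None       # None = never revoked

def validate(e: Elevation, max_life: timedelta = timedelta(hours=24)) -> list:
    """Non-negotiables the elevation breaks; an empty list means it may be approved."""
    problems = []
    if not e.owner.strip():
        problems.append("no named owner")
    if not e.rationale.strip():
        problems.append("no rationale")
    if e.expires_at is None:
        problems.append("no expiry")
    elif e.expires_at - e.granted_at > max_life:
        problems.append(f"expiry beyond {int(max_life.total_seconds() // 3600)}h")
    return problems

def standing_access(records, now: datetime) -> list:
    """Accounts still elevated at 'now': neither revoked nor expired (board metric: standing access)."""
    return sorted({e.account for e in records
                   if not (e.revoked_at and e.revoked_at <= now)
                   and not (e.expires_at and e.expires_at <= now)})

def mean_time_to_revoke_hours(records) -> Optional[float]:
    """MTR: mean hours from role change/exit to the actual revoke; None if nothing to measure."""
    gaps = [(e.revoked_at - e.role_change_at).total_seconds() / 3600
            for e in records if e.role_change_at and e.revoked_at]
    return sum(gaps) / len(gaps) if gaps else None

T0 = datetime(2026, 1, 5, 9, 0)
SAMPLE = [  # constructed sample records, not real chapter data
    Elevation("db-admin-1", "j.okello", "CR-1042 index rebuild", T0, T0 + timedelta(hours=4),
              role_change_at=T0 + timedelta(hours=1), revoked_at=T0 + timedelta(hours=3)),
    Elevation("core-ops", "", "", T0, None),                      # shared cred: no owner, standing
    Elevation("pay-admin", "a.nabwire", "RC-77 hotfix", T0, T0 + timedelta(days=30)),
    Elevation("svc-legacy", "it-ops", "migration", T0 - timedelta(days=40), None,
              role_change_at=T0 - timedelta(days=30), revoked_at=T0 - timedelta(days=29)),
]
```

Run `validate` on every new ticket before approval and the two metric functions over the whole log each quarter; the sample flags the shared standing credential and the 30-day hotfix expiry while reporting an MTR of 13 hours.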

Bottom line: Systems don’t approve risky changes—people do. Strengthen how your organisation decides, and you’ll prevent breaches before they look technical.

💬 Question: What’s one decision you’ll start logging—with evidence and an expiry—starting today?

30/12/2025

Automation is great—until a risky change needs human judgment.

Which control keeps accountability intact: A/B/C/D?

Vote below.

29/12/2025

Our biggest wins won’t come from working in silos.

In a region where banks, telcos, fintechs, gov agencies, and universities share customers, rails, and risks, collaboration compounds value—faster than any single player can.

Where collaboration beats rivalry

🤝 Shared security: cross-institution threat intel cuts fraud dwell time from weeks to hours.
🚀 Market growth: interoperable rails (mobile money, instant payments, USSD/WhatsApp) expand the pie for everyone.
🧠 Talent pipeline: co-designed curricula + co-ops turn graduates into contributors on day one.
📦 Standards & trust: aligned controls (COBIT/ISO/NIST), common KYC, and clearer APIs reduce onboarding friction.
💡 Local innovation: joint sandboxes for GovTech/FinTech/HealthTech turn regional pain points into products.

What to start this quarter

🧾 “First 5 IOCs” pact: members share the top indicators after any incident—no PII.
🧪 Regional pilot squads: one bank + one MNO + one PSP + one regulator run a 30-day fraud takedown drill.
🎓 Study pods: rotating CISA/CISM/CGEIT circles across chapters and universities.
🔗 Open playbooks: publish 1–2 reusable runbooks (e.g., ransomware response, SIM-swap containment).
🧭 Boardroom brief series: co-authored one-pagers translating risk → business impact for EA boards.

How to know it’s working

⏱️ Time-to-block after intel drops (down).
📉 Repeat-attack rate across members (down).
🔁 API partner time-to-onboard (down).
🎯 Graduate-to-hire conversion and time-to-productivity (up).
🧩 Shared assets shipped (playbooks, datasets, standards) per quarter (up).

Bottom line: Competition drives speed; collaboration drives scale and resilience. In East Africa, the leaders will be those who build together—and win together.

💬 Question: If we could align on one shared playbook, what should it be—fraud, incident comms, or disaster recovery?

Address

Uganda Institute of Communication and Information Technology (UICT), Plot 19-21 Port Bell Road, Nakawa, Sat-Com Block 2
Kampala

Opening Hours

Monday 09:00 - 17:00
Tuesday 09:00 - 17:00
Wednesday 09:00 - 17:00
Thursday 09:00 - 17:00
Friday 09:00 - 17:00

Website

https://www.isaca.org/
