ISACA Kampala Chapter

Welcome to the ISACA Kampala Chapter

Our Vision: "Trust in, and Value from Information systems"

ISACA (Information Systems Audit and Control Association) is a worldwide association of IS governance professionals. The association currently focuses on assurance, security, and governance and provides globally recognised certification in assurance (Certified Information Systems Auditor "CISA"), security (Certified Information Security Manager "CISM"), and governance (Certified in the Governance of Enterprise IT "CGEIT"). The association is one of individual members, often the sole practitioners of information systems auditing, security, and/or governance in their companies. The membership of ISACA reflects a multiplicity of backgrounds and skills that make the information systems governance field challenging and dynamic.

15/01/2026

When citizens tap-to-pay, businesses move to cloud, and ministries digitize services—trust decides who participates and who opts out.

Why it matters in Uganda & East Africa

💳 Inclusion: Mobile money and e-commerce grow only as fast as users believe their data and funds are safe.
🏦 Investment: Boards, donors, and partners fund ecosystems with credible controls and transparency.
🚀 Scale: Startups with strong trust signals (privacy, uptime, dispute handling) cross borders faster.

Pillars of digital trust

🔐 Security: MFA everywhere, device binding, and continuous monitoring.
🧾 Privacy: Purpose-limited data use, consent that’s clear, and deletion on request.
📈 Reliability: SLAs met, incidents disclosed, lessons implemented.
⚖️ Accountability: Traceable decisions, auditable AI, independent assurance.
🗣️ User respect: Plain-language policies, fast support, fair redress.

Quick wins this quarter

✅ Publish a Trust & Safety page (controls, policies, incident contacts).
🧪 Run a live restore drill and share the RTO/RPO outcome.
🔍 Add transaction receipts + explainability to AI-driven decisions.
📣 Offer a simple breach-notice template and commit to timelines.

Measure what you treasure

📉 Fraud/chargeback rate • ⏱️ Mean time to recover • 🧑‍💻 MFA adoption • 📊 NPS/complaint resolution speed

Bottom line: In modern economies, money follows trust. Build it deliberately—and keep earning it daily.

What’s one trust signal your organisation can publish this month?

12/01/2026

You don’t need to be a data scientist to win with AI—you need AI literacy: knowing what AI can/can’t do, how to use it responsibly, and how to turn use-cases into outcomes.

Why this matters

🌍 Digital public services, mobile money, and e-commerce are scaling fast—teams that speak “AI” make better, faster decisions.

🛡️ Regulators and boards now expect explainability, privacy, and control—not hype.

Core skills to build

🧭 Problem framing: turn a business pain into an AI-ready task (inputs, constraints, success metrics).
✍️ Prompting & tooling: structure prompts, chain tasks, and pick the right tool for the job.
🔍 Verification: fact-check outputs, cite sources, and keep a “human in the loop.”
🔒 Data stewardship: PII hygiene, consent, and minimal data to get the job done.
📜 Governance basics: model risk, bias awareness, and audit trails.

Quick ways to start this month

📝 Create a team prompt library (templates for reports, summaries, emails).
🧪 Run a 1-hour use-case sprint: pick one workflow, measure “before vs after.”
🧰 Standardize tools: one approved chat assistant + clear do/don’t data rules.
📚 15-minute weekly AI huddle: share wins, misses, and better prompts.

Guardrails (keep it safe)

🚫 No sensitive client or citizen data in public tools.
🔐 Use device-bound MFA and role-based access on any AI platform.
🧾 Keep rationale logs for material decisions produced with AI.

Measure progress

⏱️ Time saved per task
📈 Adoption rate by team
🧠 Number of reusable prompts/use-cases created

Bottom line: AI literacy is the new spreadsheet skill—table stakes for every role.

💬 What’s one task you’ll “AI-assist” this week—report drafting, data cleanup, or meeting notes?

08/01/2026

Tech won’t save a weak culture. In high-risk environments like banking, Zero Trust works only when people and processes live it daily—then the tools amplify it.

Why this matters (EA context)

🔄 SIM-swap, insider collusion, and social engineering adapt faster than policies.
📱 Mobile & agency banking widen the attack surface beyond HQ walls.
🤝 Regulation is rising—boards now expect resilience, not checklists.

What Zero Trust culture looks like

🧠 Assume breach: every access is verified, every time—no sacred networks.
🔐 Least privilege by design: time-bound, task-bound, just-in-time access.
📜 Non-negotiables: no shared creds, no “break glass” without ticket + reason.
🗣️ Call it out: phishing/abuse channels that protect staff who report.

Quick wins you can ship this quarter

⛔ Block by default: disable legacy protocols (POP/IMAP, SMBv1), geofences for admin logins.
🧾 Access with evidence: named owner + rationale + expiry for every elevation.
📱 Device binding + risk-based step-up for mobile/agency channels.
🧪 Live restore & revoke drills (keys, tokens, accounts) with auditable results.

Metrics boards understand

📉 Privileged accounts with standing access
⏱️ Mean time to revoke (MTR) on role change/exit
🧪 Restore/rollback success rate (quarterly)
🧩 % systems covered by MFA + device health checks

Bottom line: Zero Trust isn’t a product to buy—it’s a discipline to practice. Tools enforce it; culture sustains it.

💬 Your move: what’s the one behavior you’d make non-negotiable starting—🔐 no shared creds, ⏱️ 24-hr access expiry, or 🧪 monthly revoke drills?

Address

Uganda Institute Of Communication And Information Technology (UICT), Plot 19-21 PortBell Road, Nakawa, Sat-Com Block 2
Kampala
256

Opening Hours

Monday 09:00 - 17:00
Tuesday 09:00 - 17:00
Wednesday 09:00 - 17:00
Thursday 09:00 - 17:00
Friday 09:00 - 17:00

Website

https://www.isaca.org/
