ISACA Kampala Chapter

Welcome to the ISACA Kampala Chapter

Our Vision: "Trust in, and Value from Information systems"

ISACA (Information Systems Audit and Control Association) is a worldwide association of IS governance professionals. The association currently focuses on assurance, security, and governance, and provides globally recognised certifications in assurance (Certified Information Systems Auditor, "CISA"), security (Certified Information Security Manager, "CISM"), and governance (Certified in the Governance of Enterprise IT, "CGEIT"). It is an association of individual members, each often the sole practitioner of information systems auditing, security, and/or governance in his or her organisation. The membership of ISACA reflects a multiplicity of backgrounds and skills that make the information systems governance field challenging and dynamic.

03/11/2025

Traditional GRC asks, “Are controls in place?”

GRC 2.0 asks, “Are decisions informed, fast, and defensible?”

Why this shift

⚡ Threats evolve faster than annual assessments
🏛️ Boards want outcomes (resilience, ROI), not just attestations
🤖 AI + cloud amplify both risk and velocity—decisions must keep up

Pillars of Decision-Intelligent GRC

🧠 Context-aware risk → link risks to business services, customers, revenue
📚 Evidence on tap → live telemetry, audit trails, decision logs
🤝 Human-in-the-loop → clear owners, escalation paths, approval checkpoints
🔐 By-design controls → policy-as-code, guardrails in CI/CD & cloud
📈 Continuous assurance → control health, drift, and exceptions monitored 24/7

What it looks like in practice

🗺️ Risk-to-service maps → “If Service X fails, impact = Y”
🧾 Decision records → who/what/why/when for major risk calls
🔁 Closed-loop fixes → issue → change → validation → learnings captured
🧪 Adversarial tests → red/purple teaming, chaos drills tied to risk scenarios
🔗 Vendor intelligence → third-party risk tied to real usage & data flows

Metrics that matter (beyond pass/fail)

⏱️ MTTD/MTTR for decisions (time to decide/respond)
🧮 Control reliability (% controls with real-time evidence)
🧭 Risk posture change (before/after a decision)
📦 Exception half-life (how fast policy exceptions close)
💬 Board clarity score (are risk decisions explainable in business terms?)

30-Day Starter Sprint

🗂️ Week 1: pick 3 critical services; map top risks + owners
🧰 Week 2: turn on live evidence for 10 key controls (dashboards > spreadsheets)
📝 Week 3: start a decision log for high-stakes changes/incidents
🧪 Week 4: run a 60-min tabletop; capture decisions, gaps, next actions

Where AI helps (safely)

🔎 Summarize evidence & policies for decision briefs
🧩 Suggest control gaps from incidents & telemetry
📌 Draft board memos; humans validate, approve, and own

Bottom line: GRC 1.0 proved you had controls. GRC 2.0 proves your decisions create resilience.

💬 Question: Which decision this quarter deserves a decision log + live evidence to make it faster and more defensible?


31/10/2025

Passing an audit tells you controls exist. Defense proves they work under pressure.

Treat compliance as the floor, not the ceiling.

Why this matters

⚡ Threats evolve faster than annual checklists
🏛️ Boards care about uptime, trust, and loss avoidance
☁️ Cloud & AI change configs daily—drift makes “point-in-time” meaningless

The shift: from paperwork to protection

🔁 Continuous monitoring over snapshot reviews
🧠 Risk-linked controls tied to business services and impact
🧪 Tested playbooks (tabletops, restores, failovers) instead of assumptions
🔐 By-design security (policy-as-code, least privilege, JIT access)

Practical moves (this quarter)

🧱 Turn on MFA + PAM + JIT for admins
📦 Treat backups as a product: immutable + offsite + restore drills
🔎 Instrument top 10 controls with live evidence (logs, alerts, dashboards)
🔗 Map critical services → risks → controls → owners
🧰 Run one 60-min tabletop and one access review; close gaps fast

Measure what defense looks like

⏱️ MTTD/MTTR (detect/respond)
🧮 Control reliability (% with real-time telemetry)
🧯 Incident containment time (first touch → isolation)
📦 Restore success rate (RTO/RPO met?)
🧭 Risk posture delta (before/after fixes)

Where AI helps (safely)

🔎 Summarize evidence into decision briefs
🧩 Spot control gaps from incident patterns
📝 Draft change/exception memos—humans approve

Bottom line: Compliance earns permission to operate. Defense earns the right to stay up when it matters.

💬 Question: Which single control will you instrument for live assurance this month?

31/10/2025

📊 Turn risk into decisions that move the needle.

📅 Tue–Fri, Nov 25–28, 2025
🕘 9:00 AM–5:00 PM EAT
📍 National ICT Innovation Hub

💵 Members: UGX 1,000,000 • Non-Members: UGX 1,200,000

👉 Book your seat today

30/10/2025

🧭 Audit that stands up in the boardroom.

📅 Mon–Fri, Nov 17–21, 2025
🕘 9:00 AM–5:00 PM EAT
📍 National ICT Innovation Hub

💵 Members: UGX 1,000,000 • Non-Members: UGX 1,200,000

👉 Enroll now

29/10/2025

🏛️ Govern IT at enterprise altitude.

📅 Tue–Fri, Nov 25–28, 2025
🕘 9:00 AM–4:00 PM EAT
📍 National ICT Innovation Hub

💵 Members: UGX 1,000,000 • Non-Members: UGX 1,200,000

👉 Register now

29/10/2025

AI risk isn’t one thing—it’s a stack.

To manage it, see the layers clearly, then put the right controls at each layer.

🧩 The Layers

🗂️ Data Risk → biased, low-quality, or sensitive data leaks
🧪 Model Risk → hallucinations, drift, overfitting, prompt injection
🔗 Supply-Chain Risk → third-party models, datasets, APIs, plugins
🔐 Security Risk → model exfiltration, jailbreaks, poisoning, secret leakage
⚖️ Ethics & Legal Risk → unfair outcomes, IP misuse, consent & privacy violations
🛠️ Operational Risk → weak monitoring, no rollback, uncontrolled prompts
👥 Human Risk → over-trusting outputs, poor oversight, unclear accountability

🔍 What it looks like in real life

⚠️ A chatbot invents policy (hallucination) → citizens act on wrong info
⚠️ Fine-tuning on PII (privacy breach) → regulatory exposure
⚠️ Prompt injection via uploaded files (security) → data exfiltration
⚠️ Model drifts after deployment (accuracy drops) → bad decisions at scale

🛡️ Controls that matter

📚 Data governance → classification, minimization, consent, retention
🧱 Model safeguards → adversarial testing, red-teaming, guardrails, content filters
🧭 Usage policies → when/where AI may be used; human-in-the-loop checkpoints
🔐 Security hardening → secret vaults, egress controls, RAG with allow-listed sources
📈 Monitoring → drift/quality dashboards, incident playbooks, rollback plans
📜 Compliance → DPIAs/AI impact assessments, audit trails, vendor due diligence
🎓 People & training → prompt hygiene, verification norms, escalation paths

✅ Quick readiness checklist

☑️ Documented AI use cases with owners
☑️ Data sources approved & logged
☑️ Human review steps embedded (HITL)
☑️ Red-team tests before go-live
☑️ Monitoring + alerts for drift & abuse
☑️ Vendor SLAs for privacy, security, uptime

Bottom line: Treat AI like any critical system—govern the data, harden the model, monitor the behavior, and keep a human accountable.

💬 Question: Which layer in your AI stack needs the most attention this quarter—data, model, security, or operations?

28/10/2025

AI isn’t here to take your job—it’s here to take your busywork.

The win is human + machine: you keep the judgment, context, and creativity; AI handles the repetitive, the large-scale, and the time-consuming.

Where the 10x shows up

💬 Drafts & Docs: first drafts, summaries, meeting notes in minutes—not hours
🔎 Research Co-pilot: scan policies/case law/datasets and surface insights fast
🧪 Analysis at Scale: classify, tag, reconcile, forecast—no spreadsheet burnout
🛠️ Automation Glue: trigger workflows (tickets, emails, updates) from plain language
🤝 Customer Ops: 24/7 assistants for FAQs while humans handle nuance
🧩 Coding & QA: generate snippets, tests, and refactors; engineers focus on design

Simple before/after examples

⌛ Before: 5 hours compiling stakeholder feedback → After: AI clusters themes in 8 minutes
⌛ Before: 2 analysts triaging tickets all day → After: AI routes/prioritizes; analysts solve edge cases
⌛ Before: Weekly 30-slide status deck → After: AI builds draft from project tools; you refine the story

Guardrails that make it real

🔐 Data hygiene: restrict sources; avoid pasting sensitive info
🧭 Clear SOPs: define what AI drafts vs. what humans approve
📏 Measure impact: track hours saved, cycle time, error rate, satisfaction
🎓 Upskill fast: short playbooks + lunch-and-learns beat long courses

Mindset shift

AI doesn’t replace people—it replaces friction. The value is you, multiplied.

Question: What’s one task you’ll delegate to AI this week to win back 2–3 hours?

27/10/2025

Fraud no longer hides in spreadsheets — it hides in data patterns, moving faster than human analysis can keep up.

But the game is changing. 🧠

Machine Learning (ML) is turning fraud prevention from a reactive chase into a predictive shield.

Here’s how 👇

1️⃣ Pattern Recognition at Scale
ML systems analyze millions of transactions in real time — spotting subtle anomalies that human analysts would never notice.

2️⃣ Adaptive Learning
Unlike static rule-based systems, AI models learn as fraudsters evolve — updating detection logic automatically as new attack behaviors emerge.

3️⃣ Behavioral Profiling
By studying customer behavior (location, device, timing, spending habits), AI can instantly flag what looks “off” — even when it’s the right password.

4️⃣ Anomaly Scoring
Every transaction or login attempt can be scored for risk.
High-risk events trigger real-time verification while genuine users move through seamlessly — balancing security and convenience.

5️⃣ Deepfake & Social Engineering Detection
Advanced ML models are now trained to detect fake audio, cloned identities, and unusual communication patterns — helping organizations spot fraud before damage occurs.

💡 Why it matters:

Fraudsters use automation.
So must defenders.
The future of fraud management lies not in more rules — but in more intelligence.

💬 Question:
How prepared is your organization to detect fraud that learns faster than your defenses?

25/10/2025

CISM Bootcamp (Nov 25–28)

🛡️ Lead security like a business.

CISM Bootcamp runs Tue 25 – Fri 28 Nov 2025, 9:00 AM–5:00 PM EAT at the National ICT Innovation Hub.

✅ Build & govern enterprise security programs
✅ Turn risk into board-ready decisions
✅ Exam-ready coaching + manager-level playbooks

💵 Members: UGX 1,000,000 • Non-Members: UGX 1,200,000
🧾 Pay via Stanbic/MTN MoMo (on poster)
🖱️ Tap link to register: https://bit.ly/3WXut4w

25/10/2025

CISA Bootcamp (Nov 17–21)

🎯 Become the auditor execs rely on.

CISA Bootcamp lands Mon 17 – Fri 21 Nov 2025, 9:00 AM–5:00 PM EAT at the National ICT Innovation Hub.

✅ Master IT audit planning, execution & reporting
✅ Align controls to risk, compliance & value
✅ Exam-focused drills + real case practice

💵 Members: UGX 1,000,000 • Non-Members: UGX 1,200,000
🧾 Pay via Stanbic/MTN MoMo (on poster)
🖱️ Tap link to register: https://bit.ly/3WXut4w

Address

Uganda Institute of Communication and Information Technology (UICT), Plot 19-21 Port Bell Road, Nakawa, Sat-Com Block 2
Kampala
256

Opening Hours

Monday 09:00 - 17:00
Tuesday 09:00 - 17:00
Wednesday 09:00 - 17:00
Thursday 09:00 - 17:00
Friday 09:00 - 17:00

Website

https://www.isaca.org/
