
Mary Mueni Ngui. Ms Ngui has over 11 years of experience in risk management, audit and compliance. She has previously worked at organizations such as Unilever Kenya Limited and Liberty Life Assurance Group, which gave her international experience in a multi-cultural environment. She graduated with a Bachelor of Commerce degree, First Class Honours, from Strathmore University, and holds an MBA from Edinburgh Business School, Heriot-Watt University. Mary is a Certified Information Systems Auditor (CISA) and is COBIT 5 Foundation and Assessor certified.

The following is an excerpt of an interview in which she shared her professional journey and ISACA experience with Fredrick Ouma, CISA, a member of the Editorial team.

How long have you been a member of ISACA?

I have been a member since the year 2010.

Which ISACA courses have you completed, and what was the study and qualification experience like?

I enrolled for the CISA course and I must say that I put in a lot of hard work, preparation and discipline in order to pass the exams.

What would you say you have achieved or gained from being a member of ISACA?

Being a member of ISACA has made it easier for me to access relevant work materials, like best practice templates which I download and customize for my day-to-day duties. It has also given me an opportunity to network with my fellow professionals.

What would be your message to both prospective and existing members of ISACA?

ISACA members should take advantage of the ISACA website; it is rich with information which is relevant and can be applied at our workplaces as information security professionals. Prospective members can also start by taking ISACA courses such as CISA, which provides knowledge and skills that meet the needs of the current job market.

Mary Ngui, CISA is the Group Head of Risk & Compliance at Resolution Insurance

IN THIS ISSUE

• Member Profile
• Thought Leadership Article: InfoSec lessons from the Kenya Elections
• CBK Cybersecurity Guidelines
• Chapter News
• Upcoming Events

EDITORIAL TEAM

Joshua Motari, CISA (Chair); Zipporah Wahome; Fredrick Ouma, CISA; Christine Mukhongo, CISM, CISA; Celestine Peter

Event of the Quarter

GOVERNANCE RISK & COMPLIANCE (GRC) CONFERENCE

30th November to 1st December, Great Rift Valley Lodge
Theme: Transform or be Transformed

TARGET AUDIENCE: CEOs, CIOs, CISOs, IT Directors, Audit Directors and other C-suite Executives

SPEAKERS:
Mark Thomas, President, Escoute Consulting, U.S.A.
Dr. Katherine Getao, EBS, ICT Secretary, Ministry of ICT, Kenya

CHARGES: Members: Ksh. 65,000; Non-Members: Ksh. 70,000 (includes 1 night accommodation)

FOR MORE INFORMATION:
Telephone: 020 51 00001
Mobile: 0786249357, 0717 116518
Email: [email protected]
www.isaca.or.ke

Kenya Chapter Newsletter Vol2/2017 Oct-Dec 2017

Member Profile

Oscar Ongeri, Founder & CEO, G-Optimized Kenya

CBK Issues New Guidelines on Cybersecurity for Financial Institutions

In August 2017 the Central Bank of Kenya (CBK) issued a Guidance Note on the minimum requirements that institutions are expected to build upon when developing and implementing strategies, policies, procedures and related activities aimed at mitigating cyber risk. The main thematic areas of the Note are Governance, Assessment and Awareness, which a financial institution will be expected to implement and to report on to the Regulator on a regular basis:

1. Governance: the leadership of banks should deploy strategic controls to facilitate a proactive approach to cyber security.
2. Assessments: internal and external auditors must take an in-depth approach to analysing their bank's threat landscape.
3. Awareness: banks should develop and maintain cyber security awareness programmes for relevant stakeholders.

Note: To create awareness and dissect the guidelines, the Chapter held an evening talk attended by over 100 information security professionals. The presentation is now accessible to the general public on www.isaca.or.ke.

The Kenya 2017 General Elections: Information Security Lessons to Learn

While technology adoption and process automation simplify organizational operations, they also raise security risk levels, and cybersecurity risks and incidents have become a top priority for most organizations in this digital age. The Kenyan Supreme Court, in its ruling nullifying the August 2017 presidential election as declared by the IEBC (Independent Electoral and Boundaries Commission), indicated that the integrity of the declared presidential results could not be verified. Among the issues cited was the failure of the ICT infrastructure deployed by the Commission. The IEBC relied heavily on ICT systems and processes in the conduct of the elections: registration of voters, election-day identification, results transmission and tallying. It is the final processes, transmission and tallying, that were the subject of the petition. During the hearing it was alleged that there was hacking and attempted manipulation of the transmission systems, thereby affecting the final outcome. In this article we examine the main information security risks raised and how, as information security experts, we can minimize and/or eliminate their effect on the integrity of our organizations' ICT infrastructure. We will briefly discuss hacking, system logs and general system security administration.

Hacking, a term used to describe actions taken by someone to gain unauthorized access to a computer, is one of the most common threats to be aware of. Today, with internetworking the norm, the question to ask is "when will I be hacked?" rather than "will I be hacked?" Systems security is not a nice-to-have; it is a need-to-have. Whatever the size of your organization, you need to invest enough in securing the critical aspects of your IT network. It is worth noting that the weakest point of any system is PEOPLE, so much of the emphasis must go on creating awareness.

10 Tips to keep off hackers
1. Security awareness
2. Patch!
3. Security policy
4. Patch!
5. Policy implementation
6. Patch!
7. Regular attack & penetration testing
8. Patch!
9. Stay up to date
10. Patch!

System Logs: By logging system events and analyzing the logs you can understand what transpires within your network, since each log file contains many pieces of information, such as intrusion attempts and mis-configured equipment, that can be invaluable. Provided you know what is normal on your network, you can readily identify what is abnormal by monitoring logon activity. Log analysis and log management can be made more efficient by collecting and consolidating log data across the IT environment and correlating events from multiple devices in real time. Logs should always be properly backed up, and protected from alteration, so that they are available and trustworthy when the need arises.
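As an added example (not code from the newsletter, its author or ISACA), the following Python script runs the approach described above over a constructed stream of sshd logon records consolidated from two hypothetical hosts, tally-01 and tally-02. It parses the lines, profiles successful logons to show what "normal" looks like, compares each accepted logon against an assumed per-account baseline of source networks, and correlates failed logons across both hosts, so that a password-guessing run split between two machines is still seen as one event. Host names, account names, addresses, the log lines and the baseline are all assumptions made for this example.

```python
"""Baseline-and-deviation detection over logon logs consolidated from several hosts.

Added example for this article, not code from the author or from ISACA. All
hosts, account names, addresses and log lines below are constructed
assumptions for illustration only.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: sshd auth records from two hypothetical hosts ("tally-01",
# "tally-02") after collection into one stream. Assumed data, not real logs.
SAMPLE_LOGS = """\
2017-08-09T02:05:11 tally-01 sshd: Accepted password for clerk1 from 10.10.5.21 port 51022
2017-08-09T02:07:43 tally-01 sshd: Accepted password for clerk1 from 10.10.5.21 port 51030
2017-08-09T02:09:02 tally-02 sshd: Accepted password for clerk2 from 10.10.5.22 port 40012
2017-08-09T02:11:55 tally-01 sshd: Failed password for admin from 197.0.0.14 port 33001
2017-08-09T02:11:57 tally-01 sshd: Failed password for admin from 197.0.0.14 port 33002
2017-08-09T02:11:59 tally-02 sshd: Failed password for admin from 197.0.0.14 port 33003
2017-08-09T02:12:01 tally-02 sshd: Failed password for root from 197.0.0.14 port 33004
2017-08-09T02:12:03 tally-01 sshd: Failed password for admin from 197.0.0.14 port 33005
2017-08-09T02:12:40 tally-02 sshd: Accepted password for admin from 197.0.0.14 port 33010
2017-08-09T02:15:00 tally-01 sshd: Accepted password for clerk1 from 10.10.5.21 port 51044
"""

# Assumed baseline of "normal": the source networks each account is expected
# to log on from. In practice this comes from historical logs or the network
# design rather than being typed in by hand.
BASELINE = {
    "clerk1": [ipaddress.ip_network("10.10.5.0/24")],
    "clerk2": [ipaddress.ip_network("10.10.5.0/24")],
    "admin": [ipaddress.ip_network("10.10.0.0/16")],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_logs(text):
    """Turn raw log lines into event dicts sorted by timestamp.

    Lines that do not match the expected shape are skipped here; a real
    collector should count and report them, since a parser gap is a
    visibility gap.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def accepted_profile(events):
    """Count successful logons per (user, source): the 'what is normal' view."""
    return Counter((e["user"], e["src"]) for e in events if e["result"] == "Accepted")


def is_known_source(user, src):
    """True when the address falls inside one of the user's baseline networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BASELINE.get(user, []))


def detect(events, fail_threshold=3, window=timedelta(seconds=60)):
    """Correlate events across hosts and return a list of alert dicts.

    brute_force            - at least fail_threshold failures from one source
                             within `window`, counted across all hosts
    success_after_failures - an accepted logon from a source that failed
                             within the preceding `window`
    unknown_source         - an accepted logon from outside the user's baseline
    """
    alerts = []
    failures = defaultdict(list)   # src -> [(ts, host), ...] recent failures
    brute_flagged = set()          # sources already reported, to avoid repeats
    for ev in events:
        src, ts = ev["src"], ev["ts"]
        # Discard failures older than the window before evaluating this event.
        recent = [(t, h) for (t, h) in failures[src] if ts - t <= window]
        failures[src] = recent
        if ev["result"] == "Failed":
            recent.append((ts, ev["host"]))
            if len(recent) >= fail_threshold and src not in brute_flagged:
                brute_flagged.add(src)
                alerts.append({"rule": "brute_force", "src": src,
                               "failures": len(recent),
                               "hosts": sorted({h for _, h in recent})})
            continue
        # Accepted logon: check it against recent failures and the baseline.
        if recent:
            alerts.append({"rule": "success_after_failures", "src": src,
                           "user": ev["user"], "host": ev["host"],
                           "failures": len(recent)})
        if not is_known_source(ev["user"], src):
            alerts.append({"rule": "unknown_source", "src": src,
                           "user": ev["user"], "host": ev["host"]})
    return alerts


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for (user, src), n in accepted_profile(evs).items():
        print(f"normal: {user} from {src} x{n}")
    for alert in detect(evs):
        print("ALERT", alert)
```

On the constructed sample the guessing run against admin produces only two failures on tally-01 and three on tally-02, so a per-host threshold of three would fire on one machine at most; consolidating both hosts first is what makes the full run visible. The accepted admin logon at 02:12:40 is the alert to act on first: it trips both the "success after failures" and the "unknown source" rules, which together say that a guessing run from outside the baseline network ended in a working password.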

Of the three major aspects of system security (confidentiality, integrity and availability, the CIA triad), availability has in many cases been given more emphasis than confidentiality and integrity (herein referred to as security). Using the just-concluded elections as an example, there was keen interest in whether the Kenya Integrated Elections Management System (KIEMS) would be robust throughout the exercise or whether the Commission would be forced to revert to manual transmission and tallying of results. According to the 2015 Kenya Cyber Security Survey by Serianu, 79% of the respondent organizations were concerned about cybercrime while 21% were not. The same report revealed that 57% of the organizations relied on in-house system administrators to handle security functions, while 13% did not know who handled their security functions. System administrators play a role in systems security; however, in many instances they react only after attacks have already occurred.

Few organizations identify with the 57%; it is notable that many organizations have remained reactive to cyberattacks even as home-grown cybercriminals become more skilled and more targeted. Burdened with responsibilities such as system configuration, installation, and ensuring system uptime and performance without exceeding budget, system administrators in most cases do not give confidentiality and integrity matters the priority they deserve. To stop this trend, organizations need to change their defensive stance. They should engage (or even outsource) security specialists who focus on creating organization-wide security situational awareness, thereby generating an understanding of the cyber security posture within the organization; this leads to effective decision making at all levels. In addition, the ISACA Kenya Chapter regularly organizes training, conferences and other forums that provide opportunities to discuss emerging trends and knowledge on the subject. Please refer to our events calendar.

Christine Lilian Mukhongo, CISA, CISM, is a Systems Auditor at the Kenya School of Law. She is also a member of the ISACA Kenya Communications Committee.


Have a thought leadership article that you would like to share? Please submit it to the editorial team. Email: [email protected]


Q3 SUMMARY IN PHOTOS

Courtesy visit to Central Bank of Kenya
Participants listening to one of the speakers at the Cyber Security Evening Talk
Courtesy visit to Communications Authority of Kenya
Guest speakers at the Cyber Security Evening Talk

AWARD

Award won by ISACA Kenya at Africa CACS
ISACA members at the Africa CACS Conference

CHAPTER NEWS BYTES

SPECIAL ANNOUNCEMENT

This is to notify ISACA Kenya members that we will be having our annual AGM at Nairobi Safari Club, Lilian Towers, on 11th November from 10.00am. Members who attend will earn 3 CPE hours.

UPCOMING CPE EVENTS

1. Cybersecurity Fundamentals Workshop. Date: 12th to 13th October 2017. Venue: Flamingo Beach Resort & Spa, Mombasa. Charges: Members Ksh. 60,000; Non-Members Ksh. 70,000. CPE Hours: 14
2. Data Classification as a Tool of Risk Management. Date: 2nd November 2017. Venue: Nairobi Safari Club. Charges: Members Ksh. 1,000; Non-Members Ksh. 1,500. CPE Hours: 2
3. COBIT 5 Foundation & Implementer. Date: 6th to 10th Nov 2017. Venue: Nairobi. Charges: Members Ksh. 197,200; Non-Members Ksh. 208,800. CPE Hours: 35
4. IT Audit Technical. Date: 6th to 10th Nov 2017. Venue: Flamingo Beach Hotel, Mombasa. Charges: Members Ksh. 92,80; Non-Members Ksh. 98,600. CPE Hours: 35
5. Cybersecurity Workshop: Respond and Recover (with lab access). Date: 16th to 17th November 2017. Venue: The Boma Inn, Nairobi. Charges: Members Ksh. 40,000; Non-Members Ksh. 45,000. CPE Hours: 14
6. IT Audit Financial. Date: 4th to 8th December 2017. Venue: Diani Beach, Mombasa. Charges: Members Ksh. 92,800; Non-Members Ksh. 98,600. CPE Hours: 35
7. COBIT 5 Assessor. Date: 13th to 15th Dec 2017. Venue: Nairobi. Charges: Members Ksh. 112,200; Non-Members Ksh. 118,000. CPE Hours: 21

ISACA MEMBER GET A MEMBER

ISACA members are our greatest assets and are significant contributors to the value of ISACA membership. Every time you recruit a new member, you strengthen ISACA. The 2017 ISACA Member Get A Member Program is on, running from 1st August 2017 to 31st December 2017. The more colleagues you sign up, the better your reward. Your efforts may also receive global recognition. Visit http://isacamgam.org/ for information on the prizes and FAQs.

Current Membership Statistics: Our chapter is growing, and more of our members are earning certifications.
Members: 1318; CISA: 517; CISM: 127; CRISC: 45; CGEIT: 13

Membership Renewal: You can now renew your membership for 2018. Start planning early to avoid the last-minute rush.

Congratulations to our exam top performers!

June 2017 CISA: Ms Lucy Mumbi Kairu
Sept 2017 CISA: Boniface Mwenda Mbaabu
June 2017 CISM: Kenneth Njenga Mararo
Sept 2017 CISM: Micah Amge Njeule
June 2017 CRISC: Ms. Rose Ngina Mutiso
Sep 2017 CRISC: Winnie Chepkirui Bunei

Feedback, Updates and Social

Email: [email protected] | @IsacaKenya | Isaca Kenya Chapter | Website: http://www.isaca.or.ke
Editorial: ©Communications Committee, ISACA Kenya Chapter