I’m looking for staff: Security, Governance, Risk and Compliance

Posted on September 01, 2012

Six more positions are available in the Enterprise Information Security Management team at Transnet, within the IT Security, Governance, Risk and Compliance competency areas.

We have a lot of challenging but interesting work ahead of us. If you want to learn a lot, apply what you have learned, be part of a hard working and performing team, then please apply :)

  • ICT Continuity Compliance Manager
  • IT Risk and Compliance Manager
  • Information Security Subject Matter Expert
  • Information Security Analyst (SME) x 2
  • Senior Security Analyst (inc Forensic & Incident)

These positions are all based in the Johannesburg CBD (Carlton Centre) and are manager or senior consultant level positions.

External applicants must apply by submitting CVs electronically to recruitment@transnet.net by 16h00 on 07 September 2012. Any questions regarding the positions should be sent to linneth.mpete@transnet.net.

Further details for each of the positions can be found here: http://lnkd.in/gyy9FR (Google Plus)

We urge all our employees, clients, members of the public and our suppliers to report any kind of fraud or corruption at Transnet. Call the hotline toll free number: 0800 003 056 or email Transnet@tip-offs.com

ISACA Annual Conference 2010

Posted on August 30, 2010

Dates: 13 to 15 September 2010
Venue: Indaba Conference Centre, Fourways/Johannesburg

Over the last few years the ISACA SA Conference (#isaca2010) has drawn between 230 and 260 delegates. High profile local and international speakers provide delegates with insight into the latest developments in IT, security and governance. The 2010 conference has 3 streams of presentations and focuses on the latest strategies to address business, managerial, operational, auditing and security challenges associated with information technology and information systems. The conference topics are applicable to a wide range of attendees from CEOs and CIOs through security, audit, risk and IT professionals.

Follow @isacaza on Twitter for #isaca2010 conference news and updates.

Should you be interested in attending the conference use the online booking facility at the ISACA website or contact Nadine on admin@isaca.org.za.

See you there for another great conference.

Feedback on ISACA KZN chapter meeting control frameworks presentation

Posted on August 07, 2010

On Thursday evening (5th August) I presented at the ISACA KZN Chapter meeting. As Chapter coordinator I have the privilege of finding speakers and venues, and from time to time an arranged speaker has other commitments and so is unable to make the presentation. I always try and keep a “backup” presentation of my own and this time around it was my (our) “Tale of two cities – or control frameworks” presentation that was first presented at the IT Web security summit earlier in the year. This time I did the presentation without the assistance of my colleague from Jhb, David Volschenk, as he had other work commitments which prevented him traveling to Durban for the day.

At IT Web we had 45m for the presentation and Q&A so were fairly time constrained and did not have much time at all for discussion or questions. At the Chapter meeting we had much more time to go through the presentation at a leisurely pace, have discussion around certain aspects and make it a much more interactive (and fun) session.

There were about 20 people present, representing the consulting firms (EY, PKF, Deloitte), public sector and private sector.

Off the top of my head (I was presenting rather than taking notes :) the main areas of discussion were around:

  • Getting executive buy in for the project
  • Getting adequate funding
  • Instilling change in an organisation where the maturity level is low and the corporate culture is such that the environment is generally poorly controlled
  • What the drivers are for the implementation of a control framework, and particularly King 3 and how it is changing perspectives (creating the fire)
  • The implications of King 3, and how they will drive change from the top (rather than it being left to middle management to drive failed projects)
  • The apparent lack of understanding of King 3 on the part of directors, and how negative statements having to be made in the Annual Financials with respect to King 3 compliance could affect their reputations and those of the organisations they represent (or what happens if they “lie” and put in statements of compliance when they aren’t compliant). Company directors really do need to start taking notice of this.
  • The implementation of control frameworks is a long term process, not a quick fix. Deciding 6 months ahead of the King 3 implementation deadline that the organisation needs to be compliant may be an impossible task

In “off the record” discussions after the presentation a number of consultants wanted to know if the failed company (Company B) was actually Company XYZ or Company ABC. The answer each time was no, it wasn’t that company; Company B was a combination of failed projects. That said, the names of companies mentioned by the other parties in each case also were not one of the companies involved in the combined “Company B”. It seems there are a lot of failed control framework and security framework implementations out there.

I really enjoyed the presentation and the discussions that went with it. Thanks to all who attended for your attendance and participation. If you are interested in having further discussions around this, or have me meet with your directors to discuss further, please contact me: j-j (at) worldonline (dot) co (dot) za or on Twitter.

Thanks to Ernst & Young for hosting the chapter meeting.

See you next time at PKF.

You can find a copy of the presentation in the original article or directly here. More on King 3 here. And get a copy of the King 3 report from the IOD website.

IT Governance: King III Breakfast

Posted on May 20, 2010

I attended a breakfast session this morning hosted by Ernst & Young exploring the IT governance requirements of King 3.

“King III has shifted the IT governance landscape. Alongside the enhanced IT governance requirements, it recommends adequate reporting to the board in order to assist the board to discharge its responsibility.

What is regarded as sufficient reporting? How can such a technical area be demystified so that the reporting makes sense without losing its substance and meaning? How often are reports to the board required?”

The presenters were Leon du Rand, an independent consultant and previous CIO of ABSA, and Marius van den Berg, a Director in Ernst & Young Advisory Services who chaired the King III IT Governance subcommittee.

Both of the speakers have tremendous insight into King 3 and IT governance. The presentation covered the King 3 principles, and spent a fair bit of time exploring the process for defining the board reporting, providing a methodology that can be used to achieve this.

The presentation brought home to me the vast size of the task of achieving compliance with the King 3 principles, and of how organisations still need to grapple with just how they are going to tackle this. Much responsibility is placed onto the directors by King 3, and one has to wonder just how much IT experience they have and how directors are going to co-opt this experience onto their boards so they can discharge their responsibilities.

Note: I am a long time employee of Ernst & Young.

Some documents available on the EY website that you may find useful:

  • King III Implementation Checklist
  • King III Integrated Report Disclosure Checklist

ITWeb Security Summit 2010

Posted on May 19, 2010

I was up in Johannesburg last week to attend and co-present at the IT Web Security Summit 2010. The conference had some really good speakers (Joe Grand, Moxie Marlinspike, FX, Charlie Miller, and others) covering a wide variety of most interesting topics.

You can read some articles about the conference, the speakers and the presentations at the link above. Alex Kayle did a brief email based Q&A ahead of the presentation and wrote up the following article. It gives some idea of what the presentation is all about.

I was co-presenting with a colleague, David Volschenk, on the implementation of security and control frameworks. We took two hypothetical companies (combined from various client experiences) and compared the processes and experiences to contrast what worked and what didn’t across the organisations, while looking at the key drivers (of which King 3 is now a significant one). This was woven around Dickens’ “A Tale of Two Cities” to bring a bit of a different angle into what otherwise could have been quite a dry topic. Take a look at the King 3 responsibilities on the Board of Directors if you haven’t already. They are quite onerous compared to King 2 (which pretty much ignored IT governance). The King 3 report is available for download on the Institute of Directors (IOD) website.

Our presentation on the day went down reasonably well to quite a full venue. Thanks to all those who attended; hope you enjoyed what we had to say.

The presentation has been uploaded for all those who may wish to check it out.
