ISACA SA Annual Conference 2014 : 25/26 August 2014

Posted on June 03, 2014

Just some advance notice that the ISACA South African Chapter annual conference for 2014 has been announced.

The conference is taking place from 25 August 2014 to 26 August 2014 at Emperors Palace. Visit the conference page for details and online bookings or contact: Nadine Schreiber –

ISACA is also still looking for speakers so if you have something interesting to share please contact Nadine.

Conference web page


The Heartbleed bug : a short presentation given at the KZN ISACA Chapter Meeting

Posted on June 03, 2014

I was honoured to be asked to make a (short) presentation at the May 2014 KZN ISACA Chapter meeting. The meeting went down well with probably around 25 people attending.

Attached is the PDF of the presentation.

I hope that some of the members present found it useful and that you, my readers, do too.

Feedback as always most welcome.

The Heartbleed Bug ISACA presentation v3


Security considerations for Cloud Computing (ISACA publication)

Posted on October 13, 2012

ISACA has released its latest book on cloud computing, Security Considerations for Cloud Computing. Earlier in the week I received notification that my personal copy is with FedEx on its way to South Africa, one of the perks of being an expert reviewer on the panel for the publication.

Another publication in the Cloud Computing Vision Series, Security Considerations for Cloud Computing presents practical guidance to help IT and business professionals decide whether to move to the cloud. It enables effective analysis and measurement of risk through decision trees and checklists outlining the security factors to consider when evaluating the cloud as a potential solution.

Five essential characteristics, three service models and four deployment models are taken into account (the same classification NIST uses in its definition of cloud computing: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service; SaaS, PaaS and IaaS; private, community, public and hybrid). To ensure a common understanding of these models, the publication describes each characteristic and model.

This guide is meant for all current and potential cloud users who need to ensure protection of information assets moving to the cloud.

If you are making any significant use of cloud computing I would recommend you get your hands on the publication. It is free for members to download; a hard copy is $35 for members and $70 for non-members.


ISACA 2012 conference happening from 10-12 September 2012, registrations open soon

Posted on June 17, 2012

The ISACA South Africa 2012 conference is happening from 10-12 September. Diarise the dates and get those purchase requisitions in. If you want to present at the conference then mail Nadine ( – the speaker lineup is being finalised shortly, so hurry to make sure you don’t miss out.

The conference is being held at the Wanderer’s Club in Illovo. It’s right next door to the Protea hotel if you need accommodation, and is also served by the Gautrain and their buses, with a bus stopping right outside the hotel gates.

Hope to see you all there.

Bring your own device (BYOD) : workplace mobility presentation

Posted on May 24, 2012

I was privileged to speak at this month’s ISACA KZN Chapter meeting held last Monday at KPMG’s offices in Durban. Thanks to Terence (the local chapter leader) for the invite.

My topic was around workplace mobility, focusing on implementation challenges and learnings experienced within the workplace. For this presentation I tried something a little different, using Keynote on the iPad to develop and present the talk. This resulted in a slide deck that looks a bit different from my normal style, with far fewer words, more pictures and, I hope, a smoother flowing, more natural presentation. At the same time, it’s probably a bit more difficult for somebody who wasn’t at the presentation to get a lot of value out of the slide deck. If you download it and have questions, please go ahead and ask. It is presented below as a PDF since so few have Keynote.

Presentation here : BYOD workplace mobility v2 (download the PDF)

Daniel Cuthbert presenting at ISACA KZN Chapter meeting at Deloitte on 15 July 2011

Posted on June 28, 2011

The next meeting of the ISACA KZN Chapter will be held on Friday 15th July at Deloitte’s offices on La Lucia Ridge. Please spread the word and make every effort to attend.

KZN regional chapter meeting

  • Date : 15 July 2011
  • Venue : Deloitte’s offices on La Lucia Ridge
  • Speaker : Daniel Cuthbert
  • Topic : “Doing it for the Lulz : Why Lulzsec has shown us to be an ineffective industry.”
    • Daniel will be talking on current activities in information security, web hacking and how to protect yourselves.

Confirmation of attendance

As always, please confirm your attendance with Nadine on 011-803 0803 or a few days ahead of time.


New ISACA audit programs: Cloud computing, Crisis mgt, Infosec mgt, Active Directory, Oracle eBusiness #in

Posted on September 02, 2010

ISACA has recently made 5 new audit programs available, 4 in August and one in July, bringing the total number of available programs to 31.

These new audit programs cover :

  • Cloud Computing Management Audit/Assurance Program (Aug 2010)
  • Crisis Management Audit/Assurance Program (Aug 2010)
  • Information Security Management Audit/Assurance Program (Aug 2010)
  • Windows Active Directory Audit Program (20 Aug 2010)
  • Security, Audit and Control Features Oracle E-Business Suite, 3rd Edition – Audit programs and ICQs (July 2010)

They are all available for download on the ISACA knowledge centre website.

ISACA makes the material available at no cost as a benefit of ISACA membership. Anybody wanting to contribute material to share with fellow professionals can send it to ISACA via

ISACA Annual Conference 2010

Posted on August 30, 2010

Dates:   13 to 15 September 2010
Venue: Indaba Conference Centre, Fourways/Johannesburg

Over the last few years the ISACA SA Conference (#isaca2010) has drawn between 230 and 260 delegates. High profile local and international speakers provide delegates with insight into the latest developments in IT, security and governance. The 2010 conference has 3 streams of presentations and focuses on the latest strategies to address business, managerial, operational, auditing and security challenges associated with information technology and information systems. The conference topics are applicable to a wide range of attendees, from CEOs and CIOs through security, audit, risk and IT professionals.

Follow @isacaza on twitter for #isaca2010 conference news and updates

Should you be interested in attending the conference use the online booking facility at the ISACA website or contact Nadine on

See you there for another great conference.

Howto : Small Business IT Governance Implementation #in

Posted on August 25, 2010

One of the key challenges of IT governance is how to break it up and make it understandable and implementable for small businesses. Cost/benefit is always a key challenge: unless there is a practical, sensible approach that adds value to the business, IT governance is not going to work in a small business.

ISACA have released a nicely put together article in the J-Online section of their website. Small Business IT Governance Implementation by Janeane Leyer and Katelyn Quigley provides useful practical advice on how to implement it. The article frames the implementation around three key questions in a simple framework and discusses six critical success factors.


The largest risks to businesses today are failure to align information technology to real business needs and failure to use information technology to create value for the business. Effectively managed IT can provide small businesses with a competitive advantage, whereas ineffective management can impair the business as a whole. With recent increases in demand for cost reduction, the need for small businesses to actively manage their IT resources has never been greater.

This article will provide an overview of IT governance, discuss the benefits to small businesses, suggest a framework for implementation in small businesses and discuss critical success factors.

Download the article here.

ISACA Whitepaper “Securing Mobile Devices” #in

Posted on August 25, 2010

ISACA have released a whitepaper on the securing of mobile devices. This is the first in a series of documents which will eventually include audit/assurance programs for such devices. The overview of these documents can be found here.

Abstract of white paper

Mobile computing devices have become a critical tool in today’s networked world. Enterprises and individuals alike rely on mobile devices to remain reachable when away from the office or home. While mobile devices such as smartphones, laptops, personal digital assistants (PDAs) and Universal Serial Bus (USB) memory sticks have facilitated increased convenience for individuals as well as the potential for increased productivity in the workplace, these benefits are not without risks. Mobile devices have been, and continue to be, a source of various types of security incidents. These stem from issues such as device loss, malware and external breaches. As the availability of human resources and systems continues to be critical to society and business operations, it stands to reason that mobile device usage will continue to escalate as will the features that these devices offer. It is therefore imperative that proper risk management be applied and security controls implemented to maximize the benefits while minimizing the risks associated with such devices.

Download the whitepaper here. Writeup on the whitepaper here.

ISACA SA Chapter meetings in October (Dbn, Jhb, Pta) #in

Posted on August 25, 2010

Three of the ISACA chapters are having meetings in October. Details are below and will be updated as confirmation of speakers is obtained. Don’t forget the #isaca2010 conference in September.

KZN regional chapter meeting

  • Date : 7 October 2010
  • Venue : PKF Offices in Umhlanga
  • Topic : To be confirmed

Pretoria regional chapter meeting

  • Date : 14 October 2010
  • Venue : To be confirmed
  • Topic : To be confirmed

Johannesburg regional chapter meeting

  • Date : 26 October 2010
  • Venue : To be confirmed
  • Topic : To be confirmed

Confirmation of attendance

As always, please confirm your attendance with Nadine on 011-803 0803 or a few days ahead of time.

Upcoming ISACA chapter meetings in East London and Jhb #in

Posted on August 13, 2010

There are two chapter meetings coming up in East London and Johannesburg in the next few days. Hope to see lots of people there. I personally hope to attend the Jhb meeting, travel plans allowing.

East London

Date: 18 August 2010 at 2:30 pm
Venue: PricewaterhouseCoopers, Palm Square office park, Acacia House, Bonza Bay Rd, Beacon Bay

1) Andrew William Mpofu will be presenting: “Information Security as a strategic business asset”
2) Chris Knox will be presenting: “Information Security Risk Assessment methodologies”
3) Networking & Refreshments

Johannesburg

Date : 24 August 2010, 5pm registration with the event starting at 5:30pm

Venue : PricewaterhouseCoopers offices in Sunninghill, Johannesburg

1) Jason Gottschalk will be presenting on “Access Governance – The precursor to Identity and Access Management”.

2) Gerhard Hechter, PKF will be presenting on “Taking risks cleverly / Business intelligence”


To confirm attendance to either of these meetings please contact Nadine on 011-8030803 or


Lastly, congratulations to all those who wrote and passed CISA, CISM and CISSP. I believe results for all 3 were released today.

Feedback on ISACA KZN chapter meeting control frameworks presentation

Posted on August 07, 2010

On Thursday evening (5th August) I presented at the ISACA KZN Chapter meeting. As Chapter coordinator I have the privilege of finding speakers and venues, and from time to time an arranged speaker has other commitments and so is unable to make the presentation. I always try to keep a “backup” presentation of my own, and this time around it was my (our) “Tale of two cities – or control frameworks” presentation that was first presented at the IT Web security summit earlier in the year. This time I did the presentation without the assistance of my colleague from Jhb, David Volschenk, as he had other work commitments which prevented him travelling to Durban for the day.

At IT Web we had 45 minutes for the presentation and Q&A, so were fairly time-constrained and did not have much time at all for discussion or questions. At the Chapter meeting we had much more time to go through the presentation at a leisurely pace, have discussion around certain aspects and make it a much more interactive (and fun) session.

There were about 20 people present, representing the consulting firms (EY, PKF, Deloitte), public sector and private sector.

Off the top of my head (I was presenting rather than taking notes :) the main areas of discussion were around :

  • Getting executive buy in for the project
  • Getting adequate funding
  • Instilling change in an organisation where the maturity level is low and the corporate culture is such that the environment is generally poorly controlled
  • What the drivers are for the implementation of a control framework, and particularly King 3 and how it is changing perspectives (creating the fire)
  • The implications of King 3, and how they will drive change from the top (rather than it being left to middle management to drive failed projects)
  • The apparent lack of understanding of King 3 on the part of directors, and how negative statements having to be made in the Annual Financials with respect to King 3 compliance could affect their reputations and those of the organisations they represent (or what happens if they “lie” and put in statements of compliance when they aren’t compliant). Company directors really do need to start taking notice of this.
  • The implementation of control frameworks is a long term process, not a quick fix. Deciding 6 months ahead of the King 3 implementation deadline that the organisation needs to be compliant may be an impossible task

In “off the record” discussions after the presentation a number of consultants wanted to know if the failed company (Company B) was actually Company XYZ or Company ABC. The answer each time was no, it wasn’t that company; Company B was a combination of failed projects. That said, the names of companies mentioned by the other parties in each case also were not one of the companies involved in the combined “Company B”. It seems there are a lot of failed control framework and security framework implementations out there.

I really enjoyed the presentation and the discussions that went with it. Thanks to all who attended for your attendance and participation. If you are interested in having further discussions around this, or have me meet with your directors to discuss further, please contact me.  j-j (at) worldonline (dot) co (dot) za or on Twitter.

Thanks to Ernst & Young for hosting the chapter meeting.

See you next time at PKF.


You can find a copy of the presentation in the original article or directly here. More on King 3 here. And get a copy of the King 3 report from the IOD website.

ISACA South Africa is now on Twitter #in

Posted on August 05, 2010

ISACA South Africa is now live on Twitter.

We intend to see how we can use Twitter to promote ISACA South Africa and our activities, including the annual conference and the regional chapter meetings. Follow us to keep up to date on ISACA happenings, especially around the conference coming up next month (13-15th September).

Follow us at : and ISACA International here :

And find ISACA South Africa’s website here :

Reports on DLP, Service Auditor Standard & Social Media Security

Posted on August 02, 2010

Social Media:  Business Benefits and Security, Governance and Assurance Perspectives (ISACA)

This week, ISACA released a white paper outlining the five biggest risks posed by social media in the workplace, and how to manage them without banning the technology. The download page also includes links to a number of other useful reports on social media by Forbes, ENISA, Web-strategist, and

Download the ISACA report here

New Service Auditor Standard (Replacing SAS70) : A User Entity Perspective (ISACA)

The International Auditing and Assurance Standards Board (IAASB) and the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) have recently approved new standards for reporting on controls at a service organization with a truly global constituency in mind. Under the approach adopted by the IAASB and the ASB, Statement on Auditing Standard No. 70 (SAS 70) will be replaced by two new standards:  an attestation standard that will guide service auditors in the conduct of an examination of, and the resulting reporting on, controls at a service organization and an auditing standard that will guide user auditors in consideration of internal control when processing is performed by a service organization. While these new standards are intended to be a communication from the service auditor to the user independent auditor that permit a user entity independent auditor to fulfill auditing requirements, management at user entities also has recognized its responsibility for designing and implementing internal control over financial reporting, whether performed internally or by a service provider, and acknowledged the benefits of SAS 70 reports as part of their risk management, vendor management or regulatory compliance processes. This paper will address the changes in the new standards and will focus on providing management of user entities with valuable practical guidance on their responsibilities to help ensure that they are ready for the changes.

Download report here

The 2010 Data Loss Prevention Report (Aberdeen Group)

Aberdeen Group have temporarily made their 2010 data loss prevention report available for free download.

Report Intro:

Companies achieving top results successfully use content-aware technologies to identify sensitive data across multiple channels, and to invoke a range of remediation options to enforce established security policies. In doing so, they reap the substantial benefits of fewer incidents of data loss or data exposure, fewer audit deficiencies, and lower operational cost.

Download from here
