National Information Security Policy


This document is the National Information Security Policy. The policy outlines the
mandatory minimum security controls that all public and private sector
organisations that use, own and/or operate protected computers, or that handle official
communications and personal data, must apply to reduce their vulnerability to
cyber threats. Applying the security measures mandated by this policy
increases the capacity of organisations to withstand and recover from cyber attacks.

Applicability of National Information Security Policy
As noted above, this policy is mandatory for all public and private sector
organisations that use, own and/or operate protected computers, or that handle official
communications and personal data. In accordance with the Computer Misuse
Act 2011, the term “protected computers” refers to computers used directly in
connection with or necessary for Uganda’s security, defence, diplomacy; law
enforcement; communications infrastructure, banking and financial services,
public utilities; public key infrastructure and public safety. In this policy, “official
communications” encompass information that Ministries, Departments, Agencies
and Local Governments (MDALs) create and process during their day-to-day
business activities. Official communications have lower security sensitivity than
data handled by protected computers. However, the loss, theft and unauthorised
disclosure of “official communications” could have negative consequences on
the MDALs. Lastly, “personal data” covers data that relates to an individual. 

Critical Infrastructure (CI)
In this policy, “critical infrastructure” is the collective term for all systems used
directly in connection with or necessary for protected computer activities, the
handling of official communications and personal data. This policy adopts the
International Telecommunication Union (ITU)’s definition of critical infrastructure
(CI). Hence, in this policy, CI comprises “key systems, services and functions
whose disruption or destruction would have a debilitating impact on public health
and safety, commerce, and national security, or any combination of these.”
According to the ITU, CI encompasses physical elements such as facilities,
buildings and equipment and virtual elements such as systems and data. The
ITU further observes that the physical and virtual elements of the infrastructure
include human aspects such as the protection of personnel and the mitigation of
the insider threat. This policy addresses all aspects of the ITU definition of CI
because it covers governance, information, personnel and physical security.

Critical Information Infrastructure (CII)
The ITU regards Critical Information Infrastructure (CII) as the virtual element of
critical infrastructure. The information and communication technologies (ICTs)
that form CII increasingly operate and control critical national sectors such as
health, water, transport, communications, government, energy, food, finance and
emergency services, together with their physical assets and the activities of their personnel.

Document Details

Date of Document: Saturday, February 1, 2014
Document Authors: NITA Uganda
