Other Research Assessment

Country
Uganda

Source
Report by Global Cyber Security Capacity Centre

Title
Cybersecurity Capacity Review of the Republic of Uganda - 2016

About
Dated 2016 | Article found on the NITA.go.ug website as well as the GCSCC site | Report concluded: Overall, cybersecurity capacity in Uganda lies between an initial and formative stage of maturity. This expresses a state of maturity where some features have begun to grow and be formulated, but may be ad-hoc, while these can be clearly evidenced. As a conclusion, the Republic of Uganda is in the process of developing different aspects of cybersecurity capacity. The country is in the process of developing the national cybersecurity strategy, whilst the Uganda National Computer Emergency Response Team is already established and active.

Key findings
Summary of Results:
(1) Cybersecurity policy and strategy = Start Up | No official document for a Ugandan cybersecurity strategy | Has NISP and NISS; the NISS has no actionable directions that relate to cybersecurity: it identifies risks but gives no goals. | NITA-U = lead organisation for cybersecurity; CERT-Ug sits within it. | National Info Advisory Group - housed by NITA-U. Advises government and gets evidence from the banking and telecommunications sectors. | MOD has a cyber strategy and policy | Ministry of ICT (MoICT) is developing an ICT strategy | Telecommunications Sector CERT - developed by Ugandan Communications Commission (UCC) | There is to be a Financial Sector CERT and an MOD CERT.
(2) Cyber Culture and Society = Start Up | Absence or minimal recognition of a cybersecurity mindset within most government agencies. | There is a recognition of cyber risks and threats. | Recognition of the need to raise awareness. | No national awareness programme. | Business and Industry sector not too dissimilar - there are experts/SMEs - but not enough. | Employees may be aware of cybersecurity, but all at a low level. | Lack of trust in online services.
(3) Cybersecurity education, training and skills = Start Up | A gradual increase in information security education and training | Educational institutions starting to offer information & cyber courses | Increase in ISO certified experts and incident handlers | Not part of the national curriculum | Limited budget | Curriculum not meeting the demands of the market
(4) Legal and regulatory frameworks = Formative | A number of pieces of legislation in place. | MoICT, Min of Justice and Constitutional Affairs (MoJCA) and NITA-U are jointly coordinating the drafting of the Data Protection and Privacy Bill. | The future aim of the EAC countries is to harmonise Data Protection and Privacy Law for all member states (Kenya, Uganda, Tanzania, Rwanda and Burundi) | Limited capacity of law enforcement agencies - lack of expertise in digital forensics. | Ugandan Police - Cyber Crime Unit and Electronic and Counter Measures Department have the capacity, equipment, labs and training and are working with NITA-U and UCC. | Cross-border international prosecutions are a challenge for Law Enforcement Agencies. | Ugandan Financial Intelligence Authority (FIA) - signed up with INTERPOL to enforce anti-money laundering regulations.
(5) Standards, organisations, and technologies = Formative | Info security standards are being adhered to by the Ugandan Government. | NITA-U adopted the ISO 27001 standard. | MOD, law enforcement and national intelligence agencies - all follow national and organisational standards. | No total ISO compliance - not even in the private sector. | No fully fledged C2 centre at National level. | CERT-Ug performs this function as an Incident Response team. | There is a Communications Sector CERT and a MIL CERT. | Coordination of all 3 is a challenge. | Threat Intel agencies inform CERT-Ug | Private Sector informs CERT-Ug and the Comms Sector CERT. | Infrastructure Support - partially reliant on support from neighbouring countries.

Website
https://www.nita.go.ug/sites/default/files/publications/Uganda%20CMM.pdf