UGANDA NATIONAL BUREAU OF STANDARDS

LIST OF DRAFT UGANDA STANDARDS ON PUBLIC REVIEW

S/No. | STANDARDS CODE | TITLE (DESCRIPTION) | SCOPE

1. DUS ISO/IEC 29151:2017 Information technology -- Security techniques -- Code of practice for personally identifiable information protection

ISO/IEC 29151:2017 establishes control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of personally identifiable information (PII).

In particular, this Recommendation | International Standard specifies guidelines based on ISO/IEC 27002, taking into consideration the requirements for processing PII that may be applicable within the context of an organization's information security risk environment(s).

ISO/IEC 29151:2017 is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100), including public and private companies, government entities and not-for-profit organizations that process PII.

2. DUS ISO/IEC 19752:2017 Information technology — Office equipment — Method for the determination of toner cartridge yield for monochromatic electrophotographic printers and multi-function devices that contain printer components

This document is limited to the evaluation of toner cartridge page yield for toner containing cartridges (i.e. all-in-one toner cartridges and toner cartridges without a photoconductor) for monochrome electrophotographic print systems. This document could also be applied to the printer component of any multifunctional device that has a digital input-printing path (i.e. multi-function devices that contain printer components). This document is only intended for the measurement of toner cartridge yield. No other claims can be made from this testing regarding quality, reliability, etc.

3. DUS ISO/IEC 24734:2014 Information technology — Office equipment — Method for measuring digital printing productivity

This International Standard specifies a method for measuring the productivity of digital printing devices with various office applications and print job characteristics. This International Standard is applicable to digital printing devices, including single-function and multi-function devices, regardless of print technology (e.g. inkjet, laser). Devices can be equipped with a range of paper feed and finishing options either directly connected to the computer system or via a network. It is intended to be used for black and white (B&W) as well as colour digital printing devices. It allows for the comparison of the productivity of machines operating in various available modes (simplex, duplex, size of substrates, etc.) and office applications when the test system environment, operating modes, and job mix for each machine are held identical. This International Standard includes test files, test setup procedure, test runtime procedure, and the reporting requirements for the digital printing productivity measurements.

4. DUS ISO 9241-400:2007 Ergonomics of human--system interaction -- Part 400: Principles and requirements for physical input devices

ISO 9241-400:2006 gives guidelines for physical input devices for interactive systems. It provides guidance based on ergonomic factors for the following input devices: keyboards, mice, pucks, joysticks, trackballs, trackpads, tablets and overlays, touch sensitive screens, styli, light pens, voice controlled devices, and gesture controlled devices. It defines and formulates ergonomic principles valid for the design and use of input devices. These principles are to be used to generate recommendations for the design of products and for their use. It also defines relevant terms for the entire 400 series of ISO 9241. ISO 9241-400:2006 also determines properties of input devices relevant for usability including functional, electrical, mechanical, maintainability and safety related properties. Additionally included are aspects of interdependency with the use environment and software.

5. DUS ISO 9241-171:2008 Ergonomics of human-system interaction – Part 171: Guidance on software accessibility

This part of ISO 9241 provides ergonomics guidance and specifications for the design of accessible software for use at work, in the home, in education and in public places. It covers issues associated with designing accessible software for people with the widest range of physical, sensory and cognitive abilities, including those who are temporarily disabled, and the elderly. It addresses software considerations for accessibility that complement general design for usability as addressed by ISO 9241-110, ISO 9241-11 to ISO 9241-17, ISO 14915 and ISO 13407.

This part of ISO 9241 is applicable to the accessibility of interactive systems. It addresses a wide range of software (e.g. office, Web, learning support and library systems). It promotes the increased usability of systems for a wider range of users. While it does not cover the behaviour of, or requirements for, assistive technologies (including assistive software), it does address the use of assistive technologies as an integrated component of interactive systems. It is intended for use by those responsible for the specification, design, development, evaluation and procurement of software platforms and software applications.

6. DUS ISO/IEC 23912:2005 Information technology -- 80 mm (1,46 Gbytes per side) and 120 mm (4,70 Gbytes per side) DVD Recordable Disk (DVD-R)

ISO/IEC 23912:2005 specifies the mechanical, physical and optical characteristics of an 80 mm and a 120 mm DVD Recordable disk to enable the interchange of such disks. It specifies the quality of the pre-recorded, unrecorded and the recorded signals, the format of the data, the format of the information zone, the format of the unrecorded zone, and the recording method, thereby allowing for information interchange by means of such disks. This disk is identified as a DVD Recordable (DVD-R) disk.

ISO/IEC 23912:2005 specifies:

- 80 mm and 120 mm nominal diameter disks that may be either single or double sided;

- the conditions for conformance;

- the environments in which the disk is to be operated and stored;

- the mechanical and physical characteristics of the disk, so as to provide mechanical interchange between data processing systems;

- the format of the pre-recorded information on an unrecorded disk, including the physical disposition of the tracks and sectors, the error correcting codes and the coding method used;

- the format of the data and the recorded information on the disk, including the physical disposition of the tracks and sectors, the error correcting codes and the coding method used;

- the characteristics of the signals from pre-recorded and unrecorded areas on the disk, enabling data processing systems to read the pre-recorded information and to write to the disks; and

- the characteristics of the signals recorded on the disk, enabling data processing systems to read the data from the disk.

ISO/IEC 23912:2005 provides for interchange of disks between disk drives. Together with a standard for volume and file structure, it provides for full data interchange between data processing systems.

7. DUS ISO 19109:2015 Geographic information -- Rules for application schema

ISO 19109:2015 defines rules for creating and documenting application schemas, including principles for the definition of features.

The scope of this International Standard includes the following:

- conceptual modelling of features and their properties from a universe of discourse;

- definition of application schemas;

- use of the conceptual schema language for application schemas;

- transition from the concepts in the conceptual model to the data types in the application schema;

- integration of standardized schemas from other ISO geographic information standards with the application schema.

The following are outside the scope:

- choice of one particular conceptual schema language for application schemas;

- definition of any particular application schema;

- representation of feature types and their properties in a feature catalogue;

- representation of metadata;

- rules for mapping one application schema to another;

- implementation of the application schema in a computer environment;

- computer system and application software design;

- programming.

8. DUS ISO/IEC 38500:2015 Corporate governance of information technology

This International Standard provides guiding principles for members of governing bodies of organizations (which can comprise owners, directors, partners, executive managers, or similar) on the effective, efficient, and acceptable use of information technology (IT) within their organizations.

It also provides guidance to those advising, informing, or assisting governing bodies. They include the following:

— executive managers;

— members of groups monitoring the resources within the organization;

— external business or technical specialists, such as legal or accounting specialists, retail or industrial associations, or professional bodies;

— internal and external service providers (including consultants);

— auditors.

This International Standard applies to the governance of the organization's current and future use of IT including management processes and decisions related to the current and future use of IT. These processes can be controlled by IT specialists within the organization, external service providers, or business units within the organization.

This International Standard defines the governance of IT as a subset or domain of organizational governance, or in the case of a corporation, corporate governance.

This International Standard is applicable to all organizations, including public and private companies, government entities, and not-for-profit organizations. This International Standard is applicable to organizations of all sizes from the smallest to the largest, regardless of the extent of their use of IT.

The purpose of this International Standard is to promote effective, efficient, and acceptable use of IT in all organizations by

— assuring stakeholders that, if the principles and practices proposed by the standard are followed, they can have confidence in the organization's governance of IT,

— informing and guiding governing bodies in governing the use of IT in their organization, and

— establishing a vocabulary for the governance of IT.

9. DUS ISO/IEC 18598:2016 Information technology – Automated infrastructure management (AIM) systems – Requirements, data exchange and applications

This International Standard specifies the requirements and recommendations for the attributes of automated infrastructure management (AIM) systems.

This International Standard explains how AIM systems can contribute to operational efficiency and deliver benefits to

a) cabling infrastructure and connected device administration,

b) facilities and IT management processes and systems,

c) other networked management processes and systems (e.g. intelligent building systems),

d) business information systems covering asset tracking and asset management together with event notifications and alerts that assist with physical network security.

10. DUS ISO/IEC 27033-1:2015 Information technology – Security techniques – Network security – Part 1: Overview and concepts

This part of ISO/IEC 27033 provides an overview of network security and related definitions. It defines and describes the concepts associated with, and provides management guidance on, network security. (Network security applies to the security of devices, security of management activities related to the devices, applications/services, and end-users, in addition to security of the information being transferred across the communication links.)

It is relevant to anyone involved in owning, operating or using a network. This includes senior managers and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information security and/or network security, network operation, or who are responsible for an organization’s overall security program and security policy development. It is also relevant to anyone involved in the planning, design and implementation of the architectural aspects of network security.

This part of ISO/IEC 27033 also includes the following:

— provides guidance on how to identify and analyse network security risks and the definition of network security requirements based on that analysis,

— provides an overview of the controls that support network technical security architectures and related technical controls, as well as those non-technical controls and technical controls that are applicable not just to networks,

— introduces how to achieve good quality network technical security architectures, and the risk, design and control aspects associated with typical network scenarios and network “technology” areas (which are dealt with in detail in subsequent parts of ISO/IEC 27033), and briefly addresses the issues associated with implementing and operating network security controls, and the on-going monitoring and reviewing of their implementation.

11. DUS ISO/IEC 27033-2:2012 Information technology – Security techniques – Part 2: Guidelines for the design and implementation of network security

ISO/IEC 27033-2:2012 gives guidelines for organizations to plan, design, implement and document network security.

12. DUS ISO/IEC 27033-3:2010 Information technology – Security techniques – Part 3: Reference networking scenarios – Threats, design techniques and control issues

This part of ISO/IEC 27033 describes the threats, design techniques and control issues associated with reference network scenarios. For each scenario, it provides detailed guidance on the security threats and the security design techniques and controls required to mitigate the associated risks. Where relevant, it includes references to ISO/IEC 27033-4 to ISO/IEC 27033-6 to avoid duplicating the content of those documents.

The information in this part of ISO/IEC 27033 is for use when reviewing technical security architecture/design options and when selecting and documenting the preferred technical security architecture/design and related security controls, in accordance with ISO/IEC 27033-2. The particular information selected (together with information selected from ISO/IEC 27033-4 to ISO/IEC 27033-6) will depend on the characteristics of the network environment under review, i.e. the particular network scenario(s) and ‘technology’ topic(s) concerned.

Overall, this part of ISO/IEC 27033 will aid considerably the comprehensive definition and implementation of security for any organization's network environment.

13. DUS ISO/IEC 27033-4:2014 Information technology -- Security techniques -- Network security -- Part 4: Securing communications between networks using security gateways

This part of ISO/IEC 27033 gives guidance for securing communications between networks using security gateways (firewall, application firewall, Intrusion Protection System, etc.) in accordance with a documented information security policy of the security gateways, including:

a) identifying and analysing network security threats associated with security gateways;

b) defining network security requirements for security gateways based on threat analysis;

c) using techniques for design and implementation to address the threats and control aspects associated with typical network scenarios; and

d) addressing issues associated with implementing, operating, monitoring and reviewing network security gateway controls.

14. DUS ISO/IEC 27033-5:2013 Information technology -- Security techniques -- Network security -- Part 5: Securing communications across networks using Virtual Private Networks (VPNs)

ISO/IEC 27033-5:2013 provides detailed guidance on the security aspects of the management, operation and use of IT networks, and their inter-connections. It defines techniques for securing inter-network connections that are established using virtual private networks (VPNs). It is relevant to all personnel who are involved in the detailed planning, design and implementation of VPN security (for example IT network managers, administrators, engineers, and IT network security officers).

15. DUS ISO/IEC 27033-6:2016 Information Security – Network security – Part 6: Securing wireless IP network access

ISO/IEC 27033-6:2016 describes the threats, security requirements, security control and design techniques associated with wireless networks. It provides guidelines for the selection, implementation and monitoring of the technical controls necessary to provide secure communications using wireless networks. The information in this part of ISO/IEC 27033 is intended to be used when reviewing or selecting technical security architecture/design options that involve the use of wireless network in accordance with ISO/IEC 27033-2. Overall, ISO/IEC 27033-6 will aid considerably the comprehensive definition and implementation of security for any organization's wireless network environment. It is aimed at users and implementers who are responsible for the implementation and maintenance of the technical controls necessary to provide secure wireless networks.

16. DUS ISO/IEC 27039:2015 Information technology -- Security techniques -- Selection, deployment and operations of intrusion detection and prevention systems (IDPS)

This International Standard provides guidelines to assist organizations in preparing to deploy intrusion detection and prevention systems (IDPS). In particular, it addresses the selection, deployment, and operations of IDPS. It also provides background information from which these guidelines are derived.

17. DUS ISO/IEC 27035-2:2016 Information technology -- Security techniques -- Information security incident management -- Part 2: Guidelines to plan and prepare for incident response

This part of ISO/IEC 27035 provides the guidelines to plan and prepare for incident response. The guidelines are based on the “Plan and Prepare” phase and the “Lessons Learned” phase of the “Information security incident management phases” model presented in ISO/IEC 27035-1.

The major points within the “Plan and Prepare” phase include the following:

— information security incident management policy and commitment of top management;

— information security policies, including those relating to risk management, updated at both corporate level and system, service and network levels;

— information security incident management plan;

— incident response team (IRT) establishment;

— establish relationships and connections with internal and external organizations;

— technical and other support (including organizational and operational support);

— information security incident management awareness briefings and training;

— information security incident management plan testing.

The principles given in this part of ISO/IEC 27035 are generic and intended to be applicable to all organizations, regardless of type, size or nature.

Organizations can adjust the guidance given in this part of ISO/IEC 27035 according to their type, size and nature of business in relation to the information security risk situation. This part of ISO/IEC 27035 is also applicable to external organizations providing information security incident management services.

18. DUS ISO/IEC 27006:2015 Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems

This International Standard specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.

The requirements contained in this International Standard need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in this International Standard provides additional interpretation of these requirements for any body providing ISMS certification.

NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other audit processes.

19. DUS ISO/IEC 27004:2016 Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation

This document provides guidelines intended to assist organizations in evaluating the information security performance and the effectiveness of an information security management system in order to fulfil the requirements of ISO/IEC 27001:2013, 9.1. It establishes:

a) the monitoring and measurement of information security performance;

b) the monitoring and measurement of the effectiveness of an information security management system (ISMS) including its processes and controls;

c) the analysis and evaluation of the results of monitoring and measurement.

This document is applicable to all types and sizes of organizations.

20. DUS ISO/IEC 27002:2013/Cor 2:2015 Information technology -- Security techniques -- Code of practice for information security controls

This Standard gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment(s).

This International Standard is designed to be used by organizations that intend to:

a) select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;

b) implement commonly accepted information security controls;

c) develop their own information security management guidelines.

21. DUS ISO/IEC 27003:2017 Information technology -- Security techniques -- Information security management systems -- Guidance

This document provides explanation and guidance on ISO/IEC 27001:2013.

22. DUS ISO/IEC 27001:2013/Cor.2:2015 Information technology — Security techniques — Information security management systems — Requirements

This Standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable when an organization claims conformity to this International Standard.

23. DUS ISO/IEC 13066-1:2011 Information technology – Interoperability with assistive technology (AT) – Part 1: Requirements and recommendations for interoperability

This part of ISO/IEC 13066 defines the responsibilities of different information technology (IT) and assistive technology (AT) functional units in supporting interoperability. It recognizes that AT can be provided both as functional units that are installed or otherwise connected to a system or can be utilized by being provided as a service which is accessed via communications connections. It bases these responsibilities on fundamental IT definitions of major types of functional units. It focuses on the utilization of standard, public interfaces for functional units and on the provision of accessible documentation of their capabilities.

This part of ISO/IEC 13066 recognizes that IT is implemented both in conventional computer systems and as a major component of other systems within the wider scope of information and communications technology (ICT). This part of ISO/IEC 13066 recognizes the fundamental role of operating systems and application programming interfaces (APIs), in managing interoperability, and in providing guidance to developers of other functional units. It also recognizes that different operating systems will have their own standardized methods of supporting interoperability.

This part of ISO/IEC 13066 does not define or require specific technology, commands, APIs, or hardware interfaces. It defers to other existing standards and supports the development of new standards in these areas.

It identifies a variety of common accessibility APIs that are further described in other parts of ISO/IEC 13066.

24. DUS ISO/IEC 30134-1:2016 Information technology – Data centres – Key performance indicators – Part 1: Overview and general requirements

This part of ISO/IEC 30134 specifies the following for the other parts of ISO/IEC 30134:

a) a common structure;

b) definitions, terminology and boundary conditions for KPIs of data centre resource usage effectiveness and efficiency;

c) common requirements for KPIs of data centre resource usage effectiveness and efficiency;

d) common objectives for KPIs of the data centre resource effectiveness and efficiency;

e) general information regarding the use of KPIs of data centre resource usage effectiveness and efficiency.