Contributing to humanity, society, and nature through education and research is the mission of Ochanomizu University. To carry out this mission, the university retains substantial information as assets and utilizes this information on a daily basis while continuing to produce and distribute new information. A solid information infrastructure system must be established and maintained as the foundation for such activities. Although the university's computerized information infrastructure system provides a level of convenience that is dramatically superior to previous information systems that relied on only paper and postal mail, it involves serious risks due to the dispersal of information. Each organization and organizational member at Ochanomizu University must be aware of the seriousness of these risks and take responsibility for every action they take while using the information infrastructure system. Ochanomizu University's information security policy (hereinafter referred to as the "Policy") stipulates the operational and usage authorization within the university's information infrastructure system, thereby clarifying the responsibilities of each of the university's organizations and individual members, with the goal of establishing and maintaining an information infrastructure system that is safe and reliable.
The definitions of terms used herein are identical to those used in the Information Security Policy Guidelines established by the Information Security Measures Promotion Committee on July 18, 2000.www.kantei.go.jp/jp/it/security/taisaku/guideline.html
The scope of this Policy includes all information retained by the university, all networks administered by the university, all devices (computers, memory storage devices, etc.) connected to these networks (even temporarily), and all devices (computers, memory storage devices, memory storage media, etc.) used to store the university‘s information.Individuals covered by this Policy include faculty members (full-time or otherwise), students in both undergraduate and graduate schools, research students, auditing students, students from affiliated schools, and all other members of the university or affiliated schools as well as commissioned vendors and visiting academics using the university's networks and information.
All information handled by the university‘s departments and organizations (administrative information, research information, and educational information) is appropriately classified into three types, specifically, private information1, information disclosed with limitations2, and public information3. Each type of information is appropriately managed according to standards based on the level of importance (degree of demand for availability, degree of demand for completeness, and degree of demand for confidentiality). All information owned by the university is assigned to an administrator. No information is allowed to exist at the university without a designated information administrator. Each information administrator is given the responsibility, obligation, and authority to manage his/her assigned information. Management standards are established in the Security Policy Implementation Procedures (hereinafter referred to as the ”Procedures“).
The following information security organization was established to plan, develop, implement, manage, evaluate, and continuously review specific details based on this Policy:
Information security measures are carried out after all physical, human, and technical security perspectives have been taken into consideration. Refer to the Procedures for details.
Critical information system devices and memory storage media, including server consoles, must be installed within a controlled area (a place separated physically and monitored 24 hours a day by monitoring equipment and for which a record of authentication and room entry/exit is kept). Equipment administrators must be assigned to these information system devices and controlled installation areas. An equipment administrator is authorized to manage specific equipment and areas and is responsible for carrying this out. Physical locations inside such controlled areas must not be opened to anyone other than the equipment administrator(s) assigned to the server equipment in question.
Master copies of information for which completeness must be maintained are to be stored in a form that cannot be overwritten to guarantee the authenticity of these master copies. The information administrator for each type of information is responsible for this guarantee.
Data stored in server devices and other such locations must be backed up on a regular basis. The back-up schedule is to be determined based on the importance of the server device in question. The media on which data is to be backed up must be stored inside a controlled area in a room for which entry and exit is managed through authentication. The equipment administrator is responsible for these backups.
The entire membership of the university must be aware that anyone can either cause or suffer from information security problems. To avoid both, all members of the university must be aware of their responsibilities with respect to maintaining the information infrastructure and acquire the knowledge and maintain the skills necessary to do so. All users of information systems are obligated to maintain information security. The Information Security Committee publicizes policies among all members of the university while clarifying who has what authority and which responsibilities through awareness-raising and educational activities designed to ensure information security.
The university's information infrastructure network (the university network backbone) is designed based on the assumption that it will operate 24 hours a day, 365 days a year. The System Administration Committee must run and maintain the university's information infrastructure network based on this assumption and secure the personnel needed to do so.
Every university organization must internally publicize the security levels of each type of information that it handles and manage the information accordingly while reporting to the Information Security Committee in writing regarding important information. In addition, organizations must review this management system on a regular basis.
Regardless of whether he/she is from inside or outside the university, no person who is subject to this Policy may infringe upon the information of any research or educational institution, company, organization, group, individual, or other entity. Also, each law, agreement, or stipulation established by this university and other rules regarding information security must be observed.
The System Administration Committee takes necessary measures to control and manage access to information networks to prevent the theft, falsification, or destruction of information that can be caused by unauthorized access, whether from inside or outside the university.
The University System Administrator is responsible for managing university networks. Chronological records (logs) of firewalls and intrusion detection systems must be kept for a fixed period of time. Permission must be obtained from the Information Security Committee before university networks can be modified.
An equipment administrator must be assigned to each device that is allowed to connect to a university network. Minimal security standards that must be met by devices that are allowed to connect to university networks are stipulated in the Procedures. Any device that does not meet or comply with these standards may not be allowed to connect to university networks. Each device connecting to university networks must have some method that allows it to authenticate users. (Physical methods, such as restricted room entry/exit, are also permissible.) The equipment administrator must be able to identify the users of installed devices.
If unauthorized access is detected, whether from inside or outside, or if an act, such as sabotage, takes place that interferes with the operation of the information infrastructure system, the university system administrator or department system administrator must follow emergency procedures established by the Information Security Committee. In such cases, the system administrator has both the authority and obligation to block the communication in question or separate and disconnect the information device involved as an emergency measure. Restoration of the disconnected communication or device must occur only after the Information Security Committee's assessment of the situation and within a set period of time. If unauthorized access or sabotage continues to occur, the Information Security Committee must take measures to deter the problem, such as by halting routine use of the information device or network connected to the device in question, to protect the university's information infrastructure system.
For the security measures of the university information infrastructure system to be appropriate, consideration must be given to technological progress, the evolution of viruses, and other such issues, with diagnosis, evaluation, review, and revision conducted on a regular basis. The university system administrator analyzes and organizes information collected from the System Administration Committee from the perspective of information system confidentiality, completeness, availability, and security and reports to the Information Security Committee. The Information Security Committee examines the state of implementation of this Policy throughout the entire university, collects user opinions, keeps track of the latest information security technology, and otherwise evaluates the current Policy to make upgrades as necessary. This evaluation process must be carried out at least once a year, if not more frequently.
Supplementary Provision: This Policy went into effect on July 28, 2004.