Security Policy

28.03.2016 Update

Ochanomizu University's Information Security Policy

1. Basic Philosophy and Policy

Contributing to humanity, society, and nature through education and research is the mission of Ochanomizu University. To carry out this mission, the university retains substantial information as assets and utilizes this information on a daily basis while continuing to produce and distribute new information. A solid information infrastructure system must be established and maintained as the foundation for such activities. Although the university's computerized information infrastructure system provides a level of convenience that is dramatically superior to previous information systems that relied on only paper and postal mail, it involves serious risks due to the dispersal of information. Each organization and organizational member at Ochanomizu University must be aware of the seriousness of these risks and take responsibility for every action they take while using the information infrastructure system. Ochanomizu University's information security policy (hereinafter referred to as the "Policy") stipulates the operational and usage authorization within the university's information infrastructure system, thereby clarifying the responsibilities of each of the university's organizations and individual members, with the goal of establishing and maintaining an information infrastructure system that is safe and reliable.

i. Definitions of Terms

The definitions of terms used herein are identical to those used in the Information Security Policy Guidelines established by the Information Security Measures Promotion Committee on July 18, 2000. www.kantei.go.jp/jp/it/security/taisaku/guideline.html

ii. Scope of Policy and Covered Individuals

The scope of this Policy includes all information retained by the university, all networks administered by the university, all devices (computers, memory storage devices, etc.) connected to these networks (even temporarily), and all devices (computers, memory storage devices, memory storage media, etc.) used to store the university's information. Individuals covered by this Policy include faculty members (full-time or otherwise), students in both undergraduate and graduate schools, research students, auditing students, students from affiliated schools, and all other members of the university or affiliated schools as well as commissioned vendors and visiting academics using the university's networks and information.

iii. Classification and Management of Information

All information handled by the university's departments and organizations (administrative information, research information, and educational information) is appropriately classified into three types, specifically, private information (1), information disclosed with limitations (2), and public information (3). Each type of information is appropriately managed according to standards based on the level of importance (degree of demand for availability, degree of demand for completeness, and degree of demand for confidentiality). All information owned by the university is assigned to an administrator. No information is allowed to exist at the university without a designated information administrator. Each information administrator is given the responsibility, obligation, and authority to manage his/her assigned information. Management standards are established in the Security Policy Implementation Procedures (hereinafter referred to as the "Procedures").

  • (1) Information that only the assigned information administrator is allowed to view
  • (2) Information that only users with access privileges are allowed to view
  • (3) Information that the general public is allowed to view

iv. Organizational Framework and Authority

The following information security organization was established to plan, develop, implement, manage, evaluate, and continuously review specific details based on this Policy:

(a) Chief Information Security Administrator
The chief information security administrator is responsible for overall decision making on information security throughout the entire university, both on and off the campus, and in other organizations. The vice president (the head of the Academic and Information Board) takes on this role. The chief information security administrator notifies the university system administrator of measures that are needed to ensure the smooth operation of information systems. Any emergency measure carried out by the university system administrator becomes the responsibility of the chief information security administrator.
(b) Information Security Committee
The Information Security Committee formulates and revises important materials, including basic information security policies, for the entire university. The Information Technology Promotion Planning Office doubles as the committee, with the head of the office acting as chairman. The committee educates and promotes awareness about information security in all departments while enforcing compliance with security policies.
(c) University System Administrator
The university system administrator manages the university's information infrastructure system by leading the System Administration Committee. In addition, the university system administrator assists the chief information security administrator in implementing information system management throughout the entire university. The university system administrator is authorized to take emergency measures during emergencies, regardless of the department. The head of the Information, Media and Education Square assumes this role.
(d) Department System Administrator
The department system administrator sets up the university system administrator and the System Administration Committee and communicates with both while maintaining and strengthening information security through technical research and deliberation as well as the implementation of measures aimed at ensuring that the department's information systems run smoothly. In times of emergency, the department system administrator is authorized to carry out emergency measures, but only within the department in question.

2. Information Security Measures

Information security measures are carried out after all physical, human, and technical security perspectives have been taken into consideration. Refer to the Procedures for details.

i. Physical Security

(a) Installation Sites and Administrators

Critical information system devices and memory storage media, including server consoles, must be installed within a controlled area (a place separated physically and monitored 24 hours a day by monitoring equipment and for which a record of authentication and room entry/exit is kept). Equipment administrators must be assigned to these information system devices and controlled installation areas. An equipment administrator is authorized to manage specific equipment and areas and is responsible for carrying this out. Physical locations inside such controlled areas must not be opened to anyone other than the equipment administrator(s) assigned to the server equipment in question.

(b) Master Copies and Completeness of Information

Master copies of information for which completeness must be maintained are to be stored in a form that cannot be overwritten to guarantee the authenticity of these master copies. The information administrator for each type of information is responsible for this guarantee.

(c) Information Backups and Availability

Data stored in server devices and other such locations must be backed up on a regular basis. The back-up schedule is to be determined based on the importance of the server device in question. The media on which data is to be backed up must be stored inside a controlled area in a room for which entry and exit is managed through authentication. The equipment administrator is responsible for these backups.

(d) Information Deletion and Confidentiality

Information eventually becomes unnecessary as time passes. The information administrator is responsible for deleting information that is no longer needed while giving consideration to the maintenance of confidentiality. This responsibility is particularly important when the information is private in nature. The information administrator must establish rules for the number of years that managed information is to be kept before being deleted. Information devices and storage media will eventually grow old and require disposal. The disposal of information devices and storage media (including the deletion of stored information) is the responsibility of the equipment administrator and requires the approval of the information administrator.

ii. Personnel Security

(a) Awareness of Responsibilities by the Entire Membership

The entire membership of the university must be aware that anyone can either cause or suffer from information security problems. To avoid both, all members of the university must be aware of their responsibilities with respect to maintaining the information infrastructure and acquire the knowledge and maintain the skills necessary to do so. All users of information systems are obligated to maintain information security. The Information Security Committee publicizes policies among all members of the university while clarifying who has what authority and which responsibilities through awareness-raising and educational activities designed to ensure information security.

(b) 24-Hour Operation and Maintenance of the Information Infrastructure

The university's information infrastructure network (the university network backbone) is designed based on the assumption that it will operate 24 hours a day, 365 days a year. The System Administration Committee must run and maintain the university's information infrastructure network based on this assumption and secure the personnel needed to do so.

(c) Security Awareness at Each Organization

Every university organization must internally publicize the security levels of each type of information that it handles and manage the information accordingly while reporting to the Information Security Committee in writing regarding important information. In addition, organizations must review this management system on a regular basis.

(d) Prohibition against Actively Wrongful Conduct

Regardless of whether he/she is from inside or outside the university, no person who is subject to this Policy may infringe upon the information of any research or educational institution, company, organization, group, individual, or other entity. Also, each law, agreement, or stipulation established by this university and other rules regarding information security must be observed.

iii. Technical Security

The System Administration Committee takes necessary measures to control and manage access to information networks to prevent the theft, falsification, or destruction of information that can be caused by unauthorized access, whether from inside or outside the university.

(a) Networks

The University System Administrator is responsible for managing university networks. Chronological records (logs) of firewalls and intrusion detection systems must be kept for a fixed period of time. Permission must be obtained from the Information Security Committee before university networks can be modified.

(b) Network Connection Devices

An equipment administrator must be assigned to each device that is allowed to connect to a university network. Minimal security standards that must be met by devices that are allowed to connect to university networks are stipulated in the Procedures. Any device that does not meet or comply with these standards may not be allowed to connect to university networks. Each device connecting to university networks must have some method that allows it to authenticate users. (Physical methods, such as restricted room entry/exit, are also permissible.) The equipment administrator must be able to identify the users of installed devices.

(c) Servers

Server equipment administrators must maintain a record of access to the servers and save this record for a set length of time. These access records (logs) must be analyzed on a regular basis to check them for problems, such as attempts to infiltrate the system.

(d) Personal Computers

Personal computers that connect to university networks and personal computers or memory storage devices that store university information in memory, whether temporary or not, must always have an assigned equipment administrator. This equipment administrator must also be a system administrator (superuser) for the personal computer in question. Also, each user of an administered personal computer must have his/her own user ID and password, and the personal computer must be set up so that logging in is not possible until a user ID and password are entered.

iv. Emergency Responses

If unauthorized access is detected, whether from inside or outside, or if an act, such as sabotage, takes place that interferes with the operation of the information infrastructure system, the university system administrator or department system administrator must follow emergency procedures established by the Information Security Committee. In such cases, the system administrator has both the authority and obligation to block the communication in question or separate and disconnect the information device involved as an emergency measure. Restoration of the disconnected communication or device must occur only after the Information Security Committee's assessment of the situation and within a set period of time. If unauthorized access or sabotage continues to occur, the Information Security Committee must take measures to deter the problem, such as by halting routine use of the information device or network connected to the device in question, to protect the university's information infrastructure system.

3. Evaluation and Revision

For the security measures of the university information infrastructure system to be appropriate, consideration must be given to technological progress, the evolution of viruses, and other such issues, with diagnosis, evaluation, review, and revision conducted on a regular basis. The university system administrator analyzes and organizes information collected from the System Administration Committee from the perspective of information system confidentiality, completeness, availability, and security and reports to the Information Security Committee. The Information Security Committee examines the state of implementation of this Policy throughout the entire university, collects user opinions, keeps track of the latest information security technology, and otherwise evaluates the current Policy to make upgrades as necessary. This evaluation process must be carried out at least once a year, if not more frequently.

Supplementary Provision: This Policy went into effect on July 28, 2004.