Information Security Policy

Information Security Policy of the National Graduate Institute for Policy Studies

 

July 25, 2012

Regulations of the President

Revised: September 3, 2019

 

I. Basic Policy for Information Security

1. Purpose

  In our advanced information society, information assets are among the most important assets of the National Graduate Institute for Policy Studies (hereinafter referred to as the “Institute”). Failure to protect our information assets properly could bring about stagnation in research and educational activities at the Institute and lead to the loss of society’s confidence in the Institute. Accordingly, in order to encourage the Institute’s officers, employees and students to make constant efforts to manage and use information assets properly and strictly, the Institute’s information security policy (hereinafter referred to as the “Policy”) is hereby established, with the purpose of promoting an understanding of the importance of information security.

2. Basic Principle for the Operation of Information Systems

  In order to achieve the purpose mentioned in 1 above, the Institute’s information systems are operated stably and efficiently, with sound organization and security, and are made available Institute-wide pursuant to the Basic Regulations on the Operation of Information Systems prescribed below, so as to ensure the smooth and effective distribution of information.

3. Duties of Users

  Persons who use the Institute’s information systems and those who engage in the operational services of these systems must use the systems according to the Policy and comply with the implementation regulations, etc. concerning the operation and use of the systems separately provided for (hereinafter referred to as the “regulations, etc. based on the Policy”).

4. Penal Provisions

  Restrictions on use and other penalties imposed if the regulations, etc. based on the Policy are violated may be provided for in the respective regulations, etc.

 

II. Basic Regulations on the Operation of Information Systems

1. Purpose

  The purpose of these Regulations is to provide for the necessary matters as concerns the operation and management of information systems at the Institute, thereby promoting the protection and utilization of information retained by the Institute and the implementation of appropriate information security measures.

2. Scope of Application

  These Regulations apply to all persons who operate and manage the Institute’s information systems and all regular users and temporary users.

3. Definitions

  In these Regulations, the terms specified in the following items have the meanings stipulated therein:

    (1) Information systems

    The following systems associated with information processing and information networks, including devices connected to the Institute’s information networks:

      (i) systems owned or managed by the Institute; and

      (ii) systems provided to the Institute based on agreements, etc. with the Institute.

    (2) Information

    The following types of information managed by the information systems mentioned in (1) above:

      (i) information recorded in an information system;

      (ii) information recorded on external electronic or magnetic recording media; and

      (iii) information stated in documents related to information systems (e.g. reference materials concerning specifications, design, operation, management, and operational method).

    (3) Information assets

    Information systems, as well as information recorded in information systems, information recorded on external electronic and magnetic recording media, and information stated in documents related to information systems.

    (4) Administrative information

    Information which falls under either of the following:

      (i) corporate documents to be regulated by the Regulations on Management of Corporate Documents of National Graduate Institute for Policy Studies; or

      (ii) other corporate documents designated by the Director-General of Administrative Bureau.

    (5) Administrative information systems

    Information systems that handle administrative information.

    (6) Policy

    The Basic Principles for the Operation of Information Systems and the Basic Regulations on the Operation of Information Systems, established by the Institute.

    (7) Implementation regulations

    Regulations, standards and plans formulated based on the Policy.

    (8) Procedures

    Specific procedures, manuals and guidelines formulated based on the implementation regulations.

    (9) Regular users

    Employees and students who use the Institute’s information systems with permission for regular use.

    (10) Temporary users

    Persons other than employees and students who use the Institute’s information systems with permission for temporary use.

    (11) Information security

    Maintenance of the confidentiality, integrity and availability of information assets.

    (12) Electronic and magnetic records

    Records prepared in electronic format, magnetic format or any other format that renders them imperceptible through the senses alone, and used in information processing by computers.

    Examples of recording media whose recording formats cause the records on them to be treated as electronic and magnetic records: memories, hard disks, CDs, DVDs, MODs, magnetic tapes, magnetic cards, IC cards, two-dimensional barcodes, QR codes, etc.

    Examples of things that are not electronic or magnetic records: computer printouts, paper slips, paper forms and other sheets for data entry, and microfilm, all of which render the record perceptible through the senses.

    (13) Information security incident

    An incident or event, caused intentionally or accidentally, that relates to information security and is contrary to the Institute’s regulations or to laws.

    (14) CSIRT

    An abbreviation for Computer Security Incident Response Team, a team established within the Institute to handle the Institute’s information security incidents.

    (15) Labeling

    Measures to enable all persons who handle information to share a common understanding of the classification of that information. Labeling includes, in addition to marking each piece of information with its classification, other measures to ensure that persons handling information share a common understanding of the classification of the relevant information. Other measures include, for example, expressly designating in the regulations governing an information system the classifications of information to be recorded in that system and ensuring that all users of that system are aware of these classifications.

4. Information Security Supervisor

    (1) The Institute has a Chief Information Security Officer (CISO) as the person responsible for the operation of the Institute’s information systems, and the Vice President (in charge of general affairs) assumes this position.

    (2) The Information Security Supervisor deals with matters related to the Policy and the regulations based on it, and with the various issues presented by the information systems.

    (3) The Information Security Supervisor may designate, from among the Institute’s information systems that are used as parts of the Institute-wide information infrastructure, those systems for which a breach of information security is evaluated as likely to cause a particularly large impact.

    (4) The Chief Information Security Officer supervises Institute-wide education and the education of staff members of the General Affairs Division.

    (5) In the event that the Information Security Supervisor is unable to perform his/her duties, a person designated in advance by the Information Security Supervisor performs those duties on his/her behalf.

    (6) The Information Security Supervisor may, if necessary, appoint an expert with specialized knowledge and experience in information security as an Information Security Advisor.

5. Information Systems Operations Committee

    (1) An Information Systems Operations Committee is established as the decision-making body for the smooth operation of the Institute’s information systems.

    (2) The Information Systems Operations Committee is responsible for the following matters:

      (i) those related to the amendment and repeal of the Policy and the implementation guidelines for Institute-wide education;

      (ii) those related to the formulation, amendment and repeal of regulations and procedures on the operation and use of the information systems, and to education;

      (iii) those related to annual training plans for education on the operation and use of the information systems;

      (iv) those related to the formulation, amendment and repeal of regulations on operational risk management for the information systems, as well as the monitoring of the status of implementation of these regulations;

      (v) those related to the formulation, amendment and repeal of the information security audit regulations, as well as the implementation of these regulations;

      (vi) those related to the formulation, amendment and repeal of emergency action plans for the information systems, as well as the implementation of these action plans; and

      (vii) those related to the discussion and implementation of measures to prevent the recurrence of information security incidents.

    (3) The Information Systems Operations Committee is to share information related to reports from the CSIRT with officers and employees as necessary, and to submit proposals and reports to the Board of Research and Education and other bodies with regard to matters that may have a significant impact on the Institute’s information systems.

6. Members of the Information Systems Operations Committee

  The Information Systems Operations Committee is composed of the chairperson and the following members:

      (i) an Information Security Implementation Officer;

      (ii) an Information Security Operations Officer; and

      (iii) other persons whom the Information Security Supervisor considers necessary.

7. Chairperson of the Information Systems Operations Committee

    (1) The Information Security Supervisor serves as the chairperson of the Information Systems Operations Committee.

    (2) The chairperson presides over the Committee’s affairs.

8. Information Security Implementation Officer

    (1) The Institute has an Information Security Implementation Officer, and the Director-General of Administrative Bureau assumes this position.

    (2) The Information Security Implementation Officer implements the Policy, the regulations based on it, and the procedures with respect to the development and operation of the Institute’s information systems, based on the Information Security Supervisor’s directions.

    (3) The Information Security Implementation Officer is to supervise the implementation of education for those engaged in the operation of the information systems and for the regular users of the information systems.

    (4) The Information Security Implementation Officer represents the Institute in issuing communications and reports concerning the security of the Institute’s information systems.

9. Information Security Audit Officer

    (1) The Institute has an Information Security Audit Officer, and the Director of the Audit Office assumes this position.

    (2) The Information Security Audit Officer supervises the administrative work for audits, based on the President’s directions.

10. Organizational Unit for Management and Operation of the Information Systems Operations Committee

  In order to ensure the smooth operation of the Information Systems Operations Committee, an organizational unit for the management and operation of the Information Systems Operations Committee (hereinafter referred to as the “Management Unit”) is to be created and assigned to the General Affairs Division.

11. Businesses Handled by Management Unit

  The Management Unit conducts the following business in accordance with instructions from the Information Security Implementation Officer:

    (1) business related to the operation of the Information Systems Operations Committee;

    (2) coordination for the implementation of the Policy in relation to the operation and use of the Institute’s information systems;

    (3) coordination for the implementation of plans, including training plans, risk management and emergency action plans; and

    (4) liaison and reporting in relation to the security of the Institute’s information systems.

12. Information Security Operations Officer

    (1) The Institute has an Information Security Operations Officer, and the Director of the General Affairs Division assumes this position.

    (2) The Information Security Operations Officer is in charge of deciding the Institute’s operational policy and coping with the various issues presented by the information systems.

    (3) The Information Security Operations Officer is in charge of deciding the structure of the information systems and coping with technical problems.

    (4) The Information Security Operations Officer implements education for staff members of the General Affairs Division to ensure compliance with the Policy, the regulations based on it, and the procedures.

13. Appointment of Information Security Advisor

    (1) The Chief Information Security Officer may appoint a person with expert knowledge and experience related to information security as an Information Security Advisor.

    (2) The Chief Information Security Officer determines the specific business of the Information Security Advisor, including the following:

      (i) providing advice to the Chief Information Security Officer on advancing the implementation of information security measures for the entire Institute;

      (ii) providing advice on the formulation of information security regulations;

      (iii) providing advice on the formulation of a plan for advancing the implementation of information security measures;

      (iv) providing advice on the preparation of an educational plan, as well as assistance with the development of teaching materials and the implementation of education;

      (v) providing advice on technical matters related to information security;

      (vi) where the design and development of information systems is contracted out, providing advice on the formulation of the information security requirements and specifications to be presented as part of the terms and conditions for procurement;

      (vii) daily consultation for users;

      (viii) assistance in handling information security incidents; and

      (ix) in addition to the business specified in the preceding items, providing advice or assistance related to information security measures.

14. Development of Organizational Structure for Handling Information Security Incidents

    (1) The Chief Information Security Officer is to create a CSIRT to ensure a swift and smooth response to the occurrence of any information security incident, and is to make its roles clear.

    (2) The Chief Information Security Officer is to appoint employees who are determined to have expert knowledge or capability as CSIRT members. From among the CSIRT members, a CSIRT Manager is to be appointed to take charge of handling the Institute’s information security incidents.

    (3) The Chief Information Security Officer is to develop an organizational structure so that the occurrence of any information security incident will be immediately reported to him/her.

15. Roles of CSIRT

  The roles of the CSIRT, including the following, are to be provided for separately by the Chief Information Security Officer:

    (1) receiving reports on information security incidents from the section that accepts such reports;

    (2) reporting information security incidents to the Chief Information Security Officer and other employees;

    (3) liaison with outside parties; and

    (4) instruction and recommendations on emergency measures to prevent the expansion of damage.

16. Division of Roles

    (1) In the operation of information security measures, the same person is prohibited from playing the following roles concurrently:

      (i) a person who applies for approval or permission, and the person who gives that approval or permission (hereinafter referred to as a “person authorized to give approval, etc.”); and

      (ii) a person who is subject to an audit, and the person who conducts that audit.

    (2) Notwithstanding the preceding paragraph, if, in light of the official authority of a person authorized to give approval, etc. and other factors, it is found to be inappropriate for that person to determine whether to give approval or permission (hereinafter referred to as “approval, etc.”), an employee is to apply for approval, etc. to the superior of the person authorized to give approval, etc. In this case, if the employee obtains approval, etc. from the superior of the person authorized to give approval, etc., the employee is not required to obtain approval, etc. from the person authorized to give approval, etc.

    (3) Where a superior gives approval, etc. to an employee in a case referred to in the preceding paragraph, the employee is to take measures that conform to the points of compliance that apply to the person authorized to give approval, etc.

17. Classification of Information

  The Information Systems Operations Committee is to develop regulations on the classification and restricted use as well as labeling of information handled by information systems, in terms of confidentiality, integrity and availability for electronic and magnetic records, and in terms of confidentiality for documents.

18. Prevention of Acts That May Lead to a Decline in Information Security Level Outside the Institute

    (1) The Information Security Implementation Officer develops regulations concerning measures to prevent acts that may lead to a decline in the information security level outside the Institute.

    (2) Persons who operate and manage the Institute’s information systems, as well as regular users and temporary users of these systems, take measures to prevent acts that may lead to a decline in the information security level outside the Institute.

19. Outsourced Management of Information Systems Operations

  If the whole or part of the operations of the Institute’s information systems are outsourced to a third party, the Information Security Supervisor is to take the necessary measures to ensure that the third party will implement information security thoroughly.

20. Information Security Audit

  The Information Security Audit Officer conducts an audit to confirm that security measures for information systems are being implemented in accordance with procedures that are based on the Policy. An information security audit is governed by regulations on information security audits separately provided.

21. Review

  Persons who formulated the Policy, the implementation regulations and procedures are to consider the necessity of reviewing these provisions in a timely manner, and if they find it necessary to review any of them, they are to report this to the Information Systems Operations Committee.

 

Supplementary Provisions

This Security Policy comes into effect as of March 27, 2012.

Supplementary Provisions

This Security Policy comes into effect as of July 25, 2012.

Supplementary Provisions

This Security Policy comes into effect as of October 1, 2019.
