Information Security Policy

July 25, 2012

Regulations of the President


I. Basic Policy for Information Security

1. Purpose

In our advanced information society, information assets are one of the most important assets of the National Graduate Institute for Policy Studies (hereinafter referred to as the “Institute”). Failure to properly protect our information assets could bring about stagnation in scientific research and educational activities at the Institute and lead to the loss of society’s confidence in the Institute. Accordingly, in order to encourage the Institute’s officers, employees and students to give their constant efforts to properly and strictly managing and using information assets, the Institute’s information security policy (hereinafter referred to as the “Policy”) is hereby established, with the purpose of promoting an understanding of the importance of information security.

2. Basic Principle for the Operation of Information Systems

In order to achieve the purpose mentioned in 1 above, the Institute’s information systems are operated stably and efficiently through superior organization and security, and are made available Institute-wide, pursuant to the Basic Regulations on the Operation of Information Systems prescribed below, so as to ensure the smooth and effective distribution of information.

3. Duties of Users

Persons who use the Institute’s information systems and those who engage in the operational services of these systems must use the systems according to the Policy and comply with the implementation regulations, etc. concerning the operation and use of the systems separately provided for (hereinafter referred to as the “regulations, etc. based on the Policy”).

4. Penal Provisions

Restrictions on use and other penalties imposed if the regulations, etc. based on the Policy are violated may be provided for in the respective regulations, etc.


II. Basic Regulations on the Operation of Information Systems

1. Purpose

The purpose of these Regulations is to provide for the necessary matters as concerns the operation and management of information systems at the Institute, thereby promoting the protection and utilization of information retained by the Institute and the implementation of appropriate information security measures.

2. Scope of Application

These Regulations apply to all persons who operate and manage the Institute’s information systems and all regular users and temporary users.

3. Definitions

In these Regulations, the terms specified in the following items have the meanings stipulated therein:

(1) Information systems

The following systems associated with information processing and information networks, including devices connected to the Institute’s information networks:

(i) systems owned or managed by the Institute; and

(ii) systems provided to the Institute based on agreements, etc. with the Institute.

(2) Information

The following types of information managed by the information systems mentioned in (1) above:

(i) information recorded in an information system;

(ii) information recorded on external electronic or magnetic recording media; and

(iii) information stated in documents related to information systems (e.g. reference materials concerning specifications, design, operation, management, and operational method).

(3) Information assets

Information systems, as well as information recorded in information systems, information recorded on external electronic and magnetic recording media, and information stated in documents related to information systems.

(4) Administrative information systems

Information systems that handle administrative information.

(5) Policy

The Basic Principles for the Operation of Information Systems and the Basic Regulations on the Operation of Information Systems, established by the Institute.

(6) Implementation regulations

Regulations, standards and plans formulated based on the Policy.

(7) Procedures

Specific procedures, manuals and guidelines formulated based on the implementation regulations.

(8) Regular users

Employees and students who use the Institute’s information systems with permission for regular use.

(9) Temporary users

Persons other than employees and students, who use the Institute’s information systems with permission for temporary use.

(10) Information security

Maintenance of confidentiality, integrity and availability of information assets.

(11) Electronic and magnetic records

Records prepared in electronic format, magnetic format or any other format that renders them imperceptible through the senses alone, and used in information processing by computers.

Examples of recording media with recording formats that cause the records on them to be treated as electronic and magnetic records:

Memory devices, hard disks, CDs, DVDs, MODs, magnetic tapes, magnetic cards, IC cards, two-dimensional barcodes, QR codes, etc.

Examples of things that are not electronic or magnetic records:

Computer printouts, paper slips, paper forms and other sheets for data entry, and microfilm, which render the record perceptible through the senses.

(12) Incident

An event, caused intentionally or accidentally, that relates to information security and that violates the Institute’s regulations or the law.

(13) Labeling

Measures to enable all persons who handle information to share a common understanding of the classification of that information.

4. Information Security Supervisor

(1) The Institute has an Information Security Supervisor as the person responsible for the operation of the Institute’s information systems, and the President appoints the person that fills this position.

(2) The Information Security Supervisor deals with things related to the Policy and the regulations based on it, and with the various issues presented by the information systems.

(3) The Information Security Supervisor may designate, from among the Institute information systems that are used as parts of the Institute-wide information infrastructure, those systems for which a breach of information security is evaluated as likely to have a particularly large impact.

(4) The Information Security Supervisor supervises Institute-wide education and education for information security operators.

(5) In the event that the Information Security Supervisor is unable to perform his/her duties, a person designated in advance by the Information Security Supervisor performs those duties on his/her behalf.

(6) The Information Security Supervisor may appoint an expert with specialized knowledge and experience in information security as an Information Security Adviser, if necessary.

5. Information Systems Operations Committee

(1) An Information Systems Operations Committee is established as the decision-making body for the smooth operation of the Institute’s information systems.

(2) The Information Systems Operations Committee is responsible for the following particulars:

(i) those that are related to the Policy and the implementation guidelines for Institute-wide education;

(ii) those that are related to regulations on the operation and use of the information systems and to education;

(iii) those that are related to annual training plans for education on the operation and use of the information systems;

(iv) those that are related to regulations on operational risk management for the information systems;

(v) those that are related to information security audit regulations;

(vi) those that are related to emergency action plans for the information systems; and

(vii) those that are related to measures to prevent the recurrence of incidents.

(3) The Information Systems Operations Committee is to submit proposals and reports to the Board of Research and Education and other bodies, if necessary, with regard to matters up for decision by the Committee that may have a significant impact on the Institute’s information systems.

(4) The Information Systems Operations Committee has an administrative body to facilitate its activities, and the General Affairs Division serves as this body.

6. Members of the Information Systems Operations Committee

The Information Systems Operations Committee is composed of the chairperson and the following members:

(i) an Information Security Implementation Officer;

(ii) an Information Security Operations Officer; and

(iii) other persons whom the Information Security Supervisor considers necessary.

7. Chairperson of the Information Systems Operations Committee

(1) The Information Security Supervisor serves as the chairperson of the Information Systems Operations Committee.

(2) The chairperson presides over the Committee’s affairs.

8. Information Security Implementation Officer

(1) The Institute has an Information Security Implementation Officer, and the President appoints the person that fills this position.

(2) The Information Security Implementation Officer implements the Policy, the regulations based on it, and the procedures with respect to the development and operation of the Institute’s information systems, based on the Information Security Supervisor’s directions.

(3) The Information Security Implementation Officer is to supervise the implementation of education for those engaged in the operation of the information systems and for the regular users of the information systems.

(4) The Information Security Implementation Officer represents the Institute in issuing communications and reports concerning the security of the Institute’s information systems.

9. Information Security Audit Officer

(1) The Institute has an Information Security Audit Officer, and the President appoints the person that fills this position.

(2) The Information Security Audit Officer supervises the administrative work for audits, based on the President’s directions.

10. Information Security Operations Officer

(1) The Institute has an Information Security Operations Officer, and the Information Security Implementation Officer appoints the person that fills this position.

(2) The Information Security Operations Officer is in charge of deciding the Institute’s operational policy and coping with the various issues presented by the information systems.

(3) The Information Security Operations Officer is in charge of deciding the structure of the information systems and coping with technical problems.

(4) The Information Security Operations Officer implements education for information security operators to ensure compliance with the Policy, the regulations based on it, and the procedures.

11. Information Systems Operations Team

(1) An Information Systems Operations Team is established under the Information Systems Operations Committee.

(2) The Information Systems Operations Team carries out the following:

(i) investigations on the status of compliance with the Policy and awareness-raising with regard to this;

(ii) formulation and implementation of risk management plans and emergency action plans;

(iii) formulation and implementation of measures to prevent the recurrence of incidents;

(iv) design and planning of education for regular users; and

(v) other activities that the Information Security Implementation Officer considers necessary.

12. Members of the Information Systems Operations Team

(1) The Information Systems Operations Team is composed of a team leader and the following members:

(i) information security operators; and

(ii) other persons whom the Information Security Operations Officer considers necessary.

13. Team Leader of the Information Systems Operations Team

The Information Security Operations Officer serves as the team leader of the Information Systems Operations Team.

14. Information Security Operators

(1) The Institute has information security operators so that the Information Security Operations Officer can proceed smoothly with the management of the Institute’s information systems, and the Information Security Implementation Officer appoints the persons that fill these positions.

(2) Information security operators take charge of the technical aspects of the operation of the Institute’s information systems and assist in education for regular users, based on the Information Security Operations Officer’s directions.

15. Division of Roles

(1) In the operation of information security measures, it is prohibited for the same person to play the following roles concurrently:

(i) a person who applies for approval or permission, and the person who gives that approval or permission (hereinafter referred to as a “person authorized to give approval, etc.”); and

(ii) a person who is subject to an audit, and the person who conducts that audit.

(2) Notwithstanding the preceding paragraph, if, in light of the official authority of a person authorized to give approval, etc. and other factors, it is found to be inappropriate for such person to determine whether to give approval or permission (hereinafter referred to as “approval, etc.”), an employee is to apply for approval, etc. to the superior of the person authorized to give approval, etc. In this, if an employee obtains approval, etc. from the superior of the person authorized to give approval, etc., the employee is not required to obtain approval, etc. from the person authorized to give approval, etc.

(3) In a case referred to in the preceding paragraph, whenever a superior of an employee gives approval, etc. to the employee, the employee is to take measures that conform to the points of compliance that apply to the person authorized to give approval, etc.

16. Classification of Information

The Information Systems Operations Committee is to develop regulations on the classification and restricted use as well as labeling of information handled by information systems, in terms of confidentiality, integrity and availability for electronic and magnetic records, and in terms of confidentiality for documents.

17. Prevention of Acts That May Lead to a Decline in Information Security Level Outside the Institute

(1) The Information Security Implementation Officer develops regulations concerning measures to prevent acts that may lead to a decline in the information security level outside the Institute.

(2) Persons who operate and manage the Institute’s information systems as well as regular users and temporary users of these systems take measures to prevent acts that may lead to a decline in the information security level outside the Institute.

18. Outsourced Management of Information Systems Operations

(1) If the whole or part of the operations of the Institute’s information systems are outsourced to a third party, the Information Security Supervisor is to take the necessary measures to ensure that the third party will implement information security thoroughly.

19. Information Security Audit

The Information Security Audit Officer conducts an audit to confirm that security measures for information systems are being implemented in accordance with procedures that are based on the Policy. An information security audit is governed by regulations on information security audits separately provided.

20. Review

The Information Systems Operations Team is to consider the necessity of reviewing the Policy, the implementation regulations and procedures in a timely manner, and if it finds it necessary to review any of them, it is to report this to the Information Systems Operations Committee.


Supplementary Provisions

This Security Policy comes into effect as of March 27, 2012.

Supplementary Provisions

This Security Policy comes into effect as of July 25, 2012.
