Nagoya University Information Security Policy

Adopted by the Council on March 19, 2002, Revised on June 21, 2011,Revised on April 1, 2016.

Contents

1. Fundamental principles
2. Information security standards
3. Execution procedures

1. Fundamental principles

(1) Preamble

The mission of Nagoya University is "to contribute to the well-being and happiness of humankind through research and education in all aspects of humanity, society and nature from within a free and vibrant academic culture." While the accessibility and convenience of information in research and education are important social requirements, securing safety is necessary as problems related to information technologies continue to proliferate in society, such as unauthorized access, information leaks, and cyber-crime. Nagoya University's stance is to ensure accessibility and convenience while still giving due consideration to security. Furthermore, rather than establishing in advance rigid and detailed restrictions for various matters, Nagoya University encourages all of its members to always act responsibly in their use of our information infrastructure and to also act in a flexible manner to take advantage of the most advanced information utilization technology. However, each member must be aware of the fact that convenience also poses a serious risk due to the great ease of spreading information worldwide and must act responsibly when using the information infrastructure.

Nagoya University hereby sets out and complies with its fundamental principles regarding education and training systems to: ensure openness, security and availability of information on the basis of the level of importance of our information assets; promote appropriate management, maintenance and inspection; and raise awareness and improve skills of users regarding information security.

(2) Provisions

1. (Basic stance)

As a constituent member of society, Nagoya University shall create and maintain a secure and safe information environment and fulfill its social responsibility as a place for academic pursuit.

2. (Prevention)

Nagoya University aims to establish information infrastructure that enables its members to provide and receive education and conduct research and other work associated therewith in an efficient manner by preventing information security failure.

3. (After-the-fact measures)

When any information security incident occurs, Nagoya University shall make its best efforts to minimize the damage, recover affected system promptly and prevent recurrence of same or similar incidents.

4. (Management of operation and maintenance)

Nagoya University shall clarify roles and responsibilities of its members in relation to information security, and aim to continuously improve information infrastructure through the information security management system.

5. (Legal compliance)

Nagoya University shall create a sound information environment through respect for ethics, protection of copyrights and other intellectual property rights, prevention of unauthorized access and compliance with the Act on Protection of Personal Information and other laws and regulations.

(3) Scope of application

This Policy shall apply to all individuals who are involved in academic activities and business activities of Nagoya University and to its information assets.

2. Information security standards

In line with the fundamental principles regarding information security, the following measures shall be implemented to protect information assets against any alteration, destruction, leakage or such other incidents, regardless of whether the cause is accidental or intentional, and to maintain business continuity of Nagoya University.

(1) Establishment of Information Security Organizations

Nagoya University shall establish Information Security Organizations that plan, develop, implement, manage and continuously review specific matters based on the Security Policy, in order to create a sound environment which optimizes the balance between guaranteeing that information can be freely used (including its receipt, storage, processing, use and transmission) and the proper management of information security. Information Security Organization and University-wide Information Security Organization shall be established to integrate the information security of Nagoya University as a whole, while Information Security Organizations for relevant sections and other individual organizational units shall be established to implement the Security Policy. In addition, Information Security Audit Organization shall be established to verify whether the Information Security Policy is complied with.

a) Information Security Organizations

Information Security Organization works to carry out the following duties together with a university-wide organization and organizations for individual organizational units. Decisions made by this organization and standards and guidelines established are likely to have a profound impact on the members and non-members of the University. Therefore, a sufficient system for the disclosure of information shall also be prepared and maintained:

To develop, implement and continuously review the Information Security Policy of Nagoya University;
To determine basic matters concerning Information Security Organizations;
To coordinate between Information Security Organizations;
To clarify rights and duties of users of information-related facilities by establishing clear rules and guidelines and by developing easy-to-understand manuals;
To clarify the scope of authority, discretion and responsibility of administrators of information-related facilities;
To respond to and take measures for information security issues when they occur;
To collect and provide information regarding information security;
To deal with other matters related to information security; and
To take necessary measures based on the information security audit results.

b) University-wide Information Security Organization

The University-wide Information Security Organization shall perform the following duties:

To identify and examine information security matters which need to be addressed university-wide;
To develop a policy on the structure of Information Security Organizations for individual organizational units to be established within the University;
To establish university-wide response and handling processes for information security issues;
To standardize the level of information security standards on a university-wide basis;
To adjust and standardize response and handling methods for information security issues to be taken by Information Security Organizations for individual organizational units;
To externally respond to information security issues;
To provide support and advice in implementing the Security Policy;
To develop and execute annual plans to realize the Security Policy;
To appoint a university-wide network administrator and a person responsible for installing network equipment and terminal equipment; and
To deal with other matters related to information security.

c) Information Security Organizations for individual organizational units

Information Security Organizations for individual organizational units shall perform the following duties:

To establish and operate Information Security Organizations for individual organizational units in line with the policy on their structure stipulated by the University-wide Information Security Organization;
To develop and execute annual plans to realize the Security Policy for Information Security Organizations for individual organizational units;
To perform work related to the assurance of information security in Information Security Organizations for individual organizational units;
To work together with the University-wide Information Security Organization;
To appoint a network administrator and a person responsible for installing network equipment and terminal equipment for Information Security Organizations for individual organizational units; and
To deal with other matters related to information security.

d) Information Security Audit Organization

The Information Security Audit Organization shall perform the following duties:

To develop information security audit plans; and
To conduct audit based on the information security audit plans.

(2) Maintenance and management of electronic information

When information goes online and is stored on any equipment connected to a network, such information requires sensitive handling that is distinct from the handling of normal printed materials. Although the general rule is to handle information stored on a network equipment in accordance with Nagoya University Rules: Management of Administrative Documents, a system, rules and guidelines for such information in consideration of specific nature of the way in which such information is stored shall be separately established. It is also critical to ensure that electronic information held by third parties is handled in a proper manner.

a) Information management

a-1) Information management

Persons who intend to store public information on any network equipment shall consider the importance of such information, establish standards and procedures for the matters relating to the management of such information including the accuracy, prevention of alteration, access authority, scope of disclosure, reproduction and update thereof, and manage such information in accordance therewith.

a-2) Duty to report by public information administrator

The administrator of public information shall, upon request of Information Security Organizations, report the status of information management.

a-3) Confidential information

When any information designated as confidential information by the administrator of public information is copied to personal equipment and taken outside, he/she shall follow the pre-determined procedure. Any information relating to information security, including the information concerning the authentication of equipment shall not be disclosed to the public without the permission of Information Security Organizations.

b) Prohibition of unauthorized access

Any person who wishes to use information shall not attempt to access information that he/she is not authorized to access or that the access of which may infringe on the rights of others, whether or not an access control mechanism is in place.

(3) Advancement of information security training system and educational activities

Each organization of Nagoya University shall keep its members informed about the way information is to be handled within the organization to ensure information security, review its management system from time to time, communicate the result thereof, and thereby improve its system for raising information security awareness in each member.

(4) Assurance of effectiveness of Information Security Policy

Each organization of Nagoya University shall undergo an information security audit by the Information Security Audit Organization. Information security audit refers to an action by an organization or an individual independent of the section to be audited to confirm certain items (independent assessment) concerning information security. Through an information security audit, samples taken from self-inspection results will be checked and assessed, and the results thereof will be reported to each organization. This will contribute to improving the security level of Nagoya University.

(5) Establishment of Fundamental Principles regarding Information Security Technology

To realize information security described in this Information Security Policy, it is critical to establish fundamental principles regarding information technology. The Fundamental Principles regarding Information Security Technology concerning information equipment held by Nagoya University shall be established as follows, and related guidelines shall be established separately.

a) Fundamental principles

a-1) External connections

As a general rule, external connections to the Nagoya University network may be opened as is necessary following the application process.

a-2) Authority of network administrator

Where emergency measures are required to be taken due to, among other reasons, the occurrence of unauthorized access, the person who performs day-to-day network management may, to prevent further damage, suspend a specific service or to block external access from specific equipment without consulting Information Security Organizations.

The network administrator may require persons responsible for installing network equipment to take improvement measures, if he/she deems that such persons are in breach of technical standards or separately stipulated security guidelines.

a-3) Duties of persons responsible for installing equipment

If any damage occurs outside the University as a result of failure by the persons responsible for installing the equipment to fully perform their duties relating to information security, not only the persons responsible for installing the equipment but also the University as a whole may be socially stigmatized. Therefore, persons who install network equipment and terminal equipment shall make their best efforts to ensure information security.

a-4) Information Security Guidelines

Information Security Organizations shall develop and publicly announce "Information Security Guidelines" and other guidelines, and provide the network administrator, persons responsible for installing equipment and network users with information security training.

b) Network designing

b-1) Information security

When designing and establishing a new network, such network shall be designed with due consideration to information security.

b-2) Consultation with Information Security Organizations

When designing and establishing a new network and putting it into operation, prior consultation with and approval of Information Security Organizations shall be required. Consultation with and approval of Information Security Organizations shall be also required when expanding or altering an existing network. Installing any network devices that allow direct access to Nagoya University Campus Information Network from outside without the approval of Information Security Organizations shall be strictly prohibited.

c) Network devices

Network devices refer to routers, hub devices or other devices that provide name services. Although details of installation and management of such devices shall be governed by separate guidelines, the following standards shall be satisfied at a minimum in installing and managing network devices:

c-1) Up-to-date software

Best efforts shall be made to maintain the software for the network equipment as up-to-date as possible.

c-2) Prevention of unauthorized access by persons other than the network administrator

In the case where functions of network equipment can be configured by software, proper measures shall be taken to prevent any unauthorized access to such network equipment by persons other than the network administrator.

c-3) Selection of safe location for installation

When installing a new network device, a safe installation location shall be selected to protect the device from any physical sabotage.

c-4) Prohibition of installation of equipment that bypasses security control measures

Any access devices including information outlets and wireless LAN devices that enable any devices that are not controlled by the members of the University to access Nagoya University Campus Information Network without authentication shall not be installed.

c-5) Duty to report by persons responsible for installing equipment

Persons responsible for installing equipment shall register equipment connected to Nagoya University Campus Information Network on the prescribed equipment registration database. In addition, persons responsible for installing equipment shall, upon request of Information Security Organizations, report the operation status of network equipment.

d) Network devices

d-1) Connections of special equipment

When intending to use measuring instruments, medical equipment or any other special equipment by connecting them to the network, such connections must follow advance consultation with the relevant Information Security Organizations.

d-2) Prohibition of connection of equipment with insufficient security measures

Any equipment for which proper security measures have not been taken in accordance with the Security Technical Guidelines may not be connected to the network.

d-3) Prohibition of unauthorized use

All terminal equipment shall be kept in such condition that only persons permitted by the person responsible for installing the terminal equipment can use the equipment.

d-4) Duty to report by persons responsible for installing equipment

The persons responsible for installing equipment shall make it possible to track usage of terminal equipment, and upon request of Information Security Organizations, shall report the usage of terminal equipment. In addition, the persons responsible for installing equipment shall register such equipment in the prescribed equipment registration database.

d-5) Power of Information Security Organizations to provide instructions

Information Security Organizations may require the persons responsible for installing equipment to take specific measures, if they deem it necessary to ensure the security.

e) Information security equipment

The University-wide Information Security Organization shall install, maintain and manage security equipment including firewall devices and intrusion detection devices to ensure the security of Nagoya University Campus Information Network to a maximum extent. The following standards shall be satisfied at a minimum in installing and operating information security equipment:

e-1) Up-to-date information security equipment

The University-wide Information Security Organization shall make its best efforts to maintain the security equipment as up-to-date as possible.

e-2) Prompt response to problems

When any problem of information security equipment that is deemed important to security is detected, the University-wide Information Security Organization shall take necessary measures without delay.

e-3) Monitoring network communications

It is critical for the assurance of information security to monitor network communication using security equipment and thus all members of the University shall be notified of the fact that network communication will be monitored by security equipment, and the approval thereof shall be sought.

e-4) Disclosure of information

The University-wide Information Security Organization shall disclose the status of operation of information security equipment to all the members of the University in as much detail as possible, to the extent that such announcement does not conflict with the maintenance of security.

(6) Operation and maintenance

Nagoya University shall establish Consultation Service Desk concerning information security and a communication system in case of occurrence or possible occurrence of any information security incident.

(7) Response to an information security incident

Nagoya University shall separately establish response procedures to ensure prompt response to the occurrence of any information security incident.

3. Execution procedures

Nagoya University shall separately establish and keep all members of Nagoya University informed about the Information Security Guidelines to put the Fundamental Principles regarding Information Security and the Standards for Information Security Measures into practice. Furthermore, best efforts shall be made to realize compliance with Nagoya University Information Security Policy and Nagoya University Information Security Guidelines through linking the aforementioned Policy and Standards with the Information Environment Master Plan which describes Nagoya University's strategies concerning information environment.