
UTokyo Basic Policy for Information Security

1. Basic Policy for Information Security


To fulfill our mission to advance humankind by conducting research and educational activities appropriate for the highly information-orientated society of the 21st century, the University of Tokyo (UTokyo) must not only maintain our information infrastructure but also ensure the security of our information assets. The Policy for Information Security stipulates the arrangements necessary to ensure information security, and consists of Basic Guidelines and Standards for Countermeasures. Furthermore, specific procedures are defined in order to ensure reliable implementation of the Policy for Information Security. These measures are intended to raise awareness of the importance of information security among all users affiliated with UTokyo, and ensure the security of all information assets owned by the University.

2. Objectives of the Basic Policy for Information Security

The target users and target assets of the Basic Policy for Information Security are as follows:
 

Users

Executives, full-time and part-time faculty and administrative members, students and research students (including those auditing classes), and persons with approval to access information assets owned by UTokyo (joint use users, visitors, outside contractors, etc.).

Assets

All information assets owned by UTokyo, including “information” and “information systems”. All media (magnetic, optical, paper, etc.) containing information are subject to this policy. This includes magnetic discs, flash drives, and handwritten notes. For the time being, test samples such as DNA samples are excluded. Information systems refer to any system that handles information. Examples include electronic systems as well as systems that handle printed materials, such as the internal mailing system. This policy is applicable to all university-owned information assets even if they are stored outside UTokyo.

UTokyo’s Policy for Information Security has four main objectives:

  1. Thorough categorization and corresponding management of information assets owned by UTokyo based on their level of importance.
  2. Defense to prevent violations of information assets owned by UTokyo.
  3. Prevention of damage to the information assets owned by UTokyo.
  4. Implementation of early detection and prompt handling of security breaches at UTokyo.

3. Basic Policy for Information Security


3.1. Organization and system

The Chief Information Security Officer (CISO) oversees the entire University. The CISO makes comprehensive decisions related to information security and is responsible for information security both within and outside UTokyo. The CISO not only determines information security measures but also has the authority to take steps necessary to enforce measures across the University, and can organize committees for this purpose at their discretion.

3.2. Formulation of Basic Policy for Information Security and enforcement procedures

Information security reviews are periodically conducted to assess the current state of information asset management. Risk analysis is then performed to create standards for countermeasures and implementation procedures. Finally, the Basic Policy for Information Security and implementation procedures are reassessed periodically.

3.3. Categorization and management of information

Information is categorized to determine the appropriate information management method.

3.4. Information security of information systems

Management methods are employed to maintain information security.

3.5. Clarification of information security requirements

Information security requirements are defined to prevent destruction of, damage to, tampering with, and use of information assets through unauthorized access, and to prevent interruptions and suspensions of services through unauthorized access from within or without the University.

3.6. Information security of personal information

In addition to establishing regulations, education and training are implemented to increase awareness of and compliance with the Basic Policy for Information Security.

3.7. Response to information security incidents

Protocols are established to handle information security incidents (incidents and malfunctions related to information security).

3.8. Measures for breaches in the Basic Policy for Information Security

Measures are established to process suspected or actual breaches in information security.

3.9. Public relations and information desk for inquiries and complaints

A system for public relations and an information desk for inquiries and complaints is created.

3.10. Self-checks and information security auditing

The processes for self-checks and information security auditing are determined.

3.11. Preventive security reviews

Measures are implemented for preventive security reviews.

3.12. Information security budget

A method for drawing up budget proposals for university-wide information security is established.

3.13. Exceptional cases

Measures to handle exceptional cases are established.

Information Security Committee (March 6, 2006)
Revision by Chief Information Security Officer (April 1, 2018)
Inquiries about the content of this page: Public Relations Group