1. Basic Policy for Information Security
To fulfill our mission to advance humankind by conducting research and educational activities appropriate for the highly information-orientated society of the 21st century, the University of Tokyo (UTokyo) must not only maintain our information infrastructure but also ensure the security of our information assets. The Policy for Information Security stipulates the arrangements necessary to ensure information security, and consists of Basic Guidelines and Standards for Countermeasures. Furthermore, specific procedures are defined in order to ensure reliable implementation of the Policy for Information Security. These measures are intended to raise awareness of the importance of information security among all users affiliated with UTokyo, and ensure the security of all information assets owned by the University.
2. Objectives of the Basic Policy for Information Security
This policy applies to executives, full-time and part-time faculty and administrative members, students and research students (including those auditing classes), and persons approved to access information assets owned by UTokyo (joint-use users, visitors, outside contractors, etc.).
It covers all information assets owned by UTokyo, including “information” and “information systems”. All media (magnetic, optical, paper, etc.) containing information are subject to this policy, including magnetic discs, flash drives, and handwritten notes. For the time being, test samples such as DNA samples are excluded. Information systems refer to any system that handles information; examples include electronic systems as well as systems that handle printed materials, such as the internal mailing system. This policy applies to all university-owned information assets even when they are stored outside UTokyo.
UTokyo’s Policy for Information Security has four main objectives:
- Thorough categorization of information assets owned by UTokyo according to their level of importance, with management corresponding to each category.
- Defense against violations of information assets owned by UTokyo.
- Prevention of damage to information assets owned by UTokyo.
- Early detection and prompt handling of security breaches at UTokyo.
3. Basic Policy for Information Security
3.1. Organization and system
The Chief Information Security Officer (CISO) oversees the entire University. The CISO makes comprehensive decisions related to information security and is responsible for information security both within and outside UTokyo. The CISO not only determines information security measures but also has the authority to take steps necessary to enforce measures across the University, and can organize committees for this purpose at their discretion.
3.2. Formulation of Basic Policy for Information Security and enforcement procedures
Information security reviews are periodically conducted to assess the current state of information asset management. Risk analysis is then performed to create standards for countermeasures and implementation procedures. Finally, the Basic Policy for Information Security and implementation procedures are reassessed periodically.
3.3. Categorization and management of information
Information is categorized to determine the appropriate information management method.
3.4. Information security of information systems
Management methods are employed to maintain information security.
3.5. Clarification of information security requirements
Information security requirements are defined to prevent destruction of, damage to, tampering with, and use of information assets through unauthorized access, and to prevent interruptions and suspensions of services through unauthorized access from within or without the University.
3.6. Information security of personal information
In addition to establishing regulations, education and training are implemented to increase awareness of and compliance with the Basic Policy for Information Security.
3.7. Response to information security incidents
Protocols are established to handle information security incidents (incidents and malfunctions related to information security).
3.8. Measures for breaches in the Basic Policy for Information Security
Measures are established to process suspected or actual breaches in information security.
3.9. Public relations and information desk for inquiries and complaints
A system for public relations and an information desk for inquiries and complaints are established.
3.10. Self-checks and information security auditing
The processes for self-checks and information security auditing are determined.
3.11. Preventive security reviews
Measures are implemented for preventive security reviews.
3.12. Information security budget
A method for drawing up budget proposals for university-wide information security is established.
3.13. Exceptional cases
Measures to handle exceptional cases are established.
Revision by Chief Information Security Officer (April 1, 2018)