Information Security Policy
Information Security Policy of the National Graduate Institute for Policy Studies
July 25, 2012
Regulations of the President
Revised: September 3, 2019
I. Basic Policy for Information Security
1. Purpose
In our advanced information society, information assets are among the most important assets of the National Graduate Institute for Policy Studies (hereinafter referred to as the “Institute”). Failure to properly protect our information assets could bring about stagnation in scientific research and educational activities at the Institute and lead to the loss of society’s confidence in the Institute. Accordingly, in order to encourage the Institute’s officers, employees and students to make constant efforts to properly and strictly manage and use information assets, the Institute’s information security policy (hereinafter referred to as the “Policy”) is hereby established, with the purpose of promoting an understanding of the importance of information security.
2. Basic Principle for the Operation of Information Systems
In order to achieve the purpose mentioned in 1 above, the Institute’s information systems are operated stably and efficiently through superior organization and security, and are made available Institute-wide, pursuant to the Basic Regulations on the Operation of Information Systems prescribed below, so as to ensure the smooth and effective distribution of information.
3. Duties of Users
Persons who use the Institute’s information systems and those who engage in the operational services of these systems must use the systems according to the Policy and comply with the implementation regulations, etc. concerning the operation and use of the systems separately provided for (hereinafter referred to as the “regulations, etc. based on the Policy”).
4. Penal Provisions
Restrictions on use and other penalties imposed if the regulations, etc. based on the Policy are violated may be provided for in the respective regulations, etc.
II. Basic Regulations on the Operation of Information Systems
1. Purpose
The purpose of these Regulations is to provide for the necessary matters as concerns the operation and management of information systems at the Institute, thereby promoting the protection and utilization of information retained by the Institute and the implementation of appropriate information security measures.
2. Scope of Application
These Regulations apply to all persons who operate and manage the Institute’s information systems and all regular users and temporary users.
3. Definitions
In these Regulations, the terms specified in the following items have the meanings stipulated therein:
(1) Information systems
The following systems associated with information processing and information networks, including devices connected to the Institute’s information networks:
(i) systems owned or managed by the Institute; and
(ii) systems provided to the Institute based on agreements, etc. with the Institute.
(2) Information
The following types of information managed by the information systems mentioned in (1) above:
(i) information recorded in an information system;
(ii) information recorded on external electronic or magnetic recording media; and
(iii) information stated in documents related to information systems (e.g. reference materials concerning specifications, design, operation, management, and operational method).
(3) Information assets
Information systems, as well as information recorded in information systems, information recorded on external electronic and magnetic recording media, and information stated in documents related to information systems.
(4) Administrative information
Information which falls under either of the following:
(i) corporate documents to be regulated by the Regulations on Management of Corporate Documents of National Graduate Institute for Policy Studies; or
(ii) other corporate documents designated by the Director-General of Administrative Bureau.
(5) Administrative information systems
Information systems that handle administrative information.
(6) Policy
The Basic Principles for the Operation of Information Systems and the Basic Regulations on the Operation of Information Systems, established by the Institute.
(7) Implementation regulations
Regulations, standards and plans formulated based on the Policy.
(8) Procedures
Specific procedures, manuals and guidelines formulated based on the implementation regulations.
(9) Regular users
Employees and students who use the Institute’s information systems with permission for regular use.
(10) Temporary users
Persons other than employees and students, who use the Institute’s information systems with permission for temporary use.
(11) Information security
Maintenance of confidentiality, integrity and availability of information assets.
(12) Electronic and magnetic records
Records prepared in electronic format, magnetic format or any other format that renders them imperceptible through the senses alone, and used in information processing by computers.
Examples of recording media with recording formats that cause the records on them to be treated as electronic and magnetic records:
Memories, hard disks, CDs, DVDs, MODs, magnetic tapes, magnetic cards, IC cards, two-dimensional barcodes, QR codes, etc.
Examples of things that are not electronic or magnetic records:
Computer printouts, paper slips, paper forms and other sheets for data entry, and microfilm, which render the record perceptible through the senses.
(13) Information security incident
An incident or event caused intentionally or accidentally in relation to information security, which is against the Institute’s regulations or laws.
(14) CSIRT
An abbreviation for Computer Security Incident Response Team, which is a team established within the Institute to handle the Institute’s information security incidents.
(15) Labeling
Measures to enable all persons who handle information to share a common understanding of the classification of that information. Labeling includes, in addition to labeling by way of identifying the classification of each piece of information, other measures to ensure that persons handling information share a common understanding of the classification of the relevant information. Other measures include, for example, expressly designating in the regulations governing information systems the classifications of information to be recorded in the relevant information system and ensuring that all users of that system are aware of these classifications.
4. Information Security Supervisor
(1) The Institute has a Chief Information Security Officer (CISO) as the person responsible for the operation of the Institute’s information systems, and the Vice President (in charge of general affairs) assumes this position.
(2) The Information Security Supervisor deals with matters related to the Policy and the regulations based on it, and with the various issues presented by the information systems.
(3) The Information Security Supervisor may designate, from among the Institute information systems that are used as parts of the Institute-wide information infrastructure, those systems that are evaluated as likely to cause a particularly large impact if their information security is breached.
(4) The Chief Information Security Officer supervises Institute-wide education and education for staff members from the General Affairs Division.
(5) In the event that the Information Security Supervisor is unable to perform his/her duties, a person designated in advance by the Information Security Supervisor performs those duties on his/her behalf.
(6) The Information Security Supervisor may appoint an expert with specialized knowledge and experience in information security as an Information Security Adviser, if necessary.
5. Information Systems Operations Committee
(1) An Information Systems Operations Committee is established as the decision-making body for the smooth operation of the Institute’s information systems.
(2) The Information Systems Operations Committee is responsible for the following particulars:
(i) those that are related to the amendment and repeal of the Policy and the implementation guidelines for Institute-wide education;
(ii) those that are related to the formulation, amendment and repeal of regulations and procedures on the operation and use of the information systems and to education;
(iii) those that are related to annual training plans for education on the operation and use of the information systems;
(iv) those that are related to the formulation, amendment and repeal of regulations on operational risk management for the information systems as well as the monitoring of the status of implementation of these regulations;
(v) those that are related to the formulation, amendment and repeal of the information security audit regulations as well as the implementation of these regulations;
(vi) those that are related to the formulation, amendment and repeal of emergency action plans for the information systems as well as the implementation of these action plans; and
(vii) those that are related to the discussion and implementation of the measures to prevent the recurrence of information security incidents.
(3) The Information Systems Operations Committee is to share information related to reports from CSIRT with officers and employees as necessary, and submit proposals and reports to the Board of Research and Education and other bodies with regard to matters that may have a significant impact on the Institute’s information systems.
6. Members of the Information Systems Operations Committee
The Information Systems Operations Committee is composed of the chairperson and the following members:
(i) an Information Security Implementation Officer;
(ii) an Information Security Operations Officer; and
(iii) other persons whom the Information Security Supervisor considers necessary.
7. Chairperson of the Information Systems Operations Committee
(1) The Information Security Supervisor serves as the chairperson of the Information Systems Operations Committee.
(2) The chairperson presides over the Committee’s affairs.
8. Information Security Implementation Officer
(1) The Institute has an Information Security Implementation Officer, and the Director-General of Administrative Bureau assumes this position.
(2) The Information Security Implementation Officer implements the Policy, the regulations based on it, and procedures with respect to the development and operation of the Institute’s information systems, based on the Information Security Supervisor’s directions.
(3) The Information Security Implementation Officer is to supervise the implementation of education for those engaged in the operation of the information systems and for the regular users of the information systems.
(4) The Information Security Implementation Officer represents the Institute in issuing communications and reports concerning the security of the Institute’s information systems.
9. Information Security Audit Officer
(1) The Institute has an Information Security Audit Officer, and the Director of Audit Office assumes this position.
(2) The Information Security Audit Officer supervises the administrative work for audits, based on the President’s directions.
10. Organizational Unit for Management and Operation of the Information Systems Operations Committee
In order to ensure the smooth operation of the Information Systems Operations Committee, an organizational unit for the management and operation of the Information Systems Operations Committee (hereinafter referred to as the “Management Unit”) is to be created and assigned to the General Affairs Division.
11. Businesses Handled by Management Unit
The Management Unit conducts the following business in accordance with instructions from the Information Security Implementation Officer:
(1) business related to the operation of the Information Systems Operations Committee;
(2) coordination for the implementation of the Policy in relation to the operation and use of the Institute’s information systems;
(3) coordination for the implementation of plans including training plans, risk management and emergency action plans; and
(4) liaison and reporting in relation to the security of the Institute’s information systems.
12. Information Security Operations Officer
(1) The Institute has an Information Security Operations Officer, and the Director of General Affairs Division assumes this position.
(2) The Information Security Operations Officer is in charge of deciding the Institute’s operational policy and coping with the various issues presented by the information systems.
(3) The Information Security Operations Officer is in charge of deciding the structure of the information systems and coping with technical problems.
(4) The Information Security Operations Officer implements education for staff members from the General Affairs Division to ensure compliance with the Policy, the regulations based on it, and procedures.
13. Appointment of Information Security Advisor
(1) The Chief Information Security Officer may appoint a person with expert knowledge and experience related to information security as an Information Security Advisor.
(2) The Chief Information Security Officer determines the specific business of an Information Security Advisor, including the following:
(i) providing advice to the Chief Information Security Officer on the advancement of implementation of the information security measures for the entire Institute;
(ii) providing advice on the formulation of information security regulations;
(iii) providing advice on the formulation of a plan for advancement of implementation of information security measures;
(iv) providing advice on the generation of an educational plan as well as assistance for the development of teaching materials and implementation of education;
(v) providing advice on technical matters related to information security;
(vi) in case of contracting out the designing and development of information systems, providing advice on the formulation of the information security requirements and specifications to be presented as part of the terms and conditions for procurement;
(vii) daily consultation for users;
(viii) assistance for handling information security incidents; and
(ix) in addition to the business specified in the preceding items, providing advice or assistance related to information security measures.
14. Development of Organizational Structure for Handling Information Security Incidents
(1) The Chief Information Security Officer is to create a CSIRT to ensure swift and smooth response to the occurrence of any information security incidents and make clear its roles.
(2) The Chief Information Security Officer is to appoint employees who are determined to have expert knowledge or capability as CSIRT members. Among CSIRT members, a CSIRT Manager is to be appointed to take charge of handling the Institute’s information security incidents.
(3) The Chief Information Security Officer is to develop an organizational structure so that the occurrence of any information security incidents will be immediately reported to him/her.
15. Roles of CSIRT
The Chief Information Security Officer is to provide for the roles of CSIRT separately, including the following:
(1) receiving reports on information security incidents from a section that accepts reports;
(2) reporting information security incidents to the Chief Information Security Officer and other employees;
(3) liaison with outside parties; and
(4) instruction and recommendation on emergency measures to prevent the expansion of damage.
16. Division of Roles
(1) In the operation of information security measures, it is prohibited for the same person to play the following roles concurrently:
(i) a person who applies for approval or permission, and the person who gives that approval or permission (hereinafter referred to as a “person authorized to give approval, etc.”); and
(ii) a person who is subject to an audit, and the person who conducts that audit.
(2) Notwithstanding the preceding paragraph, if, in light of the official authority of a person authorized to give approval, etc. and other factors, it is found to be inappropriate for such person to determine whether to give approval or permission (hereinafter referred to as “approval, etc.”), an employee is to apply for approval, etc. to the superior of the person authorized to give approval, etc. In this case, if an employee obtains approval, etc. from the superior of the person authorized to give approval, etc., the employee is not required to obtain approval, etc. from the person authorized to give approval, etc.
(3) Where, in a case referred to in the preceding paragraph, a superior of an employee gives approval, etc. to the employee, the employee is to take measures that conform to the points of compliance concerning the person authorized to give approval, etc.
17. Classification of Information
The Information Systems Operations Committee is to develop regulations on the classification and restricted use as well as labeling of information handled by information systems, in terms of confidentiality, integrity and availability for electronic and magnetic records, and in terms of confidentiality for documents.
18. Prevention of Acts That May Lead to a Decline in Information Security Level Outside the Institute
(1) The Information Security Implementation Officer develops regulations concerning measures to prevent acts that may lead to a decline in the information security level outside the Institute.
(2) Persons who operate and manage the Institute’s information systems as well as regular users and temporary users of these systems take measures to prevent acts that may lead to a decline in the information security level outside the Institute.
19. Outsourced Management of Information Systems Operations
If the whole or part of the operations of the Institute’s information systems are outsourced to a third party, the Information Security Supervisor is to take the necessary measures to ensure that the third party will implement information security thoroughly.
20. Information Security Audit
The Information Security Audit Officer conducts an audit to confirm that security measures for information systems are being implemented in accordance with procedures that are based on the Policy. An information security audit is governed by regulations on information security audits separately provided.
21. Review
Persons who formulated the Policy, the implementation regulations and procedures are to consider the necessity of reviewing these provisions in a timely manner, and if they find it necessary to review any of them, they are to report this to the Information Systems Operations Committee.
Supplementary Provisions
This Security Policy comes into effect as of March 27, 2012.
Supplementary Provisions
This Security Policy comes into effect as of July 25, 2012.
Supplementary Provisions
This Security Policy comes into effect as of October 1, 2019.