1　Approach to Information Security

　In order for Tsuda University to demonstrate responsibility in conducting academic research and providing education, as well as in other activities, the university needs to have a data infrastructure in place and ensure the security of the information assets it holds. The Tsuda University Information Security Policy comprises both overall principles and specific security standards, clearly setting out the arrangements necessary to ensure information security. The university also sets detailed procedures for reliable implementation of the Information Security Policy. These procedures are intended to make all information users within Tsuda University aware of the importance of information security and ensure the security of all information assets held by the university.

2　Objectives of the Information Security Policy

●The Information Security Policy applies to the following information users and data/systems:

Information users to whom the policy applies

Full-time and part-time faculty and staff at Tsuda University, degree students and research students (including auditing students, etc.), and others authorized to access information assets held by Tsuda University (including joint users, visitors to the university, and workers employed by outsourcing contractors).

Data/systems to which the policy applies

The policy applies to all information assets held by Tsuda University; information assets include information and information systems. Information may take any form (including magnetic, optical, or hard copy); magnetic discs, flash memory drives, and handwritten notes also qualify as information. Information systems are systems for handling information, and they include not only electronic systems, but also systems for handling information in hard-copy form, such as the university’s internal mail system. The Information Security Policy applies to all information assets recognized as held by Tsuda University, even if such information assets are stored on information systems outside Tsuda University.

●The aims of the Tsuda University Information Security Policy are as follows:

1. To ensure that information assets held by Tsuda University are classified according to importance and managed appropriately

2. To defend information assets held by Tsuda University against security infringements

3. To prevent acts of misconduct affecting information assets held inside or outside Tsuda University

4. To ensure early detection of and prompt response to security infringements and similar incidents occurring within Tsuda University

3　Information Security Policy: Overall Principles

3.1　Organizational provision

　Tsuda University shall appoint the Chief Information Security Officer to undertake overall decision-making relating to the university’s information security. The Chief information security officer shall take responsibility for Tsuda University’s information security both inside and outside the university. The Chief information security officer shall have the authority to determine information security-related measures and take the action necessary to ensure they are implemented throughout the university. In addition, the Chief information security officer shall have the authority to order the establishment of any organizational entities necessary to take such action.

3.2　Drafting of the Information Security Policy and implementation procedures

The university shall conduct regular information security audits throughout its organization, ascertaining how information assets are managed and analyzing risks in order to prepare security standards and implementation procedures. The university shall review its Information Security Policy and implementation procedures regularly.

3.3　Classification and management of information

The university shall classify information and determine appropriate information management methods.

3.4　Security of information systems

The university shall determine methods for managing information systems.

3.5　Defining information security requirements

The university shall identify requirements with regard to information security in order to prevent unauthorized access from inside or outside Tsuda University leading to destruction, impairment, manipulation, or unauthorized use of its information assets, suspension of its educational services, or other adverse outcomes.

3.6　Education and training relating to information security

The university shall put rules in place to ensure compliance with the Information Security Policy. It shall also provide education and training to ensure that the Information Security Policy is widely known and complied with.

3.7　Response to information security incidents

The university shall determine methods for responding to information security incidents (i.e., information security-related accidents or failures).

3.8　Measures in response to Information Security Policy violations

The university shall establish procedures for deciding on measures to be taken in response to Information Security Policy violations.

3.9　Establishment and publicizing of a point of contact for inquiries and complaints

The university shall establish a point of contact to handle inquiries or complaints and make the necessary provision for publicizing the point of contact.

3.10　Self-assessment and information security auditing

The university shall establish procedures relating to self-assessment of the information security system and information security auditing.

3.11　Precautionary approach

The university shall determine details relating to precautionary investigations.

3.12　Preparation of budget proposals

The university shall establish a methods for drafting information security-related budget proposals covering the university as a whole.

3.13　Measures in exceptional cases

The university shall determine procedures for handling exceptions to the Information Security Policy.

April 1, 2018