Matsuyama University categorizes information systems and information (hereafter, “information assets”) by degree of importance and has established the Information Security Policies in order to ensure adequate protection of the same while at the same time respecting the use of information assets within a scope which enables the freedom of research and education. These Information Security Policies are presented here. All users are asked to adhere to the policies.
Matsuyama University (hereafter, the “University”) follows the three founding principles of “Truthful,” “Faithful,” and “Useful” based on the traditional spirit of the school which has existed since its founding in order to raise the quality of academic research and education activities. The University has actively promoted the establishment of an information base and the utilization of the Internet for the purposes of the publication of research results, the exchange of information between students and teaching staff, the exchange of information between the University and the regional community, and the exchange of information with universities and research institutions across the nation and in countries around the world. These actions have been in conformance with the founding principle of “Faithful.”
Further, the promotion of practical information technology in education and research has made the “Truthful” and “Useful” of information exchanged via computers and networks increasingly important.
The information handled by the University includes information which could bring about serious harm, including injury to the life and property of citizens, infringement on individual rights, or a loss of the University’s trust if intercepted, modified, destroyed, stolen, or leaked. To prevent such matters from occurring, the University must protect the truth and faithfulness (Useful) of information from interception, modification, destruction, theft, and leakage.
To do so, the University categorizes information systems and information (hereafter, “information assets”) by degree of importance and provides appropriate protection for the same while respecting the use of information assets within a scope which enables the freedom of research and education. Accordingly, the University, as a post-secondary education system established in the community, has established a clear set of Information Security Policies for all University users to rigorously protect and manage information assets. The University shall also maintain a balance between “Truthful,” “Faithful,” and “Useful” and further increase the trust of the regional community in the University by introducing systems which realize information security without damaging user-friendliness.
The University’s Information Security Policies are composed of the Basic Information Security Policy (this document), the Information Security Policy, and the Information Security Countermeasure Standards.
Persons making use of the University’s information assets must respect the University’s three founding principles and adhere to the Information Security Policies.
June 6, 2015
Satoru Kamimori, Director
This policy is a guideline, based on the Matsuyama University information security basic policy (referred to below as “the basic policy”) to enable Matsuyama University (referred to below as “the University”) to protect the data assets it owns from falsification, destruction and leakages etc.
Terms used in this policy are defined as follows:
(1) Information system
The hardware, software, networks, storage mediums managed by the University, and the processing undertaken therein.
(2) Information
Information handled by the information system
(3) Information assets
The information system (including resources required for its development, management and protection) and information
(4) Information security
Refers to the maintenance of confidentiality *1, integrity *2, and usability *3 of information assets and the usable condition of information assets in an established setting.
- Purport and positioning
This policy, drawn up for the following reasons, lays out the minimum stipulations which must be adhered to when handling data using the information system. All details are in compliance with relevant acts *4, and all internal rules and regulations.
(1) To prevent breaches of University information security
(2) To stave off acts which may damage information security inside and outside the University.
(3) To sort and manage information assets
(4) To renew and evaluate the information security
- Scope and target personnel
The remit of this University policy is information electromagnetically recorded in the information system (hardware, software, storage media etc.). The policy targets all students and staff members who use University information assets: teachers, office staff, part-time teachers, clerical assistants, temporary employees, staff sent in by dispatch companies, subcontractors, graduate students, undergraduate students, junior college students, students attending credited auditor courses, attendees of scientific workshops, etc.
- Extent of policy disclosure
This policy and the basic policy are in the public domain, both inside and outside the University.
The Matsuyama University Information Security Standards (referred to as “the standards”) are handled as a confidential document, and as a rule may not be disclosed outside the University. However, disclosure may be permitted in certain cases, after an NDA has been signed, should non-disclosure adversely affect the execution of professional duties.
- Data security management system
The CIO (Chief Information Officer) is responsible for consolidating all information assets owned by the University. The President of Administrative Board will take on these duties if the Administrative Board exceptionally does not appoint a CIO. The CISO (Chief Information Security Officer) is responsible for protecting and managing information asset security, and these duties will be taken on by the administrator responsible for the information systems should the Administrative Board not appoint a CISO exceptionally. Under the CISO there is a system which implements and manages information security measures.
- Sorting and managing information assets
Information assets will be classified according to content and management responsibility will be clarified, and alongside this, information security measures will be implemented according to the importance stipulated in the countermeasure standards.
- Threats to information assets
Threats to information assets, to be considered in the implementation of information security measures in terms of the extent of the threat and its possible effects, are as follows:
(1) Intentional unauthorized information access or program extraction by illegal means, interception, data corruption, data deletion, or theft of devices or mediums, by a person other than University employees or students.
(2) Unintentional operation, or intentional unauthorized access, data or program extraction by illegal means, theft, data corruption or deletion, or theft of devices or mediums, data leakage through computer access which does not comply with security standards, by University staff members or students.
(3) Stoppage of duties or services due to damage, accidents, malfunctions caused by earthquakes, lightning, fire etc.
- Information security measures
The following information security measures are in place to protect the information assets from the security threats mentioned in Section 7.
(1) Physical security measures
Physical measures needed to prevent illegal entry into the facilities in which the networks and data systems are housed, and to protect information assets from damage and interference.
(2) Human security measures
This refers to measures required for education in, and dissemination of, to all staff and students, the contents of the information security policy (referred to below as “the policy”) prescribed in the basic policy, which demarcates authority and responsibility relating to data security.
(3) Technology and operations security measures
Control of access to information assets in order to appropriately protect them from unauthorized access from inside and outside the University, measures in the technological area such as network management and subcontracting of system development to third parties, network monitoring, measures in the operational area including confirmation of adherence to the policy, and measures to enable rapid reaction should an operational emergency occur.
- Formulation of countermeasure standards
University information assets: The CISO will separately enact standards to clarify the basic standards necessary for implementing information security countermeasures, because there is a need to enact standards of judgement and actions which must be adhered to when taking steps to ensure the data security mentioned in Section 8.
- Information security implementation procedures
The information system manager (refers to the director who has jurisdiction over the information system Division, Departments and Bureaus) will draw up information security countermeasure implementation procedures for the information assets under his jurisdiction, based on the basic standards outlined in the countermeasure standards, in line with the importance of information asset threats and the information assets themselves.
- Information asset access control
The CISO is able to limit information asset access for users of information assets managed by the University who have contravened the policy, whether or not they are employees or students. Furthermore, there are cases in which employees or students who have contravened the policy will be subject to further disciplinary action.
- Implementation of evaluations and revisions
The CISO will carry out regular audits to verify the extent to which the policy is being adhered to, and based on the results of this validation the items laid out in the policy and the countermeasure will be evaluated. Alongside this, policy revisions will be implemented should they become necessary due to changes in the information security environment.
- Unforeseen circumstances
Unforeseen matters not covered by the policy will be discussed by the Information Security Committee.
- Revision and/or abolition of the policy
The policy will be revised or abolished by the Administration Board following discussion by the Information Security Committee.
※1 Confidentiality: ensuring that data is only accessed by people who have been authorized to do so.
※2 Integrity: safeguarding the data and accuracy of processing methods, and ensuring that it remains intact.
※3 Usability: ensuring that people who have permission are able to access data when they need it.
※4 Relevant acts: Major laws related to information security
- Laws regarding the protection of personal information owned by administrative bodies
- Laws regarding the disclosure of data owned by administrative bodies
- Laws regarding the protection of personal information
- Civil law
- Provider Liability Limitation Law
- Criminal law
- Laws regarding the prohibition of unauthorized access
- Laws regarding the interception of communications for criminal investigations
- Copyright laws
- Unfair Competition Prevention Act