Security Policy

Ochanomizu University's Information Security Policy

1. Basic Philosophy and Policy

Contributing to humanity, society, and nature through education and research is the mission of Ochanomizu University. To carry out this mission, the university retains substantial information as assets and utilizes this information on a daily basis while continuing to produce and distribute new information. A solid information infrastructure system must be established and maintained as the foundation for such activities.
Although the university's computerized information infrastructure system provides a level of convenience that is dramatically superior to previous information systems that relied on only paper and postal mail, it involves serious risks due to the dispersal of information. Each organization and organizational member at Ochanomizu University must be aware of the seriousness of these risks and take responsibility for every action they take while using the information infrastructure system.
Ochanomizu University's information security policy (hereinafter referred to as the "Policy") stipulates the operational and usage authorization within the university's information infrastructure system, thereby clarifying the responsibilities of each of the university's organizations and individual members, with the goal of establishing and maintaining an information infrastructure system that is safe and reliable.

i. Definitions of Terms

The definitions of terms used herein are identical to those used in the Information Security Policy Guidelines established by the Information Security Measures Promotion Committee on July 18, 2000.
www.kantei.go.jp/jp/it/security/taisaku/guideline.html

ii. Scope of Policy and Covered Individuals

The scope of this Policy includes all information retained by the university, all networks administered by the university, all devices (computers, memory storage devices, etc.) connected to these networks (even temporarily), and all devices (computers, memory storage devices, memory storage media, etc.) used to store the university's information.
Individuals covered by this Policy include faculty members (full-time or otherwise), students in both undergraduate and graduate schools, research students, auditing students, students from affiliated schools, and all other members of the university or affiliated schools as well as commissioned vendors and visiting academics using the university's networks and information.

iii. Classification and Management of Information

All information handled by the university's departments and organizations (administrative information, research information, and educational information) is appropriately classified into three types, specifically, private information [1], information disclosed with limitations [2], and public information [3]. Each type of information is appropriately managed according to standards based on the level of importance (degree of demand for availability, degree of demand for completeness, and degree of demand for confidentiality). All information owned by the university is assigned to an administrator. No information is allowed to exist at the university without a designated information administrator. Each information administrator is given the responsibility, obligation, and authority to manage his/her assigned information. Management standards are established in the Security Policy Implementation Procedures (hereinafter referred to as the "Procedures").

  • 1. Information that only the assigned information administrator is allowed to view
  • 2. Information that only users with access privileges are allowed to view
  • 3. Information that the general public is allowed to view

iv. Organizational Framework and Authority

The following information security organization was established to plan, develop, implement, manage, evaluate, and continuously review specific details based on this Policy:

(a) Chief Information Security Administrator
The chief information security administrator is responsible for overall decision making on information security throughout the entire university, both on and off the campus, and in other organizations. The vice president (the head of the Academic and Information Board) takes on this role.
The chief information security administrator notifies the university system administrator of measures that are needed to ensure the smooth operation of information systems. Any emergency measure carried out by the university system administrator becomes the responsibility of the chief information security administrator.
(b) Information Security Committee
The Information Security Committee formulates and revises important materials, including basic information security policies, for the entire university. The Information Technology Promotion Planning Office doubles as the committee, with the head of the office acting as chairman. The committee educates and promotes awareness about information security in all departments while enforcing compliance with security policies.
(c) University System Administrator
The university system administrator manages the university's information infrastructure system by leading the System Administration Committee. In addition, the university system administrator assists the chief information security administrator in implementing information system management throughout the entire university. The university system administrator is authorized to take emergency measures during emergencies, regardless of the department. The head of the Information, Media and Education Square assumes this role.
(d) Department System Administrator
The department system administrator sets up the university system administrator and the System Administration Committee and communicates with both while maintaining and strengthening information security through technical research and deliberation as well as the implementation of measures aimed at ensuring that the department's information systems run smoothly. In times of emergency, the department system administrator is authorized to carry out emergency measures, but only within the department in question.

2. Information Security Measures

Information security measures are carried out after all physical, human, and technical security perspectives have been taken into consideration. Refer to the Procedures for details.

i. Physical Security
(a) Installation Sites and Administrators

Critical information system devices and memory storage media, including server consoles, must be installed within a controlled area (a place separated physically and monitored 24 hours a day by monitoring equipment and for which a record of authentication and room entry/exit is kept). Equipment administrators must be assigned to these information system devices and controlled installation areas. An equipment administrator is authorized to manage specific equipment and areas and is responsible for carrying this out. Physical locations inside such controlled areas must not be opened to anyone other than the equipment administrator(s) assigned to the server equipment in question.

(b) Master Copies and Completeness of Information

Master copies of information for which completeness must be maintained are to be stored in a form that cannot be overwritten to guarantee the authenticity of these master copies. The information administrator for each type of information is responsible for this guarantee.

(c) Information Backups and Availability

Data stored in server devices and other such locations must be backed up on a regular basis. The backup schedule is to be determined based on the importance of the server device in question. The media on which data is to be backed up must be stored inside a controlled area in a room for which entry and exit are managed through authentication. The equipment administrator is responsible for these backups.

(d) Information Deletion and Confidentiality

Information eventually becomes unnecessary as time passes. The information administrator is responsible for deleting information that is no longer needed while giving consideration to the maintenance of confidentiality. This responsibility is particularly important when the information is private in nature. The information administrator must establish rules for the number of years that managed information is to be kept before being deleted. Information devices and storage media will eventually grow old and require disposal. The disposal of information devices and storage media (including the deletion of stored information) is the responsibility of the equipment administrator and requires the approval of the information administrator.

ii. Personnel Security
(a) Awareness of Responsibilities by the Entire Membership

The entire membership of the university must be aware that anyone can either cause or suffer from information security problems. To avoid both, all members of the university must be aware of their responsibilities with respect to maintaining the information infrastructure and acquire the knowledge and maintain the skills necessary to do so. All use