Nagoya University Information Security Guidelines

Adopted by the Council on May 27, 2003, Revised on June 23, 2011, Revised on June 28, 2012, Revised on August 8, 2012, Revised on October 25, 2012, Revised on October 24, 2013, Revised on January 15, 2015, Revised on December 24, 2015,Revised on February 23,2016, Revised on December 22,2016.

Contents

Introduction

These Nagoya University Information Security Guidelines (hereinafter referred to as the "Guidelines") have been established based on the "Nagoya University Information Security Policy" (adopted by the Council on March 19, 2002; revised on June 23, 2011; hereinafter referred to as the “Security Policy”).

These Guidelines shall apply to all organizations and individuals who use information devices and information networks of Nagoya University (hereinafter referred to as the “University”). Accordingly, these Guidelines shall govern all information devices connected to a university-wide information network, Nagoya University Integrated Communication Environment (hereinafter referred to as "NICE"). Therefore, each individual user will be the administrator when the device or equipment he/she uses is connected to NICE, even if such device or equipment is his/her own such as a personal computer.

All university units and members of the University are required to comply with these Guidelines. To this end, the person responsible for each section shall keep all members of his/her section informed about the contents of these Guidelines. Even those who are not members of the University shall comply with these Guidelines, as far as they are users of information devices at a facility of the University such as the library (including visitors using the library and users of network devices participating in various conferences). Each section may set out its own provisions pertaining to the matters not set out in these Guidelines, if necessary for the section.

These Guidelines are posted on the Internet for convenience of users. These Guidelines are linked to the websites containing Nagoya University Information Security Policy and other information for easy reference to such information. The full version of these Guidelines is also available.

These Guidelines consist of the following five chapters and each chapter contains provisions independent of other chapters:

  • Chapter 1 Information System User Guidelines (User's Guide)
  • Chapter 2 Crisis Management Guidelines
  • Chapter 3 Information Security Technology Guidelines (Administrators' Guide)
  • Chapter 4 Guidelines for Use of Cloud Services
  • Chapter 5 Information Security Training and Education Guidelines

For those who manage servers and personal computers, please read Chapter 3 carefully.

In operating these Information Security Guidelines, new provisions may be added and amendments may be made from time to time with the changes to information and communication technology environment. Necessary changes may be also made to the Guidelines to respond to changes that are not predictable at this moment. Public Relations Guidelines and matters concerning violation of guidelines shall be governed by a relevant committee or other body, rather than stipulating them in these Guidelines.

It is our sincere wish that these Guidelines become widely understood and used by all members of the University to enable them as healthy senders and users in information society to enjoy the benefit of information network.

Chapter 1 Information System User Guidelines (Users' Guide)

1.1 Outline

This Users' Guide is intended to provide, as guidance, specific information concerning use of computers and other information devices and database and other information resources provided by the University for research and educational purposes (including personal computers installed by research laboratories) to which we wish all users to pay particular attention. In this Guide, guidelines for the following matters are provided:

  1. Increasing awareness of security
  2. Initiation of use
  3. Use of information devices
  4. Receipt and creation of information
  5. Information management
  6. Sending information
  7. Crisis management
  8. Consultation Service Desk

For those who plan to install personal computers, work stations and such other devices, as they fall within the definition of equipment administrator, please read "Chapter 3 Information Security Technology Guidelines" in addition to this chapter.

1.2 Increasing awareness of security

1.2.1 Management of authentication information

The University has an environment in which its members can access not only to the University network but also to the Internet through a computer. To provide this environment, a name to be used to access to a computer or a network (called account, ID or user name) and a key (password) will be prepared as authentication information and given to each computer user. This authentication information is exclusively for a particular user and users are prohibited to allow other persons to use, to loan or to disclose to the public such information. Authentication information includes an account issued by the Information & Communications (Nagoya University ID, etc.), an account issued by a section or a seminar (section or seminar mail account, etc.) and a personally managed account (account for own personal computer, etc.). Some personal computers do not have the concept of authentication. In this case, when use of a computer is authorized by the system administrator, the authentication information is deemed to have been given to you.

Points to remember

  • It is desirable to change your password used to log in periodically.
  • Avoid using a password that is easily guessed.
  • Faculty members should not give out their passwords to their teaching assistants. Faculty members are responsible for inappropriate actions committed by their students. When hiring teaching assistants, faculty members should grant them a password that is different from theirs or take such other appropriate measures.
  • Do not use your Nagoya University account on computers which are used by unspecified persons, such as a computer in an internet cafe.

1.2.2 Computer virus

When users receive information through the Internet or other sources, the providers or senders of the information are not necessarily trusted. Users must be aware of risks of computer viruses and other malicious software and avoid accessing any suspicious information or take other appropriate actions.

Computer viruses that infect computers are spread mainly through e-mail. The way computer viruses infect computers has become more sophisticated over the years. In many cases, fake sender addresses are used. Therefore, you should not open any suspicious attachment attached to e-mail even from a close friend, and check with the sender where necessary, to protect your computer.

Your computer can also be infected through a website you access. Proper steps, such as not accessing any suspicious website, must be taken.

Installation of anti-virus software will have a certain effect on detecting viruses hidden in attached files and detecting infection by viruses downloaded through access to a website.

Intentionally creating and distributing computer viruses is, of course, strictly prohibited.

Points to remember

  • An increasing number of malicious viruses are transmitted via e-mail or websites. If infected by these viruses, not only could the system be disrupted, but it could also spread confidential information, as in the case of Sircam. Recovery from such infection requires a great deal of efforts.
  • Many computer viruses generate subspecies, and simply installing anti-virus software will not ensure the security. We are seeing an increasing number of cases that a virus invades and spreads over the University's system undetected before pattern files become available.
  • Criminals are spreading computer viruses called Bot to take over computers. People do not realize that their computers are infected, as no apparent change will occur even when computers are infected by these viruses. Recovery from such infection requires a great deal of efforts.
  • Some viruses automatically attack a large number of computers connected via a network. Some viruses create an access point for unauthorized access and you may unknowingly become an attacker of others through such access point.
  • By accessing inappropriate websites, users may be at risk of executing dangerous software which may create security holes or of leaking information concerning automatic authentication (generally called "cookie") without knowledge.
  • Free software could be spyware which automatically collects and analyzes individuals' web access trends. By using software with such function, hobbies and taste of users can be analyzed and disclosed without the knowledge of the users.
  • There is software called “Trojan Horse” or ”Trojan” which appears to be useful software but in fact opens a backdoor of the victim's computer for the purpose of tapping or illegally invading the computer.
  • Phishing scam which sends e-mail by pretending to be from a financial institution and leads the recipient to a website where he/she is directed to input online banking user information, credit card number, pin number and other information with the intent of stealing such information is spreading.
  • Do not open any suspicious e-mail. Do not access to any suspicious websites. Caution is advised to avoid the risk of infection by viruses and warms and the risk of leakage of confidential information.

1.2.3 Copyright and other intellectual property right infringement

Software and many other items are protected by law as intellectual property. It is prohibited to use any work created by others as a material for a webpage of your own or for others, or to publish it through a network using a P2P system or webpage, or distribute or exchange it through other means.

If you obtain software through illegal means (such as purchase of pirated software and file-sharing by WinMX) or use software without complying with the relevant license agreement, not only you as an individual but also the entire University could be held liable for your action. To prevent use of illegal copies, multiple organizations including Nagoya University are monitoring the use of so-called P2P software (peer-to-peer; general name for computer programs by which data is exchanged between peers, i.e. personal computers) such as WinMX and Winny (computer program names).

For restrictions on the use of P2P software at Nagoya University, please refer to Restrictions on the use of P2P file-sharing software posted on Information & Communications, Nagoya University as needed. Some personal computers purchased from overseas have pre-installed "P2P file-sharing software." When connecting these personal computers to NICE, great caution is required.

Reference:

Points to remember

  • Those who download music or movie files, knowing that said files are non-free copyrighted materials and are being distributed illegally, may be subject to punishment (imprisonment for up to two years, or a fine of up to two million yen) and to liability for damages.

1.2.4 Information leakage

Users shall manage confidential information with great care and prevent any information leakage. In particular, to protect personal information, you are required to comply with "Nagoya University Rules: Protection of Personal Information."

Great caution is also required when publishing information on websites.

Reference:

Points to remember

  • Do not store examination questions and academic records as is in computer hard disks, as it may possibly lead to leakage of important information. Encrypt such data by installing devices for information management and information leakage prevention (such as hardware key), or take other appropriate measures.
  • It is necessary to follow instructions of information protection administrator when taking out personal information (Article 19 of Nagoya University Rules: Protection of Personal Information). When carrying portable computers such as notebook and laptop computers in which important information is stored, it is necessary to pay utmost attention to prevent leakage of information by loss or misplacement of such computers.
  • When working in the seat in an airplane or train, a person next to you may be able to see your monitor. This may cause a problem depending on the type of information displayed.
  • As mobile phones are becoming more technologically advanced, such as smartphone, they may be a cause of information leakage. Utmost attention is advised when using these devices.
  • When you send or receive e-mails containing confidential information, as a general rule, you should use Nagoya University e-mail services.
  • When you send or receive confidential information using group mail service, you should check visibility settings, the terms of service, etc.

1.2.5 Information security self-inspection

Nagoya University conducts information security self-inspection to increase awareness of members about information security and to make information security measures more substantial. Members are required to conduct such information security self-inspection. Information security audit is also conducted based on the results of information security self-inspection.

1.3 Initiation of use

1.3.1 Information devices and information resources

The University has a university-wide network “NICE” as its information infrastructure. Information devices such as computers are classified into those used university-wide such as those in the library and those provided by departments, research laboratories and other organizational units. Information resources are classified into various database provided by the library, information resources provided by each section through web, information resources that are opened to public via Internet, and other types of information resources.

NICE is a network used on campus of Nagoya University. NICE will be used to access information and the Internet within the University. For details, please refer to the description of NICE posted on Information & Communications, Nagoya University.

1.3.2 User registration

To use information devices and information resources of the University, regardless of whether they are university-wide or section specific, user registration is required. In some cases, user registration may be done automatically for all students, such as the case of Nagoya University Information Media Education System.

As the University provides information devices and information resources to be jointly used by its members, the University is in the position to be held liable for inappropriate acts committed by the users. Users are expected to be aware of this fact and act appropriately.

Some of the examples of information devices and information resources of the University are: Nagoya University NUWNET; Information Media Education System; and computer system for each department.

1.3.3 Connecting information equipment to NICE

When users connect information equipment to NICE, as a general rule, they are required to apply for authorization to connect to the person responsible for issuing IP addresses or a person to whom the authority to issue IP addresses is delegated (IP address sub administrator). Person responsible for issuing IP addresses and IP sub-address administrators must register information about the equipment with IPDB immediately. When registered information is changed, users must report the change to the IP address administrator to keep the information up-to-date. When communication using an unregistered IP address is detected, the Information Strategy Office blocks the communication. To unblock the communication, the user shall submit a letter of apology through the head of department (in the case of use without registration of IP address), or file a claim (in the case of unauthorized use by outsider). When connecting information equipment to a specific network of a section or a research laboratory, users are also required to apply for authorization to connect to the network administrator. When connecting information equipment to NICE through Nagoya University NUWNET, application for authorization to connect will be made through the connection authentication process. When using devices and equipment brought into the University from outside, please make sure that such devices and equipment are not infected by viruses before connecting them to NICE.

1.4 Use of information devices

1.4.1 Proper use

Most information devices of the University are intended to be shared by its members. Therefore, users are expected to be considerate and cooperative to allow many people to use the information devices and to maintain them in a good condition.

Points to remember

  • It is not desirable to use shared terminals, such as those in the library, for yourself for a long period of time during the crowded period.
  • A personal website created on a free website outside the University websites with banner ads which is directly linked from a University website will give the impression that such ads on such website are endorsed by Nagoya University. Such act that may mislead the public is not desirable.

1.4.2 Unauthorized access

The Unauthorized Access Prohibition Act (officially, “Act on the Prohibition of Unauthorized Computer Access”) prohibits any individual to whom authentication information is not provided, i.e. an individual who does not have the authority to use from using or attempting to use a computer by obtaining such authentication information by illegal means. The persons who commit such act could be subject to criminal penalties.

Points to remember

  • Using and aiding others to use authentication information of others is to constitute a violation of the Unauthorized Access Prohibition Act.
  • Altering and destroying information without authorization is to constitute a violation of the Unauthorized Access Prevention Act.

1.4.3 Unauthorized installation, alteration, carrying out and destruction of hardware

Hardware such as computers, printers and network equipment is an integral component of information devices. Unauthorized installation, alteration, addition and carrying out of these information devices without notifying the administrator is prohibited. Intentionally damaging or destroying such devices is, of course, strictly prohibited.

Points to remember

  • Destroying network cables and other cables, computer equipment, power supplies and other devices constitutes damage to property, and is subject to a disciplinary action.
  • Destroying or carrying out network equipment, computers and their parts constitutes theft, and is subject to a disciplinary action.
  • Removing and collecting mouse balls and key tops of certain characters on the keyboard without due reason constitutes intentional damage to equipment.
  • Connecting computers with no IP address to NICE is prohibited. Unauthorized connection may cause a network trouble.

1.4.4 Unauthorized installation and alteration of software

Altering basic software and application software installed in shared information devices such as computers for Nagoya University Information Media Education System without permission of the system administrator is prohibited. It is also prohibited to install software, such as operating system or application software, in any equipment without authorization.

Points to remember

  • Installing games in a terminal in the Information Media Center and rewriting basic software such as OS and application software without permission, even only for a part of it, is a serious violation of rules.

1.4.5 Carrying out information equipment

Notebook computers are widely used as they can be used in many places. However, in doing so, attention needs to be paid in terms of security. When carrying out notebook computers controlled by the University outside campus, authorization of the person responsible for installing equipment is required. When carrying out such equipment, attention shall be paid to the data stored in the equipment. In particular, when confidential information is stored in such equipment, it is important to properly control such equipment through, for example, password protection and encryption.

1.5 Receipt and creation of information

1.5.1 Consideration to information created by others

Users can easily create reports, web pages and other materials and information using a computer system by which information devices and information resources are made available through a network. When creating information, users are required to give proper consideration to and respect for copyright in drawings, photographs, texts, logos, audio sources, programs and other information created by others.

Points to remember

  • Using pirated software and unauthorized copy is a violation of Copyright Act.
  • Music CDs and software media contain strict terms concerning the extent of permitted reproduction. Unauthorized reproduction and distribution is prohibited.
  • Electronic journals are subject to "Fair Use." Printing a large amount of contents and downloading a large number of titles is beyond the extent of Fair Use stated in the "Guidelines for Fair Use" of Ejournals.

1.5.2 Unintended use

Information devices of the University are provided exclusively to promote education and research and to carry out work and supporting business. Therefore, users are required to be aware of the need to draw a line between public and private and to avoid any use that is not in line with the purpose of installing the device (unintended use).

A typical example of unintended use is to accept an order from outside for data entry or program development and use information devices of the University for commercial purposes to gain personal profit. As there are a wide variety of forms and modes of unintended use, in this Guide, some examples of unintended use which users need to be aware of are described under separate categories of users, namely, students, graduate students, and faculties and staff.

Points to remember

  • It is not appropriate to use a bulletin board, etc. for private business.
  • As a general rule, it is not permitted to do maintenance work for external computers and data using information devices of the University for personal gain.
  • Unless unavoidable for research purposes, net auction using devices, e-mail addresses, domain names and other properties of the University is prohibited. When using net auction under unavoidable circumstances for research purposes, advance permission is required.
  • It is inappropriate to use information devices of the University to promote or sell your own publication. It is out of this scope to do so for posting a list of publication or for posting information necessary for sales of text books to the students of the University who are enrolled in the course.

1.6 Information management

1.6.1 Prevention of occurrence of problems

The rapid popularization of network is causing various problems. You could be involved in a dispute caused by a minor error. You could receive unwanted soliciting mail. You could be charged an unexpected amount of money. Proper information management described in the following sections 1.6.2 and 1.6.3 are effective means to prevent such problems from occurring.

1.6.2 Personal information

Please take upmost care in managing your own personal information. Answering a questionnaire to receive a small amount of reward may cause unauthorized and uncontrolled use of your personal information you provided.

Points to remember

  • Avoid providing information concerning privacy of others such as e-mail addresses without reason even when asked by a close friend. You should first try to obtain consent from the relevant individual.
  • When providing personal information to others via e-mail, it is necessary to act with care, such as inserting a sentence asking "Destroy After Reading" in the mail.

1.6.3 Privacy of others

It is not rare that information provided by others contains privacy information. Common-sense judgment is necessary. For example, e-mail from friends should be handled in a manner similar to handling a sealed letter.

Points to remember

  • Avoid providing information concerning privacy of others such as e-mail addresses without reason even when asked by a close friend. You should first try to obtain consent from the relevant individual.
  • When providing personal information to others via e-mail, it is necessary to act with care, such as inserting a sentence asking "Destroy After Reading" in the mail.

1.6.4 Handling of confidential information at the time of retirement

When retiring from Nagoya University, users are prohibited to take out any information and information devices containing confidential information obtained in the course of work. Please comply with the following rules:

Reference:

1.7 Sending information

1.7.1 Responsibilities of sender of information

The University provides an environment where users send information relatively easily using various information devices and information resources. On the one hand, meaningful transmission of information brings numerous advantages to the society. On the other hand, it has the risk of causing unexpected disputes in and outside the university. Users are required to be fully aware of the significance and risks of sending information.

1.7.2 Chain mails

Spreading and forwarding chain mains (such as the mail that claims that breaking the chain will bring you unlucky events) is not permitted as the information system may be overloaded.

1.7.3 Invasion of privacy and leakage of information

In general, websites allow people from all over the world to access them. Therefore, proper judgment is needed when posting information concerning other people's privacy or their personal information online. The same consideration is needed when sending information via SNS or e-mail.

Points to remember

  • It is inappropriate to distribute a staff directory and student directory to outsiders without permission of the issuer.
  • Citing and publishing biography of others posted on a website with access restriction without the consent of the relevant individual.
  • It is inappropriate to post secret information obtained in the course of work duties on SNS, etc.
  • The reply address for an e-mail received through a Mailing List (ML) is usually set to the ML itself. Sufficient attention must be paid when replying to the person who sent an email out to the ML.
  • Similarly, caution is required when sending an email, as the mail addresses in the “To” and “CC” fields will be known by recipients of the email.
  • Selecting the appropriate method for sending information will prevent the information from being sent by mistake.For example, if using NUCT, announcement of information on lectures can be sent only to students who take the lecture.
  • In addition, caution is required when bringing a webpage online. If unrelated files/data are uploaded by mistake, it may be regarded as leakage of information depending on the contents.

1.7.4 Slanderous statement

Slandering other people by posting slanderous statements on a bulletin board or other site on the Internet is prohibited.

Points to remember

  • "Chatting" on the Internet tends to turn a discussion to an emotional fight due to misunderstanding of words. Be careful to participate in anonymous chat, as it is quite often open to non-participants and it may result in spreading slanderous statements to other people.
  • When expressing opinions and commenting on a website of others who express a position different from yours, it is critical to do so in a faithful and reasonable manner.

1.7.5 Harassment and stalking

It is not appropriate to use a shared printer to print out images which make others uncomfortable, to use improper images for wall paper (background image for monitor), or to stalk a specific person on a bulletin board.

Points to remember

  • Sending indecent images to a specific person repeatedly is likely to constitute harassment.

Reference:

1.7.6 Unintended use

As a general rule, sending information for the purpose of selling goods or information using information devices of the University is prohibited.

Points to remember

  • Using information devices or information resources of the University to sell goods or information is prohibited.
  • Posting and sending advertisement using information devices of the University for the purpose of selling goods and services is prohibited.
  • Acting as an intermediary in the course of commercial transactions using information devices and information resources of the University is prohibited.
  • Using information devices of the University for political or religious activities is prohibited.

1.7.7 Miscellaneous

In addition to the above, sending any information that is against public order and morals is prohibited.

Points to remember

  • Posting and distributing information about the method for suicide and manufacturing bombs is strictly prohibited.

1.8 Risk management

When a serious problem occurs to information devices, users must first take emergency measures and then response measures. As used herein, emergency measures refer to the measures to be taken to handle the situation, and response measures refer to the measures to be take to fundamentally resolve the situation. Please also refer to Chapter 2 as to how to handle crises when they occur.

1.8.1 Emergency measures

When users detect any serious problem in the information devices they use such as virus infection, they are required to take immediate measures such as unplugging a network connection cable and turning wireless LAN off.

1.8.2 Response measures

After emergency measures are taken, users shall take response measures for the information devices in accordance with the instructions given by the system administrator or the Information & Communications.

1.8.3 Status Report

When users detect any hacking or virus infection or any other incident related to information devices or information resources of the University or those they use, they shall promptly report the situation to the Information & Communications. Such incident shall also be reported to the administrator of the information devices and equipment where possible.

Emergency contact in the event of an information security incident

  • Tel: 052-747-6389(internal line: 6389)
  • E-mail:security at icts.nagoya-u.ac.jp
  • Web: Q&A システム

1.9 Consultation Service Desk

The University has established Consultation Service Desk for consultation regarding the use of information devices and information resources of the University. Before contacting Consulting Service Desk, please check Q&A and other pages of Information Security Technology Center website. If you cannot still find the appropriate information, contact Consultation Service Desk.

General Service Desk: IT Help Desk (Tel: 052-747-6389 (ext. 6389))

Chapter 2 Crisis Management Guidelines

2.1 Outline

These Crisis Management Guidelines aim to provide relevant parties with specific information regarding how to deal with hacking (illegally breaking into computers), virus infection, copyright infringement and other information security incidents (hereinafter referred to as the “Incident”) when they occur in using NICE, computers and other information devices and equipment and database and other information resources provided by the University for educational and research purposes, in order to understand the situation and to take appropriate measures in an integrated manner.

2.2 Establishment of Information Security Hotline

The Information & Communications shall establish a system (such as Information Security Hotline and IT Help Desk) to report the incident to the Information Strategy Office, the Information & Communications (hereinafter referred to as the "Information Strategy Office") by multiple methods (such as telephone, fax, e-mail and website), and keep all members informed about the occurrence of such incident by posting information about the incident at various places through websites, brochures and bulletin boards.

2.3 Reporting Incident

The first person to find the incident or possible incident shall promptly report the situation to the Information Strategy Office through Information Security Hotline. Such incident shall be also reported to the administrator of the relevant information devices and equipment, where possible.

2.4 Response to Incident

2.4.1 Prompt response

The Information Planning Office shall respond to the incident in a prompt manner. The target response time shall be 3 hours during the normal operation hours, and 8 hours on holidays and other time outside the normal operation hours.

2.4.2 Emergency measures by Information Planning Office

Upon receipt of report of incident, the Information Strategy Office shall resolve the issue in collaboration with the administrator of the relevant system. However, in the case of emergency, to prevent the damage from spreading, the Information Strategy Office may, without the permission of the administrator of the relevant information devices and equipment, enter the place where the relevant devices and equipment are installed, suspend certain services, block access by certain devices and equipment to outside or take other necessary measures.

2.4.3 Notice to administrator of information devices and equipment

If the incident has not been notified to the administrator of the relevant devices and equipment, the Information Strategy Office shall immediately notify him/her of the incident. When a serious incident occurs (hacking, invalid command execution, information falsification, information leakage, etc.), the Information Strategy Office shall notify also the head of department. If the Information Strategy Office takes emergency measures without the permission of the administrator of the relevant devices and equipment, it shall explain after the fact about the situation and the contents of the emergency measures to the administrator of the relevant devices and equipment.

Points to remember

  • When conducting information security self-inspection, it is required to register your e-mail address for emergency contact. The e-mail address is used to inform about security incident. Please register e-mail address used primary.

2.4.4 Response by the administrator of information devices and equipment

After taking necessary measures, the administrator of information devices and equipment shall report the situation of the incident and measures taken to the Information & Communications. When a serious incident occurs, the administrator shall report the situation to the information security unit section and the head of department. If the administrator is the person to find the incident, he/she may omit reporting the occurrence of the incident to the Information & Communications. However, if it takes more than 6 hours from discovery of the incident to reporting of completion of handling thereof, reporting of the occurrence of the incident is required.

Points to remember

  • When a serious incident occurs, users need to preserve evidence.
  • When users preserve evidence of the device that might be infected with malware, they are required to take immediate measures such as power off (unplugging a power cable) because malware might change information of the device.
  • Please don't access to the disk that is required to preserve evidence. If you need to access it, please contact to IT Help Desk (e-mail: it-helpdesk at icts.nagoya-u.ac.jp, Tel: 052-747-6389) in order to take measures to protect writing (read-only mount, use of the device to protect writing). The disk to preserve evidence should be kept under the control of the head of department.

2.5 Reporting to Information & Communications

When a serious incident occurs, the Information Planning Office shall report the response status to the Information & Communications as they think proper depending upon the situation of the incident.

2.6 Contact to the off-campus organizations

The Information & Communications reports the situation about the event of an information security incident to the off-campus organization such as Ministry of Education, Culture, Sports, Science and Technology, if the university determines that it is necessary to do so.

2.7 Effective use of Incident information

The Information & Communications shall create incident information database which shall be used effectively by the Department of Information Promotion and each information security unit section in carrying out work to help improving information security.

2.8 Establishment of Contact System in Sections

Each section needs to establish contact system in incidents.

2.9 Response on leakage of personal information

If personal information might be leaked, please report to the information protection manager according to Nagoya University Rules on the Protection of Personal Information.

2.10 Periodic inspection of Information Security Hotline

The Information Strategy Office and the administrator of each information security unit section shall check Information Security Hotline as to its proper operation at least once a month.

2.11 Keeping members informed of the risk management and educational activities

Information Strategy Office shall keep users and administrators informed of the measures to be taken when the incident occurs and the importance of such measures through information security training, and check whether the measures to be taken at the time of occurrence of incident are properly understood.

Chapter 3 Information Security Technology Guidelines (Administrators' Guide)

3.1 Outline

These Security Technology Guidelines (hereinafter referred to as the "Guidelines") describe guidelines concerning the management of information devices and information resources to ensure security thereof for all members of the University who connect or wish to connect information devices and equipment (hereinafter referred to as the "Devices and Equipment") to NICE. Attention shall be paid to the fact that, as far as the Devices and Equipment are connected to NICE, each user thereof becomes the administrator, even if he/she is using the Devices and Equipment of his/her own such as personal computers (including personal computers carried into the University by individuals).

As there are other networks other than NICE in the University, in connecting the Devices and Equipment to a network, the specific network to which the Devices and Equipment are to be connected shall be confirmed. If NICE is connected to another network, communication failure may occur, causing failure of the entire networks.

If Devices and Equipment are not managed in a proper manner in accordance with these Guidelines, damage and failure may occur and the Devices and Equipment may become unusable, which may subsequently affect educational and research activities as well as business of the University. If an attack to the Devices and Equipment of the University due to inappropriate management thereof causes any damage to external networks, the entire networks of the University could be removed from the Internet. Please be aware that the management of Devices and Equipment connected to a network is not only an issue of an individual member of the University but also an issue of the University as a whole.

3.2 Devises and equipment to be managed

In these Guidelines, Devises and Equipment to which these Guidelines apply shall be divided into the following four categories, and the method of management of the Devices and Equipment to ensure security shall be explained for each category:

  1. Network Devices and Equipment

    Router, HUB, NAT, wireless LAN Devices and Equipment, remote access server, DNS server, DHCP server and VNP server

  2. Server

    Web server, mail server, name server, file server, computational server and database server

  3. Computer for personal use

    Personal computer (hereinafter referred to as "PC"), client WS, smartphone and tablet device

  4. Special Equipment

    Medical equipment, controle equipment, etc.

  5. Others

    Printer, scanner, digital multifunction machines, TV conference system, NAS (network attached storage) device, measuring devices and equipment, etc.

3.3 Basic perspective of management of Devices and Equipment

3.3.1 Appointment of the person responsible for installing equipment and the person responsible for operation and management

Each information security unit section (hereinafter referred to as the "Unit Section") shall appoint the person responsible for installing equipment and the person responsible for operation and management (hereinafter referred to as the "Administrator") for all Devices and Equipment connected to NICE in accordance with the Nagoya University Information Security Policy and the provisions stipulated by the Information & Communications.

  1. Person responsible for installing equipment
    The person responsible for installing equipment refers to a person who finally assumes responsibilities concerning purchase of Devices and Equipment and connection to NICE. The person responsible for installing equipment may appoint the person responsible for operation and management to fulfill his/her responsibilities. In the case of Devices and Equipment to be used exclusively by a particular individual such as PCs, the user thereof is the person responsible for installing equipment as well as the person responsible for operation and management.

  2. Person responsible for operation and management
    The person responsible for operation and management shall configure the Devices and Equipment and conduct day-to-day operation and management thereof, and shall be responsible for managing Devices and Equipment to make them function properly. The person responsible for operation and management shall have the duty to prepare and maintain an operational and management work record which shall record changes to the configuration of and installation of security patches to the relevant Devices and Equipment, as a memo for him/herself as well as to prepare for the future replacement of the person responsible for operation and management. The person responsible for operation and management shall be required to promptly investigate and take measures when network failure occurs due to the Devices and Equipment operated and managed by him/her. If it is difficult to deal with the situation him/herself, the person responsible for operation and management shall be required to take emergency measures such as immediately disconnecting the relevant Devices and Equipment from the network upon obtaining the approval of the person responsible for installing equipment.

Points to remember

  • There are some devices or equipment still being used without proper operation and management being done due to replacement of the person responsible for operation and management or due to unsuccessful handover of duties at the time of transfer of faculty staff or graduation of students. If the person responsible for operation and management is unable to fulfill his/her duty to operate or manage Devices and Equipment, he/she shall, upon consultation with the person responsible for installing equipment, remove from NICE the Device and Equipment he/she is unable to manage, for the secure operation of the entire NICE.

3.3.2 Basic perspective of installation and management of Devices and Equipment

The Administrator shall have the duty to take appropriate measures in relation to the following two points for the management of Devices and Equipment:

  1. Physical security: The place of installation of Devices and Equipment and physical access to the Devices and Equipment
  2. Network security: Network access to Devices and Equipment

For a server, the Administrator shall also have the duty to take appropriate measures in relation to the following two security points in addition to the above two points:

  1. Account security: user management
  2. File system security: data preservation

In this section, the basic perspective of physical security and network security will be described, and server-specific matters will be described in 3.5 Server Devices and Equipment.

  1. Standards for physical security
    When installing the Devices and Equipment, a place with a secure installation environment where damage by theft and physical sabotage is unlikely to occur shall be selected. In particular, the Devices and Equipment for the main networks and servers and other important Devices and Equipment shall be installed in an environment where physical access to such Devices and Equipment can be restricted, and the management of these Devices and Equipment requires specific measures, such as installing uninterruptible power-supply system to avoid any impact of instantaneous power failure.
    There have been frequent reports of theft of PCs for personal use. It is necessary to use common sense to manage such computers, such as not easily leaving notebook computers unattended and locking a research laboratory during the night.
    In managing the Devices and Equipment installed in a shared space, it is necessary to take measures to prevent physical sabotage or theft from being committed by not only people from outside but also inside users.

  2. Standards for network security
    NICE is a network connected to the world, and as such, the Devices and Equipment connected to NICE are globally accessible. Therefore, the Devices and Equipment operated as an Internet server shall be configured in such a way to prevent unnecessary services from being activated. In addition, access control shall be properly set up for such Devices and Equipment by, for example, restricting addresses from which such Devices and Equipment can be accessed through the Internet.

3.4 Network Devices and Equipment

Network Devices and Equipment to be managed by the Administrator include router and HUB installed for NICE as well as router, HUB, NAT, wireless LAN devices, remote access server, DNS server, DHCP server and VNP server installed by sections and research laboratories for their own use.

3.4.1 Standards for installation of Devices and Equipment

In installing network Devices and Equipment, attention shall be paid to the following points:

  1. They shall be installed in an environment where entry by unauthorized persons can be restricted (particularly for the main network Devices and Equipment).
  2. An uninterruptible power-supply system shall be installed (particularly for the main network Devices and Equipment).
  3. It is desirable to install them in a designated node room.
  4. No information outlet which can be used freely by unspecified users shall be installed.
  5. As in the case of high-performance computers, it is desirable to install high-performance network Devices and Equipment in a room with air-conditioning equipment to prevent any mechanical failure.
  6. As the smaller the network Devices and Equipment is, the louder the noise of the cooling fun is, it is desirable to have a node room pecifically designated for network Devices and Equipment.
  7. When installing information outlet in a place where unspecified users can freely enter such as an unlocked class room, it is necessary to take appropriate measures to prevent any unauthorized use of such outlet, such as covering and locking the information outlet.

3.4.2 Duty of Administrator

Caution is required to operate network Devices and Equipment, as a network configuration error may have a significant impact. In particular, when connecting a private LAN operated under a private address to NICE using a NAT, the Administrator shall be careful not to allow packets with a private address to leak onto NICE.

In addition to the basic network configuration, caution is required to the following points:

  1. A password for the Devices and Equipment configuration shall be changed.
  2. SNMP configuration shall be changed.
  3. MAC address shall be used to restrict access (DHCP).
  4. Encrypted communication shall be used.
  5. User authentication shall be used (for remote access)

Leaving the default password for configuration of Devices and Equipment unchanged will invite the risk of the configuration being altered without permission by people who are familiar with the Devices and Equipment or people who learned the default password from the manual published on the Web.

Leaving the default configuration of SNMP unchanged will invite the risk of network information being stolen or the network configuration being altered.

When creating a wireless LAN environment or installing a DHCP server, please use the method described in the Wireless LAN Security Guideline posted by the Information & Communications to prevent unauthorized persons from accessing. It is necessary to establish minimum section units for each section. The minimum section unit is a seminar or a research group, etc. and the unit should have a responsible person to operate shutdown wireless LAN access points. It will be even securer if they are used in an environment where other users in the subnet are kept away by firewall. Wireless LAN access points connected to NICE, whether directly or indirectly, shall be registered on Nagoya University IP Address Database, as in the case of other equipment.

When installing and operating a remote access server, an authentication mechanism shall be established and used to allow only authorized users to access. It is desirable to limit the scope of a network that can be accessed via remote access server to a minimum, such as within a research laboratory.

When installing a wireless LAN or DHCP server, each Unit Section (sub-net) shall establish its own policy and operate it in such a manner not to cause any subnet conflict. When installing the Devices and Equipment, "Wireless LAN Devices Configuration Check List" shall be prepared in accordance with the operating policy of the relevant Unit Section, and whether configuration has been actually made in accordance therewith shall be confirmed. Even if configuration is commissioned to a contractor, it is necessary to record that configuration has been made in accordance with the Check List.

If you need to access the equipment from outside campus, you must apply for opening the port according to the manual of IPDB for opening/blocking the port. If the equipment with the IP address is not required to access from/to outside campus, you can apply for blocking the interactive communication.

3.4.3 Maintenance of Devices and Equipment

The Devices and Equipment installed for NICE are constantly checked for their condition, and backup maintenance is undertaken to prevent any failure. As failure of network Devices and Equipment will have a profound effect, it is advisable for sections and research laboratories to take measures similar to those for NICE also for the Devices and Equipment installed by them, such as preparing backup Devices and Equipment.

3.4.4 Management of operation records

Operation records (generally called "log") shall be kept, where possible.

3.5 Server Devices and Equipment

Server Devices and Equipment refer to devices used by multiple users through a network, which include a Web server, mail server, file server and database server. For server Devices and Equipment, the Administrator has the duty to manage users in addition to the Devices and Equipment.

3.5.1 Standards for installation of Devices and Equipment

A server shall be installed in an environment where physical access can be restricted as much as possible. Installation of uninterruptible power-supply system is also effective to deal with instantaneous power failure.

3.5.2 Duty of Administrator

The Administrator shall operate a server in compliance with the following:

  • The most up-to-date security patch shall be maintained.
  • Unnecessary Internet services shall not be activated.
  • Access control shall be in place.
  • Data backup shall be made periodically.
  • Data integrity shall be checked. (Particularly for Web server)
  • Prevention of information leakage shall be in place
  • Protection of privacy of users shall be ensured.
  1. Most up-to-date security patch
    When any bug or security hole (defects in the system that allow unauthorized access) is discovered in OS or software to execute Internet service functions for any server, a patch for OS or software version-up is generally provided. Patch information for OS shall be checked on a regular basis (for example, once a month) and the most up-to-date security patch shall be maintained. In particular, when important security information is received, do not put it off. It is critical to take necessary measures immediately. It is also an effective way to turn automatic update feature, such as Windows Update and Microsoft Update, on to automatically install security patches when they become available. Please refer to the Information & Communications' website as needed, as vulnerability information concerning OS and application software is posted on the website.

  2. Ending unnecessary Internet services
    If unnecessary Internet services continue to be operated without proper configuration, it could create a security hole. A server shall be configured to activate only necessary Internet services.

  3. Access control
    For a server shared by multiple users, access control shall be in place, if the scope of users who may receive the service can be restricted to some extent, as in the case of computational servers and file servers. For UNIX, tcp_wrapper and similar tools are useful. When publishing information through a Web server, it is important to set up proper access control according to the level of importance of the information.

  4. Periodic backup
    Data stored in a server shall be backed up on a regular basis in case of disk failure.

  5. Data integrity check
    Information stored in a server shall be constantly checked for data integrity to prevent any unauthorized alteration. It is not sufficient for a Web server to just store data, but it is critical to monitor at all times whether data stored has not been altered, using tripwire or other similar tools. In the case of dynamic web pages, it is desirous to check integrity of data entered to prevent a cross site scripting attack.

  6. Prevention of information leakage
    It is desirous to take appropriate measures to prevent any leakage of data stored in a server. Proper update of server program, proper configuration, user authentication and other measures shall be taken with the greatest possible care.

  7. Protection of privacy of users
    The server Administrator shall promptly respond under its authority to any damage to the network caused by users. In doing so, the Administrator shall keep in mind that he/she shall not infringe upon the users' privacy. For example, he/she shall not access to any file not authorized to access, and when he/she needs to analyze data such as e-mail which contains personal information, he/she shall limit the analysis to only information necessary for resolving the issue.

  8. Miscellaneous
    To securely operate a server, appropriate measures shall be taken. For example, access to the server shall be limited to those using SSH and security check shall be conducted on a regular basis. Changing the SSH port number and using public key authentication are also effective means.

3.5.3 Maintenance of Devices and Equipment

As any server failure will have a profound impact on many users, when such failure occurs, speedy recovery is required. To this end, mirroring important servers to create server redundancy is desirous.

3.5.4 Management of users

Management of users includes ID (user registration) management and management and education of users.

  1. Prompt deletion of unnecessary IDs
    In managing IDs, it is important to delete registration of unnecessary IDs such as those of graduated students.

  2. Management of temporary IDs
    Please pay attention to the following points when managing temporary IDs which become temporarily necessary such as the time of server configuration, multiple server configuration using virtual machines or configuration by a contractor:
    1. Temporary IDs shall be made available only when necessary.
    2. An easily-guessed username, such as “guest,” shall not be used.
  3. User education
    Even if the Administrator manages a server properly, security may be threatened by users' action. The Administrator shall consider user management and education as part of server management. In particular, it is critical to ensure that users avoid:
    1. using a password that can be easily guessed;
    2. writing down their password;
    3. disclosing their user name and password to others; and
    4. allowing their family and friends to use the environment available to them, as doing so will decrease the level of security.
    5. The Administrator shall also check whether user's password is strong on a regular basis, using password check tools, such as crack and John the Ripper, as much as possible.

3.5.5 Management of operation records

When server security is breached, the Administrator shall grasp the situation and investigate into the cause of the breach. Operation records (logs) are needed for such purposes.

  1. System logs, mail delivery logs, Web access logs and other logs which record operational status shall be always turned on.
  2. Logs shall be stored at least for three months.
  3. It is desirable to check logs on a daily basis to detect any abnormality.

3.5.6 Management of web servers

Conduct the following procedures to prevent the leakage of information or the tampering of contents on a web server.

  1. Updating
    In order to prevent vulnerabilities from entering into the web server, the following must be maintained continuously, and versions with no confirmed vulnerabilities that could lead to information leakage or tampering should be used.
    1. Web server programs (apache, etc.).
    2. Web applications (WordPress, Joomla, etc.; Plugins included).
    3. Databases used by web applications (MySQL, PostgreSQL, etc.).
    4. Programs used by web applications (PHP, Perl, etc.).

Points to remember

  • Some plugins installed in web applications may not have been maintained continuously. It is necessary to regularly check the information of plugins you use and confirm that they have been maintained.
  1. Web server settings
    1. When using CMS (Contents Management System), set IP address access restrictions to the management page in order to prevent access by persons other than the CMS administrator. In addition, a sufficiently complex password must be created, rather than continued use of the default password.
    2. The directory listing function should be disabled if it is not needed.
  2. Creation of web applications
    When creating web applications, make sure to keep in mind their vulnerabilities while designing them, such as SQL injection.

3.6 Computers for personal use

This section applies to PCs, client work stations smartphones and tablet devices. When using PCs for personal use, be aware that the user is the Administrator.

3.6.1 Scope of duties and responsibilities of Administrator

  1. Password setting
    A password shall be always set, if password setting is available. Even if the computer is for personal use, please avoid using it without setting a password. Fingerprint and other biometric authentication and TPM (Trusted Platform Module) are effective means for security.

  2. Management of shared PCs
    For shared PCs such as those used for business purposes, it is necessary to establish an operating policy and appoint a person responsible for operation and management when installing such Devices and Equipment. Each user of PC shall use such PC in accordance with the prescribed operating policy.

  3. Management of PCs capable of performing a server function
    Even when Devices and Equipment are used for personal purposes, if such Devices and Equipment is capable of performing a server function, they shall be managed in a manner described in "4. Server Devices and Equipment." Particular attention shall be paid to prevent UNIX/LINUX Internet service, Windows IIS, file sharing or DLNA from being unexpectedly activated.

  4. Installation of security patches
    When any problem causing security vulnerabilities is found in OS and application software installed in the information equipment in use, the manufacture of the software distributes a computer program to correct the problem (security patch). Users are required to check warning and update information posted on the website of the relevant company on a regular basis and take necessary measures. Please refer to the Information & Communications' website as needed, as vulnerability information concerning OS and application software is posted on the website. It is also an effective way to turn automatic update feature, such as Windows Update and Microsoft Update, on to automatically install security patches when they become available.

  5. Management of Microsoft Windows
    As Windows is widely distributed and used as OS for PCs, many viruses attacking its security holes are created. Infection of NICE by such viruses occurs frequently. The Administrator of Windows PCs shall pay due attention to the following:
    • Enable Automatic Updates in Windows Update.
      Update information to resolve security holes of Windows OS is provided frequently. As Windows Update can be activated from the Start Menu and can be easily executed, be advised to execute Windows Update on the first day of each month, or otherwise on a regular basis. Windows has the Automatic Updates feature. By turning this feature on, update information will be automatically searched and notified, which will prevent you from missing updates.
    • Enable anti-virus software.
      The Administrator of Windows PCs has the duty to take virus protection measures. The Administrator shall ensure that anti-virus software is installed in all PCs connected to a network and configure the PCs to be able to use the most up-to-date virus definition files. It will be also a good idea to turn the automatic updates of virus definition files on. For most anti-virus software, by default, the automatic update feature for virus definition files is enabled. Nagoya University is distributing anti-virus software under the site license on the Information & Communications' website. Installing this software is also an effective way to protect PCs.
  6. Management of Apple's Mac OS
    Mac OS also may be affected by a virus. The administrators should install anti-virus software for Mac OS. Nagoya University is distributing anti-virus software for Mac OS under the site license.
    • Enable Automatic Updates in Software Update.
      Like Windows, software updates are provided through network for Mac OS X. This feature is enabled under the standard settings. Software shall be kept up-to-date using the Software Update feature.
  7. Management of tablet devices and smartphones
    Users should take security measures on smartphones and tablet devices in the same way as personal computers. Users need to update OS to the latest version. Users are recommended to use anti-virus software.

  8. Management of application software
    As in the case of OS, in recent years, software updates are also distributed through network. It is advisable to enable automatic updates.

3.6.2 Standards for taking out and carrying in Devices and Equipment

  1. Permission to take out
    Notebook computers are widely used as they can be used in various places. However, in doing so, attention needs to be paid in terms of security. When taking notebook PCs outside campus, the permission of the person responsible for installing equipment is required. When taking them out, attention shall be paid to the data stored therein. In particular, when confidential information is stored, it is important to properly control such Devices and Equipment through, for example, password protection and encryption.

  2. Carrying in Devices and Equipment
    When using notebook PCs which users use at home, users shall not connect such PCs to NICE without properly configuring their security settings. To connect such PCs to NICE, users are required to confirm, at a minimum, that the PCs are not infected by viruses at the time of connection.

3.7 Special Equipment

This section applies to equipment which may cuase accidents, disasters, health hazards, etc., and equipment which controls them. The followings are examples of such equipment:

  • Laser equipment
  • X-ray equipment
  • Industrial robots
  • High magnetic field generators
  • Medical equipment
  1. Connection of special equipment
    As a general rule, you should not connect special equipment with the internet. If this equipment does not work correctly because of illegal access, it may cause accidents or disasters. Even if you connect this equipment to the internet for safety reasons, you should connect it to a private network and use VPN.

  2. Connection application
    If you connect special equipment to NICE for safety reasons, you should consider the risk and security measures, obtain the approval of the head of department, and submit a connection application form to the Information & Communications in advance.

  3. Management of special equipment, which is based on general-purpose OS
    If special equipment is based on Windows/Linux OS, you should manage it as a server devices and equipment.

3.8 Other information Devices and Equipment

This section applies to printers, scanners, digital multifunction machines, TV conference system, NAS (network attached storage) devices, measuring devices and equipment, etc.

  1. Password setting
    A password shall be always set, if password setting is available. Even if the Devices and Equipment are for personal use, please avoid using them without setting a password. Even such devices like network printers which appear to have nothing to do with a password sometimes have a password for device/equipment setting. The default password shall not remain unchanged. Please set an appropriate password.

  2. Management of other information devices and equipment
    Operating systems based on the Linux kernel are used in these devices and equipment. Therefore, it is required to update firmware periodically. If it is impossible to modify a vulnerability used by attacker, please don't connect it with the global network.

Points to remember

  • To prevent any information leakage, please connect printers and scanners, digital multifunction machines, NAS (network attached storage) devices to private network. The Information & Communications provides Secure NICE as a service for secure private network.
  • It is necessary to apply to the Information & Communications for authorization to connect with the global network. You must restrict access to them by password, IP address, etc.

3.9 Encryption method

There is always the risk of leakage, with or without malicious intent, when communication is made through a network or information is stored in a computer. Encryption of information can be used as means of preventing leakage. More specifically, there are following encryptions:

  1. Encryption using Web service
    When exchanging personal information or other information using a Web browser, it is desirable to use SSL communication. Please make sure that Web server's URL starts with https and proper certificate is used.
    Reference URL: http://www.verisign.co.jp/repository/faq/SSL/

  2. Encryption of electronic mail
    When communicating important contents via e-mail, the contents shall be encrypted. Please use a mail client or tool with encryption function, such as PGP.
    Reference URL: http://www006.upp.so-net.ne.jp/naoki-s/pgpi/

  3. Encryption of data files
    There are many tools for encryption of data files stored in a computer.
    Reference URL: http://www.vector.co.jp/vpack/filearea/win/util/security/cipher/index.html

  4. Encryption of communication
    The protocol to be adopted for encrypting communication must be one whose safety has been adequately confirmed.

Points to remember

  • As the safety of protocols before SSL3.0 cannot be adequately confirmed, they must be set to unavailable so that they will not be used.

3.10 Remote access environment

Caution is required with remote access environments, including use of VPN (Virtual Private Network) servers and remote desktops, because they are entryways into the university network from the outside. Therefore, for equipment set up inside the university on which VPN servers or remote desktops are enabled for use, please submit an application for opening a port through the “IP address management system.” The application may not be approved, depending on the situation or purpose for opening the port. In addition, Information and Communications is currently investigating into offering VPN service, and planning to integrate into this service step by step.

  1. Preparation of procedures for commencing/terminating use
    Procedures for commencing use of remote access environments must be prescribed so that only users requiring remote access can use the services. Similarly, procedures for terminating use must also be prescribed in order to disable user accounts that no longer require access, and a review of the users who have been granted access should be carried out at least once a year.

  2. User authentication
    Passwords for user authentication must be unique (do not reuse passwords from other systems).

  3. Access to information
    Do not place sensitive personal information, confidential information, etc. on the system configured as a remote access environment. In addition, the university system accessed through the remote access environment should be at the very least limited by IP address.

Points to remember

  • Some e-journals and Site License Software prohibit access through remote access environments. Please be careful not to violate these licenses.
  1. Authentication log
    A record of the authentication log must be kept for at least one year. Also, regular log checks are required to inspect for unauthorized access.

Chapter 4 Guidelines for Use of Cloud Services

4.1 Outline

In this chapter, guidelines are provided for all university members who intend to use a cloud service, so that they can use the cloud service safely. Generally, cloud services are operated by sharing computer resources with other users under the management of the cloud service companies. Therefore, it is always necessary to be aware of the mode of operation when dealing with information through cloud services. These guidelines explain the issues to be aware of when selecting a cloud service. Furthermore, please make sure to consult with Information and Communications in advance when dealing with sensitive information through cloud services.

4.2 Selection of cloud services

When using a cloud service, it is important to fully grasp in advance how the cloud service is operated. The following are points to be taken into consideration when selecting a cloud service.

4.2.1 Connecting to cloud services

Using a cloud service means using servers external to Nagoya University. Therefore, in order to ensure safe communication between the cloud service system and the computer used for the service, confirm that the items below are satisfied.

  1. Encryption of communication
    Confirm that communication from the user’s computer to the system can be encrypted.

  2. Access restriction
    Regarding access to the system, confirm that access can be restricted by IP address. Also, restrict access so that only specified university computers can use the cloud service system (While access to some website pages are intended to be open to the public and should not be restricted, access to other pages such as the website management page should be restricted.).

4.2.2 Security measures for cloud services

It is necessary to be aware of security issues, even with cloud services. The following items should be checked and confirmed when selecting a cloud service.

  1. Security policy
    Check the security policy under which the cloud service is operated.

  2. Malware countermeasures
    Confirm that malware can be detected and defended against.

  3. Action taken in the event of security incidents
    Check how the cloud provider responds when security incidents occur.

  4. System log
    Make sure that the log for the cloud service system can be browsed.

4.2.3 Terms of contract

  1. Clarification of the scope of responsibilities
    Clarify the scope of responsibilities and damage compensation between the university and the cloud provider at the time of entering into a contract by means such as having documentation issued.

  2. Applicable laws and regulations
    Check which laws and regulations will be applied in case of a dispute.

4.2.4 Handling of data

  1. Ownership of data and authority to use data
    The ownership of data and authority to use data on the cloud service must be clarified by checking the documents provided by the cloud provider, or by having documents issued when entering into the contract, or by other means.

  2. Handling of data upon termination of contract
    Confirm that the data on the cloud service and the users’ data are properly deleted upon termination of the contract.

4.2.5 Security measures for cloud services

Make sure that, when you intend to use a cloud service for a long time, the cloud provider has the capacity to provide the service for such a long period of time. In addition, confirm in advance that the utilization rate, response time, and other performance aspects will be sufficiently provided.

4.3 Use of cloud services

4.3.1 Management of user information

As is the case with other information systems, passwords must not be easily guessable, and should be different from those used with other services.

Chapter 5 Information Security Training and Education Guidelines

5.1 Outline

The Security Policy points out the need of awareness of risks and responsibilities associated with openness and convenience of information devices and information resources and provides for the "introduction of training system and implementation of educational activities." These Information Security Training and Education Guidelines (hereinafter referred to as the "Training Guidelines") are intended to provide specific guidelines concerning implementation of training and educational activities.

5.2 Information security training and education system

Information Security Training and Education Committee (hereinafter referred to as the "Training and Education Committee") shall be established as prescribed by the Information & Communications within the Information & Communications, and this Training and Education Committee and Information Security Members selected from information security unit sections shall work together to implement training and education.

5.3 Basic perspective of information security training

As a general rule, training shall be provided to the members of the University when: (1) they wish to obtain the authority to use information devices and equipment connected to NICE or its sub-network; (2) the devices and equipment they use are connected or they wish to connect the devices and Equipment to NICE; and (3) they are involved in the management and operation of NICE.

There are three types of information security training: initial training; periodical training; and special training. The training shall be provided to network users, the person responsible for installing information devices and equipment and the person responsible for operation and management (hereinafter referred to as the "Administrator").

5.3.1 Initial training

The initial training shall be provided to persons who obtain the authorization to use various networks of the University for the first time (for example, new students, newly appointed teachers, newly appointed researchers and newly hired staff) and persons who are appointed as the Administrator of the information devices and equipment for the first time.

  1. Initial training for network users
    Information System User Guidelines (Users' Guide) and other materials shall be used as training materials for the training for network users, and the training shall be provided with a focus on the following four issues through, among other methods, providing guidance or e-Learning:

    1. Purpose and importance of information security;
    2. Things users are permitted or not permitted to do;
    3. Measures to be taken by users when problems occur; and
    4. The need to be prepared to deal with information security for users themselves.
  2. Initial training for persons who wish to connect the information devices and equipment to NICE
    The Information Security Technology Guidelines and Information System User Guidelines separately prepared and other materials shall be used as training materials for the training for Administrators, and the training shall be provided with a focus on the following four issues:

    1. Purpose and importance of information security;
    2. The need to be prepared to deal with information security for Administrators themselves;
    3. Information security technology Administrators are expected to have; and
    4. Measures to be taken by Administrators when problems occur.
  3. Initial training for persons who manage and operate NICE
    Training plans for initial training for those who manage and operate NICE shall be prepared by the Information & Communications.

  4. Basic perspective of implementation of initial training

    1. Establishment of efficient training implementation plan
      The Training and Education Committee is expected to closely communicate and coordinate with information security unit sections regarding the method for implementation of initial training, and to ensure that the initial training plans prepared by information security unit sections do not overlap and the plans are implemented efficiently.

      In implementing the initial training, a laborsaving method such as online training shall be used as much as possible, and a mechanism to reduce burden of trainees, such as a system which allows trainees to participate in a training session at any time during the specified period, shall be introduced.

    2. Storing initial training participation record
      The Information & Communications or relevant information security unit section shall store a record of persons who participated in the initial training for an appropriate period of time.

    3. Omission of initial training
      As a general rule, the initial training shall be provided at each time the authorization to use the Devices and Equipment is newly granted. However, when the initial training taken elsewhere by an applicant is deemed sufficient, the initial training for such person may be omitted as far as the fact that the applicant has actually taken the initial training is confirmed.

5.3.2 Periodical training

The Training and Education Committee shall provide periodical training in collaboration with the relevant information security unit section. Information security unit sections shall provide their own periodical training as needed.

5.3.3 Special training

The Training and Education Committee shall provide special training in collaboration with the relevant information security unit section as needed. Information security unit sections may, as their own discretion, provide special training as needed.

5.4 Education

The Training and Education Committee shall collect from and provide to users, Administrators and members of the University information concerning information security in collaboration with the relevant information security unit section. To conduct educational activities, various media including mailing list, Information System User Guidelines and Information Security Technology Guidelines on websites, brochures and posters shall be used. All information concerning information security can be obtained from the website of Nagoya University, Information & Communications.

Annex 1 Security-related URLs

  1. Anti-virus software for Windows download sites
  2. Security patch information
  3. Network security tools

Annex 2 Glossary

  • Online Dictionary
  • Terms
    • NAT (Network Address Translator)
    • DHCP (Dynamic Host Configuration Protocol)
    • VPN (Virtual Private Network)
    • SNMP (Simple Network Management Protocol)
    • MAC (Media Access Control)
    • SSH (Secure SHell)