Kyoto Institute of Technology Information Security Measures Policy

Established on August 1, 2004
Last updated on October 1, 2016

There have been increasing cases of attacks on websites (obstruction of business) and copyright infringement, resulting in the payment of huge damages. There have also been cases of leakage of personal information, resulting in damage to the trust of those who leaked such information. With even one similar incident caused by people related to KIT, we may suffer tremendous economic damage that might endanger the existence of KIT. This is no exaggeration; we always keep in mind that the use of computers and networks is accompanied by such danger. Even if people who are subject to the Information Security Basic Policy do not intentionally cause such incident, they may be exploited in a cyberattack without realizing it because their actions are not directly related to the attack. There are also dangers that they may unintendedly infringe copyrights or leak personal information or confidential information because of their lack of correct knowledge.

In addition to protecting the information assets of KIT, it is also necessary to prevent the incidents described above. It goes without saying that the same applies to when connecting a personally owned computer to the KIT network. The details of important points of provisions of applicable laws and the Information Security Basic Policy are shown below. People to whom such provisions are applied to must observe the following points, or have such points observed in the scope of their duties and capabilities.

(a) Management and Protection of Information Assets

Information assets must be classified according to their security importance level. Passwords or other methods will be used to appropriately control the use of such information assets. Especially when operating wireless LANs, it is necessary not only to control users but also to take measures against unauthorized interception of communications. Each person must strictly manage his/her password and other similar information, and prevent them from leaking to any third parties.
Protection of KIT’s information assets is important because it also is a basic way of preventing such assets from being used for cyberattacks against websites outside KIT’s network. As such, it is important to recognize the significance of it and to strictly manage passwords.

It is desirable to regularly make a backup of important data. It is necessary to secure safe storage space where such backup data will be kept.

It is also necessary to strictly manage access to and from server rooms and other facilities.

(b) Prevention of information security intrusion, anti-virus measures

It is of course a crime to intentionally damage or destroy information systems. However, in order to prevent yourself from unintentionally engaging in such activities, you must always pay attention to the following points:

  • Do not install any software with suspicious functions or obtained from dubious sources. Do not carelessly execute any files stored on USB memory sticks or other external memory. You also need to be careful about programs whose installation is requested while browsing websites and links to dubious websites. These actions may allow attackers to intrude into the network, resulting in higher risks of information theft or being used for attacks on other websites.
  • It is recommended to delete emails with dubious content from unknown senders without reading. Do not open the attached files or execute attached program, because there is a risk of virus infection. Even if emails are from people or organizations you know well, if you detect anything suspicious, directly contact the person by telephone or other communication method before opening attached files.
  • “Targeted email attacks” have become increasingly sophisticated. In these attacks, the attackers target a certain organization, thoroughly research its work practices, and attack the target with a combination of several methods. It is difficult to completely detect all of such emails and prevent them from entering the network. We must be careful enough when browsing websites and receiving emails, assuming that such targeted attack emails can enter KIT’s network.
  • Be sure to install anti-virus software, and keep virus definition files updated. Once a computer is infected with a virus, it may delete important files from it, or begin attacking websites. Even a virus that does not cause such actual damage, if the infection spreads, it may cause the malfunction of the foundation of KIT’s information systems.
  • If a security patch is released, apply it immediately. This may prevent a virus infection, even before the update of the virus definition file. Do not rely on anti-virus software only. Keep in mind that the fundamental solution to the problem of security holes is removing holes themselves, that is, applying security patches.
  • In managing machines including servers, stop the function of activating unnecessary processes. Also close unnecessary communication ports.
  • A multi-function printer with functions of facsimile, scanner, and copier uses various services, such as web management screen, file transfer, and file sharing. As such, it is vulnerable to various risks. When using such a machine, you need to select a security setting appropriate to the environment of the printer. Special devices such as network attached storage (NAS), a videoconference system, and a network camera may also be vulnerable to risks depending on the information handled with such devices, or how these devices are used. It is necessary to take measures appropriate for the characteristics of these devices.
  • It is not allowed to set up a method to access KIT’s information assets using a VPN (virtual private network) without making an application for permission of special treatment in the management of KIT’s firewall.
  • In principle, use domains of kit.ac.jp and kit.jp or subdomains under these domains when sending and receiving emails in the course of your work for KIT.
  • Social media services are useful methods of publishing information for promotional purposes. However, a user agreement of such services requires users to use external services, and you cannot use KIT domains. As such, there is a high risk of imposters. When using such services, take necessary measures, such as showing who is responsible for the account, clarifying that the account is for publishing information from KIT, and introducing the account name on the official website of KIT.

(C) Prohibition of unauthorized acquisition of information, unauthorized offer of information to any third parties, and unlimited use of computers

Whether it is from inside or outside of KIT’s network, it is illegal to access information assets beyond the scope of the authorization given to you. As for copyrights, be careful about the following points:

  • It is illegal to exchange or distribute copyrighted works, including music data, movie video, and commercial software on the network. Refrain from engaging in such activities, and those who are in the position of management and supervision must be careful not to overlook such illegal activities.
  • To prevent illegal infringement of copyrights and protect against information leakage, installment and use of Peer-to-Peer (P-to-P, P2P) file exchange software are prohibited.
  • Use commercial software with an appropriate license. Do not make an illegal copy of such software or use it in an illegal way that is contrary to the user agreement. Please be careful when putting a copy on a server machine as a backup. There have been cases where such action was deemed as a copyright infringement.
  • When publishing data and pictures on websites or in public documents, make sure that the use of such data and pictures does not infringe on any copyrights.

(d) Protection of data and personal information

It is necessary to take appropriate protection measures against risks of unauthorized access to confidential data and personal information (information that can identify individual persons), loss, unauthorized change, and leakage of such information. “Personal information” includes student status (including academic achievement) and communication history (log information). When collecting personal information, it is necessary to pay appropriate attention, by clarifying the scope of information collected or the purpose of use beforehand, and by keeping the confidentiality of personal information obtained in the course of your work.

Before using external services such as cloud computing services and ASPs (application service providers), or when outsourcing the development of an information system and website contents, it is necessary to confirm that such service providers have appropriate protective measures to prevent information leakage and mixing of malfunctions. When taking the data out of KIT using a USB memory stick, external memory, or a rental laptop, observe the restrictions set out in KIT’s rules.

(e) Promotion of information security

The methods of threatening information security have become increasingly diversified and sophisticated. As such, it is not enough to just take a measure once. It requires reviews and updates to keep ourselves protected from such risks. This is not something required only of KIT’s management and administration divisions. For example, as article (b) above requires to “keep virus definition files updated,” it is necessary to understand that this is something required for everyone. In order to deepen such understanding, it is necessary to hold lectures or training programs to learn about information security, and those who are subject to this policy will actively participate in such programs.

This Information Security Measure Policy needs to be regularly reviewed.

(f) Report of information security incidents/accidents

When noticing an actual or possible information security incident or accident, you need to immediately notify the Information Security Management Division (Director: Informatization General Manager, Education/Academic General Vice-Director: Director of the Center of Information Sciences, and Administration Division General Vice-Director: Chief of the Information Management Division) accordingly.

As for information leakage, reports shall be made in accordance with the separately established “Emergency Communication and Response Flow.”