- Basic Policy for Information Security
Basic Policy for Information Security
Approval date: Jan. 18, 2018
Eiken Foundation of Japan
Koichi Matsukawa, Chairman
- 1. Overview and Purpose
The goal of the Eiken Foundation of Japan (hereafter Eiken) is the promotion of lifelong learning in order to facilitate the acquisition and spread of the practical English skills necessary to function in society, by evaluating English ability and providing people with various means to develop their English skills. To this end, Eiken stores a large volume of information assets, including personal data, and utilizes them on a daily basis. Additionally, it is actively implementing information management technology in order to both improve its operational efficiency and better serve test-takers. The information collected by Eiken is extremely important as it includes not just examinees' personal information but important data used in its operations as well, so if the information it stores were leaked outside of Eiken, the consequences would be extremely serious. Consequently, it is essential that both information and the information systems used to manage it be protected from any threats in order to ensure not only the continuation of Eiken's operations, but the security of test-takers' personal information as well. Therefore, as a basis for the comprehensive standards for the security measures to be observed by all executives and employees of Eiken who deal with information assets, this document sets out the information security policy established by Eiken, describes how it will be put it into practice, and explains that it must be continuously improved.
- 2.Information Security defined
Information Security refers to ensuring and maintaining the confidentiality, integrity, and availability of all information assets (including personal information) stored by Eiken.
- (1)Confidentiality: Not using or making public information related to individuals, entities (organizations, etc.), or processes without permission. (Safeguarding it from disclosure or unauthorized access)
- (2)Integrity: Safeguarding the accuracy and completeness of information assets. (Preventing tampering and errors)
- (3)Availability: The accessibility and usability of information when it is requested by authorized entities (organizations, etc.). (Safeguarding it from information loss and corruption, and system stoppages)
The Scope of Eiken's security policy is as follows:
- (1)The policy applies to Eiken’s executives and employees, workers employed by Eiken under dispatch contracts, subcontracted workers who perform duties at Eiken on a regular basis, and all of Eiken's part-time employees.
- (2)The policy applies to all information and information systems used in operations under Eiken's management.
- (3)The policy applies to information, either on paper or in digital form. It includes not just Eiken's documents, but documents that are in the process of being created, as well as regular and personal information obtained from outside sources.
- (4)The policy applies to all of Eiken's information systems used for the electronic processing of information, whether they are hardware-, software-, or network-based, as well as documents necessary for operations management or maintenance.
- (5)Even information assets that are stored outside of Eiken are recognized as information assets possessed by Eiken.
- 4. Implementation
- (1)Security management systems for safeguarding all applicable information assets (including personal information) from threats (information leaks, unauthorized access, tampering, loss, damage, etc.) shall be established, installed, put into operation, inspected, reviewed, and maintained and improved.
- (2)All information assets shall be handled in compliance with the requirements of any related laws and contracts.
- (3)In order to prevent interruptions in business activities caused by major setbacks and natural disasters, processes for preventing and recovering from them will be established, and the ability to restart business activities and important operations will be ensured. In addition, these will be reviewed on a regular basis.
- (4)All employees and other parties concerned shall be given regular education, training, and instruction regarding information security on a regular basis.
- 5.Responsibilities, duties, and penalties
- (1)The chairman shall be responsible for information security. Therefore, the chairman shall provide the necessary resources to all people described in Section 3 Part 1.
- (2)The people described in Section 3 Part 1 are responsible for protecting the information assets (including personal information) stored by Eiken.
- (3)The people described in Section 3 Part 1 shall follow the established policy for maintaining this information security policy.
- (4)The people described in Section 3 Part 1 must promptly report any incidents or weaknesses related to information security if they are discovered.
- (5)The people described in Section 3 Part 1, whether employed by Eiken or not, shall not infringe on the privacy of any company, organization, or individual.
- (6)The people described in Section 3 Part 1 shall not access information without authorization or use information without permission.
- (7)The people described in Section 3 Part 1 shall be fully aware of the role and impact of Eiken’s information assets, and in managing them, it shall give consideration to appropriate classification in order to ensure the confidentiality, integrity, and availability of information.
- (8)The people described in Section 3 Part 1 must observe all laws, regulations, and Eiken policies regarding information assets. In addition, if there is any violation of the various laws, agreements, and policies established by Eiken, then the penalties will be applied in accordance with the regulations established by Eiken.
- 6.Regular review and approval of information security and the information security policy
In order to protect information assets, information security measures will be evaluated regularly and if revision is needed, it will be carried out promptly. In addition, the efficacy of the information security policy will be evaluated regularly and revised if necessary. Further, the information security policy will be reviewed regularly by the Information Security Committee (at least once a year), and the review will be approved by the chairman.
- 7.Handling of personal information
Established Jan. 18, 2018