柏崎 礼生
SIGUCCS '18: Proceedings of the 2018 ACM on SIGUCCS Annual Conference, pp. 43-50, October 2018
[Peer-reviewed] In December 2017, a Japanese university announced a large-scale personal information leak. According to public sources, the leak was caused by several points of unauthorized access on several systems. Additionally, in February 2018, a Japanese research institute announced a large-scale security incident. In Japan, many cyber security incidents are reported each year. After security incidents occur, a supervisory agency (in these cases, the Ministry of Education, Culture, Sports, Science and Technology, a.k.a. MEXT) and security consulting firms order the institutes to "strengthen governance in their own institutes", "develop preventive measures" and even "buy (expensive) security appliances". The purpose of this paper is to share the example of a Japanese university's information leak and its cleanup process, as well as to explore what "governance" means in higher education and research institutes, and how we operate Computer Emergency Response Teams / Computer Security Incident Response Teams.