UNIDIR Cyber Policy Portal Database

agencies of the Cabinet, the Imperial Household Agency, agencies regulated by Paragraph 1 or 2, Article 49 of the Cabinet Office Establishment Act (Act No. 89 of 1999), agencies regulated by Paragraph 2, Article 3 of the National Government Organization Act (Act No. 120 of 1948) or agencies placed under them. (b) Incorporated Administrative Agencies: Corporations regulated by Paragraph 1, Article 2 of the General Rules for Incorporated Administrative Agencies (Act No. 103 of 2009) (c) Designated Corporations: Designated Corporations regulated in Article 13 of the Act 2. Persons who are the application target of this model are national public servants engaged in administrative affairs in national administrative organs, executives of Incorporated Administrative Agencies and Designated Corporations engaged in the work of said organizations, and other people serving under the supervision of Agencies, all of whom handle the information that is defined by the next paragraph (hereinafter referred to as “employees”). 3. Information that is the application target of this model is the information recorded in the system provided for information process or communication purpose (hereinafter referred to as “information system”) or in external electronic or magnetic recording medium and the information relating to design or operation management of information system, both of which are officially handled by employees. Chapter 2. Basic Policy of Information Security Measures for Government Agencies and Related Agencies (Risk Evaluation and Measures) Article 3. Agency shall analyze a possibility of threat occurrence relating to retained information and used information system and loss at the time of threat existence, evaluate risk and take necessary information security measures by taking into consideration result of selfassessment defined by Article 10, result of information security audit defined by Article 11 and result of audit implemented by the cybersecurity strategic HQ based on Law in light of purpose of its own agency. 2. Agency shall review information security measures when there is any change in the evaluation of the previous paragraph. (Information Security Documents) Article 4. Agency shall stipulate Agency’s basic policy (it is the basic policy of its own information security measures. The same shall apply hereinafter) and Agency’s own standards (it is the standards of information security measures to ensure information security of