In order to safely exercise the think tank’s “convening power” to involve various stakeholders in the society, Asia Pacific Initiative (API) has established its “Information Security Policy”. This is to protect our information assets from threats such as fraud, cyberattacks, and other incidents, and thereby assure our stakeholders and other involved parties.
API’s staff fully acknowledge the importance of information security and have been trained to comply with this policy. API appoints the Chairman of API to the position of chief information security officer and the Executive Director to information security manager, and they will be responsible for conducting regular audits to ensure that the following items are observed:
I. Policies We Strictly Observe
(Operating Setup)
1. Personal computers (PCs) and smart devices used for API’s work are required to be protected by a password so that the only authorized users can access them. In addition, API staff will utilize two-step verification if applicable for all information and contact-sharing software used for API’s work.
2. Antivirus software is required to be installed and set to update automatically in all devices used for business purposes, including PCs and smart devices (note: if available in case of MacOS and iOS).
3. When Wi-Fi is used for API’s work , the use of encrypted communication is compulsory. The use of “WPA” and “TKIP” encryption or public Wi-Fi is not permitted.
4. To keep OS software up-to-date, updates will be set to launch automatically.
(Anti-theft)
5. When exchanging files containing personal information by email, setting a password for the file or compressed file is required.
6. When storing documents in a place where multiple people are permitted access, it is required that the documents are stored under lock and key.
7. In the event of a security breach or incident (lost/stolen equipment, data breach, virus, unauthorized access, etc.) it is required that the matter is promptly report to the Executive Director.
II. Policies We Endeavor to Follow
1. As a general rule, PCs and smart devices used for API’s work will not be shared with others. If shared use is unavoidable, a separate account must be created and access by other accounts restricted to any work-related folders or files.
2. The following password requirements will be integrated into our policy to prevent potential decryption and to minimize damage in the unlikely event that a device or software tool is compromised:
(1) Passwords of 10 characters or more, including alphanumeric characters and symbols;
(2) Reusing the same password should be avoided;
(3) Where two-step verification is applicable, it should be used.
3. Any USBs or CD-ROMs containing work-related data should not be carried around. If it cannot be avoided, a password on all the files and compressed files must be set. In the event that data must be transferred between devices using a USB or a CD-ROM, after the transfer is completed, all the files from the USB/CD-ROM must be deleted. Be sure not to lose the USB/CD-ROMs and be careful of theft afterwards.
4. Routine backups will be conducted on PCs and smart devices used for work purposes.
5. Caution must be exercised for virus infections via suspicious attachments and URL links in emails.
III. Other Considerations
1. When working in a public place, such as a shared office space, café, or during transit on the bus/train, the sitting position and the screen orientation of the device should be considered to avoid any wandering eyes. It is also recommended to consider measures such as using a computer privacy screen.
2. As a member of API, we will pay attention to the appropriateness of all posts made on SNS (including personal opinions on personal accounts). In particular, any information shared, remarks made, or photographs taken in private meetings will never be made public without the expressed consent of the individual.
Enacted on June 1, 2021