
Information Security Hand Book

Introduction

This handbook contains the minimum required items taken from the information security policy and standard, compiled in an easy to read and understand format.
Please read this handbook through, and observe the instructions.
Information security is not the responsibility of other people. Cooperation by all members is essential for information security. Therefore every member must observe the instructions listed in this handbook.


Observance of the rules is monitored and logged in activities such as data access and system operation, and the records are used to prevent, detect, check, and audit incidents.
Your division may have more advanced rules. Please observe such rules in addition to the rules listed in this handbook.

Information Security Handbook

INDEX


Contents
When you come to the office;
01. Do you always wear your ID card? 4
When you use information;
02. What classification should be applied to that information? 5
03. Isn't it personal information? 7
04. Do you pay attention when you open a received mail message? 8
05. Do you always check the address to which you send a mail message? 9
06. Who is at the other end of the line? 10
07. Who is going to receive your FAX message? 11
08. Don't you leave printed sheets lying around? 12
When you use your PC;
09. Do you always keep your password confidential? 13
10. Is the website you are browsing really necessary for your work? 14
11. Don't you have a non-standard software program installed on your PC? 15
12. Are you using the latest version of anti-virus software? 16
13. Haven't you changed the standard settings? 17
14. Haven't you created shared folders on a PC? 18
15. Have you stored important information in the server? 19
16. Aren't you disposing of disused storage media as they are? 20
17. Haven't you stored any business data in a personally owned PC or USB memory? 21
When you leave your desk;
18. Do you lock your PC screen when you leave your desk? 22
19. Don't you leave important documents on your desk? 23
When you are out of the office;
20. Don't you take your PC or USB memory etc. out of the office without permission? 24
21. Do you always pay attention to your surroundings when you go out? 25
When you leave the office;
22. Do you always look around your desk before you go home? 26
In case anything should happen;
23. When you feel something is wrong 27
Contact Information 28
List of Related Documents 29

How to Use This Handbook


Text in red at the top of each page is the "main text". Please read this part first.
When there are guidelines and documents which need to be referred to in addition, you can find where to obtain them using the "Relevant Guidelines list" on page 26.
The main text is sometimes followed by "detailed descriptions" written in blue. Please consult this part when the main text is not sufficient for you to understand specifically what you should do.
Text in black at the bottom of each page describes the "reason(s)". This part explains why you have to follow the instructions given in the main text.
This manual uses the term below.
ISO (Information Security Operator): Generally this term refers to your immediate manager.


01. Do you always wear your ID card?


Show your ID card (company ID card, admittance permit card) when you arrive at work.
Always hold your ID card over the card reader at the card reader site.
Wear your ID card somewhere visible when in the company.
If you see someone who does not wear an ID card (or guest card), check whether the person has one (ex.: "Excuse me, you seem not to be wearing an ID card. Are you a member of the company?"). If this person still persists in not wearing one, contact the security guard room.
When you enter the building and the office using your ID card, pay attention to any strangers behind you or any strangers who do not have an ID card (or are not showing an ID card) following after you (in order to prevent tailgating).

Why

If you do not use your ID card properly, the system will not work and the whole physical security system will be wasted.


02. Which classification should be applied to that information?

Classify all information according to the information asset register and label it appropriately.
Handle the information by following the defined rules.
Company information is classified into several levels according to the importance of the information. Therefore all information that is handled must be categorized appropriately. This is what is called classification. Additionally, clearly marking information with its classification is termed labeling.
Please refer to the list on the next page for the definition of the classification terminology.
Refer to "Guidelines for Information Classification" and "Labeling Manual" for the methods of classification and labeling.

[Figure: reporting with the appropriate information classification: Nissan Secret A, Nissan Restricted B, Nissan Confidential C, Nissan Internal, or Nissan General]

Why

The classification of information and the labeling affect the way in which that information is later handled. Therefore these are fundamentally essential procedures.
Once the proper classification and labeling procedures are followed, the information will be protected appropriately.


Classification List
This is the list of confidential classification terminology that everyone must know.

Name: Nissan Secret A
Type: Type of information where disclosure is limited only to a number of specific parties.
Example: Information related to company management that most employees do not need to be involved with.

Name: Nissan Restricted B
Type: The type of information shared only by parties specified by name.
Example: Information that is to be shared only among those specified by the creator.

Name: Nissan Confidential C
Type: The type of information that can be shared only within a specific group (division, department, project).
Example: Information stored in an intranet area with limited access.

Name: Nissan Internal
Type: The type of information that can be shared by all parties handling Nissan information.
Example: Information shared through a company-wide intranet.

Name: Nissan General
Type: The type of information that is made available to people outside of the company.
Example: Information accessible to those outside of the company, such as website information and pamphlets.


03. Isn't it personal information?
When any information created and/or being handled contains personal information, follow the regulations related to the 'Act on the Protection of Personal Information'.

Any information that contains personal information should be categorized as Nissan Confidential C or above. Any information that contains personal client information should be categorized as Nissan Restricted B or above.

[Figure: examples of personal information: customer name, address, date of birth, phone number, etc.]

Within the company there is a significant amount of personal information, including client information and employee information.

Why

Personal information should be appropriately handled not only from the information protection perspective but also bearing in mind the need for compliance with the 'Act on the Protection of Personal Information'.
Therefore any incident or problem arising from the inappropriate handling of personal information can result in the company being held accountable for considerable social responsibilities and for sizeable damages.


04. Do you pay attention when you open a received mail message?

When you receive a mail message with an attachment from an unknown sender, as a rule, delete it without opening it.
When you receive a mail message with an attachment from someone you know, check the message and its title. In case you find anything suspicious, do not open it and contact the help desk.
Even if there is no attachment, you need to be careful with the contents of the message. Do not click on an unknown URL cited in the message, or enter your password on any website you may have been taken to.

Attached files may contain a computer virus. In some cases, you can be infected by merely opening a message.

Why

Some of the e-mail you receive may have a deceptive sender address.
You may also receive a contaminated message from an infected PC. In this case, the sender is spreading the virus unintentionally.
There is a type of fraud called "phishing". It leads you to a URL with a pop-up window requiring you to enter personal information, in order to steal it. Any information such as a PIN, password, or credit card number you type in is sent to the wrongdoer.

05. Do you always check the address to which you send a mail message?


Check the destination address(es) each time you send a mail message.
In particular, make sure you have removed unnecessary address(es) from the destination when you use "Reply to All".
A mail address is part of personal information. When an external address (e.g. the address of your customer) is included in the destination addresses, use BCC to prevent the address from being disclosed to other recipients.

Only people who are allowed to know the contents of the message should be included as recipients. The original message may be cited in a forwarded message or sometimes in a reply. Check whether it contains any sensitive information.

Why

"Reply to All" is a convenient feature; however, be sure to check all the addresses you reply to.

Japan's Personal Information Protection Law prohibits providing personal information to a third party without prior consent. When you send an e-mail message to more than one person, the recipients may be third parties to each other. In this case, if the recipients can see all destination addresses, you may be accused of disclosing personal information. To avoid such a situation, hide the destination addresses by putting them in BCC.


06. Who is at the other end of the line?


Never tell your password over the phone in any situation.
When you are asked for personal information of someone else (such as a phone number), tell the caller to leave a message for the person and never give any personal information.
When you make a phone call, make sure you are dialing the right number to avoid leaving a message on the wrong answering machine. You must not leave a message containing sensitive information on an answering machine.
Please verify all participants before any telephone meeting. Moreover, any information related to a telephone meeting should not be shared with anyone other than the relevant parties.

Why

So-called "social engineering", or stealing important information by using fake identities to trick people, is becoming a common threat to information security.


07. Who is going to receive your FAX message?

Make sure you send a FAX message to the right number.
Do not leave sent or received sheets on the FAX machine.
Do not re-use the reverse side of a paper on which sensitive information is printed.
When highly classified documents are received or sent, confirm over the phone in advance with your business partner that you will receive/send the documents, and make sure that the documents arrive securely (e.g. wait in front of the fax machine).

[Figure: a FAX message intended for 00-1234-5678 (NISSAN) mistakenly sent to 00-1234-4678]

Why

Special care is required when sending FAX messages since you cannot confirm the receiving party through conversation.
FAX numbers are more easily mistaken than mail addresses.


08. Don't you leave printed sheets lying around?

Immediately collect paper sheets printed on a printer or a copier.
Do not leave the original sheet on a copier.
When you use the scanner function of a multifunction copier, the PDF file is kept in the machine for 24 hours before being deleted. For documents with high confidentiality, save the PDF file in the server and delete the file immediately from the multifunction copier.

[Figure: a sheet labelled "Nissan Secret" left on a copier]

Why

Anybody can see or take information in these cases.


09. Do you always keep your password confidential?

Select a password that cannot be easily guessed, and keep it strictly confidential.
For your password, use eight or more characters, mixing alphanumeric and special characters.
Avoid using words that are directly related to your personal life, such as your date of birth or the names of your family members, simple words that can be easily guessed, or words that can be found in a dictionary. Also, change your PIN code and password at least every 60 days.
Never write down your password on a paper and stick it on your desk or around your PC.

[Figure: examples of acceptable ("OK") and unacceptable ("CANCEL") passwords]

A simple password can be revealed easily by an attack using a computer.

Why

If someone masquerades by using your identification, you may be accused of wrongdoings that you did not commit.


10. Is the website you are browsing really necessary for your work?


Do not browse any websites that are not relevant to your work.
Observance of the rules (e.g. the websites you visit) is monitored and logged, in order to prevent or detect incidents and to check and audit.

[Figure: a non-work website ("Best Competition for SUSHI", "Vote No. 1")]

Why

Your PC may be infected with a computer virus, etc. by merely browsing a website.


11. Don't you have a non-standard software program installed on your PC?

Do not install any software programs other than those authorized as standard by the company. For any work that requires the installation of non-standard software, please submit the predetermined application.
Even if you find useful-looking software programs on a website or on a CD attached to a magazine as a supplement, you must not install them.

[Figure: a "DOWNLOAD" button]

Why

Software programs are subject to copyright. Installing a software program without obtaining permission for replication from the author is an illegal action.
A software program obtained from a suspicious source may contain viruses, Trojan horses or spyware.


12. Are you using the latest version of anti-virus software?

When a new pattern file for the anti-virus software you are using is released, or a new security patch containing a fix is released, install it promptly, following the instructions from the IS Division.

[Figure: "Virus Pattern File Update Completed" dialog with an OK button]

Why

New viruses and hacking threats emerge every day.


13. Haven't you changed the standard settings?

Do not change the configuration of your network and hardware, including modems and wireless access points.
You must not automatically forward messages received in your company mailbox to an outside mailbox or a cellular phone.

If you change the configuration based on your own judgment, this might make a hidden path allowing access from outside of the company. Even a single hole in the system can render the whole system vulnerable.

Why

Today, so-called "war dialing" or "war driving" to unauthorized modems or wireless access points has become a common threat to information security.
Automatic forwarding may result in an unintended disclosure of sensitive information.


14. Haven't you created shared folders on a PC?
Do not create shared folders on any PC.

If you want to share folders via the network, use shared folders on the integrated file server.

If you create a shared folder, you need to set the access rights to the folder by yourself. If you fail to set them properly, an unexpected person may access your PC.

Why

There are viruses, such as Nimda, that can spread via shared folders.
If there are too many PCs with shared folders, the division servers or domains you are searching for may not appear in "My Network Places," thereby causing inconvenience to many users.

15. Have you stored important information in the server?


Save important data in the integrated file server.
Remove unnecessary data from the integrated file server.

When you store a file subject to copyright or a software license on the integrated server, make sure you comply with copyright law or the license agreement.

Why

Important data might disappear as a result of PC failure or erroneous operation. Backup copies are regularly generated for files stored in the integrated file server.
The disk capacity of the server is limited. Unnecessary data left in the server uses up disk space for necessary data.


16. Aren't you disposing of disused storage media as they are?


Send disused storage media to the specified location.

Do not reuse storage media that contain sensitive data. Paper sheets on which such data is printed must be shredded, and the reverse side of such sheets must not be reused.
When you scrap disused floppy disks, magneto-optical disks, or DAT/DLTs, follow the prescribed procedure. Refer to Japanese members near your desk for more details.
You can throw away other storage media such as CD-Rs by yourself, after you break them and make them unusable.

Why

Today, "scavenging" of information from garbage, and restoring original information from residual signals in used media, are common threats to information security. Original information can be easily restored from deleted files or formatted disks.


17. Haven't you stored any business data in a personally owned PC or USB memory?

Do not store any business data in your personally owned PC or USB memory.

Why

Your company cannot control the configuration of personally owned PCs. It is entirely at your discretion how you configure your own PC. Even if the configuration of your PC carries a high risk of information disclosure or data corruption, the company has no means of knowing that fact. There are great risks in allowing employees to store business data in such PCs. For example, incidental disclosures of business confidential data have been reported from other companies following the storing of data in personally owned PCs in which P2P file sharing software programs such as WinMX or Winny were installed.
Similarly, your company cannot control the configuration of any personally owned USB memory, what it contains or how it is used in the company. When you use such a USB memory for your own personal matters, business information can be disclosed by mistake, or simply through loss. The use of a personally owned USB memory results in an elevated risk of an information security incident.


18. Do you lock your PC screen when you leave your desk?

When you leave your desk, please lock your PC screen, in order to avoid your screen being seen by others or your PC being used by others.
The PC screen can be locked by pressing [Ctrl]+[Alt]+[Del] and selecting 'computer lock'.

Or alternatively:
Close the PC cover for a note/mobile PC.
Switch the monitor off for a desktop PC.

Why

If you leave your desk with your PC logged on, you cannot prevent
somebody masquerading and operating your PC as you by using
your identification. You may be accused of wrongdoing that you
did not commit.


19. Don't you leave important documents on your desk?


Do not leave documents that contain sensitive information on your desk when you leave your desk.
When you use a white board, erase everything you have written after you finish (also recommended as good manners).
When you use a projector in a meeting, turn it off during breaks.

[Figure: a desk left with a meeting note, a calendar with a due date, a FAX and a document labelled "Nissan Secret A"]

Why

Anybody can see or take information in these cases.


20. Don't you take your PC or USB memory etc. out of the office without permission?


When taking a PC or USB memory etc. outside of the company, ask for permission according to the predetermined rules.
Beware of mislaying or theft of items such as your PC and USB memory etc. In case of loss or theft, report to the ISO (Information Security Operator) immediately.

Why

Within the company, increased incidents of mislaying and theft of personal information contained within PCs and USB memory etc., together with the disclosure of confidential information, have become a problem.
More information leaks out as time passes. Any delay in countermeasures may result in far-reaching damage.


21. Do you always pay attention to your surroundings when you go out?

When you use your PC or open files outside of the office, be careful not to let anybody peek at your display.
Pay attention to your topics of conversation when you are in public places such as on a train or at a restaurant, etc.

Why

You never know who is next to you. The person may be someone with bad intentions, a competitor or one of our customers.


22. Do you always look around your desk before you go home?


When you leave the office, shut down your PC.
Lock up your note PC and mobile PC.
Lock up important information in a secure place.
What is a mobile PC:
A notebook PC with Mobile Setting (allowing access to the LAN from a remote access area).
What is a note PC:
A notebook PC which is not a mobile PC.

Why

The above precautions are needed to prevent information from being used by unauthorized persons or stolen.


23. When you feel something is wrong


When you encounter an accident or find any indication of a potential accident, report it to the ISO (Information Security Operator) as soon as possible.
Additionally, in the event of any theft or loss of a PC or any memory media, or should a virus infection occur, report to the help desk as well.
Any accident related to information security, or any indication of such an accident, is referred to as an 'information security incident'. Specifically, these are the following situations. When you come across any such incident, please report it immediately.
PC infection with a malicious program, such as a virus, worm, or spyware;
Unauthorized system access;
Theft of a mobile PC;
Disclosure, etc. of personal information;
Sighting of a suspicious person(s) or object(s) in the office;
Non-observance of the company policy and rules;
Any illegal actions; or
Discovery of an incident or signs of an incident that could lead to a compromise of information security.

Why

For example, in case of information disclosure, more information leaks out as time passes. Any delay in countermeasures may result in far-reaching damage. Each employee should keep his/her eyes open for any unusual signs and respond as soon as possible once a problem is detected.


Contact Information
Fill in the following fields with the contact information related to information security, your department and your name.

Contact information for information security related issues


Help Desk

ISO
(Information Security Operator)

Security Guard Room

Owner of this handbook


Department

Name


List of Related Documents


The information covered in this handbook can be categorized according to the following policy, guidelines and regulations. When confirmation is necessary, please refer to these documents.

Information Security in General
Information Security Policy
(WIN JAPAN/A&O Policies and Guidelines Home Page > 05. Information Security > Information Security Policy)

Method of Information Classification / Labeling
Guideline for Information Classification
(WIN JAPAN/A&O Programs > Information Security > Guidelines/Manuals > Guideline for Information Classification)
Guideline for Preparation of Information Asset Register
(WIN JAPAN/A&O Programs > Information Security > Guidelines/Manuals > Guideline for Preparation of Information Asset Register)
Labeling Manual
(WIN JAPAN/A&O Programs > Information Security > Guidelines/Manuals > Guideline related to Information Security Policy > Labeling Manual)

Act on the Protection of Personal Information
Regulations related to the 'Act on the Protection of Personal Information'
(WIN JAPAN/A&O Policies and Guidelines Home Page > 02. Legal)
* The English version is not available.

PC Related Guidelines / Applications
IS Rules/Manuals
(WIN JAPAN/A&O Tool Box > PC/OA Tools > PC Navi (PC Helpdesk))


Revision History

Date: March, 2006
Context: First edition
Reviser: Global IS Division Security Office

Date: August, 2007
Context: Second edition. Revision of content structure. Addition of chapters 23. Revision of chapters 161117 2023 and a list of contacts. Addition of a List of Related Documents.
Reviser: ISecMC Administration

Date: August, 2010
Context: Third edition. Remove 'ID card compulsory usage for PC'. Password 8 digits.

Date: October, 2015
Context: Fourth edition. Update of the classification of information and the labeling.
Reviser: Office
