Issued in 1996.
Last amended in 2000.
The present Guidelines provide guidelines that should be followed by organizations (such as companies) and individuals so as to prevent and discover damage due to unauthorized computer access, restore it to the normal state, and prevent expansion and reoccurrence of damage.
The definitions of terms used in the present Guidelines are given below:
The present Guidelines consist of Guidelines for system users, Guidelines for system administrators, Guidelines for network service providers, and Guidelines for hardware/software providers. The structure and contents of the Guidelines are explained below.
These Guidelines consist of countermeasures that should be implemented by users of systems (hereafter referred to as "system users").
(1) Password and user ID control (9 items)
These items consist of guidelines for controlling the passwords and user IDs used by the system users themselves.
(2) Information control (7 items)
These items consist of guidelines for controlling the information used by the system users themselves.
(3) Computer control (6 items)
These items consist of guidelines for controlling the computers used by the system users themselves.
(4) Ex post facto actions (2 items)
These items show what actions to take when a system user discovers a system abnormality or unauthorized access.
(5) Education and information collection (2 items)
These items set guidelines for providing education and collecting information about security.
(6) Audit (1 item)
This item provides an audit guideline for appropriately countering unauthorized access.
These Guidelines consist of countermeasures that should be implemented by those who are responsible for controlling system users, and for installing, controlling, and maintaining systems and their components (hereafter referred to as "system administrators").
(1) Control structure establishment (7 items)
These items set guidelines for establishing the structures used to control systems and their components.
(2) System user control (10 items)
These items set guidelines that should be followed by system administrators in controlling system users.
(3) Information control (8 items)
These items set guidelines that should be followed by system administrators in controlling information on entire systems.
(4) Equipment control (18 items)
These items set guidelines that should be followed by system administrators in controlling hardware, software, communication lines, communication equipment, and their composite bodies.
(5) History control (4 items)
These items set guidelines that should be followed by system administrators in recording, analyzing, and maintaining system operation history and access records.
(6) Ex post facto actions (6 items)
These items show what actions to take when a system administrator discovers an abnormality in a whole system or unauthorized access, or when a system administrator receives a report of such from a system user.
(7) Information collection and education (4 items)
These items set guidelines for collecting information about security, methods for using such information, and methods for providing system users with education.
(8) Audit (1 item)
This item provides an audit guideline for appropriately countering unauthorized access.
These Guidelines consist of countermeasures that should be implemented by organizations that provide information services using networks and network connection services (hereafter referred to as "network service providers").
(1) Control structure establishment (2 items)
These items set guidelines for establishing structures for providing network services.
(2) Network service user control (7 items)
These items set guidelines that should be followed by network service providers in controlling network service users.
(3) Information control (3 items)
These items set guidelines that should be followed in controlling the information of the network service users and the network service providers themselves.
(4) Equipment control (5 items)
These items set guidelines that should be followed by network service providers in controlling equipment related to network services.
(5) Ex post facto actions (6 items)
These items show what actions to take when a network service provider discovers an abnormality in a network service-related system or unauthorized access, or when it receives a report of such a discovery.
(6) Information collection and education (3 items)
These items set guidelines for collecting information about security, methods of using such information, and methods of providing network service users with education.
(7) Audit (1 item)
This item provides an audit guideline for appropriately countering unauthorized access.
These Guidelines consist of countermeasures that should be implemented by organizations engaged in development, manufacture, and sales of hardware and software (hereafter referred to as "hardware/software providers").
(1) Control structure establishment (2 items)
These items set guidelines for establishing structures for providing hardware and software.
(2) Equipment control (2 items)
These items set guidelines that should be followed by hardware/software providers in controlling the equipment used for development and manufacturing.
(3) Development control (7 items)
These items set guidelines that should be followed by hardware/software providers in developing and manufacturing hardware and software products.
(4) Sales control (4 items)
These items set guidelines that should be followed by hardware/software providers in selling hardware and software products.
(5) Ex post facto actions (6 items)
These items show what actions to take when a hardware/software provider discovers an abnormality in, or unauthorized access to, a system being developed.
(6) Information collection and education (2 items)
These items set guidelines for collecting information about security, methods of using such information, and methods of providing product users with education.
(7) Audit (1 item)
This item provides an audit guideline for appropriately countering unauthorized access.
Although the present Guidelines are targeted at both organizations (such as companies) and individuals, the specific guidelines are set for organizations, due to formatting convenience. Individual users can prevent damage due to unauthorized access by giving attention to the following items:
<1> Don't share the same user ID among a group of system users.
<2> Be sure to set a password for a user ID.
<3> If a user has a number of user IDs, set a unique password for each of them.
<4> Don't set poor passwords.
<5> Change passwords whenever appropriate.
<6> Don't write a password down on paper or on a similar medium.
<7> Input passwords without being seen by others.
<8> If you learn another user's password, quickly notify the system administrator.
<9> When you discontinue use of a user ID, quickly report it to the system administrator.
<1> Implement measures such as setting passwords for important information or enciphering such information.
<2> In sending important information, limit its destinations and fully confirm the addresses.
<3> Make sure that the access authority that is appropriate for the importance of a file is set as a file attribute.
<4> Strictly control the files needed for maintenance of computer and communication equipment, so that they cannot be stolen, altered, or deleted.
<5> Keep paper and magnetic media containing important information in a safe place.
<6> In discarding paper and magnetic media containing important information, make sure that no information may be leaked.
<7> Make file back-ups whenever appropriate and store their magnetic media in a safe place.
<1> In installing, updating, and removing computers, communication equipment, or software, follow the system administrator's guidance.
<2> Minimize access to a computer using the highest level of authorization (hereafter referred to as "privilege") assigned for computer control.
<3> In accessing computers by privilege, set limits for computers, locations, periods, etc.
<4> Check computer access history whenever appropriate to check for signs of unpermitted access to computers.
<5> Don't leave computers in the state of waiting for input.
<6> Use functions for omitting password input only under the guidance of the system administrator.
<1> When you discover a system abnormality, contact the system administrator immediately and follow his or her instructions.
<2> When you discover an unauthorized access, contact the system administrator immediately and follow his or her instructions.
<1> Receive security education from the system administrator whenever appropriate.
<2> When you obtain any information about security measures, provide the information to system administrators whenever appropriate.
<1> Receive system audit reports and take any necessary actions to increase the effectiveness of the unauthorized access countermeasures taken by system users.
<1> Establish system security policies and make sure they are thoroughly known and observed.
<2> Establish a system control structure and control procedures and make sure they are thoroughly known and observed.
<3> Establish an emergency liaison structure and recovery procedures and make sure they are known and observed thoroughly.
<4> Keep information obtained through system control activities confidential.
<5> Minimize the authority of the system administrator to only what is essential to perform his or her duties.
<6> Assign the minimum essential number of system administrators, but at least two. Have them change duties periodically.
<7> Immediately cancel the authorization assigned to anyone who has lost his or her qualification as a system administrator.
<1> Limit system user registration to the necessary equipment and limit the system user's authorization to an essential minimum.
<2> Limit the user IDs that can access the system from the outside via a network to the essential minimum.
<3> Assign one user ID to each individual and be sure to set a password.
<4> Quickly cancel the authorization of a user ID that has not been used for a long period.
<5> When a system administrator receives a notice of user ID abolishment, delete its registration immediately.
<6> Don't reveal passwords to anyone except the system user concerned.
<7> Check passwords whenever appropriate and have poor passwords changed quickly.
<8> When a password is leaked to anyone but the system user concerned, or when there is doubt whether this has happened, immediately have the password changed.
<9> In assigning authorization to a system user, consider his or her technological competence, etc.
<10> Quickly cancel system user authorization as soon as it becomes unnecessary.
<1> Establish a scheme for preventing information leaks on communication routes.
<2> Use confidentiality functions so that information cannot be analyzed even if it is tapped or leaked on a communication route.
<3> Use an alteration detection function so that alteration of information on a communication route can be detected.
<4> Control system-related files so that they cannot be accessed by system users.
<5> Distribute important information to minimize damage due to deletion, alteration, leaks, etc.
<6> Keep paper and magnetic media containing important information in a safe place.
<7> In discarding paper and magnetic media containing important information, make sure that no information may be leaked.
<8> Make file back-ups whenever appropriate and store their magnetic media in a safe place.
<1> Identify the administrators for all equipment and software.
<2> Install equipment that stores or processes important information in a place that cannot be accessed by anyone except permitted persons and strictly control it.
<3> Employ anti-tapping measures for movable equipment.
<4> Always have an understanding of the system configuration.
<5> In installing equipment or software, make sure in advance that its security functions comply with the security policy.
<6> Make sure whenever appropriate that the setup information for equipment and software complies with the system.
<7> Use equipment and software with clear information about the contact points for providers and update information.
<8> Use equipment and software for which any security problems have been solved.
<9> Make sure that equipment connected to the outside has sufficient access control functions.
<10> Before changing the system configuration, make sure that no security problems will arise.
<11> Limit the communication routes and computers that can be accessed from the outside via a network to the minimum essential.
<12> In controlling a system from the outside via a network, set certification, encryption, and access control functions.
<13> Equipment that is to be left unused for a long period should not be connected to a system.
<14> In discarding, returning, or transferring equipment or software, take measures to prevent leakage of information.
<15> Make sure whenever appropriate that software and system files have not been altered.
<16> Make the maximum use of the password strengthening functions of systems.
<17> Monitor the load status of networks.
<18> Separate networks according to forms of system utilization.
<1> Take system operation history and access records based on a system security policy.
<2> In taking system operation history and access records, implement any measures needed to prevent alteration, deletion, destruction, or leakage.
<3> Analyze recorded system operation history and access records whenever appropriate.
<4> Maintain recorded system operation history and access records for a fixed period in a safe manner.
<1> As soon as a report of an abnormality is received or an abnormality is discovered, investigate the cause rapidly.
<2> When an access is found to be unauthorized, obtain information about any damage in cooperation with the people concerned.
<3> Take any measures needed to prevent expansion of damage due to unauthorized access in cooperation with the people concerned.
<4> Perform whatever recovery procedures were established in advance and make efforts to recover from the damage due to an unauthorized access in cooperation with the people concerned.
<5> Analyze the cause of the damage due to an unauthorized access and take measures to prevent reoccurrence in cooperation with the people concerned.
<6> To prevent expansion of damage due to an unauthorized access and to prevent reoccurrence, report the necessary information to the organization separately designated by the Minister of International Trade and Industry.
<1> Collect information about security measures whenever appropriate.
<2> Analyze collected information and quickly take any necessary actions for important information.
<3> When a system user implements security measures, provide the necessary information.
<4> Provide system users with security information whenever appropriate.
<1> Receive system audit reports and take any necessary actions to increase the effectiveness of the unauthorized access countermeasures taken by system administrators.
<1> Clarify the scope of responsibility for network service provider staff.
<2> Establish a liaison structure and recovery procedures to be applied upon discovery of unauthorized access and make sure they are known and observed thoroughly.
<1> Clarify the division of responsibilities between network service providers and network service users.
<2> Clearly present the security services that are available from network service providers.
<3> Establish a number of liaison structures with network service users and make sure they are known and observed thoroughly.
<4> Establish a scheme for limiting services to network service users who have made an unauthorized access.
<5> When a network service user so requests, disclose his or her access information, etc.
<6> Establish a scheme that enables monitoring of unauthorized access to network service users.
<7> Establish a scheme that enables recording of a network service user's access information.
<1> Control network service users' information strictly.
<2> In disclosing a network service user's information, obtain his or her approval.
<3> Don't disclose important information such as the network configuration.
<1> Install equipment related to network services in a place that cannot be accessed by anyone except permitted persons and control it strictly.
<2> Establish a scheme that enables constant control of equipment related to network services.
<3> Secure a number of communication lines for remotely controlling equipment related to network services.
<4> Separate the network providing services to network service users from networks for other applications.
<5> Limit the release of information related to a specific service to the equipment related to that service.
<1> As soon as a report of an abnormality is received or an abnormality is discovered, investigate the cause quickly.
<2> When an access is found to be unauthorized, obtain information about any damage in cooperation with the people concerned.
<3> Take measures needed to prevent expansion of damage due to an unauthorized access in cooperation with the people concerned.
<4> Perform any recovery procedures that were established in advance and make efforts to recover from the damage due to an unauthorized access in cooperation with the people concerned.
<5> Analyze the cause of the damage due to an unauthorized access and implement measures to prevent reoccurrence in cooperation with the people concerned.
<6> To prevent expansion of damage due to an unauthorized access and to prevent reoccurrence, report the necessary information to the organization separately designated by the Minister of International Trade and Industry.
<1> Collect information about security measures whenever appropriate.
<2> When a network service user implements security measures, provide the necessary information.
<3> Offer sufficient information about the security problems of networks and countermeasures, and provide education for utilizing such information as necessary.
<1> Receive system audit reports and take any necessary actions to increase the effectiveness of the unauthorized access countermeasures taken by network service providers.
<1> Clarify the scope of responsibility for hardware/software provider staff.
<2> Establish a liaison structure and recovery procedures to be applied upon discovery of unauthorized access and make sure they are known and observed thoroughly.
<1> Install development-related equipment in a place that cannot be accessed by anyone except permitted persons and control it strictly.
<2> Separate development-related networks from networks for other applications.
<1> Set a clear policy for installing security functions on products.
<2> Provide products with security functions such as security protection, certification, and alteration detection functions.
<3> Integrate functions for preventing analysis of important security information into the network-related functions of products.
<4> Integrate user limiting functions into the maintenance functions of products.
<5> Set up functions that disable use of products without security settings.
<6> Delete the debug functions used for product development before shipment.
<7> Check that the security functions of products operate according to their specifications.
<1> Implement measures for products to prevent alteration, etc. in the distribution stage.
<2> In selling products, provide clear information about their limitations and recommendations for usage.
<3> Mark products with the contact point for their provider.
<4> If a security problem about a product is discovered, send this information to users and related people and implement appropriate actions to solve the problem.
<1> As soon as an abnormality is discovered in a product development system, investigate the cause quickly.
<2> When an access is found to be unauthorized, obtain information about any damage in cooperation with the people concerned.
<3> Take any measures needed to prevent expansion of damage due to an unauthorized access in cooperation with the people concerned.
<4> Perform any recovery procedures that were established in advance and make efforts to recover from the damage due to an unauthorized access in cooperation with the people concerned.
<5> Analyze the cause of the damage due to an unauthorized access and implement measures to prevent reoccurrence in cooperation with the people concerned.
<6> To prevent expansion of damage due to an unauthorized access and to prevent reoccurrence, report the necessary information to the organization separately designated by the Minister of International Trade and Industry.
<1> Collect information about security measures for products whenever appropriate and utilize it in product development.
<2> Offer information about security measures through sales of products and provide education as necessary.
<1> Receive system audit reports and take any necessary actions to increase the effectiveness of the unauthorized access countermeasures taken by hardware/software providers.