Basic Policy on Information Security

Our group is committed to the proper protection and management of the information assets we handle, ensuring the accuracy and smooth operation of our business. To achieve this, we continuously improve our information security systems, maintain data integrity and protection, monitor security threats, and respond swiftly to any incidents. We also strive to raise awareness of information security among all employees and promote responsible behavior through a well-established framework. Additionally, we define clear information security requirements for third parties such as suppliers to build a secure and reliable information management system.

  1. Establishment of Information Security System
    The company shall establish an information security management system and promote efforts to maintain and improve information security.
    In addition, a system for periodic audits and continuous improvement of these efforts shall be established.
  2. Information Security Education and Training
    The company shall provide education and training on a regular or as-needed basis to make employees aware of the importance of information security and to ensure that information assets are handled appropriately.
  3. Maintenance of Information Security Measures
    The company shall prevent external or internal leakage, theft, loss, destruction, and unauthorized entry of confidential information, whether intentional or negligent, and shall prepare for unexpected accidents and natural disasters.
  4. Protection of Information Assets
    The company recognizes the importance of all information assets in its possession from the perspective of confidentiality, integrity, and availability, and regularly assesses risks and takes appropriate management measures according to the actual conditions of business under the information security system.
  5. Maintenance of Rules and Regulations Concerning Information Security
    The company shall establish rules and management standards for information security, clearly indicate the handling of information assets in general within the company, and periodically review the contents of such rules and standards.
  6. Compliance with Laws and Regulations
    The company shall comply with all laws and regulations applicable to information security.
  7. Response to Security Incidents and Accidents
    The company shall promptly take action and follow procedures in the event of a security incident or accident, or when there are signs of such an incident or accident.
(Scope of Application)
This policy applies to all company organizations, employees, and suppliers, and to all information assets handled by the company.

Information Security Management

To strengthen and maintain information security, we have established an Information Security Committee responsible for overseeing the implementation of internal policies, monitoring activities, and conducting employee education. The committee is chaired by the Managing Director of the Marketing Division, who holds the authority and responsibility for executing and managing information security measures.
Representatives from each department serve as committee members to promote initiatives within their respective departments. The Secretariat promotes and manages company-wide information security efforts. The Administration Division oversees the proper management of IT equipment, while the Internal Audit Officer is responsible for auditing our information security measures and systems.
Through these coordinated efforts, we aim to continuously enhance our information security.
In the event of emergencies such as natural disasters, accidents, or operational disruptions, we follow our Business Continuity Plan (BCP), which outlines roles, responsibilities, response systems, and procedures for maintaining critical systems. The Director and Information Security Manager are responsible for executing recovery efforts for key systems and operations.
In case of an information security incident—or a suspected one—the Director or Information Security Manager promptly reports the incident to the Secretariat. The Secretariat then notifies the Committee Chair and responds in accordance with procedures defined in our security incident response guidelines.
The Secretariat of the Information Security Committee is responsible for investigating system and device vulnerabilities, collecting relevant information, conducting root cause analysis, and formulating remediation plans. Vulnerability assessments are conducted on a regular basis, and any identified vulnerabilities are promptly addressed.
We also maintain a system for receiving reports on newly discovered vulnerabilities, which includes prioritization, cause analysis, and remediation planning.
The Secretariat provides regular training and education to all employees to ensure appropriate handling of information assets. All employees involved in information assets are required to complete this training. Information Security Committee members and managers receive role-specific training to acquire the knowledge necessary for their duties. Directors are also responsible for providing continuous education and raising awareness among employees.