Information Security Policy

1. Purpose

The main business of the Group is Business Process Outsourcing (BPO) and the safety of information assets and business continuity are top priorities for management. We consider the safety and security of our Clients and business partners our social responsibility, and we protect their information from various threats. This document was established with the purpose of achieving the appropriate management and security of our operations.

2. Information Security Organization

2.1 Information Security Committee

The Information Security Committee comprises the Representative Director, Chairman of the Information Security Committee and representatives of relevant departments, who meet to discuss and make decisions on information security issues.

2.2 Information Security Secretariat

The Information Security Secretariat shall be established at the secretariat for the Information Security Committee.

2.3 Internal Audit

An internal audit will be completed to ensure information security is effective.

2.4 Information Security Officer

An Information Security Officer shall be appointed within each department as the staff member responsible for information security-related matters.

2.5 Internal Audit System

In order to carry out audits to check whether or not ISMS operations are being performed in accordance with the Information Security Policy, the Information Security Committee shall appoint and instate an Internal Audit Officer. The Internal Audit Officer shall appoint and instate a Internal Auditor.

2.6 Risk Management Officer

The Information Security Committee shall appoint and instate a Risk Management Officer as a general manager responsible for risk management.

2.7 Risk Assessment Officer

The Risk Management Officer shall appoint and instate a Risk Assessment Officer as the officer responsible for risk assessment.

3. Information Security Policy

3.1 Need-to-Know Principle

The Information Security Division is responsible for granting access to information. Employees are only given permission to access the information they need to complete their work.

3.2 Information Asset Management

The Director of Information Security will manage information assets and security-related information in accordance with regulations imposed by the agreement and the Group.

3.3 Selection of Measures and Classification of Information Assets

The Director of Information Security will manage information assets properly, classified according to their importance.

3.4 Monitoring

The Director of Information Security will ensure that information assets are properly managed and monitored on an ongoing basis.

3.5 Security Incident Response

In the event of an accident related to information security, the person discovering the accident shall immediately report the details of the accident to the Information Security Officer; the causes of the accident related to information security shall then be analyzed and measures to prevent a recurrence shall be implemented as necessary.

3.6 Business Continuity Management

There must be plans in place to ensure minimum interruption to business in the event of a disaster.

3.7 Education

Employees and suppliers take part in regular information security education, according to their position.

3.8 Compliance with Rules and Regulations

Employees and suppliers of the Group are required to comply with rules and regulations on information security.

3.9 Conformance to legal and contractual requirements

Company employees and employees of subsidiaries or partners are required to comply with the information security requirements of an agreement.

Shinichi Tamagami
Prestige International Inc.

October 1, 2021