BASIC POLICY ON INFORMATION SECURITY

Purpose of Information Security

For-A Company Limited and its affiliates will protect information assets from all threats, and in order to do this, we will implement all necessary information security measures. Ensuring continuous and stable business activities is the social responsibility of For-A Company Limited and its affiliates, and we have adopted this Information Security Policy in order to achieve this.

All officers and employees of For-A Company Limited and its affiliates understand and comply with the Basic Policy on Information Security, relevant regulations, and the ISMS Manual.

Definition of Information Security

Information security means protecting information assets from threats, and ensuring and maintaining confidentiality, integrity, and availability of information.

Confidentiality: Ensuring that only those with permission are able to access the information
Integrity: Ensuring that all data and handling methods are correct and complete
Availability: Ensuring that permitted users are able to access information and related assets when required

Goals of Information Security

We have adopted the following information security goals.

1. Ensure confidentiality of information assets, and ensure that information does not leak
2. Ensure integrity of information assets, and ensure that information is not destroyed
3. Ensure availability of information assets, and ensure that necessary information can be used when it is required
4. If there is an information security incident, minimize damage, swiftly restore operation, and prevent recurrence

Scope of Application

The scope of application to For-A Company Limited and its affiliates is stipulated separately in “ISMS Scope of Application” which applies to all information assets handled within the scope of application.

Application includes all personnel who handle information assets. Agreements affirming the content of this policy have been entered with all external contractors, ensuring this content applies to them.

Information Security Organizational Structure

In order to implement information security, the Integrated Information Management Department (Management Headquarters) has been established.

Information security managers have been appointed in order to maintain information security.

Conducting Risk Assessment

We have established and maintain an ISMS from the perspective of organizational and strategic risk assessment.

We conduct risk assessments concerning confidentiality, integrity, and availability of information, as well as threats and vulnerabilities, in order to minimize risks by responding to high risks, etc.

Compliance with Laws and Regulations

All officers and employees must comply with laws such as the Copyright Act, laws relating to prohibition of unauthorized computer access, etc., and the Personal Information Protection Act, as well as industry guidelines relating to information security.

Education

We ensure thorough dissemination of the content of this policy to all officers, employees, loaned staff, and external contractors, and conduct ongoing education as necessary in order to maintain information security.

Business Continuity Management

We have implemented measures to minimize work stoppages due to disasters and accidents, etc., and ensure business continuity.

Continuous Improvement

In order to confirm compliance with information security measures, we conduct regular and ad-hoc internal audits.

In addition to generating improvement through these audits, we conduct continuous improvement by conducting reviews according to changes in information systems and environmental changes such as new threats.

Penalties

Employees that commit actions in breach of regulations relating to information security are subject to disciplinary action, etc., under the Rules of Employment.