BASIC INFORMATION SECURITY POLICY

1.Purpose of the Basic Information Security Policy

In recent years, concerns about information security, such as the leakage of personal and corporate information and the intrusion of viruses and worms, have heightened. Customers increasingly demand the proper handling of information and the provision of secure services. In response to these demands, APRE Co., Ltd. (hereinafter referred to as “the Company”) believes that maintaining trust with customers, providing optimal products and services, enhancing customer satisfaction, and building and maintaining good relationships with customers are essential to our business. Therefore, we establish this Basic Information Security Policy to ensure the confidentiality, integrity, and availability of information assets. All officers and employees involved in the Company’s business must comply with this Basic Information Security Policy and strive to maintain and improve information security.

2.Scope of Application

This Basic Information Security Policy applies to all information system-related assets utilized by the Company. Information system-related assets, as referred to herein, include information (such as documents and data), hardware, software, services, and the facilities and equipment involved in protecting and utilizing these assets.

3.Fundamental Measures

The fundamental measures for the Company’s information security are as follows:

(1)Establish risk evaluation criteria and a risk assessment framework, and define a systematic approach to risk assessment based on these. Specifically, identify the threats and vulnerabilities of information assets, with a focus on availability for information assets related to procurement, production, logistics, and sales, and on confidentiality for the maintenance and management of customer information assets. This approach will clarify the security requirements.


(2)Identify risks and implement measures to address them, thereby stabilizing business continuity and further enhancing customer satisfaction.


(3)Conduct information security education and training for relevant employees to raise awareness and understanding of security.

4.Organization

The Risk Management Committee shall decide on the procedures based on the Basic Information Security Policy, review and evaluate security requirements, and implement countermeasures. Additionally, the committee will determine other initiatives to promote the dissemination of information security activities. Based on the decisions of the Risk Management Committee, the entire company shall work together to implement measures aimed at smoothly advancing information security activities.

5.Information Security Management Officer

The officer responsible for managing the Company’s information security shall be the Head of the Corporate Division.

6.Compliance with Laws and Regulations

All officers and employees involved in the Company’s business must comply with applicable laws, such as the Personal Information Protection Act and the Unauthorized Computer Access Act, as well as business-related contractual obligations.

7.Audits

The Compliance with the Company’s Basic Information Security Policy, as well as related procedures and guidelines, shall be regularly audited by the Corporate Planning Office.
 

Enforced on November 1, 2022

Revised on May 1, 2024

APRE Co., Ltd.
Representative Director Atsuyuki Kikuchi