[First Edition] Information Security Policy

Last update: April 1, 2021

______________________
ISMS-01
Information Security Policy Statement
Revision history: 1st edition
Approved by: Shintaro Tsuji
Contents: Newly established for the purpose of compliance with JIS Q 27001:2014 (ISO/IEC 27001:2013)
Approval date: April 1, 2021
______________________

1 Objective

Quicken Corporation (hereinafter referred to as "the Company") uses a large number of information assets in the planning, development, operation, and sales of web applications and in the management of employees (hereinafter referred to as "the business"). We recognize that protecting these information assets is not only an essential requirement for conducting our corporate activities with the trust of society, but also a serious social responsibility. Therefore, in consideration of the importance of information security, we have established this Information Security Policy (hereinafter referred to as "the Policy"), and will establish, implement, maintain, and improve an information security management system to put the Policy into practice.

2 Definition of information security

Information security is defined as the maintenance of confidentiality, integrity, and availability.
(1) Confidentiality
Confidentiality means that information assets are protected from unauthorized access and are not leaked to unauthorized persons. (A characteristic that prevents the use or disclosure of information to unauthorized individuals, entities, or processes.)
(2) Integrity
Integrity means that information assets are protected from falsification and errors and are maintained accurately and completely. (Characteristics of accuracy and completeness)
(3) Availability
Availability means that information assets are protected from loss, damage, and system shutdown, and are available when needed. (Characteristics of access and use when requested by authorized entities)

3 Scope of Application

This policy applies to all information assets managed by the Company. The scope of information assets is not limited to electronic devices and electronic data, but includes all forms of media, including paper.
(1) Organization
Quicken Corporation (all employees)
(2) Facilities
Head Office (Address: 3F, 2-33-2 Honcho, Shibuya-ku, Tokyo)
(3) Business
Planning, development, operation and sales of web applications
(4) Assets
Documents, data, information systems, and networks related to the above business and various services

4 Implementation

The following items shall be implemented in accordance with this policy and our information security management system.
(1) Information security objectives
We will formulate information security objectives that are consistent with this policy and that take into account applicable information security requirements as well as the results of risk assessment and risk response, make them known to all employees, and review them periodically, even if there are no changes, and as necessary in response to changes in our environment.
(2) Handling of information assets
a) Access privileges shall be granted only to those who need them for business purposes.
b) Information shall be managed in accordance with legal and regulatory requirements, contractual requirements, and the provisions of our information security management system.
c) Information assets shall be appropriately classified and managed according to their importance in terms of value, confidentiality, integrity, and availability.
d) Information assets shall be continuously monitored to ensure that they are being managed appropriately.
(3) Risk assessment
a) We will conduct risk assessments and implement appropriate risk responses and control measures for information assets that are judged to be the most important based on the characteristics of our business.
b) We will analyze the causes of accidents related to information security and take measures to prevent recurrence.
(4) Business continuity management
We will minimize business interruptions caused by disasters or malfunctions and ensure business continuity capabilities.
(5) Education
We will provide all employees with information security education and training.
(6) Compliance with regulations and procedures
We will comply with the rules and procedures of the information security management system.
(7) Compliance with legal and regulatory requirements and contractual requirements
We will comply with legal and regulatory requirements and contractual requirements related to information security.
(8) Continuous improvement
We will work to continuously improve our information security management system.
(9) Policies for information security
We will establish the following information security policies related to the Information Security Policy.
Policies related to mobile devices
Access control
Policy on the use of cryptographic control measures
Clear desk and clear screen policy
Policy for information transfer
Policy for Security Sensitive Development
Policy on Information Security for Supplier Relationships

5 Responsibilities, Obligations, and Penalties

The responsibility for the information security management system, including this policy, rests with top management, and employees in the applicable scope are obligated to comply with the established rules and procedures. Employees who neglect their duties and commit violations will be punished in accordance with the employment regulations. Employees of subcontractors will be dealt with in accordance with individually stipulated contracts.

6 Periodic Review

The information security management system shall be reviewed periodically and as necessary to maintain and manage the system.



Enacted: April 1, 2021
Date of last revision: April 1, 2021
Top Management: Shintaro Tsuji


End of document