Information Security Policy Statement
Revision history 1st edition
Approved by: Shintaro Tsuji
Contents: JIS Q 27001:2014 (ISO/IEC 27001:2013)
Newly established for the purpose of compliance
Approval date: April 1, 2021
(hereinafter referred to as "the Company") uses a large number of information assets in the planning, development, operation, and sales of web applications and in the management of employees (hereinafter referred to as "the business"). We therefore recognize that protecting these information assets is not only an essential requirement for conducting our corporate activities with the trust of society, but also a serious social responsibility. Accordingly, in consideration of the importance of information security, we have established this Information Security Policy (hereinafter referred to as "the Policy"), and will establish, implement, maintain, and improve an information security management system to put the Policy into practice.
2 Definition of information security
Information security is defined as the maintenance of confidentiality, integrity, and availability.
(1) Confidentiality means that information assets are protected from unauthorized access and are not leaked to unauthorized persons. (A characteristic that prevents the use or disclosure of information to unauthorized individuals, entities, or processes.)
(2) Integrity means that information assets are protected from falsification and errors and are maintained accurately and completely. (Characteristics of accuracy and completeness)
(3) Availability means that information assets are protected from loss, damage, and system shutdown, and are available when needed. (Characteristics of access and use when requested by authorized entities)
3 Scope of Application
This policy applies to all information assets managed by the Company. The scope of information assets is not limited to electronic devices and electronic data, but includes all forms of media, including paper.
Quicken Corporation (all employees)
Head Office (Address: 3F, 2-33-2 Honcho, Shibuya-ku, Tokyo)
Planning, development, operation and sales of web applications
Documents, data, information systems, and networks related to the above business and various services
The following items shall be implemented in accordance with this policy and our information security management system.
(1) Information security objectives
We will formulate information security objectives that are consistent with this policy and that take into account applicable information security requirements as well as the results of risk assessment and risk response, make them known to all employees, and review them periodically even if there are no changes, and as necessary in response to changes in our environment.
(2) Handling of information assets
a) Access privileges shall be granted only to those who need them for business purposes.
b) Information shall be managed in accordance with legal and regulatory requirements, contractual requirements, and the provisions of our information security management system.
c) Information assets shall be appropriately classified and managed according to their importance in terms of value, confidentiality, integrity, and availability.
d) Information assets shall be continuously monitored to ensure that they are being managed appropriately.
(3) Risk assessment
a) We will conduct risk assessments and implement appropriate risk responses and control measures for information assets that are judged to be the most important based on the characteristics of our business.
b) We will analyze the causes of accidents related to information security and take measures to prevent recurrence.
(4) Business continuity management
We will minimize business interruptions caused by disasters or malfunctions and ensure business continuity capabilities.
We will provide all employees with information security education and training.
(6) Compliance with regulations and procedures
We will comply with the rules and procedures of the information security management system.
(7) Compliance with legal and regulatory requirements and contractual requirements
We will comply with legal and regulatory requirements and contractual requirements related to information security.
(8) Continuous improvement
We will work to continuously improve our information security management system.
(9) Policies for information security
We will establish the following information security policies related to the Information Security Policy.
Policies related to mobile devices
Policy on the use of cryptographic control measures
Clear desk and clear screen policy
Policy for information transfer
Policy for Security Sensitive Development
Policy on Information Security for Supplier Relationships
5 Responsibilities, Obligations, and Penalties
The responsibility for the information security management system, including this policy, rests with top management, and employees in the applicable scope are obligated to comply with the established rules and procedures. Employees who neglect their duties and commit violations will be punished in accordance with the employment regulations. Employees of subcontractors will be dealt with in accordance with individually stipulated contracts.
6 Periodic Review
The information security management system shall be reviewed periodically and as necessary to maintain and manage the system.