1. Basic policy
ERINES Inc. (the “Company”) recognizes the information entrusted to it by customers and business partners, along with the information assets involved in its business operations, as critical assets supporting the Company’s business. To protect these information assets and meet the trust placed in the Company by customers and society, the Company hereby declares that it will maintain and operate an information security management system and continuously improve it.
2. Scope
This policy applies to all information assets handled by the Company, and to all officers and employees of the Company (including full-time, contract, dispatched, and part-time staff as well as contractors; that is, anyone engaged in the Company’s work).
3. Organizational structure
The Company clarifies the responsibilities for information security and appoints an Information Security Manager under a top-level officer. The Information Security Manager is responsible for maintaining this policy and the related internal regulations, monitoring operational status, and overseeing improvement activities.
4. Management of information assets
The Company classifies the information assets it handles by importance and operates them under handling rules appropriate to each classification. Confidentiality, integrity, and availability are ensured throughout the lifecycle of information assets — acquisition, use, storage, transport, and disposal.
5. Risk assessment and countermeasures
The Company periodically — and on an ad hoc basis when needed — identifies, analyzes, and evaluates information security risks, and applies countermeasures proportionate to the size of each risk. Significant risks are addressed with priority, and the response status is monitored continuously.
6. Access control and technical measures
The Company enforces access control to information assets based on the principle of least privilege, granting only the access necessary for work. Alongside this, the Company continuously implements technical measures including encryption of communications and stored data, strengthened authentication, monitoring and detection of unauthorized access and malware, and vulnerability management.
7. Education and training
The Company provides information security education and training to officers and employees at the time of hire and periodically thereafter, so that each person understands and acts in line with this policy and related rules.
8. Supplier management
When the Company outsources part of its work, it evaluates the supplier’s information security level in advance and selects suppliers that meet an appropriate level. The Company executes the necessary contracts with suppliers and supervises their information security management on an ongoing basis throughout the engagement.
9. Incident response
The Company maintains procedures covering detection, reporting, initial response, recovery, and prevention of recurrence in case an information security incident occurs or is suspected. When one occurs, the Company will move quickly to limit the scope, identify the cause, and notify affected stakeholders.
10. Compliance
The Company complies with laws, government guidelines, and other norms related to information security, and faithfully performs the security-related obligations of its contracts with customers.
11. Business continuity
Against risks that may interrupt business activities — disasters, system failures, cyberattacks, and others — the Company implements measures to maintain the continuity of critical operations, and prepares and maintains the necessary plans.
12. Continuous improvement
The Company continuously reviews and improves this policy, related rules, and operations based on changes in the internal and external environment, technology trends, risk assessment results, and audit results, raising the level of information security over time.