Information Security Policies

Basic Policy on Information Security
June 9, 2020

Article 1. The purpose of this basic policy is to define the basic information security measures to be implemented by RTC in order to maintain the confidentiality, integrity and availability of the information assets held by, Inc. (hereinafter referred to as “RTC”) to maintain the confidentiality, integrity and availability of the information assets held by RTC.

Article 2. In this outline, the meanings of the terms listed in the following items shall be as prescribed respectively in those items.

(1) Network: A communication network for interconnecting computers, etc., as well as the hardware and software of said computers, etc. (2) Information system: A system for processing information, consisting of computers, networks and electromagnetic recording media.
(2) Information system: A system that consists of computers, networks, and electromagnetic storage media to process information.
(3) Information security: Maintenance of confidentiality, integrity, and availability of information assets.
(4) Information security policy: This means this basic policy and the information security measures standards separately stipulated by RTC.
(5) Confidentiality: The state in which information can be accessed only by authorized persons.
(6) Integrity: Ensuring that information is not destroyed, tampered with, or erased.
(7) Availability: It means to ensure that the persons authorized to access the information can access the information without interruption when necessary.
(8) Internet-connected system: An information system connected to the Internet related to Internet mail, homepage management systems, etc., and the data handled by such information system.
(9) Harmless communication: Communication that is secured by converting the body of Internet mail into text and transferring screens to terminals, etc., so that computer viruses and other malicious programs do not adhere to the mail.
(10) Employees, etc.: Full-time employees, temporary employees, contractors, designated administrators, and those who use the network by agreement.

(Targeted Threats)

Article 3. RTC shall implement information security measures based on the following threats to information assets.

(1) Leakage, destruction, falsification, or erasure of information assets, fraudulent disclosure of important information, or internal fraud due to intentional factors such as unauthorized access, virus attacks, cyber attacks including denial-of-service attacks, or intrusion by outsiders
(2) Leakage, destruction, falsification, or erasure of information assets due to unauthorized removal of information assets, violation of regulations such as use of unauthorized software, inadequate design and development, program defects, operational or configuration errors, inadequate maintenance, inadequate internal or external audit functions, inadequate outsourcing management, management defects, equipment failure, or other unintentional factors (3) Earthquakes, lightning, erasure, etc.
(3) Suspension of services or operations due to disasters such as earthquakes, lightning, fire, etc.
(4) Malfunctions in system operations due to personnel shortages caused by large-scale and widespread illnesses
(5) Spillover from infrastructure failures such as power supply disruptions, communication disruptions, water supply disruptions, etc. (Scope of Application)

Article 4. The information assets to which this basic policy applies shall be as follows

(1) Networks and information systems, their related equipment and electromagnetic recording media
(2) Information handled by networks and information systems
(3) System-related documents such as information system specifications and network diagrams
(4) Printed and paper documents related to items (1) through (3) (Obligation of compliance by employees, etc.)

Article 5. Employees shall share a common understanding of the importance of information security, and shall comply with the Information Security Policy and Information Security Implementation Procedures in the execution of their duties. (Information Security Measures)

Article 6. RTC shall take the following information security measures to protect its information assets from the threats described in Article 3.

(1) Establish a company-wide organizational structure to promote information security measures for RTC’s information assets.
(2) Classify the importance of RTC’s information assets according to confidentiality, integrity and availability, and implement information security measures based on such classification.
(3) Physical measures shall be taken to manage server equipment, server rooms, communication lines, and personal computers of employees, etc.
(4) Human measures shall be taken to ensure information security, including the establishment of rules to be observed by employees, etc., as well as sufficient education and awareness-raising.
(5) Technical measures such as computer management, access control, countermeasures against unauthorized programs, and countermeasures against unauthorized access shall be taken.
(6) The company shall take operational measures for the information security policy, such as monitoring information systems, checking compliance with the information security policy, and ensuring security when outsourcing, etc. In addition, an emergency response plan shall be formulated to respond promptly and appropriately in the event of a security breach of information assets, etc. (7) In the case of using external services, the company shall establish an emergency response plan.
(7) When using external services, the following necessary measures shall be taken.

(a) In case of outsourcing, the company shall confirm that the outsourced service provider has the necessary security measures in place, conclude a contract with the outsourced service provider that specifies information security requirements, and take the necessary measures based on the contract.
(b) When external services are used in accordance with the terms and conditions of the contract, the regulations for the use of such services should be prepared and measures should be taken.
c. When using social media services, establish operational procedures regarding information that can be transmitted, responsible persons for each social media service used, etc.

(8) To verify compliance with the information security policy, information security audits and self-inspections shall be conducted periodically or as necessary to improve operations and information security, and the information security policy shall be reviewed as necessary. (Formulation of Information Security Measures Standards)

Article 7. In order to implement the measures, etc. specified in the preceding article, the Information Security Measures Standards shall be established, which stipulate specific compliance items and judgment criteria. (Formulation of procedures for implementation of common items)

Article 8. Specific procedures to implement the information security measures based on the information security measures standards in the preceding article shall be defined by the Common Matter Implementation Procedures. The procedures for common matters shall not be disclosed to the public, since public disclosure may cause serious hindrance to the operation of the RTC.

pplementary Provisions This outline shall apply from June 9, 2020.