Information Security Policy
- Home >
- Information Security Policy
Basic Information Security Policy
Through now, the Company has met customer needs with a focus chiefly on the auto industry. To protect information assets from threats such as accidents, disasters, and crime in today's advanced information society so that we can meet the expectations of customers and society by continuing to deliver technological services that will satisfy customers, we have established the following Basic Information Security Policy as a guideline for the Company's information security initiatives.
1. Development of internal controls and information security policies
The Company shall develop the management structures needed to maintain and improve security and establish the necessary information security measures in formal in-house rules.
The Company shall develop the management structures needed to maintain and improve security and establish the necessary information security measures in formal in-house rules.
2. Leadership's responsibility and continual improvement
Company managers shall take leadership in appropriate management of the information assets of the Company and its customers, through complying with this Policy.
Company managers shall take leadership in appropriate management of the information assets of the Company and its customers, through complying with this Policy.
3. Formulation and review of the objectives of information security
The Company shall formulate information security objectives and implement various activities to achieve them. Information security objectives shall be subject to approval and annual review by Company managers.
The Company shall formulate information security objectives and implement various activities to achieve them. Information security objectives shall be subject to approval and annual review by Company managers.
4. Compliance with the requirements of laws, regulations, and contracts
Company employees shall comply with the security requirements of laws, regulations, rules, standards, and contracts with customers regarding the information assets used in business activities.
Company employees shall comply with the security requirements of laws, regulations, rules, standards, and contracts with customers regarding the information assets used in business activities.
5. Employee initiatives
Company employees shall learn the knowledge and skills needed to maintain and improve information security and shall assure the implementation of information security initiatives.
Company employees shall learn the knowledge and skills needed to maintain and improve information security and shall assure the implementation of information security initiatives.
6. Continual improvement
The Company shall monitor, maintain, and continually improve the state of operation of its information security management system.
The Company shall monitor, maintain, and continually improve the state of operation of its information security management system.
7. Responding to violations and incidents
The Company shall maintain structures for responding to violations of laws, regulations, rules, standards, and contracts with customers concerning information security and to information security incidents, and it shall minimize the impact of any violations or incidents.
The Company shall maintain structures for responding to violations of laws, regulations, rules, standards, and contracts with customers concerning information security and to information security incidents, and it shall minimize the impact of any violations or incidents.
July 1, 2021
CaRepo Corporation
Yoichiro Akasu, Representative Director
CaRepo Corporation
Yoichiro Akasu, Representative Director
Individual Information Security Policies
1. Management of information assets
To manage properly information assets used within the scope of the information security management system (ISMS), the Company shall identify information assets used and choose and implement management measures in line with their importance.
To implement management measures appropriately, we shall make clear the persons responsible for subject information assets and maintain them through taking such measures as labeling by importance and identifying the scopes in which they may be used. We shall establish and implement an approval process for removal of information from the scope of the ISMS. We also shall identify risks involved in external use of such implement appropriate measures.
We shall establish and implement procedures for reliable deletion of the content of information assets when disposing of them (as waste) or reusing them, to prevent improper use of information assets.
To manage properly information assets used within the scope of the information security management system (ISMS), the Company shall identify information assets used and choose and implement management measures in line with their importance.
To implement management measures appropriately, we shall make clear the persons responsible for subject information assets and maintain them through taking such measures as labeling by importance and identifying the scopes in which they may be used. We shall establish and implement an approval process for removal of information from the scope of the ISMS. We also shall identify risks involved in external use of such implement appropriate measures.
We shall establish and implement procedures for reliable deletion of the content of information assets when disposing of them (as waste) or reusing them, to prevent improper use of information assets.
2. Organizational and human security measures
To carry out information security activities reliably within the organization, we shall make clear the roles and responsibilities of all related parties and establish and implement organizational measures such as functions for coordination among related parties, approval processes for adoption and modification of management resources, risk communication, and internal auditing.
We shall provide continual education and training for all related parties to ensure that they understand and implement information security measures and maintain records of such education and training.
We shall make responsible persons clear and establish and implement systems for all related parties to ensure that when their relationship to information assets changes or is discontinued the power and authority granted to them and articles lent to them are revised, deleted, or returned as appropriate.
To carry out information security activities reliably within the organization, we shall make clear the roles and responsibilities of all related parties and establish and implement organizational measures such as functions for coordination among related parties, approval processes for adoption and modification of management resources, risk communication, and internal auditing.
We shall provide continual education and training for all related parties to ensure that they understand and implement information security measures and maintain records of such education and training.
We shall make responsible persons clear and establish and implement systems for all related parties to ensure that when their relationship to information assets changes or is discontinued the power and authority granted to them and articles lent to them are revised, deleted, or returned as appropriate.
3. Access controls
To protect information assets managed within the scope of the Company's ISMS from unauthorized use, misuse, and other improper access, we shall identify and authenticate users (verifying their identity), set appropriate access authorization to information assets, and implement and maintain measures for such purposes as swiftly detecting improper access and keeping access logs.
To protect information assets managed within the scope of the Company's ISMS from unauthorized use, misuse, and other improper access, we shall identify and authenticate users (verifying their identity), set appropriate access authorization to information assets, and implement and maintain measures for such purposes as swiftly detecting improper access and keeping access logs.
4. Encryption
We shall apply appropriate encryption technologies to information assets with consideration for their importance, their availability, and technological progress, in order to protect their confidentiality, authenticity, and integrity.
We shall apply appropriate encryption technologies to information assets with consideration for their importance, their availability, and technological progress, in order to protect their confidentiality, authenticity, and integrity.
5. Physical environmental security measures
We shall establish physical security levels to prevent improper access to facilities necessary to protect information assets and to information assets themselves. In accordance with these security levels, we shall implement and maintain entrance and exit control and physical measures to protect against fires, floods, earthquakes, explosions, acts of violence, and other natural disasters or human-caused damage.
We shall implement and maintain measures to prevent improper work and operational errors within high-security boundaries.
We shall implement and maintain measures to protect equipment such as personal computers and servers and the power supplies, cables, and all other facilities needed to maintain the operation of such equipment from risks such as environmental threats, disasters, and improper access.
We shall firmly establish and implement an approval process for removing equipment outside the scope of the ISMS. We also shall identify risks involved in external use of such implement appropriate responses.
We shall establish and implement procedures for reliable deletion of the content of information assets when disposing of them (as waste) or reusing them, to prevent improper use of information assets.
We shall establish physical security levels to prevent improper access to facilities necessary to protect information assets and to information assets themselves. In accordance with these security levels, we shall implement and maintain entrance and exit control and physical measures to protect against fires, floods, earthquakes, explosions, acts of violence, and other natural disasters or human-caused damage.
We shall implement and maintain measures to prevent improper work and operational errors within high-security boundaries.
We shall implement and maintain measures to protect equipment such as personal computers and servers and the power supplies, cables, and all other facilities needed to maintain the operation of such equipment from risks such as environmental threats, disasters, and improper access.
We shall firmly establish and implement an approval process for removing equipment outside the scope of the ISMS. We also shall identify risks involved in external use of such implement appropriate responses.
We shall establish and implement procedures for reliable deletion of the content of information assets when disposing of them (as waste) or reusing them, to prevent improper use of information assets.
6. Communication and operation management
To prevent such incidents such as improper acts and errors in operation of important information-processing equipment, we shall establish and implement such measures as division of job responsibilities and segregation of equipment and maintenance of operation procedures.
To maintain system availability and integrity, we shall establish and implement measures such as system capacity management and backing up information assets.
To protect systems from malware (such as malicious code or unauthorized mobile code), we shall firmly establish and implement detection, preventive, and recovery measures (including giving full recognition to the significance of raising awareness among users).
We shall recognize the risks involved in exchanging information through various means (such as physical transmission or email) and establish and implement appropriate measures to address them.
To detect unauthorized information-processing activities and for use in taking countermeasures against failure, we shall properly obtain logs of system use, work, and failures, protect the logs from unauthorized access, and retain them for appropriate periods.
To prevent such incidents such as improper acts and errors in operation of important information-processing equipment, we shall establish and implement such measures as division of job responsibilities and segregation of equipment and maintenance of operation procedures.
To maintain system availability and integrity, we shall establish and implement measures such as system capacity management and backing up information assets.
To protect systems from malware (such as malicious code or unauthorized mobile code), we shall firmly establish and implement detection, preventive, and recovery measures (including giving full recognition to the significance of raising awareness among users).
We shall recognize the risks involved in exchanging information through various means (such as physical transmission or email) and establish and implement appropriate measures to address them.
To detect unauthorized information-processing activities and for use in taking countermeasures against failure, we shall properly obtain logs of system use, work, and failures, protect the logs from unauthorized access, and retain them for appropriate periods.
7. System acquisition, development, and maintenance
To prevent information-security incidents caused by improper acts, operational errors, or other causes in the processes of information-system acquisition, development, and maintenance, we shall maintain related environments, formulate related rules, and implement related processes in accordance with response policies.
When installing information systems, we shall ensure that they satisfy information-security requirements.
When using application services via the Internet (e.g. e-commerce), we shall recognize the risks involved and establish appropriate measures.
To prevent information-security incidents caused by improper acts, operational errors, or other causes in the processes of information-system acquisition, development, and maintenance, we shall maintain related environments, formulate related rules, and implement related processes in accordance with response policies.
When installing information systems, we shall ensure that they satisfy information-security requirements.
When using application services via the Internet (e.g. e-commerce), we shall recognize the risks involved and establish appropriate measures.
8. Supplier relationship management (subcontracting and third-party services)
When subcontracting operations or using services provided by third parties, we shall identify information security requirements for the suppliers and obtain their proper agreement thereto in advance , in order to protect information security while also enhancing management efficiency.
We also shall carry out timely monitoring and review of the content of such agreements and revise them as necessary.
When subcontracting operations or using services provided by third parties, we shall identify information security requirements for the suppliers and obtain their proper agreement thereto in advance , in order to protect information security while also enhancing management efficiency.
We also shall carry out timely monitoring and review of the content of such agreements and revise them as necessary.
9. Information-security incident management
To identify any information-security events (namely, incidents and vulnerabilities that could lead to incidents) quickly and swiftly implement appropriate responses to them, we shall make clear and implement procedures for detection of information-security incidents and procedures for corrective and preventive measures to eliminate the true causes of the incidents.
To identify any information-security events (namely, incidents and vulnerabilities that could lead to incidents) quickly and swiftly implement appropriate responses to them, we shall make clear and implement procedures for detection of information-security incidents and procedures for corrective and preventive measures to eliminate the true causes of the incidents.
10. Business continuity management
We shall formulate and maintain a plan for swift resumption and continuation of business activities in the event of any information-security incident or accident having a major impact on business continuity within the scope of the Company's ISMS (business continuity plan).
We shall formulate and maintain a plan for swift resumption and continuation of business activities in the event of any information-security incident or accident having a major impact on business continuity within the scope of the Company's ISMS (business continuity plan).
11. Compliance
To prevent violations of obligations under laws, regulations, rules, or contracts related to information security and various other security violations, we shall identify related matters and implement and maintain measures to address them.
To ensure compliance reliably, we shall implement not only audit activities but also self-inspection on a daily basis and periodic technical inspection.
To prevent violations of obligations under laws, regulations, rules, or contracts related to information security and various other security violations, we shall identify related matters and implement and maintain measures to address them.
To ensure compliance reliably, we shall implement not only audit activities but also self-inspection on a daily basis and periodic technical inspection.
July 1, 2021
CaRepo Corporation
Yoichiro Akasu, Representative Director
CaRepo Corporation
Yoichiro Akasu, Representative Director