Based on its Ethics Charter and Action Guidelines and its “Happy, Enjoyable, Fun” Management Philosophy, NIRAKU CORPORATION (“NIRAKU”), as a company that is widely trusted by the public, has formulated the “Basic Policy on Information Security” with the aim of appropriately using and managing the information resources utilized in its business activities, including work-related information in custody.
Going forward, in compliance with this “Basic Policy on Information Security” and NIRAKU’s separately established “Basic Policy on Protection of Personal Information,” it will strive to establish an advanced information security management system, and will take systematic, prompt and appropriate security measures.

1. Protection of Information Resources
   NIRAKU manages its information resources and information security appropriately. It strives to protect confidential information by deepening the understanding of all its employees, including officers, of the importance and responsibility of information security, and developing its systems to continue the appropriate management of information, while preventing leakage, falsifying or theft of information, as well as loss of public credibility and interruption of services.
2. Scope of Application
   NIRAKU applies this policy to all information resources held and to all employees and related persons who utilize such information resources. In addition, NIRAKU requires persons outside the Company to whom services are outsourced to maintain the same level of security as required by this policy, and to give contractual guarantees that they will do so. It also carries out continuous review and monitoring of the parties to the agreements.
3. Compliance with Rules, Laws and Regulations
   NIRAKU has developed internal rules in relation to information security, and all NIRAKU employees, including officers, comply with the requirements of rules, laws and regulations related to information security.
4. Development of Information Security Management System
   NIRAKU accurately recognize the state of its information security on a company-wide level. To allow it to carry out necessary measures promptly, it has appointed a person responsible for information security, and it engages in proactive activities through its crisis management committee to prevent the proliferation of information risks.
5. Improvement of Information Security Utilization Capacity (Literacy)
   In order to be able to perform duties with awareness of the importance and responsibility of information management, all employees regularly undertake education and training in relation to necessary information security, depending on their duties, and strive to improve their capacity to utilize information security (literacy). Furthermore, as for the information acquired under non-disclosure agreements or the like, NIRAKU carries out thorough guidance and management of employees to provide appropriate management of the information with strict observance to the agreement.
6. Monitoring
   NIRAKU undertakes continuous monitoring in all its business units to determine whether information security is being applied appropriately in accordance with the policies determined by it.
7. Response to Disasters and Disturbances
   To ensure business continuity, NIRAKU has stipulated countermeasures in preparation for occurrence of disasters or serious disturbances, etc., and has drawn up company-wide and dedicated information resources business continuity plans, and implements regular testing and continual revision of the plans.
8. Response to Breaches of Information Security
   If an incident of breach of information security occurs, to keep the extent of its impact to a minimum, NIRAKU will rapidly and smoothly implement the necessary measures including liaison with relevant persons, preservation of evidence, prevention of expansion of damage, and restoration. At the same time, it will also take measures to avoid a recurrence.
9. Continual Improvements
   NIRAKU responds to changes affecting the risk assessment of information resources handled by it, and continually reviews and endeavours to improve this policy and information security management systems.
10. Penalties
    In the event of conduct in violation of provisions of laws and regulations, relevant rules, this policy or the like that are required to be observed, strict action will be taken based on the disciplinary provisions specified in the rules of employment.