Information Security Policy
Nisso Group Basic Policy on Information Security
NISSO HOLDINGS (hereinafter, the "Company") recognizes that information handled through its business activities is one of its important management assets, and positions ensuring information security as both a corporate social responsibility and an essential element for sustainable growth and maintaining and enhancing corporate value.
Based on the following fundamental principles, the Company is committed to ensuring information security company-wide through the efforts of its officers, employees, dispatched staff, and outsourced personnel engaged in the Company's business operations, etc. (hereinafter, collectively referred to as "employees, etc.").
1.Purpose and Positioning
The Company has established this Basic Policy with the aim of appropriately and securely protecting information entrusted to it by its clients, business partners, shareholders, employees, etc., and other stakeholders, as well as information created in the course of the Company's business activities, and reducing risks such as unauthorized use, leakage, falsification, loss, or unavailability.
This Basic Policy is the highest-level basic policy regarding information security within the Company; the specific rules and operational procedures shall be delegated to the separately established Information Security Regulations and related rules, standards, and procedures.
The regulations are broadly divided into those "for all employees, etc." and those "for IT system administrators."
2.Basic View
1.Viewing information as a management asset
The Company views information not merely as business data, but as important management assets that support management decisions, competitiveness, and social credibility.
2.Security management covering all types of information
The Company recognizes that information security is not an issue limited to information systems and IT infrastructure, but rather an issue that concerns all types of information, including paper media, business processes, and human actions/behavior, as well as information systems and cloud services.
3.Ensuring confidentiality, integrity, and availability
The Company's fundamental principle is to ensure the confidentiality, integrity, and availability of information assets, and to implement appropriate preventive and management measures, as well as corrective actions, in accordance with the importance of information and the degree of risk involved.
3.Basic Views on the Use of AI Products and the Information Handled
1.Purpose
・AI products are used to improve productivity, reduce workloads, and support decision-making.
・Important decision-making, product creation, automated processing, autonomous processing, or information utilization will not be performed without human judgment.
2.Location of responsibility
・Legal and ethical responsibility for final decisions regarding operations made using AI, as well as for the results of such decisions, including products, usage information, automated processing, autonomous processing, etc., shall be borne by the division responsible for the relevant operations, not by AI itself.
4.Management Structure
The Company will establish a management structure based on clearly defined roles and responsibilities in order to promote information security company-wide.
•The Company has appointed a person in charge of overseeing information security and implements company-wide controls with the involvement of management.
•Taking into account the differences in management methods and characteristics, such as information managed through information systems and information managed through paper media and business processes, the Company will assign appropriate roles accordingly and manage them in an integrated manner.
•Officers and employees, etc., recognize that information security is not the responsibility of a specific division alone, but a company-wide responsibility, and will fulfill their responsibilities according to their respective duties.
5.Management of Outsourcing Contractors
When outsourcing operations, the Company will conduct appropriate selection, contracting, and supervision, taking into account the importance of the information handled by the outsourcing contractors and the associated risks.
The Company will clarify the obligations of its outsourcing contractors regarding information security and the protection of personal information through contracts and other means, and will conduct necessary and reasonable management and supervision.
In addition, in order to reduce the risk of information leakage, etc., through outsourcing contractors, the Company will strive for continuous verification and review.
6.Auditing System
In order to ensure that policies, rules and regulations related to information security are properly established and implemented, the Company will establish an independent oversight and auditing system.
The Internal Auditing Division, based on its role, regularly reviews and evaluates the status of information security management and promotes necessary improvements.
In addition, the relevant division will consider countermeasures for threats and vulnerabilities discovered through audits and other means, and will implement appropriate measures.
7.Compliance with Laws and Regulations
The Company will comply with relevant laws and regulations, public guidelines, industry guidelines, and social norms regarding information security and the handling of information.
The Company will appropriately comply with laws and regulations regarding the generation, use, storage, and provision of information, including the Act on the Protection of Personal Information, laws and regulations regarding intellectual property rights, and the Unfair Competition Prevention Act.
8.Education, Accident Response, and Continuous Improvement
1.Education and awareness
The Company will provide continuous education and awareness activities to officers and employees to ensure they understand the importance of information security and personal information protection.
2.Response to accidents and problems
In the event of an information security incident or a problem related to personal information, the Company will prioritize preventing further damage and ensuring a swift recovery, and will respond promptly and appropriately in accordance with relevant laws and regulations and internal (company) regulations.
3.Continuous improvement
The Company will regularly inspect and evaluate its management structure, regulations, and operational status of information security and personal information protection, and strive for continuous improvement.
9.Application and Review
This Basic Policy applies to all officers and employees, etc., of the Company.
The Company will review this Basic Policy as necessary in light of changes in its business operations, information technology, laws and regulations, etc.
Date of Enactment: (June 1, 2026)
Ryuichi Shimizu
Representative Director, President & Executive Officer
NISSO HOLDINGS Co., Ltd.
※This Basic Policy serves as the common basic policy for the Nisso Group.