Lawson, Inc. (hereafter, the “Company”) handles important information assets such as various trade secrets and personal information when conducting the Company’s business. These information assets are appropriately protected from all accidental or deliberate threats arising both within and outside the Company, and an Information Security Policy is established as follows with the aim of providing services to customers and operating our business in a continuous and reliable manner.
1. Basic principle
This Information Security Policy (hereafter, this “Policy”) stipulates the basic policy for information security management at the Company, and all measures concerning information security are implemented in accordance with this Policy. Personnel who handle information assets are aware of the importance of information security and are required to comply with this Policy. In addition, matters concerning the implementation of this Policy are stipulated separately in documentation such as internal regulations.
2. Applicable scope
This Policy applies to all information assets handled as part of the Company’s operations and the equipment used to protect the information assets. It also applies to all personnel who handle the information assets (such as company directors and employees, franchise stores and crew members, temporary staff members and subcontractors). Information assets refers to all information, including trade secrets and personal information, handled by the Company. Information assets are not just information from within the Company; they also include information obtained from outside the Company, such as from customers and suppliers. This information can be in the form of electronic records stored on devices such as a computer, or printed on paper forms and media such as documented information.
3. Basic policy
3.1 Protection of information assets
The Company takes measures, based on the unique characteristics of each information asset, to prevent unauthorized use (such as illegal access and insider trading) as well as disclosure, loss, destruction and tampering of information assets with regard to their collection, use and provision.
3.2 Classification and management of information assets
3.3 Management of access rights
The Company manages information assets to ensure that only personnel who have a legitimate business need to handle such assets can access the information. The Company takes measures to eliminate any risk of information assets being accessed illegally and without permission, while taking appropriate control countermeasures such as limiting access to and keeping access logs for such assets.
3.4 Physical security protection measures
The Company provides appropriate protection for offices and their equipment, facilities and equipment where information assets are handled, and network devices as well as other equipment to ensure that information assets are not exposed to risks such as illegal access, disclosure, destruction or tampering.
3.5 Legal compliance
The Company identifies applicable laws, such as the Act on the Protection of Personal Information and the Unfair Competition Prevention Act, in order to comply with legal requirements when handling information assets.
3.6 Response to information security incidents and accidents
The Company strives to prevent accidents and to establish response procedures and systems for the event of their occurrence. In the event of an information security incident or accident, the Company takes appropriate action immediately to minimize the damage and prevent recurrence, and works hard to coordinate countermeasures so that business activities can continue.
3.7 Disciplinary action
The Company will take a firm stance, such as disciplinary action and legal action, against wrongful acts both within and outside the Company that threaten information security.
4. Promotion system
The Company has appointed personnel in charge of assessing and responding to information security risks in each department and company under the supervision of the Chief Compliance and Risk Officer (CRO). The Company also provides supervisory management for the systems that establish, operate and manage information security across the entire company through a supervisory committee, with support from the departments that supervise risk management and the departments that are primarily responsible for system security.
5. Training
The Company implements appropriate training concerning information security countermeasures for company directors, employees and franchise stores.
Temporary staff members and subcontractors are required to undergo thorough training as part of their contract.
6. Continuous improvement
The Company evaluates and reviews the status of establishing, operating and managing information security, regularly or whenever necessary, by means such as inspections and audits, to achieve continuous improvement.
Created: January 1, 2004 (as internal regulations)
Revised: March 1, 2024