Basic Policy on Information Security

Xspear Consulting, Inc. (the “Company”) hereby establishes this Basic Policy on Information Security (this “Policy”) to appropriately protect all information assets handled by the Company and to implement sound risk management, thereby fulfilling the trust placed in the Company by its customers and society. (The handling of personal information is separately stipulated in the Personal Information Protection Policy.)
Through the application of this Policy, the Company seeks to ensure information security for its information assets from the perspectives of confidentiality, integrity, and availability.

Implementation of security management measures
(1) Implementation of organizational security management measures

The Company establishes and appropriately operates an organizational structure for implementing security management measures, mechanisms for confirming the status of information asset handling, and an organizational structure for responding to incidents such as information asset leaks.

(2) Implementation of personnel security management measures

The Company appropriately supervises personnel, provides regular education and training on information security, and ensures the proper handling of information assets.

(3) Implementation of physical security management measures

The Company designates and manages areas in which information assets are handled, prevents theft and leakage of information assets, and takes necessary measures—such as deletion—after the handling of such information assets is completed.

(4) Implementation of technical security management measures

The Company restricts access rights to information assets to the necessary and appropriate scope, implements access controls, identifies and authenticates individuals with access rights, and takes thorough measures to prevent unauthorized access from outside the Company, as well as theft and leakage of information assets.

Outsourced management

When outsourcing the handling of information assets to an external organization, the Company endeavors to ensure that the outsourced services maintain an information security level equivalent to that of the Company. The Company also establishes evaluation criteria, evaluates the subcontractor, and implements appropriate measures based on the results of such evaluations.

Business continuity

The Company establishes a business continuity framework, protects information assets from system failures and disasters, and implements the necessary measures to promptly resume business operations so as to prevent prolonged interruptions to the Company’s business activities.

Analysis, evaluation, assessment, and improvement

The Company conducts risk assessments of its information assets from the perspectives of confidentiality, integrity, and availability, regularly evaluates risks based on the status of controls against threats and vulnerabilities, and implements appropriate measures based on such assessments.
The Company also regularly audits and reviews the development and operation of relevant rules and management frameworks, and continuously improves them to maintain and enhance the reliability and security of its information assets.

Compliance

The Company complies with laws and regulations, standards, governmental guidelines, internal rules, and contracts related to information security.