1. Information Security Declaration
As an outsourcing service provider, Bewith, Inc. ("the Company") not only manages its own information assets, but also handles numerous information assets entrusted by its clients, while acquiring additional information assets as part of its daily business operations. Safeguarding these critical information assets is indispensable for earning clients' trust and maintaining the Company's competitive edge.
This Security Policy outlines the basic policies of the Company's measures to protect information assets. While security measures encompass technical solutions, the most crucial element is the awareness and responsibility of each employee handling information assets. The Company hereby declares that all employees*, fully understand the intent of this policy and commit to taking appropriate actions to prevent unauthorized disclosure or leakage of information assets.
President, Representative Director, and Chairman of the Security Committee
Kenji Iijima
Established on December 27, 2003
Updated March 1, 2025
-
*Includes officers and full-time and fixed-term employees, as well as temporary staff from external agencies.
2. Security Policy
2.1. Objectives and policies
The Company recognizes the impact of security on decision-making, business continuity, cost reduction, management efficiency, and the utilization of information assets. As a basic policy, it is committed to implementing appropriate security measures for both its information assets and those entrusted to the Company by clients.
Following this basic policy, the Company will define the scope of information assets, establish the organization responsible for implementing measures, and clarify the roles and responsibilities of officers and employees. Additionally, to promote and oversee security measures across the Company, it has established and operates an information security management system (ISMS) and a personal information protection management system (collectively "ISMS"). These systems are regularly reviewed and continuously improved.
2.2. Compliance with laws, regulations, etc.
By operating the ISMS established under this policy, the Company will ensure compliance with laws, regulations, national guidelines, other norms, and internal rules, as well as contractual obligations and the requirements of information security-related standards for which it has obtained certification.
2.3. Scope of application and target audience
This policy applies to all information assets held by the Company and all employees responsible for handling such assets.
2.4. Obligations of all employees
All employees must comply with this policy and other relevant internal regulations to protect all information assets under their management. They must actively prevent the loss, theft, unauthorized use, or accidental leakage of information assets.
In addition to ensuring compliance with the rules, the Company will establish the necessary systems and document procedures to ensure that all employees act appropriately in their daily operations to maintain information security and respond effectively during emergencies.
When outsourcing business to external vendors, the Company requires them to implement security measures at the same level as those outlined in this policy, ensuring proper management and handling of its own information assets and those of its clients.
Employees dispatched by the Company to external workplaces shall adhere to the security policies of their respective workplaces.
2.5. Information security management structure
The Company has established a Security Committee to advance the protection of our information assets, including those entrusted to it by clients.
The Committee, comprising the director responsible for company-wide security management and representatives from each department, develops security standards (security guidelines) in line with this policy, leads the implementation of information asset protection measures, and assesses their effectiveness.
The Company regularly and swiftly reviews this policy and the security standards to address changes in technological, societal, and legal environments, as well as newly identified business risks, taking appropriate actions as needed.
The Company has established a Security Management Department to act as the secretariat for this Committee. The Security Management Department advances company-wide protection measures as instructed by the Committee, supports the implementation of these measures in each department, and conducts awareness and training activities for all employees.
2.6. Categorization and management of information assets
The Company classifies information assets based on confidentiality, integrity, and availability, identifying the owner and manager of each asset to ensure proper management.
2.7. Systematic approach to risk assessment
Aligned with the ISMS framework, the Company has established risk evaluation criteria for information assets and systematically assesses the risks associated with each asset.
2.8. Identification of risks and application of control measures
Based on the results of systematic risk assessments, the Company implements appropriate control measures tailored to the nature and severity of each risk to ensure and maintain information security to the greatest extent possible. The specific control measures applied are defined in the Declaration of Application.
2.9. Education and training
To maintain the level of information security competence required for each position, the Company regularly conducts necessary education and training for all employees. This ensures understanding and compliance with this policy while fostering greater information security awareness.
2.10. Auditing and evaluation
The Company regularly performs ISMS audits and assessments and takes action to improve based on the results to further strengthen security measures.
2.11. Effective date
This policy is effective as of March 1, 2025.