Basic Information Security Policy

Date of establishment: October 1, 2008
Last revised date: June 29, 2023
President and CEO: Noguchi, Ryo

1. Declaration

JMDC Inc. and its subsidiaries (hereinafter “the Group”) aim to realize a healthy society through their medical data and analysis capabilities. Therefore, the Group has established a Basic Information Security Policy (hereinafter “this Policy”) and has declared that this Policy will be implemented and promoted.

2. Scope of Application

This Policy covers information related to all business activities under the management of the Group (including personal information).

3. Action Items

  • (1) Under the supervision of the CISO (Chief Information Security Officer), an information security management system that takes cyber-attacks into consideration shall be established for all information assets within the scope of application, in order to prevent unauthorized access to, and loss, alteration and leakage of, information and to minimize damage. Security measures shall be implemented, operated, monitored, reviewed, maintained and improved.
  • (2) Information assets shall be handled in accordance with relevant laws and regulations and contractual requirements.
  • (3) Preventive and recovery procedures shall be formulated and regularly reviewed so that business activities will not be interrupted by a serious failure or disaster.
  • (4) Information security education and training shall be regularly conducted for all applicable employees.
  • (5) Contractors and other suppliers who handle confidential information shall also be required to ensure appropriate information security and shall strive to protect information throughout the supply chain.

4. Liability, Obligations, and Penalties

  • (1) Responsibility for information security rests with the President. Therefore, the President shall provide the resources required by applicable staff.
  • (2) Applicable staff shall be obliged to protect customer information.
  • (3) Applicable staff must follow the procedures established to maintain this Policy.
  • (4) Applicable staff shall be responsible for reporting incidents and weaknesses in information security.
  • (5) In the event that applicable staff commit any act that jeopardizes the protection of not only customer information but also the information assets to be handled, they shall be treated in accordance with the Employee Employment Rules.

5. Evaluation of Implementation Status and Continuous Improvement

In order to confirm that this Policy and the information security regulations are being observed, the Group shall periodically evaluate the implementation status of information security measures and make continuous improvements.