Basic Information Security Policy
Date of establishment October 1, 2008
Last revised date July 1, 2019
President and CEO Matsushima Yosuke
JMDC Inc. and its subsidiaries (hereinafter “the Group”) aim to realize a healthy society through its medical data and analysis capabilities. Therefore, the Group has established a Basic Information Security Policy (hereinafter, “this Policy”) and declared that it will be implemented and promoted.
2. Scope of Application
This Policy covers information related to all business activities under the management of the Group (including personal information).
3. Action Items
- (1) Establish, implement, operate, monitor, review, maintain, and improve an information security management system to protect all information assets in the scope from threats.
- (2) Information assets shall be handled in accordance with relevant laws and regulations and contractual requirements.
- (3) Preventive and recovery procedures shall be formulated and regularly reviewed so that business activities will not be interrupted by a serious failure or disaster.
- (4) Information security education and training shall be regularly conducted for all applicable employees.
4. Liability, Obligations, and Penalties
- (1) Responsibility for information security rests with the President. Therefore, the President shall provide the resources required by applicable staff.
- (2) Applicable staff shall be obliged to protect customer information.
- (3) Applicable staff must follow the procedures established to maintain this Policy.
- (4) Applicable staff shall be responsible for reporting incidents and weaknesses in information security.
- (5) In the event that applicable staff commit any act that jeopardizes the protection of not only customer information but also the information assets to be handled, they shall be treated in accordance with the Employee Employment Rules.
5. Evaluation of Implementation Status and Continuous Improvement
In order to confirm that this Policy and the information security regulations are being observed, the Group shall periodically evaluate the implementation status of information security measures and make continuous improvements.