Group Information Security
Based on our Group management philosophy, “Act with integrity and Contribute to society through technology and engineering,” the Group adopts this Basic Policy for Group Information Security.
The Group recognizes that information assets used in the course of its business are essential to its operations and to the trust placed in it by society, customers, business partners, shareholders, officers, employees, and other stakeholders. The Group therefore commits to taking appropriate measures to ensure the security, safety, reliability, and proper management of such information assets and to maintaining a strong and effective information security framework across the Group.
In accordance with this philosophy and this basic policy, the Group declares that it will observe the following principles.
1. Information Security Governance
The Group will establish and maintain an appropriate governance structure for information security under its overall risk management framework.
The Group will assign clear roles and responsibilities for information security, promote coordination among relevant functions, and support effective oversight, reporting, and decision-making in relation to information security risks and measures throughout the Group.
2. Protection and Management of Information Assets
The Group will take appropriate measures to protect and manage each information asset handled in the course of its business, taking into account the nature, importance, sensitivity, and risk associated with that information asset.
Such measures may include controls relating to access management, confidentiality, integrity, availability, system security, storage, transmission, retention, and secure disposal, as appropriate.
3. Responsibilities of Officers, Employees, and Other Personnel
All officers, employees, temporary staff, secondees, contractors, and other personnel engaged in the business of the Group who handle information assets must recognize the importance of information security.
Such personnel must comply with this Policy and with related internal rules, standards, and procedures established under this Policy, and must handle information assets appropriately and responsibly in the course of their work.
4. Protection of Entrusted and Confidential Information
The Group recognizes the particular importance of information assets entrusted to it by customers, business partners, and other third parties.
The Group will use such entrusted information only for proper business purposes and will implement appropriate safeguards to protect it from unauthorized access, use, disclosure, alteration, loss, or other compromise.
5. Compliance with Laws, Regulations, and Contractual Obligations
The Group will comply with applicable laws, regulations, standards, and contractual obligations relating to information security, cybersecurity, privacy, confidentiality, records management, and protection of information assets.
Where local laws or regulations impose additional requirements, the relevant Group entity will implement measures necessary to comply with those requirements.
6. Incident Prevention and Response
The Group will work to prevent information security incidents through appropriate organizational, physical, and technical measures.
If an information security incident or suspected incident occurs, the Group will take appropriate steps to identify, report, assess, contain, investigate, remediate, and document the matter in accordance with applicable internal procedures and legal requirements.
7. Education, Awareness, and Continuous Improvement
The Group will promote information security awareness and provide appropriate education and training to relevant personnel.
The Group will also maintain and continuously improve its information security management framework in order to respond to changes in business activities, technology, legal requirements, and emerging threats to information assets.
8. Review and Implementation
The Group will implement this Policy through more detailed rules, standards, and procedures as necessary.
This Policy will be reviewed periodically and updated as appropriate to ensure its continued effectiveness and alignment with the Group’s business, risk environment, and applicable requirements.
Effective Date: 4th November 2025
Approved by: President Director