Group Common Information Security Policy

Enacted: March 14, 2024
Implemented: April 16, 2024


Our group and its affiliates deeply recognize that it is a significant social responsibility to protect our information assets from potential severe threats and to implement reasonable information security measures necessary to ensure the continuity and stability of our business operations. The following basic policy on information security is established to achieve this.

Note: The “Group” refers to Change Holdings Corporation and its consolidated subsidiaries, excluding investment limited partnerships, special purpose entities, general incorporated associations, listed subsidiaries, and their subsidiaries.

Definition of Information Security

– Confidentiality: Ensuring that only authorized individuals can access information assets.
– Integrity: Maintaining the accuracy and completeness of information assets and their processing methods.
– Availability: Ensuring that necessary information assets can be accessed when needed.

Information Security Objectives

1. To ensure the confidentiality of information assets and prevent their disclosure.
2. To ensure the integrity of information assets and prevent their alteration.
3. To ensure the availability of information assets and maintain them in a usable state when needed.
4. To minimize damage and implement preventive measures against recurrence in the event of an information security incident.

Scope of Application

Our group and its affiliates manage all information assets they own in accordance with this policy.
Officers and employees of the group must understand and comply with this policy and related regulations. When group tasks are outsourced, contracts are made to ensure that the outsourced tasks comply with this policy.

Information Security Framework

For the following companies within our group and its affiliates, an “Information Security Manager” is appointed to be responsible for information security. Moreover, Change Holdings Corporation establishes an “Information Security Committee” to implement information security measures.

– Change Holdings Corporation
– Change Corporation
– Trust Bank Corporation
– GovMates Corporation

Implementation of Information Security Risk Assessment

Our group and its affiliates establish and maintain an information security management system in alignment with the organization’s strategic risk management. They also perform risk assessments related to the confidentiality, integrity, and availability of information assets, the threats to these assets, and vulnerabilities in information security, implementing appropriate risk mitigation measures for high risks.

Compliance with Laws and Regulations Related to Information Security

Officers and employees of our group must comply with laws and guidelines related to information security, such as copyright law, the law prohibiting unauthorized access, and personal data protection law.

Information Security Education

Our group and its affiliates ensure the thorough dissemination of this policy to their officers, employees, and outsourced entities, and continuously conduct necessary training to maintain information security.

Ensuring Business Continuity

In case of business interruptions due to disasters or malfunctions, our group and its affiliates take necessary measures to minimize damage and ensure business continuity.

Continuous Improvement of Information Security

Our group and its affiliates conduct regular or as-needed internal audits to check if information security is maintained. They also review changes to information systems, new threats to information security, and other environmental changes in a timely manner to continuously improve information security.

Disciplinary Actions for Violations

Officers or employees who violate this policy or related regulations are subject to disciplinary actions as defined by the regulations of our group or its affiliates.

Date: May 1, 2024
Company: Orb Inc.
CEO: Masahiro Okabe