KOA Group Code of Conduct for Information Security

Information System  

The generic name of a system that provides business related services, including applications and information infrastructures (IT equipment and networks, etc.).  

Information Security (“IS”)  

To protect the Company’s business information and or information systems from theft, loss, leakage, destruction, falsification and the like caused intentionally, by negligence or by natural disaster.  

IS Incidents  

The generic name for events that cause or have caused threats to IS.  

Example Leakage, loss, destruction, theft, computer viruses infection, unauthorized access, unauthorized use, and the like of business information.  

Loss, destruction, or theft of IT equipment not involving any business information shall be treated as property damage.  

Portable Memory  

Portable electromagnetic recording media such as USB memory devices, portable HDDs, printers, MOs, CD-ROMs, DVDs, floppy disks, and the like. Shall include SD card media for mobile phones and digital cameras as well.  

IT Equipment  

Servers, PCs, external HDDs, printers, MO drives, CD-ROM drives, smartphones, tablet devices, digital cameras, and the like, which can input, output, save and or record information.  

Social Media (Social Networking Services)  

Social networking sites such as Twitter, Facebook, and the like, where various information may easily be exchanged between its respective users.  

Taking or carrying out business information outside from the Company is prohibited. If there is a necessity to do so, follow the rules established less than 6 “Taking Out Business Information from the Company.”  

Use of business information for personal reasons shall be prohibited.  

Notwithstanding being employed or retired from the Company, personal use of information known through or from business practices shall be prohibited.  

Business information obtained or prepared shall be, whether personally obtained or prepared, the property of the Company, and its personal use shall be prohibited.  

Personal use of information systems used for business shall be prohibited.  

Use of information systems used for business for Internet shopping, Internet auctions, or posting to websites, whether during business hours or not, shall be prohibited.  

Use of business information, information systems, Internet bulletin boards, and or social media, where such act may violate privacy, cause damage to, or cause loss of trust or credit of the Company or its group of companies, shall be prohibited  

Business information (including pictures and video images) and information pertaining to clients is prohibited to be posted on internet forums or social media etc.  

Use of business information and information systems, where such act may violate ethics, morals or the law, shall be prohibited. Especially, extreme care shall be taken to make sure that personal data is not leaked, and to comply with the personal data protection act and other relevant regulations.  

Segregation Management of Information  

Business information shall have the segregation of information management clearly defined and shall be treated in accordance thereof. Those without clear segregation defined shall be treated as information confidential to external parties.  

Segregation management of information shall be defined by the person responsible for IS.  

Access Rights  

Business information shall be kept and maintained at locations where access is limited to only those related to the information, so that those who do not have authorization to access such information cannot access them, whether intentionally or not.  

For electronic files, access right shall be provided only to those who have authorization. For electronic files that need advanced information management, encryption and password settings shall be required so that such information may be kept secret in case it may be leaked.  

For project site offices and the like, since networks may be shared with joint venture partners or subcontractors, access rights restricting users thereto shall be strictly managed to prevent information from leaking to those not concerned.  

If an employee is relocated or retires, or a part-time employee based on service agreements with external parties or person finish their agreement term, and no longer have necessity to use information systems, their user-rights shall be terminated forthwith.  

Use of Business Information  

Business information whether on portable memory or on paper shall not be neglected or left unmanaged. Especially at locations such as project site offices, information shall be kept in secure locked locations when leaving or parting from them.  

Do not leave portable memory connected to IT equipment.  

Print-outs from printers, copy machines and or fax machines shall not be left printed-out but forthwith picked up.  

Destroying Business Information  

Destroy business information as soon as it becomes no longer necessary appropriately and without delay.  

Portable memory or IT equipment  

If recorded data is no longer necessary, delete such data without delay. If portable memory or IT equipment itself is no longer necessary, remove or return them without delay.  

In addition, if the portable memory cannot be returned, do not reuse but physically destroy and dispose them after retrieving the data inside.  

Paper Information  

Business information deemed to have stricter confidentiality than “Confidential” shall be destroyed by shredding or having it destroyed by a secure waste-disposal company. If a vendor shall be appointed due the quantity being large, enter into an agreement with such an external party, which guarantees non-leakage of information and to destroy such paper information by shredding or dissolution, so that such paper information can no longer be read.  

Information obtained from clients shall be destroyed or returned in accordance with their instructions.  

If there may be a necessity to carry or take out information, electronic information shall be saved in equipment with security features, and paper information shall be managed and maintained with the segregation of information management clearly defined and marked therein.  

IT Equipment that can be Used  

IT equipment and portable memory approved by the Company may be used, and the use of personal IT equipment and or portable memory shall be prohibited. In the event personal IT equipment and/or portable storage medium is used under unavoidable circumstances, such user shall follow the internal rules that are provided for separately.  

Among portable memory, use of non-security featured devices, such as floppy disks, CD-Rs, MOs, DVDs, and the like shall be prohibited, unless otherwise deemed necessary in executing designated works for the client.  

Introduction, Inventory, and Removal of IT Equipment  

IT equipment or portable memory shall be provided by the Company.  

Inventory of IT equipment shall be periodically spot-checked to catch loss or theft thereof at an early stage, and completely remove those that are no longer necessary.  

Protection of IT Equipment, etc.  

High portability equipment, such as note PCs with business information saved thereon, shall be connected with security wires or placed and kept in locked areas or compartments for which physical security may be obtained (such as locked cabinets, etc.) .  

If IT equipment with business information saved therein shall be taken or carried out, use equipment that encrypts internal data.  

If business information is saved in PCs, security measures shall be taken for them, including desktop computers, such as by connecting and securing them with security wires at head office departments and project site offices to prevent theft.  

When newly procuring PCs, procure PCs which have encrypt data capacities as much as possible whether for use inside the Company or not.  

Do not change settings of IT equipment provided by the Company, other than settings which would strengthen the security thereof (such as password changes, fingerprint authentication, etc.)  

Inserting memory cards (miniSD, microSD, etc.) to tablet devises is prohibited.  

Measures to be Taken when Incidents Occur  

If IT equipment or portable memory with business information saved therein may be lost or stolen, and information has leaked or has a risk of being leaked, such incident shall be treated as an IS incident and measures shall be implemented in accordance with 12 “Measurers to be Taken when Incidents Occur.”  

If the need to take or carry out business information from the Company arises, obtain prior approval from those responsible for IS.  

Example of Carrying Out Business Information  

Presentation and or meetings at client’s office.  

Presenting business data to subcontractors.  

Carrying an emergency contact list for nighttime or weekend troubles.  

Those responsible for IS shall, upon receiving request to take or carry out business information, check the following points and if deemed appropriate, approve such request.  

Purpose  

Necessity  

Non-necessary information for the purpose is not included therein.  

Minimum information will be taken or carried out.  

Period of information being taken or carried out.  

Information taken or carried out shall be returned without delay.  

Location data is taken to.  

Security measures.  

Use IT equipment or portable memory which has security measures incorporated therein to prevent leakage of information.  

If there may be no choice but to use equipment and or devices not described in (a) above, encryption or password protection shall be placed on electronic information which require high level information management.  

sentence.information_security_content-6-3_title  

Beware of theft or loss  

Outside of the Company, business information or IT equipment or portable memory with business information saved therein shall not be separated from the body carelessly. (example: placed on shelves of trains or left in parked cars.)  

If planned to take abroad, check travel advisories of such country to confirm status of its safety prior to leaving, and take ample anti-theft measures in accordance thereof.  

Prevention of unauthorized access  

Electronic files, such as those strictly confidential with information that requires high level information management, shall be encrypted and password protected, and managed strictly.  

Prevention of virus infection  

When connecting USB memories or similar devices with business information saved therein, confirm that the connecting PC has anti-virus protection.  

When connecting IT equipment or portable memory provided by external parties or person to PCs with business information saved therein, confirm that the equipment or memory has anti-virus protection.  

In the event you feel that IT equipment or portable recording medium with business information saved therein may have a risk of being infected by viruses, scan and examine them by using anti-virus software without delay.  

When sending faxes or e-mails, make sure that the numbers and or addresses are correct each time to prevent information leakage.  

Use only e-mail addresses provided by the Company when sending out business information. Use of personal e-mail addresses whether receiving or sending out e-mails is prohibited.  

When sending out business information via e-mail, to protect from the risks of interception and miss sending, send it as attachments with encryption and password protection placed thereto. Keep the e-mail texts business information contents to a minimum.  

Transactions of electronic files using the Internet shall follow rules and steps as defined by the Company. If clients request different procedures, confirm that security for such procedure has been obtained, and also obtain prior approval from the Internet Security Development Team (“ISD Team”).  

When receiving a questionable or strange email, do not open the link or the file attached thereto and destroy the e-mail in its entirety.  

USB memory devices shall be used when carrying out data and shall be initialized before and after use. When saving data to be presented in portable memory, such as USB memory devices manually test them for virus infections by specifying the device to prevent handing over virus to the receiver of information.  

When physically moving paper or portable memory with business information recorded therein, confirm with those in charge of IS, on how to move such information, and choose the most appropriate way. The following shall be ways to physically move information.  

Hand carry  

Send by postal mail or courier service  

Company’s internal courier service (between head office and site office, use of external vendor)  

Although the risk of being sent to wrong addresses are low since it being sent by scheduled delivery by an external vendor, as the carrying bag is a zipper cloth bag, there may be higher risks that the delivery item may be stolen compared to usual courier services, and therefore, is not suitable for strictly confidential information.  

Registered mail  

Delivery route and status is records from the sender to receiver.  

Security Delivery Service  

Delivery service with security strengthened, where the receiver is fixed to one person (no substitutes allowed), and location of delivery can be checked via GPS, and the delivery item is place in a locked security box. Since there are many options and prices depending on its security level, choose the one most appropriate for the purpose.  

Connection to the Company network of IT equipment is prohibited other than those provided and permitted to be used by the Company.  

Renting or joint use of user IDs and passwords provided to each individual is prohibited.  

Authentication information for information system use shall be strictly managed (such as passwords, etc.)  

Use passwords that cannot be easily guessed. Examples of passwords not to be used  

same as user ID  

fewer than 6 characters  

repeatedly used same words  

own name  

Example of Recommended Passwords  

More than eight characters and include letters, numbers and other special characters.  

Do not maintain or place passwords at places easily visible by others.  

Do not let anyone else know your password.  

Change password as soon as you receive the initial password (if system allows such changes. the same shall apply below.)  

Change passwords periodically.  

Do not reuse old passwords.  

If you feel there is a risk that your password has been leaked, change the password without delay.  

Do not automatically save the passwords, but input the password on every occasion.  

When using a PC, be sure to set the PC in such a manner that the locking mechanism activates whenever leaving or parting from the PC.  

Only use software as approved by the Company, and do not use personal software. Obtain prior approval from the ISD Team for usage of freeware. However, the use of the following software shall be prohibited due to potential security risks involved. (Prohibition of the use)  

File sharing software (Gnutella, Winny, Share, etc.)  

Entertainment software (games, etc.)  

Wall paper (especially those with movement)  

Mouse pointers, time showing software.  

Use of software versions where support from vendors thereto has been terminated shall be prohibited, due to security updates for such program no longer being offered toward new threats and vulnerability, and measures toward the same not being available.  

Anti-virus software needs to be consistently running and have virus definition files and security patches updated on a regular basis for PCs and tablet devices, etc. (iOS is not mandatory)  

If you feel something is wrong or abnormal with the PC or tablet device, detach them from the network without delay and consult with those responsible for IS or with the ISD Team.  

Examples of abnormal behaviors  

The usual screen does not come up when starting up  

A strange message appears  

Data is being changed automatically  

Data is being broken  

Cell phones and Smartphones must be strictly managed to prevent theft and loss.  

Do not casually leave them in suit pockets or bags. There have been cases where smartphones have been pick-pocketed from the suit pocket in restaurants and bars when left unattended.  

If possible, hang them from your neck using a strap or use a strap that can be clipped or attached to pockets of suits, such as internal breast pockets.  

Attach accessories such as bells, so that you will notice it if it falls out.  

Take the following measures for cellphones and smartphones to prevent damage from expanding in case of theft or loss.  

Business information saved in its memory, such as SMS, personal e-mail address, data transaction records and or photos, shall be deleted as soon as you finish using them, so that no business information remains in the cellphone or smartphone.  

Concerning the SMS and personal e-mail addresses, do not send or forward them between cellphones (smartphones) and the Company e-mail address.  

Use of memory cards (miniSD, microSD, etc.) shall be prohibited.  

The security lock function shall be activated at all times with a passcode of over 4 digits which is hard to surmise.  

The address book is to be kept at a minimum. Do not enter personal data such as home phone numbers and home addresses even if they are a close associate.  

The cellphone (smartphone) is to be set so that the phone is locked or data wiped if the passcode is mistakenly input a certain number of times.  

For smartphones(and cellphones which may have the function), settings are to be set so that the phone can be located when displaced, and data wiped in case the phone cannot be located.  

For smartphones(and cellphones which may have the function), settings are to be set so that the phone can be located when displaced, and data wiped in case the phone cannot be located.  

In the event of a theft or loss of a cellphone or smartphone, take measures to have the phone locked or data wiped, and contact those responsible for cellphones or the management thereof in your department. If information of clients, neighbors or other parties or person related to business were saved in the cellphone and there may be risks of it being leaked (due to the security lock being switched off, etc.), submit the IS Incident Report (refer to 12. Measurers to be Taken when Incidents Occur, on how to submit the IS incident Report).  

When applicable IDs shall be either worn or carried when inside the facilities. IDs herein shall mean the following:  

ID Cards (Employment Identification, etc.)  

Admission cards or the like provided to external person or parties who visit on a frequent basis.  

Admission cards or the like provided to visitors on each occasion.  

Measures Against Visitors  

Implement measures for visitors based on rules established by each facility.  

For head office  

Forthwith report any knowledge obtained of an IS incident to those responsible for IS.  

If subcontractors (including group companies) have caused the incident, if such incident occurred under your management, your department shall implement the necessary measures.  

Those responsible for IS shall report to the ISD Team.  

Those responsible for IS in the site office shall consult with the ISD Team and implement initial measures and recurrence prevention measures. Depending on necessity, shall report to clients and or internal and or external parties. The ISD Team shall support these measures taken.  

Report Form  

A report form provided by the ISD Team shall be used for reporting. Try to describe as many details that are able to be obtained at that time for tentative reports and the report prior to its final report.  

Individuals who caused the incident shall prepare a detailed report and submit the same to the Information Security Administrator (“ISA”).  

This Policy shall be made effective as of 1 July 2014.  

This Policy has been amended as of 12 March 2018  

This Policy shall be controlled by Kajima Overseas Asia Pte. Ltd., Corporate Administration, Headquarters.