1 Objective

BBF Inc. (hereinafter referred to as “Our company”) answers to diversified customer needs by appropriately incorporating the latest information and communication technologies such as the Internet into the business in the mail order industry.
Our company recognizes the the importance of personal information management in the information and communications business. Based on the lessons learned from the recent occurrence of incidents involving personal information, to prevent information security incidents, security policy is defined and operated as follows for building an environment and system for information security in order to earn trust from our customers and stakeholders as well as minimize business loss.

2 Definition of information security

Information security refers to ensuring and maintaining confidentiality, integrity, and availability.
(1) Confidentiality: Property that makes information unusable or private to unauthorized individuals, entities (organizations, etc.) or processes. (Protects information from leakage and unauthorized access)
(2) Integrity: Property that protects the accuracy and completeness of assets. (Protects information from tampering and mistakes)
(3) Availability: Property allowing access and usage when requested by an authorized entity (such as an organization). (Protects against loss or damage of information or system shutdown)

3 Scope of application

[Organization]: BBF Inc. EC division
[Facility]: Uchisaiwai-cho Tokyu Bldg.7F, 1-3-2, Uchisaiwai-cho,
Chiyoda-ku, Tokyo 100-0011 Japan
[Target]: All employees in the EC division
[Business]: Planning, construction, and operation of mail-order sales of fashion lifestyle related products using the Internet, mobile phones, etc.
[Assets]: The above business, documents related to service, data, information system

4 Matters to be executed

(1) In order to protect all information assets in the scope from their external and internal issues and protect them from threats (leakage, unauthorized access, tampering, loss, damage), the information security management system shall be based on the risk management process for establishment, implementation, operation, monitoring, revision, maintenance and continuous improvement.
(2) The handling of information assets shall comply with the relevant laws and contract requirements.
(3) Preventive and recovery procedures shall be established and regularly reviewed so that business activities will not be interrupted by a serious failure or disaster.
(4) Information security education and training shall be regularly conducted for all applicable employees.

5 Liability, obligations and penalties

(1) The CEO is responsible for information security. For this reason, the CEO shall provide the resources necessary for the applicable staff to establish, implement, operate, monitor, review, maintain and continuously improve information security.
(2) Staff in scope shall be fully aware of the purpose of the security policy and comply with the procedures established to maintain information security.
(3) Staff in scope shall recognize that they are responsible for protecting information assets important to our company.
(4) Staff in scope shall provide service and contribute positively to the improvement of information security performance and the effectiveness of ISMS in order to effectively manage information security.
(5) Staff in scope shall take responsibility and have the obligation to promptly report incidents and weaknesses in information security.
(6) In the event that the staff in scope commits any act that jeopardizes the protection of not only customer information but also the information assets handled, the staff shall be strictly disciplined in accordance to the employee employment regulations.

6 Periodic revision

Revision to information security management system should be executed periodically in accordance to environment changes.

January 5, 2016
Jun Tamura