Information Security Policy
The policy aims to:
Safeguard company intellectual property (e.g., game source code, designs, algorithms), player data (e.g., accounts, behavioral analytics, payment information), and business operations from unauthorized access, disclosure, alteration, or destruction.
Ensure business continuity for mini-game development, publishing, and live services in a fast-paced, cloud-based environment.
Minimize risks from cyber threats, data breaches, service disruptions, or compliance failures.
Comply with applicable laws and regulations, international standards, and industry expectations for gaming/software companies.
Foster a security-aware culture across all employees, contractors, and partners.
This policy applies to:
All information assets owned, managed, or processed by the Company, including digital (source code, databases, cloud infrastructure) and non-digital (documents, intellectual property).
All locations and environments: office, remote work, cloud platforms (e.g., AWS/GCP/Azure), development workstations, CI/CD pipelines, game servers, backend services, and third-party tools.
All personnel: employees, contractors, temporary staff, management, and third parties with access to Company information.
All processes: game development (Unity/Unreal), publishing, player data handling, monetization, analytics, and administrative functions.
Exclusions: Player client-side devices are out of scope (client updates are delivered via app stores/auto-updates); the Company nevertheless monitors and mitigates risks originating from the client side where feasible.
We will:
Identify, assess, and treat information security risks on an ongoing basis.
Implement appropriate controls to protect assets commensurate with their value and risk level.
Ensure compliance with legal, regulatory, contractual, and internal requirements.
Provide resources, training, and awareness programs to enable secure behaviors.
Promote accountability at all levels, with consequences for non-compliance.
Continually monitor, measure, and improve security performance.
Security principles:
Confidentiality: Information is accessible only to authorized individuals (e.g., protect unreleased game IP and player PII).
Integrity: Information remains accurate and complete (e.g., prevent tampering with game data or monetization flows).
Availability: Information and services are accessible when needed (e.g., maintain uptime for live mini-games).
Security objectives (reviewed annually):
Achieve zero critical data breaches involving player personal information.
Maintain 99.9% availability for production game services (99.9% allows roughly 43 minutes of downtime in a 30-day month).
Ensure 100% of new code/features undergo security review prior to release.
Train 100% of staff annually on security awareness.
Roles and responsibilities:
Senior Management / Board: Demonstrate leadership; approve policy and ISMS; allocate resources; review performance via management reviews.
CISO / Security Lead (or designated role): Own ISMS implementation; conduct risk assessments; coordinate controls; report to management.
Department Heads / Team Leads: Ensure team compliance; integrate security into workflows (e.g., secure coding in development).
All Employees & Contractors: Follow policies/procedures; report incidents/suspicions promptly; complete mandatory training.
Third Parties / Vendors: Comply with contractual security requirements; subject to due diligence and monitoring.
The ISMS covers the following control areas:
Risk assessment and treatment (ISO/IEC 27001 Clause 6).
Asset management and classification.
Access control (least privilege, MFA).
Cryptography (encryption in transit/at rest).
Physical and environmental security.
Operations security (patch/vulnerability management, logging).
Communications security (network segmentation, secure APIs).
System acquisition, development, and maintenance (secure SDLC).
Supplier relationships.
Incident management and business continuity.
Compliance and internal audits.
Specific topic policies (e.g., Data Protection, Patch Management, Network Security, Vulnerability Management) provide detailed implementation.
Compliance and enforcement:
All personnel must comply with this policy and supporting procedures.
Violations may result in disciplinary action, up to and including termination or legal proceedings.
The Company will conduct regular internal audits, risk reviews, and management reviews.
Breaches involving personal data will be reported to the relevant authorities (e.g., the Personal Information Protection Commission in Japan) as and when applicable law requires, within the statutory deadlines.
Exceptions:
Exceptions require documented justification, risk assessment, compensating controls, and approval by senior management (e.g., CISO/CTO).
Exceptions are time-limited (max 90 days unless renewed) and tracked.
Policy review:
This policy is reviewed at least annually, or following significant changes (e.g., new regulations, major incidents, cloud migrations, business expansion).
Updates are approved by senior management and communicated to all relevant parties.