INFORMATION SECURITY POLICY
The purpose of this policy is to define the approach and objectives of senior management for preventing violations of law, of legal, regulatory or contractual obligations, and of any security requirements, and to communicate these objectives to all employees and relevant parties.
This policy covers the commercial activities carried out within the Company and the protection of electronic information assets obtained from logistics, storage, accounting, finance, quality assurance, purchasing, human resources, legal, sales, marketing, internal audit and information processing activities related to these transactions, and the information security processes used for the processing, storage, protection, confidentiality and integrity of personal data kept within the company within the scope of the law.
2.1. Internal Scope
Administration, organizational structure, roles and obligations;
2.1.1. Departments within the scope of the Company's Senior Management; Financial and Administrative Affairs, Purchasing, Finance, IT, Corporate Communications and Business Development, Human Resources, Quality, Export, Import, Logistics, Legal, Internal Audit, Sales, Marketing
2.1.2. Roles specified in the General Management Organization Chart and responsibilities in job descriptions.
2.1.3. Policies, procedures, objectives and strategies to be fulfilled;
2.1.3.1. Information Security Management System Policy,
2.1.3.2. All Information Security management systems procedures,
2.1.3.3. Annual Information Security management systems objectives set by management,
2.1.3.4. Capabilities, understood in terms of resources and know-how (e.g. capital, time, people, processes, systems and technologies),
2.1.3.5. Management Representatives and Information Security Management System team appointed by management to establish, operate and maintain the Information Security Management System,
2.1.3.6. Relations with internal stakeholders and their perceptions and values, the culture of the organization, standards, guidelines and models adopted by the organization, and the form and breadth of contractual relationships.
2.2. External Scope
2.2.1. The social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local,
2.2.2. Global Competition Law, Policies and Procedures,
2.2.3. Confidentiality of supplier and customer data,
2.2.4. Quality Orientation,
2.2.5. Relations with stakeholders that have an impact on the organization's objectives and their perceptions and values;
2.2.6. All Company employees, including Senior Management, to ensure customer satisfaction,
2.2.7. All relevant legislation, regulatory, contractual requirements, standards,
2.2.8. Product certifications with TSE and other organizations are external.
3.1. ISMS: Information Security Management System.
3.2. Inventory: All kinds of information assets that are important for the company.
3.3. Senior Management: Top Management of the Company.
3.4. Know-How: The ability to do something.
3.5. Information Security: Information, like all other organizational and business assets, is an asset that has value to a business and therefore needs to be appropriately protected. Within the company, know-how, process, formula, technique and method, customer records, marketing and sales information, personnel information, commercial, industrial and technological information and secrets are considered as CONFIDENTIAL INFORMATION.
3.6. Confidentiality: Restricting the viewing of the content of information to only those persons who are authorized to view the information/data. (Example: Sending encrypted e-mails can prevent unauthorized persons from reading e-mails even if the e-mail is intercepted - Registered electronic mail (REM))
3.7. Integrity: The ability to detect unauthorized or accidental alteration, deletion or addition of information and to guarantee that detectability. (Example: Storing data in a database together with summary information - electronic signature - mobile signature)
3.8. Accessibility/Usability: The readiness of the asset for use whenever it is needed. In other words, the systems should be in a continuously serviceable state and the information in the systems should not be lost and should be continuously accessible. (Example: Use of uninterruptible power supply and redundant power supply in chassis to prevent servers from being affected by power line fluctuations and power outages - UPS). The term "Accessibility" is used in this policy.
3.9. Information Assets: These are the assets owned by the Company that are important for the Company to carry out its activities without interruption. Information assets within the scope of the processes subject to this policy are as follows:
3.9.1. All kinds of information and data presented in paper, electronic, visual or audio media,
3.9.2. All kinds of software and hardware used to access and modify information,
3.9.3. Networks for the transfer of information,
3.9.4. Facilities and special areas,
3.9.5. Departments, units, teams and employees,
3.9.6. Solution partners,
3.9.7. Services or products provided by third parties.
4.1. Management Responsibility
4.1.1. The Company Management undertakes that it will comply with the defined, enacted and implemented Information Security System, allocate the necessary resources for the efficient operation of the system, and ensure that the system is understood by all employees.
4.1.2. During the ISMS installation, the ISMS Management Representative is appointed with a letter of appointment. When necessary, the appointment is made again by the senior management by revising the document.
4.1.3. Managers help personnel at lower levels by assigning responsibility and setting an example in terms of security. The understanding that starts at, and is applied by, the upper levels must extend down to the lowest-level personnel of the company. For this reason, all managers support their employees in complying with written or verbal security instructions and in participating in security activities.
4.1.4. Senior Management creates the budget required for comprehensive information security studies.
4.2. Management Representative Responsibility
4.2.1. Planning the ISMS (Information Security Management System), determining the acceptable risk level, determining the risk assessment methodology,
4.2.2. Providing the necessary resources for supporting and complementary activities in ISMS installation, providing/improving user capabilities and raising awareness, conducting trainings, ensuring communication, providing documentation requirements,
4.2.3. Execution and management of ISMS practices, ensuring continuity of assessments, improvements and risk assessments,
4.2.4. Assessment of ISMS and controls through internal audits, objectives and management review meetings,
4.2.5. Maintaining the existing structure in the ISMS and ensuring continuous improvements.
4.3. Responsibility of ISMS Team Members
4.3.1. Conducting asset inventory and risk analysis studies related to its departments,
4.3.2. Informing the Management Representative to conduct a risk assessment when there is a change in the information assets under its responsibility that may affect information security risks,
4.3.3. Ensuring that department employees work in accordance with policies and procedures,
4.3.4. Raising awareness, ensuring communication and providing documentation requirements within the scope of ISMS related to their departments,
4.3.5. Maintaining the existing structure and ensuring continuous improvements in the ISMS.
4.4. Internal Auditor Responsibility
Responsible for conducting and reporting audit activities in the internal audits assigned in line with the internal audit plan.
4.5. Responsibility of Department Managers
Responsible for the implementation of the Information Security Policy and ensuring that employees comply with the principles, ensuring that third parties are aware of the policy and reporting security breach incidents related to information systems.
4.6. Responsibility of All Employees
4.6.1. Carrying out their activities in accordance with information security objectives, policies and information security management system documents,
4.6.2. Following the information security targets related to their unit and ensuring that the targets are achieved,
4.6.3. Paying attention to and reporting any information security vulnerability observed or suspected in systems or services,
4.6.4. In addition to the service contracts (consultancy, etc.) made with third parties that are not under the responsibility of Purchasing, making a confidentiality agreement and ensuring that information security requirements are met.
4.7. Responsibility of Third Parties
Responsible for knowing and implementing the information security policy and complying with the behaviors determined within the scope of ISMS.
7.1. Company employees and third parties are obliged to know the policies and procedures that detail the information security requirements and rules outlined in this policy, and to carry out their work in accordance with these rules.
7.2. Unless otherwise stated, these rules and policies are essential for the use of all information stored and processed in printed or electronic media and all information systems.
7.3. The Information Security Management System is structured and operated based on the TS ISO/IEC 27001 "Information Technology - Security Techniques - Information Security Management Systems - Requirements" standard.
7.4. The implementation, operation and improvement of the ISMS are carried out with the contribution of the relevant parties. The ISMS Management Representative is responsible for updating the ISMS documents when necessary.
7.5. Information systems and infrastructure provided by the Company to employees or third parties and all kinds of information, documents and products produced using these systems belong to the company, unless there are legal provisions or contracts requiring otherwise.
7.6. Confidentiality agreements are made with employees, consultancy and service providers (security, service, catering, cleaning company, etc.), suppliers and interns.
7.7. Information security controls to be applied in recruitment, job change and resignation processes are determined and implemented.
7.8. Trainings that will increase employees' awareness of information security and enable them to contribute to the functioning of the system are regularly provided to existing company employees and newly recruited employees.
7.9. All actual or suspected violations of information security are reported; nonconformities that cause violations are identified, the main causes are found and measures are taken to prevent recurrence.
7.10. Inventory of information assets is created in line with information security management needs and asset ownership is assigned.
7.11. Corporate data are classified and the security needs and usage rules for each class of data are determined.
7.12. Physical security controls are applied in line with the needs of assets stored in secure areas.
7.13. Necessary controls and policies are developed and implemented for the company's information assets against physical threats that they may be exposed to inside and outside the company.
7.14. Procedures and instructions regarding capacity management, relations with third parties, backup, system acceptance and other security processes are developed and implemented.
7.15. Audit log generation configurations for network devices, operating systems, servers and applications are set in line with the security needs of the relevant systems. Audit logs are protected against unauthorized access.
7.16. Access rights are assigned as needed. The most secure technology and techniques possible are used for access control.
7.17. Security requirements are determined in system procurement and development, and it is checked whether the security requirements are met during system acceptance or testing.
7.18. Continuity plans for critical infrastructure are prepared, maintained and exercised.
7.19. The processes required for compliance with laws, internal policies and procedures, and technical security standards are designed, and compliance assurance is ensured through continuous and periodic surveillance and audit activities.