Information Security Policy

Purpose :  The purpose of this policy is to define the approach and targets of top management and to inform all employees and related parties of these targets, in order to prevent breaches of legal, regulatory or contractual obligations and of all other security requirements.

Scope :  This policy covers the protection of electronic information assets obtained from the logistics, storage, accounting, finance, quality assurance, purchasing, human resources, legal, sales, marketing, internal audit and information processing activities related to the Company's commercial activities and transactions. It also covers the information security processes used for the processing, storage, protection, confidentiality and integrity of the personal data the Company keeps within the scope of the law.

Internal Scope
Administration, organizational structure, roles and responsibilities;

  • The departments within the scope of the Company’s Senior Management; Financial and Administrative Affairs, Purchasing, Finance, IT, Corporate Communications and Business Development, Human Resources, Quality, Export, Import, Logistics, Legal, Internal Audit, Sales, Marketing
  • The roles and responsibilities in the job descriptions specified in the General Management Organization Chart.
  • Policies, procedures, objectives and strategies to be implemented;
    • Information Security Management System Policy,
    • All Information Security management systems procedures,
    • Annual Information Security management systems targets determined by the management,
    • Capabilities understood in terms of resources and knowledge (for example, capital, time, people, processes, systems and technologies);
    • Management Representatives and Information Security Management System team appointed by the management for the establishment, operation and maintenance of the Information Security Management System,
    • Relationships with internal stakeholders and their perceptions and values, the culture of the organization, the standards, guidelines and models adopted by the organization, and contractual relationships, including their form and extent.

External Scope

  • The social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local,
  • Global Competition Law, Policies and Procedures,
  • Confidentiality of supplier and customer data,
    • Quality orientation,
  • Relationships with stakeholders and their perceptions and values that have an impact on the organization’s goals;
  • All Company employees, including Senior Management, insofar as they contribute to customer satisfaction,
  • All relevant legal legislation, regulatory, contractual conditions, standards,
  • Product certifications issued by TSE and other organizations.

Definitions

  • ISMS:  Information Security Management System.
  • Inventory:  Any information asset that is important to the firm.
  • Top Management: It is the  Company’s Senior Management.
  • Know-How:  The practical knowledge and ability required to do something.
  • Information Security:  Information, like all other corporate and business assets, is an asset that has value to a business and therefore must be properly protected. Within the company, know-how, process, formula, technique and method, customer records, marketing and sales information, personnel information, commercial, industrial and technological information and secrets are considered CONFIDENTIAL INFORMATION.
  • Confidentiality:  Restricting the viewing of the content of information to those who are authorized to view that information/data. (Example: sending e-mail in encrypted form, so that even if the message is intercepted, unauthorized persons cannot read it; registered electronic mail, KEP.)
  • Integrity:  Ensuring that unauthorized or accidental changes to information (modification, deletion, addition or removal) can be detected. (Example: storing database records together with a hash (digest) of the record; electronic signature; mobile signature.)
  • Accessibility/Usability:  The asset is ready for use whenever it is needed. In other words, the systems are always in a serviceable state, and the information in the systems is not lost and is always accessible. This property is usually called availability; it is referred to as “Accessibility” in this policy. (Example: an uninterruptible power supply (UPS) and redundant power supplies in the server chassis, so that servers are not affected by power line fluctuations and power outages.)
  • Information Asset:  These are the assets owned by the Company, which are important for it to carry out its activities without interruption. Information assets within the scope of the processes subject to this policy are as follows:
    • All kinds of information and data presented in paper, electronic, visual or audio media,
    • All kinds of software and hardware used to access and change information,
    • Networks that enable the transfer of information,
    • Facilities and restricted areas,
    • Divisions, units, teams and employees,
    • Solution partners,
    • Services or products provided by third parties.

Responsibilities  The qualifications and competencies required for each role, together with its responsibilities and authorities, are defined in the job descriptions. The IT Team and the Management Representative are responsible for maintaining and developing information security activities. The ISMS Team and the Management Representatives are appointed by Senior Management. ISMS representatives have been designated for each department within the scope, and ISMS team members are appointed by name.

  • Management Responsibility
    • Company Management undertakes to comply with the Information Security Management System as defined, put into effect and implemented, to allocate the resources necessary for the efficient operation of the system, and to ensure that the system is understood by all employees.
    • During the establishment of the ISMS, the ISMS Management Representative is appointed by an assignment letter. When necessary, the letter is revised by Senior Management and the appointment is renewed.
    • Managers set an example in security matters and assign security responsibilities to the personnel who report to them. The practice that starts at the top must reach the lowest-level personnel of the company. Therefore, all managers support their employees in complying with written or verbal security instructions and in participating in security work.
    • The Senior Management creates the budget needed for information security comprehensive studies.
  • Management Representative Responsibility
    • Planning the ISMS (Information Security Management System), determining the acceptable risk level, determining the risk assessment methodology,
    • Providing the necessary resources for supporting and complementary activities in the establishment of ISMS, providing/improving user capabilities and creating awareness, conducting trainings, providing communication, providing documentation requirements,
    • Execution and management of ISMS applications, ensuring the continuity of evaluations, improvements and risk assessments,
    • Evaluation of internal audits, targets and management review meetings and ISMS and controls,
    • Responsible for maintaining the existing structure and ensuring continuous improvements in ISMS.
  • Responsibility of ISMS Team Members
    • Carrying out asset inventory and risk analysis studies related to its departments,
    • Informing the Management Representative for a risk assessment when there is a change in the information assets under his/her responsibility that will affect the information security risks,
    • Ensuring that department employees work in accordance with policies and procedures,
    • Creating awareness within the scope of ISMS related to departments, ensuring communication, providing documentation requirements,
    • Responsible for maintaining the existing structure and ensuring continuous improvements in ISMS.
  • Internal Auditor Responsibility  Responsible for carrying out and reporting the audit activities assigned to them under the internal audit plan.
  • Responsibility of Department Managers  Responsible for implementing the Information Security Policy, ensuring that employees comply with its principles, ensuring that third parties are aware of the policy, and reporting any security breaches they notice in the information systems.
  • Responsibility of All Employees
    • To carry out its work in accordance with the information security objectives, policies and information security management system documents,
    • To monitor the information security targets of their own unit and ensure that the targets are achieved,
    • Paying attention to and reporting any observed or suspected information security vulnerability in systems or services,
    • To conclude confidentiality agreements, and to ensure that information security requirements are met, for any service agreements (consultancy, etc.) made with third parties that do not fall under the responsibility of Purchasing.
  • Responsibility of Third Parties Responsible  for knowing and implementing the information security policy and complying with the behaviors determined within the scope of ISMS.

Information Security Objectives  The Information Security Policy guides the Company's employees to act in accordance with the Company's security requirements and raises their awareness. Its aims are to ensure that the Company's core and supporting business activities continue with minimum interruption, to protect the Company's credibility and image, and to protect the physical and electronic information assets on which the Company's entire operation depends, so that the commitments made in contracts are honoured. The targets set by Management are monitored at defined intervals and reviewed at the Management Review meetings.

Risk Management Framework  The Company's risk management framework covers the identification, assessment and treatment of information security risks. The Risk Analysis, the Statement of Applicability and the risk treatment plan define how information security risks are controlled. The ISMS Executive and Management Committee is responsible for managing and carrying out the risk treatment plan. All of these activities are described in detail in the asset inventory and risk assessment instruction.

General Principles of Information Security

  • Details of the information security requirements and rules outlined by this policy are set out in the related policies and procedures. Company employees and third parties are obliged to know these policies and procedures and to carry out their work in accordance with them.
  • Unless otherwise stated, these rules and policies must be taken into account for all information stored and processed in printed or electronic media and for the use of all information systems.
  • The Information Security Management System is established and operated on the basis of the TS ISO/IEC 27001 standard (Information technology - Security techniques - Information security management systems - Requirements).
  • The Company implements, operates and improves the ISMS with the contribution of the relevant parties. The ISMS Management Representative is responsible for updating the ISMS documents when necessary.
  • Information systems and infrastructure provided by the company to employees or 3rd parties, and all kinds of information, documents and products produced using these systems belong to the company unless there are provisions of law or contracts that require otherwise.
  • Confidentiality agreements are made with employees, consultancy, service procurement (security, service, catering, cleaning company, etc.), suppliers and interns.
  • Information security controls to be applied in recruitment, job change and dismissal processes are determined and implemented.
  • Trainings that will increase the information security awareness of the employees and enable them to contribute to the operation of the system are given regularly to existing company employees and new employees.
  • All actual or suspected breaches of information security are reported; nonconformities causing violations are detected, main reasons are found and preventive measures are taken to prevent recurrence.
  • An inventory of information assets is created in line with information security management needs and asset ownership is assigned.
  • Institutional data is classified and the security needs and usage rules of the data in each class are determined.
  • Physical security controls are applied in parallel with the needs of the assets stored in secure areas.
  • Necessary controls and policies are developed and implemented for the information assets of the company against the physical threats they may be exposed to inside and outside the company.
  • Procedures and instructions regarding capacity management, relations with third parties, backup, system acceptance and other security processes are developed and implemented.
  • Audit record generation configurations for network devices, operating systems, servers and applications are adjusted in line with the security needs of the relevant systems. It is ensured that audit records are protected against unauthorized access.
  • Access rights are granted on a need-to-know basis, limited to what each role requires. The most secure available technologies and techniques are used for access control.
  • Security requirements are determined in system procurement and development, and it is checked whether security requirements are met during system acceptance or testing.
  • Continuity plans are prepared, maintained and implemented for critical infrastructure.
  • Necessary processes are designed for compliance with laws, internal policies and procedures, technical security standards, and compliance assurance is ensured through continuous and periodic surveillance and audit activities.

Violation of the Policy and Sanctions  In case of non-compliance with the Information Security Policy and Standards, the sanctions of the Disciplinary Directive and Procedure are applied to the employees responsible for the violation. For third parties, the sanctions set out in the relevant articles of their contracts are applied.

Management Review  Management review meetings are organized by the ISMS Quality Management Representative, with the participation of Senior Management and the department managers. These meetings, at which the suitability and effectiveness of the Information Security Management System are evaluated, are held at least once a year.

Updating and Reviewing the Information Security Policy Document  The ISMS Management Representatives are responsible for maintaining and reviewing this policy document. Policies and procedures are reviewed at least annually. They are also reviewed after any change that affects the system structure or the risk assessment; if changes are necessary, they are approved by Senior Management and recorded as a new version. Each revision is published so that all users can access it.
