
Information and Cyber Security Policy

Information Security Policy

The fundamental rules that must be followed to ensure the confidentiality, integrity, and availability of our information assets are defined below. Additional compliance rules are set out in the sub-policies and procedures established within the scope of the ISMS (Information Security Management System).

General Principles

a. The details of the information security requirements and rules outlined in this policy are regulated through ISMS procedures. Organization employees and third parties are obliged to know these procedures and to conduct their operations in compliance with them.

b. Unless stated otherwise, these rules and procedures apply to the use of all information systems and to all information stored or processed in printed or electronic form.

c. The Information Security Management System is structured and operated on the basis of the TS ISO/IEC 27001:2022 "Information security, cybersecurity and privacy protection - Information security management systems - Requirements" standard.

d. All information systems and infrastructure provided to employees or third parties by the Organization, as well as any information, documents, and products generated using these systems, belong to the Organization unless otherwise required by legal provisions or contracts.

Core ISMS Principles

a. Employment contracts and agreements made with employees and third parties contain non-disclosure commitments aimed at securing the Organization's confidentiality needs.

b. Security requirements that may arise during outsourcing situations are analyzed, and security terms and controls are explicitly stated in specifications and contracts.

c. An inventory of information assets is created in line with information security management needs, and asset ownerships are assigned.

d. Corporate data is classified, and the security requirements and usage rules for each data classification category are determined.

e. Information security controls to be executed during recruitment, change of duty, and termination of employment processes are defined and implemented.

f. Physical security controls are applied in proportion to the protection needs of the assets stored in secure areas.

g. Necessary controls and policies are developed and implemented for the Organization's information assets against physical threats they may be exposed to both inside and outside the Organization.

h. Procedures and instructions regarding capacity management, relations with third parties, backup, system acceptance, and other security processes are developed and implemented.

i. Audit logging for network devices, operating systems, servers, and applications is configured according to the security needs of the respective systems. Audit logs are protected against unauthorized access.

j. Access rights are assigned on a need-to-know basis. The most secure technology and techniques available are utilized for access control.

k. The necessary infrastructure for reporting information security incidents and vulnerabilities is established. Incident records are maintained, required corrective actions are implemented, and learning from security incidents is ensured through scheduled awareness training.

l. Continuity plans for critical infrastructure are prepared, maintained, and exercised.

m. Processes required for compliance with laws, internal policies and procedures, and technical security standards are designed; compliance assurance is provided through continuous and periodic monitoring and auditing activities.

n. Management Review meetings are conducted in accordance with the "Management Review Procedure."

Acceptable Use Rules to Be Followed

The rules to be followed are specified in the policies and procedures prepared within the scope of the ISMS. The core rules are collected in the "Acceptable Use of Assets Policy" document. All employees and third parties within the scope of the ISMS must comply with the specified rules.