
Information Security Policy


Purpose
The purpose of this policy is to define the approach and objectives of senior management regarding information security and to communicate these objectives to all employees and interested parties, in order to prevent violations of the law, of legal, regulatory or contractual obligations, and of any other security requirements.

Scope
This policy protects the electronic information assets obtained from the logistics, storage, accounting, finance, quality assurance, purchasing, human resources, legal, sales, marketing, internal audit and information processing activities carried out within the Company in the course of its commercial operations, and from the transactions related to them. It also covers the information security processes used to process, store and protect the personal data held within the scope of the law, so that the confidentiality and integrity of that data are not compromised.
Definitions

3.1. ISMS: Information Security Management System.

3.2. Inventory: Any information assets that are important to the firm.

3.4. Know-How: The practical knowledge and ability required to do something.

3.5. Information Security: Information, like all other corporate and business assets, is an asset that has value to a business and therefore must be appropriately protected. Within the company, know-how, process, formula, technique and method, customer records, marketing and sales information, personnel information, commercial, industrial and technological information and secrets are considered CONFIDENTIAL INFORMATION.

3.6. Confidentiality: Restricting the viewing of the content of information to only those who are allowed to view that information/data.

3.7. Integrity: The ability to detect unauthorized or accidental changes, deletions or additions to information, and to guarantee that such detection is possible.

3.8. Accessibility/Availability: The availability of the asset whenever it is needed. In other words, the systems are always available, and the information in the systems is not lost and is always accessible.

3.9. Information Asset: Assets owned by the Company that are important for the Company to carry out its activities without disruption. Information assets within the scope of the processes subject to this policy are:

3.9.1. All kinds of information and data presented in paper, electronic, visual or audio media,

3.9.2. All kinds of software and hardware used to access and change information,

3.9.3. Networks that enable the transfer of information,

3.9.4. Facilities and special areas,

3.9.5. Departments, units, teams and employees,

3.9.6. Solution partners,

3.9.7. Services or products provided by third parties.

Responsibilities
The qualifications and competencies of the roles with designated responsibilities and authorities are defined in the job descriptions. Senior Management is responsible for maintaining and developing activities related to information security.

4.1. Management Responsibility

4.1.1. The Company Management undertakes to comply with the Information Security Management System as defined, put into effect and implemented, to allocate the resources necessary for the efficient operation of the system, and to ensure that the system is understood by all employees.

4.1.3. Management helps lower-level personnel take responsibility for security and sets an example in this regard. The understanding that starts and is implemented at the upper levels must be carried down to the lowest-level personnel of the company. Therefore, all managers support their employees, in writing or verbally, in complying with security instructions and in participating in work on security issues.

4.1.4. Senior Management provides the budget required for comprehensive information security work.

4.2. Department Employee Responsibilities
Department employees are responsible for implementing the Information Security Policy, ensuring that employees comply with its principles, ensuring that third parties are aware of the policy, and reporting any security violations related to information systems that they notice.

4.5. Responsibility of All Employees

4.5.1. Conducting their work in accordance with the information security targets,

4.5.2. Monitoring the information security targets related to their unit and ensuring that those targets are achieved,

4.5.3. Paying attention to, and reporting, any observed or suspected information security vulnerabilities in systems or services,

4.5.4. For service agreements (consultancy, etc.) made with third parties that are not handled by Purchasing, concluding confidentiality agreements and ensuring that information security requirements are met.

4.6. Responsibility of Third Parties
Third parties are responsible for knowing and implementing the information security policy and for complying with the rules of behavior determined within the scope of the ISMS.

Information Security Goals
The Information Security Policy aims to guide the Company's employees to act in accordance with the security requirements of the company and to raise their level of consciousness and awareness, thereby ensuring that the company's core and supporting business activities continue with the least possible interruption, protecting its reliability and image, and protecting the physical and electronic information assets that affect the entire operation of the company in order to ensure the compliance specified in its contracts.

Risk Management Framework
The company's risk management framework covers the identification, assessment and treatment of information security risks. The Risk Analysis, the Statement of Applicability and the risk treatment plan define how information security risks are controlled.
General Principles of Information Security
7.1. The details of the information security requirements and rules outlined by this policy are set out in the Company's policies and procedures. Company employees and third parties are obliged to know these policies and procedures and to carry out their work in accordance with these rules.

7.2. Unless otherwise stated, these rules and policies apply to all information stored and processed in printed or electronic media and to the use of all information systems.

7.3. The Information Security Management System is structured and operated based on the TS ISO/IEC 27001 “Information Technology Security Techniques and Information Security Management Systems Requirements” standard.

7.4. The Company carries out the implementation, operation and improvement of the ISMS with the contribution of the relevant parties.

7.5. The information systems and infrastructure offered by the company to employees or third parties, and all information, documents and products produced using these systems, belong to the company, unless there are legal provisions or contracts requiring otherwise.

7.6. Confidentiality agreements are made with employees, consultants, service providers (security, catering, cleaning companies, etc.), suppliers and interns, or the relevant clauses are added to their contracts.

7.7. Information security controls to be applied during recruitment, job change and termination processes are determined and implemented.

7.8. Training that increases employees' information security awareness and enables them to contribute to the functioning of the system is given regularly to existing company employees and to newly hired employees.

7.9. All actual or suspected breaches of information security are reported; the nonconformities that cause such breaches are identified, their root causes are found, and measures are taken to prevent recurrence.

7.10. Corporate data is classified and the security needs and usage rules of data in each class are determined.

7.11. Physical security controls are applied in proportion to the needs of the assets stored in secure areas.

7.12. Necessary controls and policies are developed and implemented for the company’s information assets against physical threats they may be exposed to inside and outside the company.

7.13. Procedures and instructions regarding capacity management, relations with third parties, backup, system acceptance and other security processes are developed and implemented.

7.14. Audit record (logging) configurations for network devices, operating systems, servers and applications are adjusted in line with the security needs of the relevant systems. Audit records are protected against unauthorized access.

7.15. Access rights are assigned on a need-to-know basis. The most secure technologies and techniques available are used for access control.

7.16. Security requirements are determined during system procurement and development, and it is checked whether the security requirements are met during system acceptance or testing.

7.17. Continuity plans for critical infrastructure are prepared, maintained and exercised.

7.18. The necessary processes are designed to comply with laws, internal policies and procedures, and technical security standards, and compliance is assured through continuous and periodic monitoring and audit activities.

Violation of the Policy and Sanctions
If it is determined that the Information Security Policy and Standards have not been complied with, the sanctions specified in the Disciplinary Regulation are applied to the employees responsible for the violation. For third parties, the sanctions specified in the relevant articles of their contracts apply.

Management Review
Review meetings are held with the participation of Senior Management and department managers. These meetings, in which the suitability and effectiveness of the Information Security Management System are evaluated, are held at least once a year.

Updating and Reviewing Information Security Policy Document
Senior management is responsible for ensuring the continuity and review of the policy document. Policies and procedures are reviewed at least annually. In addition, they are reviewed after any change that affects the system structure or the risk assessment; if changes are necessary, they are approved by senior management and recorded as a new version. Each revision is published in a way that is accessible to all users.