INFORMATION SECURITY MANAGEMENT POLICY

PURPOSE
Our primary objective, in line with our organization's management approach, is to maintain the trust of the institutions and organizations we serve and to secure the information assets we use in providing our services. In this context, the relationships we maintain with our internal and external stakeholders are invaluable. The continuity of the products and services we offer, the confidentiality of the information we hold, and the integrity of data belonging to our customers and of our internal information assets are of the utmost importance.
Regarding information security, the aim of this policy is to define management's approach to preventing violations of legal, regulatory and contractual obligations and of security requirements, and to communicate this approach to all employees and relevant parties.

SCOPE
This policy covers the protection of electronic information assets arising from commercial activities, logistics, storage, accounting, finance, quality assurance, purchasing, human resources, legal, sales, marketing, internal audit, and IT activities within the organization. It also covers the processing, storage, protection, confidentiality, and integrity of personal data held by the company in accordance with the law, and the information security processes used to protect these assets.

Internal Scope

  • All departments and employees under the organization's top management,
  • Roles and responsibilities outlined in the General Management Organizational Chart,
  • Physical workspaces of the organization,
  • The structure of used software, hardware, and equipment,
  • Employee participation in risk and opportunity assessments,
  • Occupational Health and Safety and Environmental (OHS-E) objectives and activities,
  • Policies, procedures, objectives, and strategies to be implemented:
    • Information Security Management System (ISMS) Policy,
    • All ISMS procedures,
    • Annual ISMS objectives set by management,
    • Resources and capabilities relevant to information (e.g., capital, time, people, processes, systems, and technologies),
    • Management Representatives and ISMS team assigned by management for the establishment, operation, and maintenance of the ISMS,
    • Relationships with internal stakeholders and their understandings and values, the organization’s culture, standards, guides, models, and contractual relationships,
    • The form and extent of relationships with third parties.

External Scope

  • International, national, regional, or local social, cultural, political, legal, financial, technological, economic, environmental, and competitive environments,
  • National and International Competition Law, Policies, and Procedures,
  • Supplier and customer data confidentiality,
  • Quality focus,
  • Relationships with stakeholders who influence the organization’s objectives and their understandings and values,
  • Relevant legal regulations, regulatory, contractual obligations, standards,
  • Product certifications with TSE and other organizations,
  • Keeping up with technological innovations,
  • Suppliers,
  • Natural disasters, energy outages, cyberattacks.

RESPONSIBILITIES

The responsibilities assigned to individuals in this policy and in other documents defined under the ISMS are outlined in the table below. If a document created after the publication date identifies a new responsibility or a new responsible person, this document will be revised to include the updated information.

Responsible | Responsibilities

Management

The organization's management undertakes to comply with the established and implemented ISMS, to allocate the resources necessary for the effective functioning of the system, and to ensure that the system is understood by all employees. Managers are also responsible for leading by example in security matters, assigning tasks to their staff, and ensuring that this understanding reaches all levels of personnel. They provide written or verbal support to employees regarding compliance with security instructions and participation in security-related activities. Senior management is responsible for budgeting for information security efforts.

Management Representative

The ISMS Management Representative is appointed during the ISMS establishment phase by an appointment letter. If the representative leaves or a change is necessary for any reason, the document is revised and a new appointment is made by top management. The Management Representative is responsible for:

  • Leading the ISMS team,
  • Approving the team selection and the related appointment documents,
  • Overseeing and approving ISMS work on behalf of top management,
  • Reviewing and approving continuous improvement of the existing ISMS structure,
  • Making decisions on behalf of the organization in crisis situations when management cannot be reached,
  • Appointing qualified personnel to manage ISMS practices and the continuous evaluation, improvement, and risk and opportunity analyses,
  • Approving all ISMS documentation (manuals, policies, procedures, asset management, processes, flowcharts, instructions, plans, forms, lists, minutes, guides, etc.) before final approval by the Board.

ISMS Representative

The ISMS Representative is responsible for:

  • Planning the ISMS, determining acceptable risk levels, and defining the risk assessment methodology,
  • Supporting the establishment of ISMS activities and ensuring that resource, training, communication, and documentation requirements are met,
  • Managing and overseeing ISMS activities, evaluations, improvements, and the continuity of risk and opportunity assessments,
  • Conducting internal audits and reviewing ISMS activities and controls in management review meetings,
  • Ensuring the ongoing improvement and sustainability of ISMS practices.

ISMS Team Leader

The ISMS Team Leader is responsible for leading the ISMS team, ensuring that team members fulfill their responsibilities, and supervising their work.

ISMS Team Members

ISMS Team Members are responsible for:

  • Conducting the asset inventory and risk analysis for their departments,
  • Notifying the ISMS Representative when changes affecting information security risks occur in their department,
  • Ensuring that departmental employees comply with policies and procedures,
  • Promoting ISMS awareness within the department, facilitating communication, and meeting documentation requirements,
  • Ensuring the maintenance and continuous improvement of the ISMS structure.

Department Managers

Department Managers are responsible for:

  • Implementing the information security policy and ensuring compliance with it,
  • Ensuring that third parties are aware of the policy,
  • Reporting any information security incidents related to information systems,
  • Managing the access rights of users whose job description has changed or who are leaving or have left the organization.

All Employees

All employees are responsible for:

  • Conducting their work in line with information security goals, policies, and ISMS documents,
  • Tracking their department's information security goals and contributing to their achievement,
  • Reporting any security vulnerabilities or suspicious activity observed in systems or services,
  • Signing confidentiality agreements, and ensuring that information security requirements are included in contracts with third parties for services not under the responsibility of purchasing.

Third Parties

Third parties are responsible for being aware of and complying with the ISMS policy and the rules of conduct defined within the ISMS.

  4. DEFINITIONS AND ABBREVIATIONS

Term | Definition/Explanation

Organization / Institution

TURK Financial Technology Inc.

Information Security

Information, like all other corporate and commercial assets, is an asset that holds value for a business and, therefore, must be adequately protected. Within the organization, processes, formulas, techniques and methods, customer records, marketing and sales information, personnel data, commercial, industrial, and technological information, and trade secrets are considered confidential information.

Confidentiality

Restricting access to information so that only those authorized to view it can access its content. (For example, encrypting email so that a message intercepted in transit cannot be read by unauthorized individuals falls into this category.)

Integrity

Ensuring that unauthorized or accidental changes, deletions, or additions to information can be detected, and that such changes are traceable. (Example: storing a hash digest alongside data, such as in a database, or using electronic or mobile signatures.)

Availability

Ensuring that information or an information asset is accessible when needed. In other words, systems remain operational, and the information they hold is not lost and remains accessible whenever required. (Example: using uninterruptible power supplies (UPS) and redundant power supplies in server chassis to protect servers from power fluctuations and outages.)

Information Asset

Assets owned by the organization that are crucial for the smooth operation of its activities. The information assets within the scope of this policy include:

  • Any information and data presented in paper, electronic, visual, or auditory form,
  • All software and hardware used to access and modify information,
  • Networks enabling information transfer,
  • Facilities and special areas,
  • Departments, units, teams, and employees,
  • Business partners, and services or products provided by third parties.

ISMS

Information Security Management System

  5. INFORMATION SECURITY MANAGEMENT POLICY

5.1. General

  • This policy outlines the information security requirements and rules that all employees and third parties are required to be aware of and adhere to in their activities.
  • These rules and policies, unless otherwise stated, should apply to all information stored and processed in printed or electronic form, as well as the use of all information systems.
  • The Information Security Management System (ISMS) should be structured and operated based on the TS ISO/IEC 27001 "Information Technology - Security Techniques - Information Security Management Systems Requirements" standard.
  • The implementation, operation, and improvement of the ISMS should be carried out with the contributions of relevant stakeholders.
  • All information systems and infrastructure provided by the organization to employees or third parties, as well as all information, documents, and products produced using these systems, shall be considered the property of the organization unless required otherwise by legal provisions or contracts.
  • Confidentiality agreements must be made with all employees, third-party companies (consultants, firms, etc.), and interns.
  • Information security controls to be applied during recruitment, job changes, and departure processes must be determined and implemented.
  • Training should be regularly provided to both existing employees and newly hired employees to increase information security awareness and contribute to the functioning of the system.
  • All actual or suspected information security breaches should be reported; the nonconformities that caused them should be identified, their root causes found, and corrective measures implemented to prevent recurrence.
  • The inventory of information assets should be created based on information security management needs, and asset ownership should be assigned.
  • Corporate data should be classified, and the security needs and usage rules for each data category should be determined.
  • Physical security controls should be implemented in accordance with the needs of assets stored in secure areas.
  • Necessary controls and policies against physical threats that may be encountered both inside and outside the organization must be developed and implemented.
  • Procedures and instructions related to capacity management, third-party relationships, backup, system acceptance, and other security processes should be developed and implemented.
  • System security requirements related to audit log generation configurations for network devices, operating systems, servers, and applications must be aligned with the security needs of the systems, and audit logs should be protected against unauthorized access.
  • Access rights must be granted on a need-to-know basis, and appropriately secure technologies and techniques should be used for access control.
  • Security requirements should be determined in system procurement and development, and regular checks should be performed to ensure these requirements are met during system acceptance or testing.
  • Continuity plans for critical infrastructure should be prepared, and maintenance and drills should be carried out.
  • Processes to ensure compliance with laws, internal policies and procedures, and technical security standards, as well as processes to handle deviations and special circumstances, should be designed and continuously monitored through inspections and audits to ensure compliance.

5.2. Objectives

  • The ISMS Policy aims to guide the organization's employees to act in accordance with security requirements, raise awareness and consciousness levels, ensure that core and supporting business activities continue with minimal disruption, maintain the reliability and reputation of the organization, and ensure compliance with third-party contracts.
  • In line with the business strategy set by our organization, the primary goal should be to continuously protect information security regarding confidentiality, integrity, and availability by integrating the ISMS culture into both internal and external stakeholders in a standardized manner.
  • The goals set by management should be monitored periodically and reviewed during Management Review meetings.

5.3. Information Security Organization

In the organization's internal structure, the roles and responsibilities for information security are defined under the following headings:

  • Separation of Duties: Conflicting duties and responsibilities should be determined according to the separation principle to reduce opportunities for unauthorized or accidental changes or misuse of organizational assets.
  • Each asset or information security process should have a responsible person assigned, and the details of this responsibility should be documented.
  • Authorization levels should be determined and recorded.
  • Assignment of information security responsibilities should be done in alignment with the information security policies.
  • Local responsibilities for asset protection and the execution of special security processes should be clearly defined.

5.4. Risk Management Framework

  • The organization's risk management framework should identify, assess, and handle information security risks and opportunities.
  • It should also define responsibilities for information security risk management activities and the acceptance of residual risks.
  • A risk analysis, a Statement of Applicability, and a risk treatment plan should describe how information security risks are controlled.
  • The ISMS Executive and Management Committee should be responsible for managing and executing the risk treatment plan.
  • All of these activities should be defined in relevant procedures and instructions and recorded.
  • Threats to information security, both internal and external, should be addressed in detail within this policy and other related policies.

5.5. Policy Violation and Sanctions

  • If non-compliance with the ISMS Policy and Standards is detected, sanctions to be applied to employees responsible for the violation should be defined and communicated to the employees.
  • For third parties, the potential sanctions to be applied should be specified in the relevant clauses of the applicable contracts.

5.6. Management Review

  • Management review meetings should be organized by the ISMS Management Representative, with participation from management and department heads.
  • These meetings, where the suitability and effectiveness of the ISMS are evaluated, should be held at least once a year.
  • The format and rules of the Management Review meetings should be documented and recorded.

5.7. Updating and Reviewing the Information Security Policy Document

  • The ISMS team is responsible for ensuring the continuity and review of the ISMS Policy.
  • Policy documents should be reviewed at least once a year, unless there is a significant change in the organization.
  • Any changes in the organization’s environment, business conditions, legal requirements, or technical environment that could affect the system structure or risk assessment should trigger an immediate review, and if any changes are necessary, the new version should be recorded and approved by management.
  • Each revision should be published and made accessible to both internal and external stakeholders.
