APPCIRCLE INC.
INFORMATION SECURITY POLICY
SUMMARY | It includes the purpose, scope and responsibilities regarding the company's information security processes. |
EDITOR | IT Director |
DATE OF ENTRY INTO FORCE | 14.03.2023 |
1. PURPOSE AND SCOPE
This policy aims to oversee the development and regular updating of the control infrastructure for measures to ensure the confidentiality, integrity and accessibility of information systems and data within the Company. Information, like other important business assets, is an asset that is necessary for the activities of an organisation and, as a result, must be appropriately protected. The security of information assets is ensured in line with the policies defined by the Company. The purpose of information security is to prevent unauthorised access to information (Confidentiality), to ensure that information and information assets are complete, accurate and not changed inappropriately (Integrity) and to ensure that authorised users can access the data they need when they need it (Accessibility). The Information Security Policy applies to all units and service providers of the Company. The objective of the Company's Information Security Management Process is to inventory information assets, make risk assessments, implement controls and review the effectiveness of the controls implemented in order to ensure the confidentiality, integrity and accessibility of the information produced, processed and stored by the Company.
2. DEFINITIONS AND SCOPE
- Company: Appcircle Inc.
- Information: Information and knowledge are the most critical assets of an organisation. These assets should not be given out, stolen, changed in such a way that they lose their value, or lost. Information can be found in various forms. It can be printed or written on paper, stored in electronic media and sent by mail or electronically.
- Confidentiality: Information is accessible only to authorised persons.
- Integrity: Information is protected from unauthorised modification, and any modification can be recognised.
- Availability: Information can be used by authorised users when needed.
- Sensitive customer data: Highly confidential data, such as passwords, PINs and encryption keys, that users use to prove their identity on systems.
- Information Security and Risk Committee: The committee set up to establish policies, procedures and processes for the management of information systems and for ensuring information security, and to effectively manage the risks arising from the use of information technologies.
- Senior Management: Responsible for overseeing and approving the regular updating of the Information Security Policy.
3. BASIC PRINCIPLES OF INFORMATION SYSTEMS MANAGEMENT
It is essential that the structure of the information systems is compatible with the scale of the Company, the nature and diversity of its activities and the products offered, and its strategic objectives; and that the information systems and the data they contain are reliable, accurate, complete, traceable, consistent, accessible and meet the needs. Information systems shall, as a minimum, be established in a structure that allows:
- All information related to the Company to be stored or backed up and used in the domestic electronic environment in a secure manner that allows access at any time,
- Penetration and stress testing to be carried out,
- Accounting records to be kept in accordance with the procedures and principles determined by the Public Oversight, Accounting and Auditing Standards Board.
A business continuity plan is established to ensure the continuous functioning of information systems. The operability and adequacy of this plan are regularly tested and necessary measures are taken if required. In the planning of business continuity, critical information technology assets and processes are identified, and business impact analyses and risk assessments are performed for these.
4. COMPANY INFORMATION SECURITY POLICY
Through the Company Information Security Policy, the Company:
- Protects the confidentiality of customer and personnel information in order to protect the privacy of personal information.
- Implements the infrastructure and controls that protect the integrity of information and guarantee its continuous accessibility.
- Provides authorisation in accordance with the principle of separation of duties in design, development, testing and implementation processes and establishes an approval mechanism in critical processes.
- Provides physical and logical separation of Development, Test and Production environments.
- Ensures that users are authorised according to the principle of minimum authorisation (least privilege) and that authorisations are checked regularly.
- Establishes network security against threats from external networks.
- Establishes layered security architecture and ensures continuous surveillance.
- Ensures that measures to ensure security such as encryption and masking are taken in the transmission and storage of sensitive customer data and personal information.
- Ensures the reliability of the encryption keys used.
- Establishes an information security organisation to ensure the management and coordination of information security activities.
- Inventories information assets, determines their ownership and manages the risks on information assets.
- Carries out information security incident management activities that include the steps of detecting, reporting and preventing recurrence of information security incidents.
- Implements an adequate awareness programme for all staff and ensures the participation of all employees to meet information security requirements.
- Takes the necessary physical and environmental security measures to ensure the security of information in the areas where information is processed.
- Determines and realises the security requirements in the acquisition, development and maintenance of information systems.
- Obliges employees to comply with the determined information security policies and processes and with legal and regulatory obligations, by obtaining their written commitments.
- Carries out business continuity activities to prevent interruptions in business activities and ensure continuous access to information.
- Implements the necessary security controls in all relevant areas to control access to information and prevent unauthorised access.
- Applies the necessary security controls in the operation of information systems activities, defines the roles and responsibilities for this.
5. MAIN TOPICS OF INFORMATION SECURITY POLICY
5.1. Information Security Organisation
The Company management establishes the information security organisation within the Company. In this context, the works regarding the establishment, maintenance and management of security policies in the Company with a holistic approach are carried out within the scope of the Information Security Management Process. The roles and responsibilities to coordinate and manage the security control processes of the Company are determined within the scope of the Information Security Member Job Description document.
5.2. Information Security Roles and Responsibilities
The Information Security and Risk Committee, Information Security Officer, Physical Security Officer, Information Asset Owners and Company employees take part in the planning, implementation and control of Information Security in the Company. The duties and responsibilities of the relevant parties within this scope are clearly defined in the Information Security Member Job Description document. The Company Information Security Policy is prepared by the Information Security Officer, reviewed at least once a year by the Information Security and Risk Committee and approved by the Board of Directors. While formulating the Information Security Policy, the Company's security strategy, security requirements, legal and regulatory obligations are taken into consideration. The Company's Senior Management ensures that the Information Security Policy is implemented.
5.3. Management of Information Assets
All data belonging to the Company that is created, transmitted, stored or shared, whether verbally, in print or in digital media, is within the scope of the Company's information assets. The applications, software and hardware used in the transmission, processing, access, storage and destruction of data are also included in the scope of information assets. The Company prevents accidental or intentional damage, change, disclosure or loss by ensuring the confidentiality, integrity and accessibility of information assets and all assets related to this data. For this purpose, it classifies information assets by making asset assessments and ensures that Company information is used in accordance with this classification. An owner is assigned to each asset, and the responsibilities related to the asset are assigned to that owner.
5.4. Assessment of Risks
The Company's risk assessment approach to information security is determined by the Information Security and Risk Committee and defined within the scope of the Information Security Management Process. The information security risk assessment approach determines the methods by which the Company's information security risks will be determined, how risk levels will be calculated and how risks will be assessed. The identification, grading, processing and review of the risks that may arise in relation to information assets are carried out in accordance with the determined risk assessment approach.
As a result of the risk assessment study, the Company Information Security Plan, which includes actions to mitigate risks, is created. The Information Security Plan is created and updated annually.
6. REVIEW OF INFORMATION SECURITY POLICY
The Company's Information Security Policy is reviewed by the Information Security Officer at least once a year and, if deemed necessary, updated and submitted to the Board of Directors for approval. New policies are produced to include the needs arising due to developments in security technologies.
7. RESPONSIBILITY FOR THE IMPLEMENTATION OF INFORMATION SECURITY POLICY
It is ensured that all employees are aware of the Information Security Policy. The final version of the policy is announced to all personnel and published in a common area where personnel can access it continuously. Personnel must comply with the general provisions that concern them. It is the responsibility of the administrative supervisor of the personnel to check whether the personnel comply with the general provisions that concern them. Compliance with information security policies is regularly monitored.
8. ENTRY INTO FORCE
This Policy enters into force upon its approval by the Board of Directors and its announcement to the personnel of our Company.
9. EXECUTION
The Board of Directors executes the provisions of the Policy.
10. APPROVAL
Approval of the Board of Directors numbered 2023-03 and dated 14.03.2023.
11. REVISION HISTORY
Date | Version | Prepared by | Approved by |
---|---|---|---|
14.03.2023 | 1.0 | IT Director | Board of Directors |
16.04.2024 | 2.0 (Review) | IT Director | Board of Directors |