PURPOSE

This policy aims to supervise development and regular updating of the control infrastructure regarding measures that will ensure the confidentiality, integrity and accessibility of the information systems and data within the Company.

SCOPE

Information, like other important business-related assets, is an asset that is necessary for an organization’s activities and therefore needs to be appropriately protected. The security of information assets is provided in accordance with the policies defined by the Company. The purpose of information security is to prevent unauthorized access to information (Confidentiality), to ensure that information and information assets are complete and accurate, and not inappropriately modified (Integrity), and to ensure that authorized users can access the data they need when they need it (Accessibility).
Information Security Policy applies to all units and service providers of the Company.
The aim of the Company’s Information Security Management Process is to inventory information assets, conduct risk assessments, implement controls and review the effectiveness of implemented controls in order to ensure the confidentiality, integrity and accessibility of information produced, processed and stored by the Company.

DEFINITIONS

Company: Pamukkale Kablo Sanayi ve Ticaret Anonim Şirketi (Pamukkale Kablo)
IT Data: Highly confidential data such as passwords, PINs, encryption keys, card numbers, personal certificates, and smart cards that users use to prove their identities on systems.
Information Security and Risk Committee: It represents the committee established for the purpose of establishing policies, procedures and processes regarding the management of information systems and ensuring information security, and effectively managing risks arising from the use of information technologies.

FUNDAMENTAL PRINCIPLES REGARDING INFORMATION SYSTEMS MANAGEMENT

• It is essential that the structure of information systems is compatible with the Company’s scale, nature, diversity and strategic goals of activities and products offered, and that information systems and the data they contain are reliable, accurate, complete, traceable, consistent, accessible and meet the needs. Information systems are established in a structure that will at least;
• Enable all information related to the Company to be stored or backed up and used electronically in the country in a secure manner and accessible at any time,
• Allow penetration and stress tests,
• Maintain a structure that will allow accounting records to be recorded in accordance with the procedures and principles determined by the Public Oversight, Accounting and Auditing Standards Board.

• A business continuity plan is created to ensure the continuous operation of information systems. The operation and adequacy of the plan in question are tested regularly and necessary measures are taken if necessary. In business continuity planning, critical information technology assets and processes are determined and business impact analysis and risk assessment are performed.
• It is essential that information systems and the data they contain are stored securely. Within this framework, data are classified according to their security sensitivity levels, appropriate security controls are established for each class, and backed up accordingly. The security of information systems and the operation of backup systems are tested regularly and necessary changes are made if necessary according to the test results.
• In ensuring information security and accessing the Company’s information systems, techniques that include identity verification and authorization mechanisms as well as non-repudiation and responsibility assignment opportunities are used.
• The principle of separation of duties is applied in the development, testing and operation of information systems.  The duties, authorities and responsibilities of departments and employees involved in the information systems management process are determined in writing. Compliance with the principle of separation of duties is tested regularly and the results are reported to the Information Security and Risk Committee.
• It is essential to ensure the confidentiality of customer and Company information obtained and stored through information systems during the execution of activities. The application principles regarding the sharing of customer information with parties other than the legally authorized authorities are determined in writing.
• Audit trails are created in sufficient detail and clarity regarding transactions carried out using information systems and causing changes in the records of company activities. Necessary measures are taken to prevent the integrity of audit trails from being compromised and to detect any compromise.
• Risk analysis is performed regarding external services to be received within the scope of information systems management.
• The operation of the implemented information systems, their compliance with strategic goals, the effectiveness and adequacy of controls are regularly monitored, taking into account developments in information technologies. The impact that the implementation of new information systems in the Company will create on the Company’s risk profile is evaluated. Within this framework, if necessary, the operation of information systems is revised.

INFORMATION SECURITY POLICY

With the Information Security Policy, the Company;

• Protects the confidentiality of the information of the relevant persons within the framework specified in the Personal Data Protection Law No. 6698 in order to ensure the protection of the privacy of personal information.
• Implements the infrastructure and controls that will protect the integrity of the information and guarantee its continuous accessibility.
• Provides authorization in accordance with the principle of separation of duties in the design, development, testing and implementation processes and establishes an approval mechanism in critical operations.
• Ensures the physical and logical separation of the Development, Test and Production environments.
• Ensures that the minimum authorization principle required for authorizing users is provided and that the authorizations are regularly checked.
• Establishes network security against threats that may come from external networks.
• Establishes the layered security architecture and ensures its continuous monitoring.
• Ensures the reliability of the encryption keys used.
• Ensures the security of sensitive data used by applications running on mobile devices (sensitive data cannot be used by other applications, cannot be accessed in case of loss/theft).
• Takes measures to ensure the security of applications running on mobile devices and provides the necessary updates.
• Creates an information security organization to manage and coordinate information security activities.
• Creates an inventory of information assets, determines ownership and manages risks on information assets.
• Carries out information security incident management activities, which include the steps of detecting, reporting and preventing recurrence of information security incidents.
• Implements an awareness program at a sufficient level for all personnel and ensures the participation of all employees to meet information security requirements.
• Takes the necessary physical and environmental security measures to ensure the security of information in areas where information is processed.
• Determines and implements the security requirements in the acquisition, development and maintenance of information systems.
• Requires employees to comply with the determined information security policies, processes, legal and regulatory obligations by obtaining their written commitments.
• Carries out business continuity activities to prevent interruptions in business activities and to ensure continuous access to information.
• Implements the necessary security controls in all relevant areas to control access to information and prevent unauthorized access.
• Applies necessary security controls in the operation of information systems activities and defines roles and responsibilities in this regard.

MAIN TOPICS OF INFORMATION SECURITY POLICY

INFORMATION SECURITY ORGANIZATION

The Company management establishes the information security organization within the Company. The organization carries out its work on the establishment, maintenance and management of security policies in the Company with a holistic approach.

• INFORMATION SECURITY ROLES AND RESPONSIBILITIES

In order to carry out the activities of planning, implementing and controlling Information Security in the Company, the Information Security and Risk Committee, Information Security Officer, Physical Security Officer, Information Asset Owners and Company employees take part. The duties and responsibilities of relevant parties within this scope are clearly defined in addition to this policy.
The Company’s Information Security Policy is prepared by the Information Security Officer, reviewed at least once a year by the Information Security and Risk Committee and approved by the Board of Directors. While creating the Information Security Policy, the Company’s security strategy, security requirements, legal and regulatory obligations are taken into consideration.
The Company’s Executive Management ensures that the Information Security Policy is implemented.

MANAGEMENT OF INFORMATION ASSETS

All data belonging to the Company created, transmitted, stored or shared verbally in printed and digital media are included in the scope of the Company’s information assets. The applications, software and hardware used in the transmission, processing, access, storage and destruction of data are also included in the scope of information assets.
The Company ensures the confidentiality, integrity and accessibility of information assets and all assets related to this data, preventing them from being accidentally or intentionally damaged, changed, disclosed or lost. To this end, it classifies information assets by conducting asset assessments. It ensures that the Company’s information is used in accordance with this classification. An owner is assigned to each asset and the responsibilities related to the assets are assigned to these owners.

ASSESSMENT OF RISKS

The Company’s risk assessment approach regarding information security is determined and defined by the Information Security and Risk Committee.  The information security risk assessment approach determines the methods by which the Company’s information security risks will be determined, how risk levels will be calculated and how risks will be evaluated. The work on identifying, rating, processing and reviewing risks that may occur regarding information assets is carried out in accordance with the determined risk assessment approach.

CREATING SECURITY AWARENESS

The company determines awareness training requirements for all personnel and provides training to its personnel accordingly. All newly hired employees must be informed about information security. The company obtains signed approvals from its own employees and supplier company employees that they know and will comply with information security policies.

PHYSICAL AND ENVIRONMENTAL SECURITY

The company takes physical security measures to prevent unauthorized physical access, intervention and damage to buildings and areas where information processing activities take place within the scope of the Additional BUSINESS CONTINUITY MANAGEMENT PROCEDURE to this policy.
The loss, damage, theft, endangerment of information assets and interruption of the organization’s activities are prevented by applying security controls to the equipment used in information processing activities.

COMMUNICATION AND OPERATION MANAGEMENT

Processes are created and responsibilities are defined to ensure that the facilities, environments and tools where information is processed are operated and managed in a secure manner and in accordance with their purpose. When defining responsibilities for processes, the role that performs a job and the role that controls the job are not given to the same person.
In order to protect the integrity of software and information, security checks are performed against malicious codes and applications.
Backup activities are performed to ensure the integrity and usability of information and information assets. Protection of information and supporting infrastructure in the network is ensured.
In order to prevent unauthorized disclosure, modification, removal or destruction of assets and interruption of business activities, precautions are taken and standardized for the processing of information. Security checks are applied to ensure the security of information and software received and given with external institutions or within the Company.
The security requirements of the website services are met.
Audit trails are created for information system applications and monitoring activities are carried out in order to detect unauthorized information processing activities.
Penetration tests are carried out by a competent and independent external company at least once a year.

ACCESS CONTROL

In order to control access to information, user access is managed based on security requirements and unauthorized access is prevented. Access authorizations are provided in accordance with the principle of separation of duties and the principle of minimum required authorization. Authorizations are reviewed regularly.
Unauthorized access to network-related services is prevented with security controls for network access. Access controls for operating systems and applications are implemented. Information security requirements are met for those using mobile computing and remote working services.

NETWORK SECURITY

Network control security systems are established to ensure security in network traffic. Layered security architectures such as external firewall, IPS, internal firewall, SSM (where one security layer is breached and another security layer is activated) are used in network security. Systems used in network security are kept under constant surveillance. VPN and SSL are used in connections established with the external network.

INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

Security requirements are applied in information systems acquisition, development and maintenance operations. Controls are implemented to prevent corruption, loss, unauthorized modification and misuse of information in applications. When necessary, cryptography is applied to ensure the confidentiality and integrity of information. Security controls are applied to ensure the security of system files and system data. Changes to be made to applications and systems are carried out in a controlled manner and security risks are reduced. It is ensured that software developments provided from outside meet information security requirements.

INFORMATION SECURITY INCIDENT MANAGEMENT

Information security incidents, violations and weaknesses related to information systems are reported through channels to be determined in addition to this policy. Reporting is carried out in a way that ensures corrective measures can be taken in a timely manner. All employees, suppliers and third-party users are ensured to participate in reporting information security incidents. As a result of incidents, remedial activities are implemented and recurring incidents are prevented.

INFORMATION SYSTEMS CONTINUITY MANAGEMENT

Information continuity activities are carried out to prevent interruptions in business activities and to protect important business processes from information system disruptions. It is ensured that these activities meet information security requirements.

COMPLIANCE

All Company employees are obliged to comply with the security requirements arising from relevant laws, regulations and contracts, intellectual property rights, license agreements and security requirements determined by the Company. Managers ensure compliance with security policies and standards in the operation of all processes in their areas of responsibility. All Company employees are responsible for the use of Company data in accordance with their confidentiality levels. Information security review activities are carried out to monitor compliance with the Company’s information security policies. The compliance with the Information Security Policy is reported to the Board of Directors at least once a year.

REVIEW OF THE INFORMATION SECURITY POLICY

The Company’s Information Security Policy is reviewed at least once a year by the Information Security Officer and, if deemed necessary, updated and submitted to the Board of Directors for approval. New policies are produced to include the needs that arise due to developments in security technologies.

RESPONSIBILITY FOR IMPLEMENTING THE INFORMATION SECURITY POLICY

All employees are made aware of the Information Security Policy. The latest version of the policy is announced to all personnel and published in a common area that the personnel can access at all times. Personnel must comply with the general provisions that concern them. The administrative manager of the personnel is responsible for checking whether the personnel comply with the general provisions that concern them. Compliance with information security policies is regularly monitored.

ENFORCEMENT

This regulation regarding information security shall enter into force as of the date of approval by the executive management. All applications and workflows regarding the Company’s information security shall be created/updated in accordance with the policy provisions.