
Data Security and Personal Data Policy

1. Definitions
Data security ensures the continuity of the company’s activities, the minimization of operational failures and interruptions, and the protection of data from large-scale threats. The main elements of data security are:
a) Confidentiality
b) Integrity
c) Accessibility 

a. Confidentiality
May be defined as data being protected against access by unauthorized persons. In other words, confidentiality means preventing unauthorized persons from uncovering the contents of data. 
b. Integrity
Preservation of the contents of data, protected from amendment, erasure or destruction in any way by unauthorized persons, whether knowingly or by negligence.
c. Accessibility
It means that data is available whenever needed. Accessibility requires that data remains reachable even in the event of a problem. Access to data must be in proportion to users’ rights: in line with the principle of accessibility, each user must be able to reach the data for which he/she is authorized, during the time allotted/permitted. 

2. Scope
This policy applies to all business units that use the company’s data processing infrastructure. 

3. Purpose
The company’s management aims to ensure data security for all physical and digital information assets utilized for the data processing services, in order to minimize interruptions in the business activities of the company.
a. Policy for use of e-mail
a. The company’s e-mail system may not be used for users’ personal social media accounts (Facebook, Twitter, Instagram).
b. Users must not respond to harmful e-mail messages (malicious, spam, fake, etc.); suspect messages with attached files must be deleted promptly and must not be forwarded to other users.
c. The company’s e-mail addresses may not be used for subscribing to groups and lists through internet applications for personal use.
d. Keeping in mind that e-mails that ask for a user name/password may be fake, users must not respond to them and must delete them promptly.
e. Employees may not send improper content (pornographic, racist, political, material subject to intellectual property rights, etc.) in their e-mails.
f. Employees must prevent unauthorized persons from reading their e-mail messages. The hardware and software systems used for access to e-mail correspondence must be protected against unauthorized access.
g. The company’s employees are responsible for preventing persons from outside the company and unauthorized persons from seeing and reading business e-mails.
h. Files attached to e-mails from unknown sources must not be opened and must be deleted promptly.
i. Users are responsible for the security of the password for their business e-mail address. As soon as they notice that their password has been compromised, they are obliged to contact the information technology department and report the problem.
j. Employees may not continue to use the corporate e-mail system after leaving the company. When a user leaves his/her position by transferring to another business unit or by leaving the company, the supervisors inform the information technology department as quickly as possible about the necessary changes in the e-mail system. 
b. Policy for use of the internet
a. No user may use a data sharing channel other than the one proposed by the company (for instance, programs that contain peer-to-peer connections such as BitTorrent, iMesh, eDonkey, Aimster, etc. may not be used).
b. Personal data may not be collected using chat programs such as messaging and conversation programs, apart from official communication on the internal network.
c. No user may do multimedia streaming on the internet (video, music, conversation, etc) for personal use.
d. It is forbidden to upload, download and store in the company’s computers high volume files (video, music files) that are unrelated to business.
e. Software programs not approved by IT department may not be downloaded from internet and such programs may not be installed and used in the company’s system.
f. The company’s network and computers must not be used for visiting websites with indecent content or for downloading files from them.
g. IT department may monitor internet usage by employees and make statistics in order to minimize work downtime. When necessary IT department may limit internet access.
h. Political material or propaganda messages may not be shared on internet. 
c. General usage principles
a. When leaving the computer terminal for long periods, it must be turned off and access by third persons must be blocked.
b. Incidents such as the theft or loss of a computer or data carrier containing company data must be reported to the IT department as quickly as possible.
c. Each user is responsible for the security of his/her computer system, and for attacks on the company or on individuals originating from his/her computer (for instance, electronic banking transactions, insulting or political messages, user data, etc.).
d. Users must not engage in harassment or other illegal actions using the company’s computers.
e. Actions that harm network security (for instance, a person attempting to access servers without authorization) or network traffic (such as packet sniffing, packet spoofing, denial of service, etc.) must not be initiated.
f. Activities that threaten network security must be avoided; DoS attacks, port or network scans, etc. must not be performed.
g. Company data must not be transferred to third persons.
h. Peripheral devices must not be connected from users’ private computers without prior approval of the IT department.
i. No computing equipment, software program or data may be taken outside the company without permission.
j. It is forbidden to install and use programs of unknown origin (such as magazine CDs or programs downloaded from the internet) other than the software programs the company is using.
k. Employees are responsible for the security of the corporate data on the desktop and laptop computers made available to them by the company.
l. The IT department may, without informing users, access the computers used by employees physically or remotely, carry out necessary security, maintenance and repair work, and take technical or administrative measures as needed.
m. Game and entertainment programs must not be run or copied on the company’s computers.
n. No file transfers may be made on the company’s computers, except for those containing official documents, programs and educational materials.
o. No personal computer or other device that functions as a server on the network (web hosting, e-mail service, etc.) may be kept on the company’s premises without informing the IT department.
p. Existing settings on the company’s computers, such as network settings, user definitions and source profiles, must never be changed without informing the IT department.
q. Unlicensed software must not be installed on the company’s computers in any way. Employees who keep unlicensed software on their assigned computers are responsible for the consequences.
r. Unless necessary, computer resources must not be opened for sharing, and where sharing is required, the password rules must be strictly followed.
s. When a problem occurs on a computer, unauthorized persons must not attempt to fix it, and the IT department must be informed urgently.
d. Policy for emergencies
a. Our company keeps logs. System logs must be stored for examination in emergencies.
b. It is of paramount importance to ensure continuity of the company’s activities. Technical measures for this purpose must be planned in advance and put into practice in times of emergencies.
c. Instruments and tools needed in emergencies must be identified beforehand and back-up and maintenance works must be planned and performed.
e. Antivirus policy
a. Computers without an antivirus program must not be connected to the network, and the IT department must be notified immediately.
b. It is forbidden to write and share harmful programs (such as viruses, worms, trojan-horses, e-mail bombs, etc.) in the company system.
c. No user may for any reason uninstall antivirus program from the company’s system and install another antivirus program. 

4. Password
A password is an important tool for computer security. It is the first line of defense for user accounts. A weak password may expose the security of the entire network to risk. The standards and rules for creating strong passwords, protecting them and the frequency of password changes are given below: 

5. General information
a. Rules for password use 
a. All passwords must be strong enough not to be easily guessed.
b. Passwords (for e-mail, internet, PC, etc.) must be changed at least once every six months.
c. Passwords must not be mentioned in or attached to e-mail messages or any other electronic medium, must not be shared with any person, and must not be written down in physical or electronic media.
d. Passwords should not be given over the phone.
e. Passwords must not be shared with colleagues, even outside office hours.
f. Users must not share their password with third persons and must not write it on paper or in an electronic medium.
g. The computer locks itself after a wrong password is entered five times in a row.
h. Warnings are sent to the employee when multiple persons are connected to a computer.
i. The screen lock must always be used and its settings must be reviewed frequently. 
b. General rules for creating passwords
a. Passwords are used for different purposes, including user identification, network access, e-mail access, screen locking, forwarding access, etc. Every user must take the utmost care in creating strong passwords.
b. A password must contain lower-case and upper-case letters (a-z, A-Z), numbers (0-9) and symbols (such as !’^+%&/()=?_;*).
c. A password must consist of at least eight characters.
d. Password cracking and guessing exercises may be performed at certain intervals. If such a test succeeds in guessing or cracking a password, the user shall be asked to change it. 
c. Standards for password protection
a. Passwords used for company work must not be used in any way outside the office (for example, as the password for internet access, banking transactions or other places).
b. Different passwords must be used for different operating systems; for instance, one password for the Unix system and another for the Windows system.
The list of things NOT to do is given below. 

  • Mention your password over the phone to any person
  • Mention your password in e-mail messages 
  • Share your password with your supervising manager 
  • Talk about passwords in the presence of other people 
  • Use names of family members as a password 
  • Write your password on any document 
  • Tell your password to family members 
  • Give your password to colleagues while away from the office 

If anyone asks you to tell them your password, citing this document as a reference, you must tell that person to contact the chief of the IT department. The ‘remember password’ option in applications and browsers (for example: Chrome, Internet Explorer, etc.) must not be selected. 

d. Standards for application development
1. People who develop applications must make sure that their programs contain the security features described below.
2. They must support individual identity verification (not user-group verification).
3. They must not retain passwords in plain text or in any other easily recoverable form.
4. They must support role management (for example, a user must be able to continue working without knowing another person’s password).
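As an added illustration (not part of the policy, and not code the company itself uses), the following Python script implements the password rules stated in this document: the minimum length and character-class requirements of the rules for creating passwords, the lockout after five wrong attempts in a row from the rules for password use, and item 3 above (never retaining passwords in plain text). The PBKDF2-HMAC-SHA256 hashing scheme, its iteration count, the constant-time comparison and the in-memory account store are assumptions chosen for the example; the policy does not prescribe them.

```python
import hashlib
import hmac
import os
import string

# Parameters stated in the policy.
MIN_LENGTH = 8            # "consist of at least eight characters"
MAX_FAILED_ATTEMPTS = 5   # "locks itself after a wrong password is entered five times in a row"

# Assumptions: the policy names no hashing scheme. PBKDF2-HMAC-SHA256 with a random
# per-user salt is used here so that no password is ever stored in plain text.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000


def check_password_policy(password):
    """Return the list of policy rules the password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def hash_password(password, salt=None):
    """Return salt || PBKDF2 digest; the plain-text password itself is never kept."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Precomputed hash of a constructed dummy password, so that a login attempt against
# an unknown user costs the same as one against a real user (no enumeration by timing).
_DUMMY_HASH = hash_password("dummy-password-for-timing")


class AccountStore:
    """In-memory account records (assumed structure): username -> hash, failure count, lock flag."""

    def __init__(self):
        self._records = {}

    def register(self, username, password):
        """Reject passwords that violate the policy; store only the salted hash."""
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password violates policy: " + ", ".join(problems))
        self._records[username] = {"hash": hash_password(password), "failed": 0, "locked": False}

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'; lock after MAX_FAILED_ATTEMPTS failures in a row."""
        record = self._records.get(username)
        if record is None:
            verify_password(password, _DUMMY_HASH)   # same cost as a real check
            return "denied"
        if record["locked"]:
            return "locked"
        if verify_password(password, record["hash"]):
            record["failed"] = 0                     # a successful login resets the counter
            return "ok"
        record["failed"] += 1
        if record["failed"] >= MAX_FAILED_ATTEMPTS:
            record["locked"] = True                  # an administrator would have to unlock it
            return "locked"
        return "denied"

    def stored_hash(self, username):
        """Expose the stored record so callers can confirm it holds no plain text."""
        return self._records[username]["hash"]


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "Correct-Horse9")         # constructed sample credentials
    print(check_password_policy("password"))          # rules a weak password violates
    for attempt in range(MAX_FAILED_ATTEMPTS):
        print(attempt + 1, store.login("alice", "Wrong-Pass1"))
    print(store.login("alice", "Correct-Horse9"))     # still locked after the fifth failure
```

The unknown-user branch deliberately performs a full hash computation before answering, so that response time does not reveal which user names exist; the lock is set on the fifth consecutive failure and is not cleared by a later correct password, which matches the policy text.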
e. Password use for users working remotely
Remote access to the company’s computer system must use a one-time password mechanism or very strong passwords.
f. Server security
Standards and rules for achieving server security are as follows:
i) Inventory list and responsibilities
System administrators are responsible for managing all internal servers of the company.
Server configurations are designed only by this group of administrators.
a. All servers and mobile instruments must have been recorded in the company’s inventory. Inventory list entries must contain at least the following information:

  • Location of server and name of responsible person 
  • Hardware and operating system 
  • Main function and installed applications
  • Version of operating system 

b. Provided that proper measures are taken to ensure personal data security, all data files of the company must be kept up to date.
c. At the company’s premises, no personal mobile device or data carrier, other than those with permitted operating systems, may be connected or used. 

ii. General rules for configuration 
a. The operating system shall be configured according to the instructions given by the IT department.
b. Unused services and applications shall be disabled.
c. The operating system on the servers, server software and antivirus security software must be updated continuously. If possible, patches and antivirus updates should be applied automatically by the software, but activated only after the testing and approval stages required by the change management rules.
d. Standard security rules must be followed for access to applications, and unnecessary services must not be opened.
e. System administrators must refrain from using shared user names such as "administrator" or "root" except when necessary, and must use their own duly authorized individual user names. Shared administrator accounts must be renewed. If necessary, each administrator must log in using his/her individual user name and then switch to the shared administrator account.
f. If technically possible, privileged logins must be made over secure channels (SSH or an encrypted network such as an IPsec VPN).
g. Servers must be located in system rooms with restricted physical access.
iii. Monitoring
a. All security related incidents in the critically important systems must be logged and stored as explained below: 

  • All logs related to security must be retained for minimum 1 week and be accessible online.
  • Daily backup tapes must be retained for at least one month. 
  • Weekly backup tapes for logs must be retained for at least 1 month.
  • Monthly full backups must be retained for at least 6 months.
  • Copies of log records must be kept outside the building. 

b. The person in charge shall examine the security-related logs and take the necessary measures. Security-related incidents/issues include, but are not limited to, the following: 

  • Port scan attacks
  • Attempts by unauthorized persons to reach privileged accounts 
  • Incidents/issues occurring in servers not related to the existing application in use 

iv. Compliance 
a. Inspections shall be carried out by an authorized person assigned to the company by certified organizations.
b. Inspections shall be managed by IT department .
c. Utmost care shall be taken to make sure that inspections do not interfere with the functioning of the organization (the company).
v. Operation
a. Servers, their electrical wiring and network connections must be located in environments with controlled temperature and humidity.
b. Maintenance work on servers and their software must be done once a year by qualified experts.
c. Unauthorized entry into system rooms must be blocked. Entry to and exit from system rooms must be subject to access controls. 

6. Identity Verification and Authorization
The standards and rules to be followed and the measures to be taken for identity verification and authorization in information systems are as follows: 

a. For each user who will have access to the company’s information systems, it will be determined, based on his/her corporate role, which systems he/she may access and with which identity verification method.
b. For persons not employed by our company and for extranet users who need to access our company’s systems, profiles and identity verification methods shall be determined.
c. For all applications, packaged programs, databases, operating systems and all other log-on accessible systems used by our company and accessible on our network, roles and rights for every user must be determined.
d. User rights on all our corporate systems (including those that users grant each other on their own systems) must be reviewed periodically and revised in line with the principle of minimum exposure (least privilege).
e. Continuous updating of access and rights levels must be ensured.
f. Users are responsible for the security of the systems assigned to them by the company for use at work.
g. Users must keep the access passwords given to them by the company confidential and must not share them with any person.
h. Attempts by users logged in to our systems to access beyond their authorized levels must be monitored, and breaches must be checked.
i. Each user must be notified in writing about his/her access rights, and those who breach the rules must be penalized.
j. In order to monitor user activities, a personal user account must be opened for each and every user.
k. The identities of persons from outside who will connect to our company’s Wi-Fi service must be recorded. Passwords for the Wi-Fi service in meeting rooms must be matched with the participants’ list. 

PERSONAL DATA SECURITY 

1. Definition of personal data
In Law No. 6698, personal data is defined as all information relating to an identified or identifiable natural person: for example, name, surname, date of birth, place of birth, fingerprint, voice recording, family information, telephone number, etc. The basic rules for keeping personal data confidential are explained below. 

2. General rules 
Attention must be paid to the matters listed below in order to ensure security of all personal and corporate data: 

a. Determining which employee shall access which data using which rights must be done carefully. Authorization must be given on the basis of corporate role and it must be impossible for unauthorized users to access sensitive data.
b. Personal data belongs to the data subject. Authorized employees must be able to access only those personal data that are needed for their own work. However, with written permission issued by the person put in charge by company, other employees may access personal data unrelated to their work.
c. Without explicit consent of the data subject, employees may not share personal data of that data subject, even in oral conversation, with third parties like relatives or friends or organizations.
d. Personal data of our clients may not be transferred to third persons, even for commercial purposes.
e. In the event of a request by our client, a copy of the contents of his/her personal data must be delivered. Notwithstanding the relevant provisions of the legislation in force, personal data files of our clients must not be transferred to third persons and organizations in the form of a printed document or an electronic message.
f. All necessary measures must be taken in order to prevent unauthorized access to the personal data of our clients and employees (documents containing personal data must not be left in the open, and computer screens must not be left on where others could read them).
g. While talking on the phone, care must be taken to prevent personal data from being overheard by third persons.
h. All personal data files must be stored in physically protected places.
i. Access to the electronic files of the company from the internet must not be possible. 

3. Right of the data subject to control the fate of his/her personal data
Data subjects have the right to know how their data are processed, to request information on their data, to ask for their data to be updated when necessary and, finally, to ask for the erasure of their file. The company is obliged to meet such demands of users or clients. 

4. Lawfulness of data processing 
All data that exist at the company, or that come into or go out from the company, and all steps of the processing of such data must be lawful and respectful of the data subjects’ rights. All personnel of the company must respect the confidentiality of the personal data of the company’s clients. 

5. Right to receive information 
The clients of the company have the right to know where and how their personal data are used. Proper measures to facilitate the exercising of these rights are taken by the company.