Information Security Policy

  1. PURPOSE AND SCOPE

 

This policy has been prepared to explain the information security rules and standards that QUA GRANITE AŞ employees are required to follow.

  2. RESPONSIBILITY

Information security rests on the following responsibilities. Each department in our company has its own set of application screens, and users cannot see the screens of other departments. Authorization in the system is granted by the General Manager. IT is responsible for implementing and monitoring the Information Security Policy in daily operations and systems and for taking the necessary measures.

  3. SYSTEM DEFINITIONS

- Life Cycle: System used for factoring transactions.

- Facto 2000: System used for Risk Center data retrieval and transmission.

- BGA: Information Security (Turkish abbreviation used in the Company)

  4. PRINCIPLES OF INFORMATION SECURITY

The Information Security Policy of our company has been established, and the instructions prepared within the scope of this policy are set out below. In addition to the security measures taken at the general system level to prevent any disruption to the security of Corporate Information Systems, all employees of our company must strictly comply with these rules.

  4.1. Data Classification

Within QUA GRANITE AŞ, data are handled in 3 classes: Confidential, Open to Company and Open to Public.

CONFIDENTIAL INFORMATION: Access to these information assets is protected by defined security standards and rules. Only those who need the information for a specific business purpose may access confidential information, and only within the defined controls. Sharing the information asset depends on the approval of the information asset owner. Compliance with legal rules and the signing of a confidentiality agreement are required before sharing with parties other than those who access Risk Center data. Information assets in this class must be appropriately labeled. High-sensitivity information such as Risk Center data, customer files, intelligence reports and employee personal files falls into this class.

INFORMATION OPEN TO THE COMPANY: The sharing of this information asset is subject to a contract that includes provisions on information security. Information in this class is information that does not cause serious damage in case of leakage and is open to access and use by all employees. Telephone book, employees' work calendars can be considered in this context. Information assets in this class are not labeled.

PUBLICLY AVAILABLE INFORMATION: This information asset is publicly available internally or externally. For example, a website, brochures, press releases are considered in this context. Information assets in this class are not labeled. 

Handling rules by class:

Labeling
- Confidential: Labeled with a "CONFIDENTIAL" stamp when printed
- Open to Company: Not labeled
- Open to Public: Not labeled

Replication
- Confidential: Only specially authorized personnel may reproduce it. Documents scanned on the scanner are transferred to a folder accessible only to authorized persons.
- Open to Company: All company employees may reproduce information of this class.
- Open to Public: No restrictions

Storage
- Confidential: Stored only on PCs/laptops or server environments where access is restricted to authorized personnel. Strong encryption is used to protect access to PCs/laptops. Confidential printouts are stored in locked cabinets/rooms.
- Open to Company: Stored in places accessible to all employees of the company
- Open to Public: No restrictions

Deletion
- Confidential: Can only be deleted from the system by authorized personnel
- Open to Company: Can only be deleted from the system by authorized personnel
- Open to Public: No restrictions

Destruction
- Confidential: Shredding (CD, hard disk), paper shredder
- Open to Company: Shredding (CD, hard disk), paper shredder
- Open to Public: No restrictions

  4.2. Password Usage Policy
  • Creating passwords in the Facto 2000 system, granting authorization, and cancelling the password when an employee leaves the job are performed by the IT Department.
  • The temporary initial password is changed before the first login.
  • Because QUA GRANITE AŞ requires passwords to be changed at 1-month intervals, the system automatically issues a password change warning.
  • Passwords must not be attached to e-mail messages or sent in any other electronic form.
  • Passwords must not be shared with anyone else and must not be written down on paper or in electronic media.
  • Passwords must contain both letters and numbers, in lowercase or uppercase characters (e.g. ABC12D).
  • Passwords must be at least six alphanumeric characters long.
  • Passwords must not be given to anyone over the phone.
  • Passwords must not be written in e-mail messages.
  • Passwords must not be handed to colleagues while you are away from work.
  • A user name and password must not be used on more than one computer.
  • The session timeout on the operating system is 15 minutes.

  4.3. Data Integrity and Protection of Records

A systemic control environment should be established to ensure data accuracy and completeness in all systems that contain Risk Center data and are used for transmission purposes.

  • Appropriate systemic control environments have been established on the systems where the Risk Center data are located and transmitted in order to ensure the accuracy and completeness of the data.
  • The General Manager/ Assistant General Manager informs the Risk Center Management when there is a suspicion that the controls established on the systems where the data are located and transmitted are disrupted or the integrity of the data is compromised.
  • Logs are kept in a time-stamped manner within the Company. They should be periodically reviewed by the IT Manager at the end of each month.

  4.4. Data Security and Access Policy

Data kept in all information systems containing Risk Center data should be classified in appropriate data security policies and subjected to different levels of access controls.

Access to the Managed Information Systems is granted only to valid and authorized users.

Authorized user access to the Managed Information Systems should be at the lowest possible level and at a level that can perform the responsibilities specified in the job descriptions.

User access to Managed Information Systems must be provided with personalized authentication components.

Access to Managed Information Systems is restricted as follows, to the extent possible.

Physical Network Access: Only known and registered devices and/or cards may be connected to the local network backbone. Network equipment is configured so that it can identify foreign network devices attempting to connect to the network.

Logical Network Access: All identified users on Information Systems are authenticated at the network level before being granted access to resources available on the network.

Operating System Access: Only users who need interactive system access are allowed to connect directly to network servers.

Application Access: All users are authenticated before using the applications required to perform the tasks defined for them. A user/authorization request is submitted through the Credit Bureau for personnel who will access Risk Center data and the Risk Center.

  4.5. Accessibility of Data

Authorization controls for the factoring software in use are reviewed by the Internal Control Manager on a quarterly basis (March/June/September/December).

Appropriate system infrastructure has been established to ensure that all critical systems within QUA GRANITE AŞ that contain Risk Center data or are used for transmission purposes remain accessible.

Risk and interruption impact assessments for the system infrastructure are addressed in the business continuity plan in order to ensure the accessibility of the systems containing Risk Center data. Service levels for system accessibility are defined in the plan, and their attainment is verified and recorded through tests.

  4.6. Rules for Using E-Mail
  • The Company's e-mail system may not be used to send messages that contain elements intended to harass, abuse or in any way harm the rights of the recipient.
  • E-mails containing chain messages and any executable files attached to messages must be deleted immediately upon receipt and must never be forwarded to others.
  • Company e-mail addresses must not be used when subscribing to internet mailing lists for personal use.
  • Do not reply to harmful e-mails such as spam, chain e-mails, fake e-mails, etc.
  • E-mails asking users to enter their User Code/Password should be treated as potentially fake and deleted immediately without taking any action.
  • Employees shall not send inappropriate content (pornography, racism, political propaganda, material that infringes intellectual property rights, etc.) via e-mail.
  • Company employees are responsible for preventing corporate e-mails from being seen or read by persons outside the organization and by unauthorized persons.
  • Files attached to e-mails of unknown origin must not be opened and must be deleted immediately. Such attachments may contain malicious code such as viruses, e-mail bombs and trojan horses.
  • Webmail should not be used from a computer whose security is not assured.
  • E-mail should be reviewed frequently; incoming messages should not be left on the general e-mail server for a long time and should be saved in a personal folder on the computer.
  • Employees of our Company should not expect privacy in the e-mails they send, receive or store. In case of illegal or insulting e-mail communication, authorized persons may inspect e-mail messages without prior notice and may initiate legal and administrative proceedings against the user.
  • Users are responsible for the security of their e-mail account password and for any legal proceedings arising from the e-mails they send. They are obliged to contact and notify the authorities as soon as they realize that their password has been compromised.
  • E-mail boxes that have not been used for six months may be removed by the IT Department. Personnel who leave the institution may not use the corporate e-mail system. If the holder of an e-mail address changes department, retires or leaves the job for any reason, the responsible managers must notify the IT Department of the change as soon as possible.
  4.7. Antivirus Policy
  • All computers must have the institution's licensed antivirus software installed, and it must not be prevented from running.
  • A computer without antivirus software installed must not be connected to the network, and the IT Department must be notified.
  • It is forbidden to create or distribute malicious programs (e.g. viruses, worms, trojan horses, e-mail bombs, etc.) within the institution.
  • No user may remove the antivirus program from the system for any reason or install another antivirus product on the system.

  4.8. Internet Usage Policy

  • No user may use internet services via peer-to-peer connections (Torrent, etc.).
  • Messenger, Facebook, Twitter and similar messaging and chat programs should not be used except for official conversations over the network between computers, and files should not be exchanged through these chat programs.
  • No user may use multimedia streaming (video or mp3 streaming and watching) over the internet. This consumes internet bandwidth and makes it harder for other users to access data.
  • Excessive browsing of non-work-related websites is prohibited during working hours.
  • Sending and downloading high-volume files that are not related to work is prohibited.
  • Software that has not been approved by the institution may not be downloaded over the internet, and such software may not be installed or used on the institution's systems.
  • Internet sites contrary to the general understanding of morality should not be accessed, and files should not be downloaded from them to the computer.
  • It is forbidden to download and/or install files and programs such as screen savers, patches, desktop pictures, so-called auxiliary tools and repair programs over the internet, as they damage computer operating systems.
  • The IT Department may monitor and compile statistics on employees' internet usage in order to prevent loss of work. Restrictions may be applied to internet access when necessary.
  4.9. General Usage Policy
  • In case of prolonged absence from the computer, the computer must be locked so that third parties cannot access the information on it.
  • Computers that are not joined to the Domain must be removed from the local network, and no information may be exchanged between such devices and the devices on the local network.
  • In case of theft or loss of a laptop computer, the IT Department must be notified as soon as possible.
  • All users are responsible for the security of their own computer system. The owner of the system is responsible for any attacks against the institution or any person that may originate from that computer (e.g. electronic banking fraud, e-mail with insulting or political content, misuse of user information, etc.).
  • Activities that threaten network security, such as port or network scanning, must not be carried out.
  • Company information must not be transmitted to third parties outside the organization.
  • No peripheral devices may be connected to users' personal computers without the approval of the IT Department.
  • Devices, software and data must not be taken out of the company without authorization.
  • It is forbidden to install or use programs of unknown origin (from magazines, CDs, internet downloads, etc.) other than the software used by the company.
  • Unauthorized personnel are forbidden to view or obtain confidential and sensitive information in the company.
  • Special attention must be paid to the confidentiality and privacy of corporate and personal data. These data may not be given to third parties or institutions in electronic or paper form, without prejudice to the provisions of the company's relevant legislation on this subject.
  • Personnel are responsible for the security of corporate information on the desktop and laptop computers allocated to them for corporate work.
  • Persons authorized by the IT Department may access an employee's computer on site or remotely and perform security, maintenance and repair operations without notifying the user. In doing so, authorized personnel providing remote maintenance and support services may not view, copy or change personal or corporate information on the computer.
  • Programs for gaming and entertainment purposes must not be run or copied on computers.
  • No files other than official documents, programs and educational documents may be exchanged between computers.
  • Computers and devices must not be used as servers on the network (web hosting, e-mail service, etc.) without the knowledge of the IT Department.
  • Existing settings on computers (network settings, user definitions, resource profiles, etc.) must not be changed in any way without the knowledge of the IT personnel responsible for the unit and the relevant technical personnel.
  • Unlicensed programs must not be installed on computers under any circumstances. Personnel who keep unlicensed software on their computers are personally liable under the relevant laws.
  • Computer resources should not be shared unless necessary, and where resources are shared the password usage rules must be followed.
  • When a problem occurs on a computer, unauthorized persons must not intervene; the IT Department must be notified immediately.
  4.10. Information Security Awareness and Training

Depending on the needs of the parties accessing Risk Center data, information security awareness training programs/notices are organized. Users are trained in security methods and the correct use of information processing tools to reduce potential security risks.

Information Security Awareness Training is provided to all employees to ensure Information Security. The training is recorded with the attendance list.

  4.11. Management of Information Security Incidents

An Information Security Incident is an error or event affecting the confidentiality, integrity or accessibility of information that causes, or may cause, material, moral, reputational or similar damage to QUA GRANITE AŞ.

In the event of a significant Information Security Incident / Error, the following should be done:

  1. The person who observes the incident fills in the Information Security Incident Notification Form for the error and notifies IT personnel.
  2. IT personnel must record and document all evidence related to the incident under their responsibility.
  3. All actions taken during the response to the incident must be recorded in detail (camera recording, screenshot, audit log, photograph, printout, etc.).
  4. To prevent the error from recurring, information and information technology security controls must be reviewed immediately and the review recorded on the Corrective/Preventive Action form.
  5. The company should provide relevant audit trails and other documentation required for internal problem analysis, compensation negotiations with external parties or legal proceedings.
  6. When necessary, the company should delegate the actions to be taken to senior management and activate business continuity plans to minimize the impact to the organization.
  7. In the event of incidents related to Risk Center data, Risk Center Management should be informed as soon as possible and the necessary details should be communicated.
  8. If the incident requires urgent intervention, the intervention is carried out without written approval. After the intervention, an informative report is prepared for Senior Management within 5 business days.

  4.12. Management of Information Security Risks

The objectives of the risk assessment are to identify and prioritize information security risks from the perspective of QUA GRANITE AŞ and to plan the actions required to reduce them to a level acceptable to Company Management.

For all parties accessing critical systems and Risk Center data within the Company:

- Risk assessment is applied to determine the IT security control requirements and management priorities for critical systems and for systems hosting Risk Center data.

- The resources to be spent on IT security controls must be balanced against and consistent with:

  - the possible damages and sanctions that may arise from a significant IT security breach, the threats involved, and the assessed likelihood of each threat being realized;

  - changing regulations, needs and priorities, in line with which risks and security controls are reviewed when necessary.

In addition, where appropriate and useful, risk management techniques may be applied to all information systems as a whole or to individual system components or services.

The Risk Assessment Process is carried out taking into account the following:

- The importance of the information, equipment, software and information system assets to the company,

- All company activities, products and services supported by Information Systems,

- Possible damage to the company's stakeholders and customers, violations of existing contracts, legislation and laws, financial losses and reputational damage caused by a significant breach of organizational information,

- The realistic likelihood of such a breach, considering the existing controls and emerging threats, the environment in which the system is used and operated, and the period during which the information remains useful,

- Additional controls needed to reduce those risks to an acceptable level,

- Actions required to establish and operate appropriate additional controls.

If it is decided that the risks identified as a result of this assessment are unacceptable and that the risks cannot be adequately prevented or reduced through further methods, information technology security improvement plans are prepared and implemented.

  4.13. Policy Violation and Sanctions

Company employees must read, implement and comply with the Information Security Policy. To ensure that all relevant parties are informed of and comply with the matters defined in the Information Security Policy, a written commitment of awareness and compliance is obtained from each of them.

Violation of this Policy, failure to fully comply with the rules in the implementation section, or failure to implement these rules results in a warning, reprimand, fine or contract termination. The decision on which penalty to apply is made by Senior Management.

  4.14. Policy Updates

It is essential that the Company's Information Security Policy is up-to-date. Review and update work is carried out at least once a year to ensure currency. When deemed necessary by the Company Management, updates may be made without waiting for periodic review.

I have read, understood and accepted the Information Security Policy.

NAME SURNAME

T.R. IDENTITY NUMBER:

DATE:

SIGNATURE: