INFORMATION SECURITY POLICY


2023

1. PURPOSE

The ININAL Information Security Policy has been prepared to inform all employees, suppliers, branches, representatives, business partners and stakeholders about ININAL's information security scope, aims, objectives and principles, and about the roles and responsibilities related to information security.

2. SCOPE

This policy covers the scope of information security, objectives, principles, management support, risk management framework, continuity, duties and responsibilities, compliance requirements and sanctions to be applied in case of violation of data and information within ININAL.

3. ROLES AND RESPONSIBILITIES

The Information Security Committee is responsible for ensuring the currency and continuity of the Information Security Policy. Updates to be carried out in the Information Security Policy are determined at the Information Security Committee meetings and reflected in the document by the Information Security Manager. The document is approved by the Board of Directors at each update. The duties and responsibilities of the relevant parties within this scope are described in the Information Security Roles and Responsibilities Procedure. All unit managers are responsible for the continuous review and improvement of the systems within their areas of responsibility, and all employees are responsible for using and implementing up-to-date documents. Details regarding the information security requirements and rules framed by this policy are regulated by information security procedures. Company employees and third parties are obliged to know these procedures and to carry out their work in accordance with these rules.

4. DEFINITIONS AND ABBREVIATIONS

Information Security Committee : The committee established to set policies, procedures and processes for the management of information systems and for ensuring information security, and to effectively manage the risks arising from the use of information technologies.
Sensitive payment data : These are passwords, codes, data that users use to prove their identity on the systems, such as card number, card expiration date,
ISMS : Information Security Management System
Company : ininal Ödeme ve Elektronik Para Hizmetleri A.Ş.
MS : Management system

5. REFERENCE DOCUMENTS

6. INFORMATION SECURITY POLICY

INİNAL; in order to ensure information security requirements arising from national, international or sectoral regulations to which it is subject, to fulfill the requirements of the relevant legislation and standards, to meet its obligations arising from agreements, and corporate responsibilities towards internal and external stakeholders:


7. INFORMATION SECURITY GOALS AND OBJECTIVES

The Information Security Policy aims to guide the company's employees, suppliers, representatives, business partners and stakeholders to act in accordance with the company's security requirements; to increase their level of consciousness and awareness and thus minimize the risks that may occur in the company; to protect the reliability and image of the company; to ensure compliance with the requirements specified in contracts with third parties; to implement technical security controls; to ensure that the company's core and supporting business activities continue with minimum interruption; and to protect physical and electronic information assets that affect the entire operation of the company against internal and external, intentional or unintentional threats.

8. INFORMATION SECURITY ORGANIZATION

Company management creates the information security organization within the company. In this regard, the activities related to the establishment, maintenance and management of security policies in the company with a holistic approach are carried out within the scope of the Information Security Management Process. The roles and responsibilities to coordinate and manage the security control processes of the company are determined within the scope of the Information Security Roles and Responsibilities Procedure and assigned to the relevant persons. New policies are developed to meet the needs arising from developments in security technologies.

9. RISK MANAGEMENT FRAMEWORK

The Company's risk assessment approach to information security is determined by the Information Security Committee and defined within the scope of the Information Security Management Process. The information security risk assessment approach determines the methods by which the company's information security risks will be determined, how risk levels will be calculated and how risks will be assessed. The identification, rating, processing and review of risks that may arise in relation to information assets are carried out in accordance with the determined risk assessment approach.

As a result of the risk assessment study, an "Information Systems Risk Assessment Report" is prepared, including actions to mitigate risks. The Information Security Plan is created and updated annually.

10. ANNEXES AND STANDARD FORMS USED

Information Security Roles and Responsibilities Procedure

Information Systems Risk Assessment Report

11. POLICY VIOLATION AND SANCTIONS

All company employees, suppliers, agents, representatives, business partners and stakeholders are obliged to comply with security requirements arising from applicable laws, regulations and contracts, intellectual property rights, license agreements and security requirements set by the company. Managers ensure compliance with security policies and standards in the operation of all processes in their areas of responsibility. All company employees are responsible for the use of company data in accordance with their degree of confidentiality.

Information security review activities are carried out within the scope of the Information Security Management Process to audit compliance with the Company's information security policies. The status of compliance with the Information Security Policy is reported to the Board of Directors at least once a year.

12. OVERVIEW, PUBLICATION AND INTERNAL CONTROL, AUDIT, REPORTING

Revisions to legislation or information security implementation processes require a review of the policy. The revised and updated policy is approved by the Board of Directors. The approved policy is published unclassified on the common file server accessed by all employees of the organization and on the ININAL website.

This policy is reviewed and audited at least once (1) a year under the responsibility of the Information Security Manager within the scope of service delivery and activities with a security approach.

13. DOCUMENT REVISION CHECKS

Document Revision Information

Revision Description                          Date           Revision No.
Establishment of Information Security Policy  March 2015     01.0
Annual Review                                 April 2016     01.1
Annual Review                                 August 2017    01.2
Annual Review                                 May 2018       01.3
Annual Review                                 May 2019       01.4
Annual Review                                 November 2020  01.5
Annual Review                                 December 2021  01.6
Revision and update within the scope of ISMS  28.07.2022     02.0
Annual Review                                 11.07.2023     02.1

POL_001_Information_Security_Policy

Release Date: 10.03.2015
Revision: 02.1

Integrity: Low
Accessibility: Low

Confidentiality: Unclassified