Avşa Consultancy Corporate Information Security Policy



A. Objective

This policy has been prepared to ensure the protection of Avşa Consultancy's information in terms of confidentiality, integrity and accessibility.

B. Scope

This policy applies to all IT and related information assets of Avşa Consultancy.

C. Text of the directive

1. All policies that constitute Avşa Consultancy's information security must comply with the ISO27001 standard.

2. All Avşa Consultancy personnel are responsible for information security.

3. Company resources and information may only be accessed by personnel who know in advance what those resources and that information are. Data whose nature is unknown to the person must not be accessed. Where there is any doubt about a piece of information, its information owner must be consulted.

4. Avşa Danışmanlık Information Security Board has been established to manage and guide security. The ISMS board will meet regularly at least every six years and consists of unit managers representing the groups and the ISMS Manager.

5. An "Information Security Portal" will be established within the company. The purpose of this portal is to provide electronically accessible corporate information resources for employees who have problems, questions or information to report regarding information security.

6. Information Security shall be based on Confidentiality, Integrity and Accessibility when processing, transmitting and maintaining information.

7. All critical information assets (hardware, software, devices, data) of the company will be identified and appropriately protected.

8. All information assets of the company will be inventoried. All information assets will be classified appropriately and records will be kept considering the business needs of the company, and physical assets will be labeled according to their categories.

9. Personnel are prohibited from accessing information assets for which they are not authorized.

10. All necessary precautions shall be taken for the security of information assets when they are transmitted and transported.

11. All software to be used within the company will be subjected to appropriate security audits before being moved into the production environment.

12. The Company's senior management is authorized to monitor all information traffic, regardless of the medium used.

13. The boundaries of the information network (Avşa Consultancy) will be protected and periodically monitored using appropriate hardware and software.

14. Appropriate security measures will be taken to protect against attacks against the information network.

15. All security breaches that occur in electronic media must be reported to the "Avşa Danışmanlık" ISMS Manager. The Information Security Manager will take the necessary measures to prevent these security breaches from occurring again in the future and to resolve them in a short time.

16. Necessary measures will be taken to ensure Business Continuity.

17. Appropriate Security Awareness trainings will be planned and implemented by the Information Security Board for company employees.

18. Company information will only be used for the purpose approved by the management.

19. Appropriate and detailed procedures will be put in place for business critical areas.

20. Physical Security will be emphasized. Therefore, entrance and exit doors, office rooms and product receiving/transfer areas (warehouses, entrance doors, etc.) will be secured and relevant procedures will be established.

21. Information Security Policies and Procedures will be reviewed annually, except in special circumstances.

22. In order to manage unexpected security incidents within the company, the ISMS Board will establish a "Security Crisis Desk" when necessary.

23. Company employees shall carry their security access cards on their person in a visible manner.

24. It is forbidden to discuss confidential information belonging to the Company in public places, or to give or transfer it to suspicious persons whose identity cannot be verified.

25. At the end of each meeting, the whiteboard used will be wiped and the relevant documents and note papers will be removed from the table. It will be ensured that persons other than Avşa Consultancy staff do not enter the meeting rooms unless accompanied by Avşa Consultancy staff. These rules will be posted in a clearly visible manner.

26. Employees are prohibited from leaving confidential information, files and papers in the open.

27. Security Audit of computer systems will be conducted every year in accordance with ISO27001 standards.

28. For all information-critical systems, an appropriate Business Impact Analysis and Risk Assessment will be performed by a team appointed by the Avşa Consultancy Information Security Manager, or by external resources.

29. Avşa Consultancy Information Security Board will select the necessary security measures to be taken for the assets for which a Risk Assessment has been made and ensure that they are planned and implemented.

30. No Avşa Consultancy employee may engage in any activity outside the national and international laws on information security adopted by the Republic of Turkey.



D. Sanction

In case of violation of the Corporate Information Security Policies, action is taken based on the laws and relevant articles specified in the Information Security Policy Sanctions Document with the approval of the Information Security Board and the relevant manager.