Information Security Policy

GOAL

To outline the information security conditions that the employees and interested parties must comply with within the Istanbul Energy General Directorate and to determine the written rules.

SCOPE

It covers the information systems assets within the Istanbul Energy General Directorate, the personnel providing access to information systems, the business processes of software development, sales, installation, support, integration, training and consultancy services. Working environments in the location given below are within the scope of ISMS certificate.

Istanbul Energy Head Office

RESPONSIBILITY AND AUTHORITY

ISMS Manager is responsible for ensuring the up-to-date and continuity of the Information Security Policy. Updates to the Information Security policy are determined at the Management Review meetings and reflected in the document by the ISMS Manager. In every update, the document is approved by Senior Management.

INFORMATION SECURITY

Information, like other important commercial and institutional assets, is an asset that has value for an enterprise and institution and therefore must be properly protected. Information security protects from danger and threat areas to ensure business continuity and minimize losses. Information security is defined in this policy as the protection of the following information attributes.

Confidentiality: To ensure that the information is accessible only to authorized persons,

Integrity: To ensure the accuracy of the information and processing methods and unauthorized modification,

Accessibility: To guarantee that authorized users can access information and related resources as quickly as possible. The information security policy document is the document that specifies the highest level of principles to be used during the implementation of the audits created to ensure the above protections and requirements.

GOALS AND OBJECTIVES OF INFORMATION SECURITY

The objective of the Information Security Policy is to protect physical and electronic information assets that affect the entire operation of the company.

The objective of the Information Security Policy is to protect physical and electronic information assets that affect the entire operation of the company. Protecting the physical and electronic information assets, protects the reliability and image of the company, ensures compliance determined in contracts with third parties, and applies technical security controls. Another goal is to guide the employees of Istanbul Energy General Directorate to act in accordance with the security requirements of the company, to increase their awareness and awareness and to minimize the risks that may arise in the company in this way.

INFORMATION SECURITY ORGANIZATION

ISMS Management Representative is responsible for maintaining and developing Information Security related activities. ISMS Manager is responsible for the establishment and operation of the Information Security Management System. ISMS Management Representative and ISMS Manager were appointed by Senior Management. ISMS Officers were determined in the units within the scope. ISMS Officers are responsible for monitoring and coordinating the Information Security Management System activities in their units. The activities of operating, maintaining, reviewing action plans, making decisions and implementing ISMS are carried out by a committee. In this sense, ISMS Executive and Management Committee has been established. ISMS Executive and Management Committee consists of ISMS Senior Management Representative, ISMS Manager, Related Managers and ISMS Officers elected from related units. ISMS Executive and Management Committee may also meet in the event of an evaluation of business continuity drill reports or an important security breach incident.

RISK MANAGEMENT

The company’s ISO 27001 risk management framework; It covers the identification, assessment and processing of Information Security and Service Management risks. Risk Analysis and Risk Processing Plan defines how Information Security and Service Management risks are controlled. ISMS Execution and Management Committee is responsible for the management and implementation of the Risk Processing Plan.

ROLE AND RESPONSIBILITIES

In this section, information security responsibilities are defined for ISTANBUL ENERGY General Directorate.

PARTIES

RESPONSIBILITIES

ISMS Management Representative

– To realize the necessary resource and responsibility allocations for the establishment and operation of the Information Security Management System,

– Supporting the ISMS infrastructure and continuing its operation,

– Ensuring the operation of mechanisms that will enable employees to be informed about ISMS,

– To ensure the use of educational methods for the employees to understand and recognize the risks they may encounter regarding information security,

– To plan and provide the needs identified to ensure information security,

– Approving the Security Policy and ensuring its implementation within the company,

– Approving ISMS comprehensive documents,

– To confirm residual risks arising from the ISMS comprehensive Risk analysis.

ISMS Manager

 – Ensuring the establishment and operation of the Information Security Management System,

– To coordinate the Management Review meetings,

– Revision and control of ISMS documents,

– Approving ISMS comprehensive documents,

– Coordinating the information security awareness training of the employees and evaluating the training activities,

– To evaluate the results of the risk analysis, to coordinate the determination and implementation of the controls,

– To evaluate and monitor the Information Security Violation incidents,

– To follow the corrective and preventive activities related to Information Security and to approve the records.

– Reviewing the Information Security Policy periodically and ensuring the approval of ISMS Management Representative.

Unit Managers

– To know and comply with the Information Security Policy,

– To comply with the behaviors to be followed within the scope of ISMS,

– To convey the suggestions that are deemed necessary for the healthy functioning of ISMS to the relevant person and to contribute to the improvement of the system,

– To report security violation incidents related to the information systems he notices to the Unit Manager,

– To participate in Information Security Awareness trainings.

3rdparty on

– To know and comply with the Information Security Policy,

– To comply with the behaviors to be followed within the scope of ISMS,

– To comply with the Confidentiality Agreements committed,

– To forward suggestions and violation incidents that are deemed necessary for the proper functioning of ISMS.

– Understanding the Requirements of the Interested Parties and acting in accordance with the Communication table.

INFORMATION SECURITY POLICY

9.1 General Principles

Details of the information security requirements and rules outlined by this policy are regulated by ISMS procedures. Employees of the General Directorate of ISTANBUL ENERGY and 3rd parties are obliged to know these procedures and carry out their work in accordance with these rules.

Unless otherwise specified, these rules and procedures are essential for the use of all information stored in printed or electronic media and for the use of all information systems.

Information Security Management System is configured and operated on the basis of the TS ISO / IEC 27001 “Information Technology Security Techniques and Information Security Management Systems Requirements” standard.

Consultancy Services Directorate carries out the implementation, operation and improvement works of ISMS with the contribution of the relevant parties. ISMS Manager is responsible for updating ISMS documents when necessary. It is the responsibility of the relevant directorates to update documents such as attachments, forms and instructions.

The information systems and infrastructure offered to the employees or third parties and any information, documents and products produced using these systems belong to the company, unless there are legal provisions or contracts requiring otherwise.

Business continuity management is applied to protect critical business processes from the effects of major disasters and operating errors.

Trainings that will increase the awareness of information security of employees and contribute to the functioning of the system are regularly given to existing company employees and new employees.

All actual or suspicious violations of information security are reported; nonconformities causing violations are identified, measures are taken to prevent their repetition by finding the main reasons.

9.2 Basic ISMS Principles

When necessary, confidentiality agreements are made with employees and third parties aimed at securing the privacy needs of the institution.

Security requirements and controls are expressed in specifications and contracts by analyzing the security requirements that may occur in outsourcing situations.

Inventory of information assets is created in line with information security management needs and asset ownerships are assigned.

Corporate data are classified and the security needs and usage rules of the data in each class are determined.

Information security controls to be applied in recruitment, job changes and turnover processes are determined and implemented.

Physical security controls are applied in parallel with the needs of the assets stored in safe areas.

Necessary controls and policies are developed and applied against physical threats that they may be exposed to inside and outside the firm for information assets belonging to the firm.

Procedures and instructions regarding capacity management, relations with third parties, backup, system acceptance and other security processes are developed and implemented.

Audit logging configurations for network devices, operating systems, servers and applications are adjusted in parallel with the security needs of the respective systems. Audit records are protected against unauthorized access.

Access rights are assigned as needed. The safest possible technologies and techniques are used for access control.

Security requirements are determined in system supply and development, and it is checked whether security requirements are met in system acceptance or tests.

The necessary infrastructure is created for reporting information security violation incidents and weaknesses. Violation incident records are kept, necessary corrective and preventive actions are implemented and learning from security incidents is provided through awareness trainings.

Continuity plans are prepared for critical infrastructure, and maintenance and application is carried out.

Necessary processes are designed to comply with laws, internal policies and procedures, technical security standards, and compliance is ensured through continuous and periodic surveillance and inspection activities.

9.3 ISMS Rules to Follow

Acceptable Usage Rules that must be followed determines the rules to be followed for information storage, transmission and usage forms in corporate business processes and related works for employees and 3rd parties.

The following behaviors; otherwise, unless there is a clear job description, instruction or procedure, it is considered as a violation of the Information Security Policy.

The information systems and applications provided by the company are used for business purposes. Personal uses that do not hinder business processes and do not violate the Information Security Policy and ISMS procedures are considered to be acceptable.

In accordance with the principles of “Clean Table and Clean Screen” in the work areas, measures should be taken in such a way that the information cannot be seen by others, except for the information in General feature;

Non-generic documents should not be left at the tables.

While working on non-generic files, computer screens should not be left in a position that everyone can see.

Non-general documents should be removed from desktops and stored in drawers and cabinets with necessary protections when not in use to prevent them from being seen by other people.

Except for non-general documents, the company should not examine, change, store, copy, delete and share the documents that are not delivered or delivered directly to the business.

Except as clearly stated by the company, they should not share, sell, transfer, publish, and share the institution’s information with third parties.

Unit employees should keep the desk and cabinet drawers locked in the environment they work in and should not share the keys with anyone other than those responsible.

When computers are out of active use, encrypted screensavers should be activated. • Computer systems should be kept off except working hours.

Employees should only use the usernames and passwords provided to them.

Employees must not say, write, save or electronically store the username and password information given to them, which will allow unauthorized persons to capture them.

The company’s information and communication systems and equipment (Internet, e-mail, telephone, pagers, fax, computers, mobile devices and mobile phones, etc.) should be used to carry out the business of the company. These systems should not be used in any way that is illegal, against the company’s other policies, standards and guidelines, or in any way that could harm the company.

All computers that will access resources on the company’s information systems should be included in the domain and used.

Unless necessary, computer resources should not be shared. In case resources are shared, only relevant people should be empowered.

Confidential and sensitive information should be encrypted electronically before being sent to the company and especially outside the company.

It should not comply with the “Physical Security Procedure” required to protect documents, electronic media and information systems that contain confidential information.

The company should not share information systems, databases, files, network topologies, device configurations and similar resources with third parties unless explicitly authorized by the company.

Company employees are responsible for protecting the company information in accordance with the principle of confidentiality as long as they work or leave the company (retirement, resignation, etc.).

Users of portable systems must follow the “Portable Media Use Procedure” to ensure the security of these systems.

All possible systems, especially user computers and servers, should be used in accordance with the “Anti-Virus and Malware Protection Procedure” to protect against malware.

The “Information Processing Procedure” should be followed while processing, storing and transferring confidential information in an electronic environment.

“Equipment Disposal Procedure” should be followed in the destruction of confidential information and information containing environments.

Access to all information systems, except public systems (e.g. public websites), should be password protected. Passwords must be defined and used in accordance with the “Password Policy”.

The “Information Processing Procedure” should be observed in the transmission of confidential information via mail, fax, telephone, e-mail and similar electronic methods.

It should not share information other than public information on the internet, in newsgroups, mailing lists and forums.

The commissioning and development of new information systems should be done in accordance with the “New Information Systems and Improvement Procedure”.

The e-mail accounts allocated to employees and third parties where necessary should be used in accordance with the “E-mail Procedure”.

Whether the computing systems comply with the technical security requirements should be checked in accordance with the “Procedure for Checking Technical Gaps”.

The information processing systems of the company should not be left out of use, relocated and taken out of the company without permission.

It must not remove or disable security software (e.g. anti-virus, personal firewall, etc.) specified by the company in writing from the computing systems.

It should not install and use client-to-client file sharing programs (P2P) on corporate computers.

Do not install and run software prohibited by the company on computers owned by the company. • The software licensed by the company should not be reproduced, shared or taken out of the company.

Information should not be transferred between systems not included in the domain and systems included in the domain.

Unless confidentiality agreements are signed with the parties and supervised by the authorized company employee, they should not be connected to the information systems and equipment of the institution and should not be allowed to work.

Personal computer applications (e.g. e-mail programs, office applications, software development tools, network test tools, etc.) should not be installed and used on server systems.

Server services (e.g. HTTP, Telnet, SSH, etc.) that are not required for business processes and are not allowed to be used should not be run on information systems. • The institution provided by the company and whose usage purposes and formats are notified in writing should not be used to connect to the internet or other networks by a method other than network connection methods (eg ADSL modem, 3G modem, GPRS, etc.).

Employees should not attempt to enter into information systems internally or externally, even though they are not authorized.

Programs and tools for breaking the encryption and password mechanisms should not be loaded and used in the information systems of the company.

No modifications, upgrades or extensions should be made on the firm’s information systems without the firm’s knowledge and consent.

Files that are not work related or protected by copyright (eg music, movies, book files, etc.) should not be downloaded, stored, reproduced, and shared on company computers and information systems.

Company information systems should not be used for entertainment purposes (games, etc.) outside of work.

Chained e-mail should not be sent with company e-mail account.

Except for the “reporting” method and interlocutors specified in the Information Security Violation Incident Management Procedure, the information or security vulnerabilities observed in the company information systems or processes should not be forwarded, disclosed, published or accessed to other systems and information beyond its authority. It should not be used to increase its powers.

10. Sanctions

If it is determined that the policies and procedures of the Istanbul Energy General Directorate are not followed, the sanctions determined in the related articles, principles and contracts applicable to the employee responsible for this violation or the 3rd party are applied.

MANAGEMENT RESPONSIBILITY

11.1 Management Commitment

Istanbul Energy General Directorate establishes and executes the Information Security Management System to fulfill the requirements specified in ISO / IEC 27001 in order to achieve its targets and policies.

Management of ISTANBUL ENERGY General Directorate undertakes to comply with the Information Security Management System that has been defined, put into effect and implemented and that it will allocate the resources required for the system to operate efficiently, improve its effectiveness, continuously and ensure that it is understood by all employees. As a result of this commitment, it organizes information security awareness programs throughout the company and continues infrastructure investments.

While the ISMS is being established, the ISMS Management Representative and ISMS Manager are appointed by the senior management with an appointment letter. When the ISMS Management Representative and the ISMS Manager change, the document is revised by the senior management when it leaves the job and the appointment is made again. It is up to the senior management to determine and change the ISMS Manager.

Managers at the management levels help to give responsibility and set an example to the staff at lower levels regarding security. It is obligatory to go down to the lowest level personnel of the company with a security understanding starting from the upper levels. For this reason, they support the personnel working on security in order for the managers of the company to comply with the security procedures both in written and verbally and to participate in the studies on security.

The top management of ISTANBUL ENERGY General Directorate creates the budget required for comprehensive information security studies.

12. MANAGEMENT REVIEW

Management Review meetings are held by ISMS Executive and Management Committee. This committee meets at least once a year with the participation of ISMS Management representative or for the periodic evaluation of the suitability and effectiveness of the Information Security Management System when needed. The meetings are held in accordance with the Management Review Procedure.

ACCESS TO THIRD PARTIES ‘KNOWLEDGE

In the event that third parties who are not employees of the General Directorate of ISTANBUL ENERGY need to use information systems (e.g., external maintenance and repair personnel), the ISMS Manager is responsible for keeping these people aware of the information security policies related to the company. For this purpose, agreed and approved security agreements should be made before signing the contract in temporary or permanent employment contracts. If necessary, time must be allocated for third party personnel to comply with the policy.

PROVIDING EXTERNAL SOURCE

While the management of the information network and / or user computer environments is given to external sources, information security needs and conditions should be explicitly included in an agreed agreement between the two parties.

UPDATING AND REVIEWING THE INFORMATION SECURITY POLICY

ISMS Manager is responsible for ensuring the continuity and review of the policy document. Information Security Policy organizational changes, business conditions, legal and technical regulations, etc. reasons are evaluated in terms of compatibility with today’s conditions.

The Information Security Policy Document should be reviewed at least once a year. Apart from this, it should be reviewed after any changes that affect the system structure or risk assessment, and if any changes are required, they should be recorded as a version change and each version should be approved by senior management. Each version change must be published to all users via e-mail, server or in writing. In the reviews;

The effectiveness of the policy should be monitored through the nature, number and impact of recorded security failures.

The timeliness of the policy should be observed through the impact of technological changes.

The policy should be reviewed after any changes that affect the system structure or risk assessment.

RELATED DOCUMENTS

All ISMS Documentation

As the company management, I declare that the implementation and control of the “Information Security Management System Policy” and the enforcement of the necessary sanction in security breaches are supported by the management.