INFORMATION SECURITY POLICY

1. PURPOSE AND SCOPE

This policy has been prepared to establish a framework for protecting the confidentiality, integrity, and availability of all information assets of the DIAS Group of Companies, ensuring compliance with legal and regulatory requirements and international standards such as ISO 27001, and managing information security risks.

This policy covers all existing information assets, processes, locations, and related parties within the DIAS Group of Companies. All subsidiaries, employees, suppliers, business partners, and third-party service providers within the DIAS Group are evaluated within the scope of this policy.

1.1. Management Commitment

Within the scope of the ISMS, senior management undertakes to fulfill the following responsibilities regarding information security and privacy:

  • To ensure compliance with the requirements stipulated by laws, standards, and procedures regarding information security and privacy,
  • To establish and manage the Information Security Management System effectively in accordance with the TS ISO/IEC 27001:2022 standard and relevant legislation,
  • To ensure the establishment of the necessary organizational structure, resources, and infrastructure to enable reporting of information security and privacy breaches and to take prompt action,
  • To ensure that necessary security measures are taken and monitored in processes involving the storage, transmission, modification, access, and processing of information assets,
  • To ensure that in-process controls are established in line with the principle of segregation of duties,
  • To communicate this policy to all employees and provide the necessary resources and training for its implementation,
  • To ensure internal controls are carried out to monitor compliance with and continuous improvement of the Information Security Management System, and to consider their results in Information Security Committee and Management Review meetings,
  • To ensure the establishment of appropriate control mechanisms to evaluate suppliers’ and subcontractors’ compliance with Information Security and Privacy requirements,
  • To manage incident response processes in case of security and privacy breaches, conduct investigations, and ensure the implementation of corrective and preventive actions in line with relevant procedures and a risk-based approach,
  • To ensure that this policy is accessible to relevant parties and communicated to employees through appropriate communication channels,
  • To determine measurable information security objectives annually in line with this policy and monitor them.

1.2. Information Security Rules

  • The fundamental rules to be followed to ensure confidentiality, integrity, and availability of information assets are defined in this document. Additional rules are also included in sub-policies and procedures established within the scope of the ISMS.
  • Details regarding the information security requirements and rules outlined in this policy are regulated through ISMS procedures. Employees and third parties are responsible for knowing these procedures and conducting their activities in accordance with these rules.
  • Unless otherwise specified, compliance with information security policies and procedures is mandatory in all environments and information systems containing information.
  • The Information Security Management System is structured and operated based on the TS ISO/IEC 27001:2022 standard.
  • All information, documents, and products created using information systems and infrastructures provided by the DIAS Group of Companies are the property of the organization, unless otherwise stated or required by applicable legislation or contracts to which the DIAS Group is a party.
  • Information security and confidentiality commitments are added by the Information Security Directorate to contracts and employment agreements with employees and third parties to safeguard the organization's information security needs.
  • In cases of outsourcing, security requirements are analyzed, and necessary security controls are implemented by the Information Security Directorate, with related provisions included in specifications and contracts.
  • An inventory of information assets is created in line with information security management needs, and ownership of assets is assigned.
  • The DIAS Group’s corporate risk management framework includes the identification, assessment, and treatment of information security and privacy risks. Risk assessment defines how these risks are controlled.
  • Data belonging to the DIAS Group is classified, and security requirements and usage rules for each class are determined by the Information Security Directorate and relevant teams.
  • Information security controls to be applied during recruitment, role changes, and termination processes are defined and implemented.
  • Physical security controls are applied in line with the needs of information assets stored in secure areas.
  • Necessary controls and policies are developed and implemented to protect institutional information assets against physical threats they may face inside and outside the organization.
  • Procedures and instructions related to capacity management, third-party relationships, backup, system acceptance, and other security processes are developed and implemented.
  • Audit logging configurations for network devices, operating systems, servers, and applications are set in accordance with their security requirements. Audit logs are protected against unauthorized access.
  • Access rights are defined and assigned in line with business requirements. The most secure technologies and techniques are used to minimize unauthorized access risks.
  • The necessary infrastructure is established for reporting information security incidents and vulnerabilities. All actual or suspected incidents must be reported to the Information Security Directorate without delay.
  • Incident cases are recorded, necessary corrective actions are implemented, and lessons learned from security incidents are disseminated through awareness training.
  • Business continuity plans are prepared, maintained, and tested for critical infrastructure.
  • Necessary processes are designed to ensure compliance with laws, internal policies and procedures, and technical security standards, and compliance assurance is maintained through continuous and periodic monitoring and audit activities.
  • Management Review meetings are held in accordance with the frequency and procedures determined by the organization.
  • The rules to be followed are specified in policies and procedures prepared within the scope of the ISMS. All employees and third parties within the scope of the ISMS must comply with these rules.
  • Exception requests for the requirements defined within this policy may only be implemented for a defined period and scope, provided that a risk assessment is conducted and written approval is obtained from the Information Security Directorate and Senior Management.