INFORMATION SECURITY POLICY
For Sisel Mühendislik Elektronik Sanayi ve Ticaret Anonim Şirketi ("Company"), information assets (all types of data, documents, software, hardware, systems, infrastructure components and related services) are critical for conducting and ensuring the continuity of corporate activities; all employees who use, manage, process or have access to the Company's information assets, as well as third parties acting on behalf of the Company (service providers/suppliers/business partners), are responsible for complying with obligations related to the protection of information assets.
The purpose of this Policy is to protect the Company's information assets against all threats, whether internal or external, intentional or accidental; to ensure the uninterrupted sustainability of the Company's core and supporting business processes; to safeguard the confidentiality, integrity and availability of information; and to define the corporate control approach within this framework. The Company proceeds from the principle that its information security culture operates as a holistic structure built not only on technical measures but also on process management, authorization, awareness, audit and continuity.
All employees who access and use common information assets within the Company are expected to exercise due diligence within the scope of their duties and responsibilities, and to act in a manner that protects corporate reputation, trade secrets, customer/employee/visitor data and operational information.
The principle of confidentiality is essential as per corporate values. Accordingly, unless the owner of the information has given explicit consent to sharing, the relevant unit has granted authorization, or applicable legislation explicitly requires it, information may not be shared with third parties; unauthorized access, disclosure, copying or removal from the organization are unacceptable.
In line with its commitment to design and maintain information security management based on international standards, the Company aims to adopt a control framework compatible with the ISO 27001 Information Security Management System approach and good practices in service management. In this context, the Company commits to:
- Establishing the administrative and technical mechanisms needed to provide secure access to the information assets of the Company and its stakeholders, to manage access on the basis of role, need and authority, and to ensure traceability,
- Protecting the confidentiality, integrity and availability of information assets; reducing unauthorized access, data loss, data leakage, alteration, corruption and service interruption risks to reasonable levels,
- Identifying, assessing and managing risks to the information assets of the Company and its stakeholders; applying risk acceptance, risk avoidance, risk reduction, risk control and risk transfer methods in line with risk appetite,
- Protecting corporate reliability, service quality, operational integrity and brand reputation; systematically operating preventive and corrective measures to reduce the impact of information security incidents,
- When an information security breach, vulnerability or policy violation is detected, carrying out the necessary investigation, reporting, corrective action and disciplinary/sanction processes according to the nature of the incident, within the framework of current internal regulations and legislation,
- Meeting the information security requirements arising from the national/international/sectoral regulations, contractual obligations and standards to which it is subject; conducting transactions securely within the framework of corporate responsibilities towards internal and external stakeholders,
- Reducing the impact of information security threats on business/service continuity within the scope of its business continuity approach; operating appropriate business continuity and redundancy principles for critical processes and improving incident response and recovery capability,
- Maintaining and continuously improving the information security level with the established control infrastructure; keeping policies and controls up to date with audit, review and performance measurement mechanisms,
- Providing training to develop the competencies of employees in order to increase information security awareness; providing regular briefings in areas such as confidentiality, data security, password security, social engineering, email security, portable media use,
- Taking the necessary organizational and technical measures to ensure the security of personal data within the scope of the Personal Data Protection Law No. 6698 (KVKK) and its secondary regulations and, where applicable, data protection regimes such as the General Data Protection Regulation (GDPR); observing the principles of legality and security in personal data processing activities,
- Establishing the governance structure needed to strengthen data leakage prevention controls and processes, specifically for personal data security, through restricted access authorizations, traceable records, and secure storage and destruction principles,
- Maintaining compliance with applicable legislation, standards and internal regulations regarding the Company's information security and service management processes; implementing policy provisions in line with operational requirements.
This Policy is binding for Company employees, third parties who access information assets or provide services on behalf of the Company, and all stakeholders processing Company information assets. Where the Policy provisions are violated, the necessary administrative/technical actions are taken according to the nature of the incident, and the relevant processes are operated without prejudice to the Company's contractual and legal rights.