
Information Security Policy


1. PURPOSE AND SCOPE

To define the necessary requirements for ensuring the confidentiality, integrity and availability of WAT information systems and information assets in all corporate assets owned by the company and all its subsidiaries.

In particular, WAT commits to the following:

  • Ensuring the confidentiality, integrity and availability of WAT information and information systems,
  • Identifying risks to information assets and managing risks systematically,
  • Fulfilling the requirements of Information Security Standards,
  • Ensuring compliance with all legal legislation related to Information Security,
  • Providing necessary resources for maintaining the Information Security Management System, establishing controls, evaluating continuous improvement opportunities and conducting necessary studies for oversight,
  • Conducting training to develop technical and behavioral competencies to increase information security awareness.

WAT provides the establishment and oversight of controls necessary for the operation and continuity of Information Security Management System processes through sub-policies, procedures and instructions attached to this policy. Information Security Policies are valid and mandatory for all personnel using all information or business systems, whether full-time, part-time, permanent or contractual, regardless of geographical location or business unit. All persons not falling into these classifications but requiring access to WAT information, such as third-party service providers and their affiliated support personnel, must adhere to the general principles of this policy and other security responsibilities and obligations they must comply with.

2. RESPONSIBILITIES

2.1. Board of Directors and Senior Management

The Board of Directors approves the Information Security Policy, which determines information security strategy and roadmap, for establishing an effective information security management structure and mandates its implementation. For the approval of all standards, procedures and instructions to be prepared within the scope of the policy, Senior Management consisting of General Manager, Finance & Financial Affairs Director, Legal and Compliance manager is authorized by the Board of Directors. Senior Management carries out necessary resource and authority/responsibility allocations for establishing and operating the Information Security Management System. Senior Management, representing the Board of Directors, periodically participates in the Information Security Committee where information security system reviews are conducted. Senior management reports to the Board of Directors member responsible for "Information Security and Cyber Security Management".

2.2. All Employees

All employees are obliged to comply with all policies and procedures published in the Information Security Management System category, to report realized or potential security violations and vulnerabilities, and to carry out all activities requested by the Information Security Board.

The purpose of Information Security and this policy is to protect, maintain and manage the confidentiality, integrity and availability of information and all supporting business systems, processes and applications. This means ensuring that information remains in authorized hands, that information is complete, accurate and available, and that information and systems are ready for use when needed. Therefore, all WAT and outsourced personnel, interns, dealer users and sub-industry personnel, regardless of their positions or duties, are responsible for doing their jobs in a manner that protects information within WAT.

In this context, Asset and Process Owners:

  • Comply with the Information Security Policy and procedures announced to them.
  • Ensure compliance with Information Security documents in the processes, flows, instructions, guides, forms and similar documents they create for managing their own processes and systems.
  • Report to [email protected] / [email protected] in cases where compliance with Information Security policies and/or procedures is not ensured, or in information security violation incidents.
  • Not engage in activities that may adversely affect the operation of information systems or endanger information security.
  • Report update/improvement requests related to Information Security documents to the Information Security Manager.
  • Request access to information and corporate resources only within the scope of business needs.
  • Determine the access rights of the assets and Personal Data they own, specifying who can access them and with what privileges, on a manager and user basis.
  • Monitor the asset inventory and ensure its currency.
  • Are responsible for ensuring the classification, updating and review of the assets they own, including Personal Data.

WAT personnel must also comply with the protection of confidential information specified in the WAT Personnel Regulations Rules and the WAT Global Business Ethics Principles. WAT commits to taking the measures specified in the Personal Data Protection Law and working in full compliance with the Koç Holding Personal Data Protection Policy.

2.3. Third Parties

Information security regulations that third parties providing goods and services to WAT and their employees must comply with are determined by the relevant contracts and security protocols. These cover at least the following matters:

  • Acting in accordance with WAT Policies and Procedures regulating relationships with third parties, especially information security rules notified through contracts or protocols.
  • Not sharing information and assets belonging to WAT with others without WAT approval and permission.
  • Using identities given to them by WAT in accordance with contracts and instructions.
  • In case employees of the third party working with WAT leave their company or change duties, reporting this situation to WAT within the same day and ensuring cancellation of their authorities.
  • Not copying any data and software on WAT’s devices, not taking audio recordings of the environment, not taking pictures or videos, and not making shares or movements that may endanger data security or image without WAT’s approval and permission.
  • Conducting system access at WAT locations under the supervision of Information Technology teams.

3. POLICY OWNERSHIP AND PROVIDING GUIDANCE IN INFORMATION SECURITY

Functional ownership of this policy and all standards and other supporting documents and training activities will be carried out by IT Security Management, and this management will also be the source of advice and guide regarding the implementation of the policy throughout WAT. IT Security Management will ensure that all employees receive appropriate training to achieve appropriate awareness levels regarding Information Security matters and will generally guide the handling of information security incidents. When necessary, it will ensure that this policy is supported by detailed standards, procedures and processes and that these are ready for use when needed. It will also be responsible for ensuring that these policy requirements are transferred to all employees (permanent or periodic) and all contractor personnel.

Senior Management will be responsible for establishing the general management framework related to Information Security, ensuring its continuity, ensuring that this policy remains current, and continuously reviewing it so that it continues to reflect the business-related requirements of WAT and its subsidiaries, as well as changes in the risk environment or in the threats faced by their information and information systems. Information Security policies are reviewed at least once a year, in parallel with the asset and risk updates made to reflect the current risks faced by WAT information assets, and are updated with the necessary additions to keep new risks and changes in existing risks under control. Additionally, any WAT employee can ask IT Security Management to change the policies in order to develop the Information Security Policies and better reflect the controls WAT needs; such requests are handled and evaluated by IT Security Management. Information Security Policy principles should be applied in parallel with the WAT Human Resources Personnel Regulations Rules. Employees are also responsible for being aware of the Information Security Policy and complying with these principles.

4. AUDITING AND RESOLUTION OF COMPLIANCE AND NON-COMPLIANCE WITH POLICIES

Each unit manager is primarily responsible for taking necessary measures and overseeing the system to ensure compliance with Information Security Policy.

IT Security Management is responsible for periodic auditing of compliance with all published policies and procedures and standards, especially Information Security Policy, and reporting to relevant parties.

Information Security Policy violations may cause WAT to suffer damage as a result of not implementing the controls needed against risks, and may also give rise to criminal liability under the new Turkish Penal Code and liability for compensation of material damages. Therefore, such a violation is also a violation of the WAT Personnel Regulations and may result in disciplinary punishment. Information Security Policy violations identified through oversight, audit or reporting may result in the application of internal disciplinary punishments, termination of employment, or even the initiation of judicial and criminal legal proceedings.

Working together on the implementation of this policy will help continuously protect our information and reputation and ensure the continuity of our business success.

5. OBJECTIVES

WAT Information Security aims to protect WAT’s reputation, reliability and information assets, and to ensure that core and supporting business activities continue with minimal interruption, by:

  • Fully ensuring the continuity of information systems,
  • Maximizing employees’ knowledge, awareness and compliance levels with security requirements,
  • Ensuring full compliance with contracts made with third parties,
  • Minimizing information security violation incidents and turning them into learning opportunities,
  • Fully compliant production, access and storage of information according to laws,
  • Implementing the most current and effective technical security controls.

All employees are responsible for contributing to these objectives.