INFORMATION SECURITY POLICY
1. Purpose: The purpose of this policy is to define the approach and targets of the top management and to inform all employees and related parties about these targets in order to prevent violations of the law, legal, regulatory or contractual obligations and all kinds of security requirements.
2. Scope: This policy is the protection of electronic information assets obtained from logistics, storage, accounting, finance, quality assurance, purchasing, human resources, legal, sales, marketing, internal audit and information processing activities related to commercial activities and these transactions within the Company. covers the information security processes used by the company to process, store, protect and preserve the confidentiality and integrity of the personal data kept within the scope of the law.
3. Internal Scope
Administration, organizational structure, roles and responsibilities;
1. Departments within the scope of the Company's Senior Management, Financial and Administrative Affairs, Purchasing, Finance, IT, Corporate Communications and Business Development, Human Resources, Quality, Export, Import, Logistics, Legal, Internal Audit, Sales, Marketing
2 The roles and responsibilities in the job descriptions specified in the General Management Organization Chart.
3. Policies, procedures, objectives and strategies to be implemented;
1. Information Security Management System Policy,
2. All Information Security management systems procedures,
3. Annual Information Security management systems objectives determined by management,
4. Capabilities understood in terms of resources and knowledge (eg, capital, time, people, processes, systems and technologies),
5. Management for the establishment, operation and maintenance of the Information Security Management System. Appointed Management Representatives and Information Security Management System team,
6. Relationships with internal stakeholders and their perceptions and values, culture of the organization, standards, guidelines and models adopted by the organization, contractual relationships;
encompasses its form and width.
4. Outer Scope
1. International, national, regional or local, social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment,
2. Global Competition Law, Policies and Procedures,
3. Supplier and customer data confidentiality,
4. Quality Orientation,
5. Relationships with stakeholders that have an impact on the organization's goals, and their perceptions and values;
6. All Company employees, including the Senior Management, to ensure customer satisfaction,
7. All relevant legal legislation, regulatory, contractual conditions, standards,
8. Product certifications with TSE and other organizations are external scope.
5. Definitions
0. ISMS: Information Security Management System.
1. Inventory: Any information asset that is important to the firm.
2. Top Management: It is the Company's Top Management.
3. Know-How: It is the competence to do something.
4. Information Security: Information, like all other corporate and business assets, is an asset that has value to a business and therefore must be properly protected.
Within the company, know-how, process, formula, technique and method, customer records, marketing and sales information, personnel information, commercial, industrial and technological information and secrets are considered CONFIDENTIAL INFORMATION.
5. Confidentiality: It is the restriction of viewing the content of the information to the access of only those who are allowed to view the information/data.
(Example: Even if the e-mail is captured by sending encrypted e-mail, unauthorized persons can be prevented from reading e-mails - Registered e-mail - KEP )
6. Integrity: It is the detection of unauthorized or accidental changes, deletion or additions and deductions of information and ensuring its detectability.
(Example: Storing the data stored in the database together with summary information - electronic signature - mobile signature)
7. Accessibility/Usability: It means that the asset is ready for use whenever needed. In other words, the systems are constantly available and the information in the systems is not lost and is constantly accessible. (Example: Uninterruptible power supply and use of redundant power supply in their chassis - UPS to prevent servers from being affected by power line fluctuations and power outages).
It will be used as “Accessibility†in this policy.
8. Information Asset: These are the assets owned by the Company, which are important for it to carry out its activities without interruption.
Information assets within the scope of the processes subject to this policy are as follows:
1. All kinds of information and data presented in paper, electronic, visual or audio media,
2. All kinds of software and hardware used to access and change information,
3. Networks that enable the transfer of information,
4. Facilities and private areas,
5. Departments, units, teams and employees,
6. Solution partners,
7. Services, services or products provided by third parties.
5. Responsibilities The qualifications and competencies of the tasks whose responsibilities and authorities have been determined are defined in the job descriptions. The IT Team and Management Representative are responsible for maintaining and developing information security-related activities. ISMS Team and Management Representatives have been appointed by the Senior Management. ISMS representatives from the departments within the scope have been determined.
Appointments were made on the basis of names as ISMS team members.
0. Management Responsibility
1. The Company Management undertakes to comply with the Information Security System defined, put into effect and being implemented, to allocate the necessary resources for the efficient operation of the system, and to ensure that the system is understood by all employees.
2. During the ISMS installation, the ISMS Management Representative is appointed with the assignment letter. When necessary, the document is revised by the senior management and the assignment is made again.
3. Managers at the management level help the personnel at lower levels in terms of security in terms of giving responsibility and setting an example. The understanding that starts from the upper levels and is applied must go down to the lowest level personnel of the company. Therefore, all managers support their employees to comply with the written or verbal safety instructions and to participate in the work on security issues.
4. Senior Management creates the budget required for comprehensive information security studies.
1. Management Representative Responsibility
1. Planning the ISMS (Information Security Management System), determining the acceptable risk level, determining the risk assessment methodology,
2. Providing the necessary resources for supportive and complementary activities in the establishment of the ISMS, providing/improving user capabilities and creating awareness, conducting trainings, communication Providing documentation requirements,
3. Execution and management of ISMS applications, ensuring the continuity of evaluations, improvements and risk assessments,
4. Internal audits,
evaluation of
targets and management review meetings, and ISMS and controls,
5. Responsible for maintaining the existing structure and ensuring continuous improvements in ISMS.
2. Responsibility of ISMS Team Members
1. Carrying out asset inventory and risk analysis studies related to their departments,
2. Informing the Management Representative for risk assessment when there is a change in information assets under his/her responsibility that may affect information security risks,
3. Department employees comply with policies and procedures. to ensure that it works
,
5. Responsible for maintaining the existing structure and ensuring continuous improvements in ISMS.
3. Responsibility of Internal Auditor Responsible for carrying out and reporting audit activities in assigned internal audits in line with the internal audit plan.
4. Responsibility of Department Managers They are responsible for the implementation of the Information Security Policy and ensuring that the employees comply with the principles, ensuring that the third parties are aware of the policy, and reporting security breaches related to the information systems they have noticed.
5. Responsibility of All Employees
1. To carry out its work in accordance with the information security targets, policies and information security management system documents,
2. Follow up the information security targets related to its own unit and ensure that the targets are achieved.
3. Paying attention to and reporting any observed or suspected information security vulnerability in systems or services
.
6. Responsibility of Third Parties Responsible for knowing and implementing the information security policy and complying with the behaviors determined within the scope of ISMS.
6. Information Security Objectives Information Security Policy is to guide the company's employees to act in accordance with the company's security requirements, to increase their awareness and awareness, to ensure that the company's basic and supportive business activities continue with minimum interruption, to protect its reliability and image, and to It aims to protect the physical and electronic information assets that affect the entire operation of the company in order to ensure compliance with the agreements made with the parties.
The targets set by the Management are monitored at specified periods and reviewed at the Management Review meetings.
7. Risk Management Framework The Firm's risk management framework; It covers the identification, assessment and processing of information security risks. The Risk Analysis, feasibility statement and risk treatment plan define how information security risks are controlled. ISMS Executive and Management Committee is responsible for the management and realization of the risk treatment plan.
All these studies are explained in detail in the asset inventory and risk assessment instruction.
8. General Principles of Information Security
0. Details regarding the information security requirements and rules outlined by this policy, Company employees and 3rd parties are obliged to know these policies and procedures and to carry out their work in accordance with these rules.
1. Unless otherwise stated, these rules and policies must be taken into account for all information stored and processed in printed or electronic media and for the use of all information systems.
2. The Information Security Management System is configured and operated based on the TS ISO/IEC 27001 "Information Technology Security Techniques and Information Security Management Systems Requirements" standard.
3. It carries out the implementation, operation and improvement of the ISMS with the contribution of the relevant parties.
It is the responsibility of the ISMS Management Representative to update the ISMS documents when necessary.
4. Information systems and infrastructure provided by the company to employees or 3rd parties, and all kinds of information, documents and products produced using these systems belong to the company unless there are provisions of law or contracts that require otherwise.
5. Confidentiality agreements are made with employees, consultancy, service procurement (Security, service, catering, cleaning company, etc.), Supplier and Intern.
6. Information security controls to be applied in recruitment, job change and dismissal processes are determined and implemented.
7. Trainings that will increase the information security awareness of the employees and enable them to contribute to the operation of the system are regularly given to existing company employees and newly recruited employees.
8. All actual or suspected breaches of information security are reported;
nonconformities causing violations are detected, main reasons are found and measures are taken to prevent recurrence.
9. An inventory of information assets is created in line with information security management needs and asset owners are assigned.
10. Institutional data is classified and the security needs and usage rules of the data in each class are determined.
11. Physical security controls are implemented in parallel with the needs of the assets stored in secure areas.
12. Necessary controls and policies are developed and implemented for the information assets of the company against the physical threats they may be exposed to inside and outside the company.
13. Procedures and instructions regarding capacity management, relations with third parties, backup, system acceptance and other security processes are developed and implemented.
14. Audit record generation configurations for network devices, operating systems, servers and applications are adjusted in line with the security needs of the relevant systems.
It is ensured that audit records are protected against unauthorized access.
15. Access rights are assigned according to need.
The safest possible technology and techniques are used for access control.
16. Security requirements are determined in system procurement and development, and it is checked whether security requirements are met during system acceptance or testing.
17. Continuity plans are prepared, maintained and exercised for critical infrastructure.
18. Necessary processes are designed for compliance with laws, internal policies and procedures, technical security standards, and compliance assurance is ensured through continuous and periodic surveillance and audit activities.
9. Violation of the Policy and Sanctions If it is determined that the Information Security Policy and Standards are not complied with, the sanctions determined in the relevant articles of the contracts, which are also valid for the 3rd parties, are applied according to the Disciplinary Directive and Procedure for the employees responsible for this violation.
10. Management Review Management review meetings are held by the ISMS Quality Management Representative, with the participation of Senior Management and Department managers.
These meetings, where the suitability and effectiveness of the Information Security Management System are evaluated, are held at least once a year.
11. Updating and Reviewing the Information Security Policy Document ISMS Management Representatives are responsible for maintaining and reviewing the policy document. Policies and procedures should be reviewed at least annually. Apart from this, it should be reviewed after any change that will affect the system structure or risk assessment, and if any changes are necessary, it should be approved by the senior management and recorded as a new version.
Each revision should be published so that all users can access it.
Data Controller Title: TOYOTETSU AUTOMOTIVE PARTS IND. and TRA. Inc.
Mersis No: 0859019537000018
E-mail Address: toyotetsu@toyotetsu.com.tr
Registered Electronic Mail Address: toyotetsu@hs01.kep.tr
Physical Mail Address: TOSB Automotive Sub-Industry Specialized Organized Industrial Zone 5th Street No:4 41420
Sekerpinar, Cayirova - KOCAELI / TURKEY