INFORMATION SECURITY POLICY
1. Purpose and Scope of Information Security and Management Commitment to the Subject
Kplus considers corporate information to be an extremely valuable asset. Information is critically important for the continuity of our business operations and must be appropriately protected. By implementing the Information Security Management System (ISMS) in accordance with the ISO 27001 standard, Kplus aims to minimize the risks and impacts related to the Confidentiality, Integrity, and Availability of corporate information.
This policy has been approved by Kplus senior management.
Kplus senior management is particularly committed to ensuring the implementation of the following matters:
- Ensuring the confidentiality, integrity, and availability of Kplus information and information systems
- Identifying risks to information assets and systematically managing those risks
- Fulfilling the requirements of Information Security Standards
- Complying with all legal regulations related to Information Security
- Evaluating opportunities for continuous improvement and carrying out efforts to sustain the Information Security Management System
- Conducting trainings to enhance technical and behavioral competencies in order to increase information security awareness
- Ensuring that the subordinate procedures related to this policy are prepared and published by the Information and Communication Technologies (ICT) officers
Kplus Information Security Policies apply to all personnel—whether full-time, part-time, permanent, or contract—who use corporate information or business systems, regardless of geographic location or business unit, and compliance is mandatory. All individuals who fall outside these classifications but require access to corporate information, such as third-party service providers and their associated support personnel, are also required to adhere to the general principles of this policy as well as any other applicable security responsibilities and obligations.
2. Responsibilities of All Employees
The purpose of Information Security and this policy is to protect, maintain, and manage the confidentiality, integrity, and availability of information, as well as all supporting business systems, processes, and applications. This means ensuring that Kplus-owned information remains in authorized hands, that the information is complete, accurate, and available, and that information and systems are ready for use when needed. Therefore, all internal and outsourced personnel, including interns—regardless of their position or role—are responsible for carrying out their duties in a manner that safeguards the organization's information.
In addition to ensuring that Kplus-owned information is complete, accurate, and readily available, all personnel are also required to protect confidential information as stated in their employment agreements and to comply with the organization's principles of business ethics.
Kplus is committed to taking the measures outlined in the Personal Data Protection Law and to operating in full compliance with its Personal Data Protection Policy.
3. Policy Ownership and Guidance on Information Security
The functional ownership of this policy, along with all standards, supporting documents, and training activities, shall be carried out by the Information Security Managers. This management will also serve as the source of guidance and advice regarding the implementation of the policy across the entire organization.
The Information Security Managers shall ensure that all employees receive appropriate training to raise awareness on information security matters and will provide guidance in handling information security incidents in general. When necessary, they will ensure that this policy is supported by detailed standards, procedures, and processes, and that these are readily available when needed. They are also responsible for ensuring that the requirements of this policy are communicated to all employees (permanent or temporary) and all contractor personnel.
The Information Technology Manager shall be responsible for establishing the overall management framework for Information Security and ensuring its continuity. They will also be responsible for regularly reviewing this policy to ensure it remains current and continues to reflect the business requirements of the organization and its affiliates, as well as any changes in the risk environment or emerging threats to information and information systems.
Information Security policies are reviewed at least once a year in parallel with asset and risk updates to ensure they reflect the current risks faced by Kplus information assets. To keep new risks and changes in existing risks under control, the Information Security Policies are updated with necessary additions. Additionally, any employee of the organization may request changes to the Information Security Policies in order to support their improvement and better reflect the controls needed by the organization. Such requests are reviewed and evaluated by the Information Security Management.
The principles of the Information Security Policy must be applied in parallel with Kplus Human Resources personnel regulations. Employees are also responsible for being aware of the Information Security Policy and for complying with its principles.
4. Auditing, Compliance with Policies, and Resolution of Non-Compliance Cases
Each department manager is primarily responsible for taking the necessary measures to ensure compliance with the Information Security Policy and for overseeing the system.
The Information Security Management is responsible for the periodic auditing of compliance with all published policies and procedures—particularly the main Information Security Policy—and for reporting the results to the relevant parties.
Violations of the Information Security Policy may result in harm to Kplus due to the failure to implement necessary controls against risks. Such violations may also lead to criminal liability under the new Turkish Penal Code and to financial liability for damages. Therefore, any such violation also constitutes a breach of the company’s Personnel Regulations and may result in disciplinary action. Information Security Policy violations identified through supervision, audits, or reporting may lead to internal disciplinary measures, including termination of employment, and may even result in the initiation of legal and criminal proceedings.
Working together to implement this policy will help ensure the continuous protection of our information and reputation, as well as the ongoing success of our business.
5. Information Security Policy
Kplus Information Security is established to protect the organization’s reputation, reliability, and information assets, and to ensure that core and supporting business activities continue with minimal interruption:
- To protect the information assets that the organization processes, stores, and shares with other entities in accordance with the principles of confidentiality, integrity, and availability
- To manage information assets, identify their security value, needs, and risks, implement controls against security risks, and to develop and continuously improve the management system established for this purpose
- To assess the risks arising from activities in line with the organization's vision and mission, and to identify the needs and opportunities for continuous improvement
- To keep pace with technological developments and changes within the scope of the services provided
- To ensure business continuity by reducing the impact of information security risks
- To comply with applicable national and international regulations, legal and related legislative requirements, contractual obligations, and the organization's responsibilities toward internal and external stakeholders
- To possess the capability to respond promptly to potential information security incidents and to minimize their impact
- To maintain and improve the level of information security over time through a cost-effective control infrastructure
- To enhance the organization’s reputation and protect it from adverse effects based on information security
- To safeguard personal data in accordance with the Personal Data Protection Law
- To conduct training programs that enhance employees’ awareness and competencies in information security, and to become a model organization in the industry by integrating with other management systems and providing the necessary support
Each Kplus employee is responsible for contributing to these objectives.
General Manager
PLT.00 | 00 | 04.01.2020