Information Security Policy
1. Purpose and Scope of Information Security, and the Management’s Approach to It
ZER MERKEZİ HİZMETLER VE TİCARET A.Ş. (ZER) sees corporate
information as a very valuable asset. Information is crucial for the sustainability of our
business activities; therefore it must be protected properly. At ZER, we implement the
Information Security Management System (BGYS) ISO 27001 standards to minimize the impact and
the number of potential risks posed to corporate information in terms of confidentiality,
integrity, and usability.
In particular, ZER has adopted the following principles:
- Assure confidentiality, integrity, and usability of the data and information systems of ZER,
- Assess and systematically manage the risks posed to the information systems,
- Meet the requirements of Information Security systems,
- Fully adopt the legislation on Information safety,
- Improve and maintain Information Safety Management System,
- Provide training courses to improve technical and behavioral competency and to raise awareness of information safety,
- Have the Board of Information Safety prepare and publish other sub procedures linked to these principles.
These information security principles of ZER are binding, and apply to all ZER employees, including full-time, part-time, permanent or contracted personnel, who have access to ZER data or business systems, irrespective of their business units or geographical locations. Third-party service providers and their support personnel who are not included in the aforementioned category but have access to ZER data have to follow other specially designed security instructions and rules which include the general principles of the aforementioned policy.
2. Employees’ Responsibilities
The purpose of these Information Security principles and this
policy is to safeguard, maintain, and manage the confidentiality, integrity, and usability
of the company’s sensitive data and business support systems, and the procedures and
applications thereof. This means only the authorized personnel shall have access to the
sensitive ZER data; the information kept shall be full, accurate, and usable; and the
information and the systems shall be accessible and usable when needed. Hence, it is the
responsibility of ZER’s employees, including outsourced personnel and trainees, and of
dealers and subindustry personnel, to safeguard the sensitive information within ZER while
doing their jobs.
All ZER personnel are required to not only keep ZER’s sensitive
information and data full, accurate, and usable but also adopt the principles of ZER’s
business ethics, and safeguard the confidential information given in ZER Personnel
Regulations.
ZER is committed to taking the precautions set out in the Privacy Act and
to being in full compliance with it.
3. Guidance on Policy Handling and Information Safety
The Board of Information Safety shall have the functional
responsibility of this policy and all standards, as well as other supporting documentation
and trainings, and the board shall also function as an advisory board, and provide guidance
to ZER on the implementation of this policy.
The Board of Information Safety shall
provide the appropriate training activities on raising the awareness of Information Safety
in all employees, and provide guidance on how to handle general information safety issues.
When necessary, the board shall support this policy with detailed standards, procedures, and
processes, and ensure they are ready to be implemented when the need arises. The board shall
also have the responsibility of communicating the requirements of this policy to
all employees, permanent or contracted, and contractors of the company.
The chairman of
the Board of Information Safety shall have the responsibility of maintaining and preparing a
general outline of management, and keeping this policy updated, and shall ensure that the
policy and the principles thereof be constantly reviewed so that they will cover the latest
changes in the business-related threats or the risks the data or the information systems of
ZER and its affiliates are exposed to.
In addition to the property and risk updates to
cover the recent risks posed to ZER data and properties, the Information Safety policies are
reviewed at least once a year. The Information Safety policies are updated with the
necessary additions to have control over the new risks or the changes in existing risks.
Moreover, any employee of ZER may request the Board of Information Safety to modify or
change any policy so that ZER can have more control over data safety when necessary. Such
requests are assessed by the Board of Information Safety.
The principles set out in
the Information Safety Policy should be followed and implemented in parallel with the Personnel
Regulations set out by the Human Resources department of ZER. The employees are required to
be aware of the company’s Information Safety Policy, and follow the principles thereof.
4. Supervising and Handling the Cases of Compliance or Non-compliance with the Policies
The managers of the units are fully responsible for taking
necessary actions to implement the Information Safety Policies and supervising the
system.
The Board of Information Safety is responsible for periodically inspecting
the compliance with all policies, procedures, and the relevant standards, and reporting
their observations to the persons in charge.
Any loss to ZER arising from any breach
of the Information Safety Policy, or from failure to implement the necessary security
checks against the risks posed to the company, may result in legal proceedings,
and the company may claim material compensation for such losses and damages pursuant to the
new Turkish Criminal Code. Furthermore, the aforementioned breach is also a violation of
the Personnel Regulations of ZER, and this may result in disciplinary action. Any breach of
the Information Safety Policy observed, detected, or reported may result in disciplinary actions
that may be extended further to dismissal and legal proceedings.
Working collectively to
implement this policy will help us protect our sensitive data and reputation, and maintain
our business achievements.
5. Objectives
In order to protect ZER’s reputation, credibility, and information property, and to maintain primary and supportive business activities with as little interruption as possible, ZER Information Safety aims to:
- Ensure sustainable information systems,
- Raise the level of employees’ knowledge, awareness, and compliance with the safety requirements to the maximum,
- Ensure full compliance with the agreements entered into with third parties,
- Minimize the number of cases of violation of information safety, and turn them into learning opportunities,
- Create, access, and save information in compliance with laws,
- Implement the latest and the most effective security checks.
All ZER employees are required to support the achievement of these objectives.