1. REVISION
Article revised | Reason for Revision | Effective Date
No revisions were made | Annual Control | 00.00.0000
2. PURPOSE
This policy aims to monitor, oversee and supervise the activities for the development and regular updating of the control infrastructure relating to the measures for ensuring the confidentiality, integrity and accessibility of information technologies and data across the Company.
3. SCOPE
Information, like any other important business-related asset, is essential to an organization's operations and, as a result, must be appropriately protected. The security of information assets is ensured in line with the policies defined by the Company. The purpose of information security is to prevent unauthorized access to information (Confidentiality), to ensure that information and information assets are complete and accurate and not inappropriately altered (Integrity), and to ensure that authorized users can access the data they need when they need it (Accessibility). The Information Security Policy is applicable to all units and service providers of the Company. The objective of the Company's Information Security Management Process is to take inventory of information assets, conduct risk assessment, implement controls, and review the effectiveness of the controls applied in order to ensure the confidentiality, integrity and accessibility of the information produced, processed, and stored by the Company.
4. DEFINITIONS
The following words and terms shall have the following meanings:
Company: Sümer Varlık Yönetim A.Ş.
Risk Center Data: highly confidential data transmitted and stored by the Risk Center.
5. BASIC PRINCIPLES OF INFORMATION SYSTEMS MANAGEMENT
• It is essential that the structure of information technologies is compatible with the scale of the Company, the quality and diversity of the activities and products offered, and its strategic objectives; and that the information technologies and the data they contain are reliable, accurate, complete, traceable, consistent, accessible, and meet the Company's needs.
Information technologies are established on a structure that will, as a minimum, allow the following:
• Storing or backing up and using all information related to the Company in a secure and timely manner in an electronic environment within the country;
• Penetration and stress testing;
• Keeping accounting books and records in accordance with the procedures and principles established by the Public Oversight, Accounting and Auditing Standards Board.
• An IS Continuity Plan is created to ensure the continuous operability of information technologies. The operability and adequacy of the said plan are regularly tested, and necessary measures are taken if required. In business continuity planning, critical information technology assets and processes are identified, and risk assessment is carried out together with business impact analysis.
• It is essential to store information technologies and the data they contain securely. In this context, data are classified according to their degree of security sensitivity, security controls are established at the appropriate level for each class, and data are backed up accordingly. The security of information technologies and the operation of backup systems are regularly tested, and necessary changes are made if required according to the test results.
• In ensuring information security and controlling access to the Company's information technologies, techniques including authentication and authorization mechanisms, non-deniability and non-repudiation, and the assignment of responsibility are used.
• The principle of segregation of duties is applied in the development, testing and operation of information technologies. The duties, powers and responsibilities of the departments and employees involved in the information technology management process are determined in accordance with the principle of segregation of duties.
• It is essential to ensure the confidentiality of customer and Company information obtained and stored through information technologies during the execution of activities. Letters of undertaking are prepared and signed by the employees involved in the sharing of customer information with parties other than those authorized by law.
• Audit trails of sufficient detail and clarity are created for the transactions carried out using information technologies that cause changes in the records of the Company's activities. Necessary measures are taken to prevent the integrity of the audit trails from being compromised and to detect any such compromise.
• The operation of the information technologies put into practice, their compliance with the strategic objectives, the effectiveness and adequacy of the controls, and the developments in information technologies are regularly monitored. The impact of the implementation of new information technologies on the risk profile of the Company is evaluated. In this context, if necessary, the operation of information technologies is revised.
6. INFORMATION SECURITY POLICY
The Company, with its Information Security Policy:
• Protects the confidentiality of customer and staff information to ensure that
the privacy of personal information is protected.
• Implements the infrastructure and controls that will protect the integrity of
information and guarantee its continuous accessibility.
• Grants authorization in accordance with the principle of segregation of duties in design, development, testing and implementation processes, and establishes an approval mechanism for critical transactions.
• Provides physical and logical separation of Development, Test, and Production
environments.
• Ensures that the principle of minimum authorization (least privilege) is applied when authorizing users and that authorizations are reviewed regularly.
• Establishes network security against threats that may come from external
networks.
• Establishes a layered security architecture and ensures continuous
surveillance.
• Ensures that security measures such as encryption and masking are applied in the transmission and storage of Risk Center data and personal information.
• Ensures the reliability of the encryption keys used.
• Establishes an information security organization in order to ensure the
management and coordination of information security activities.
• Maintains the inventory of information assets, identifies ownership, and
manages risks on information assets.
• Performs information security incident management activities that include the
steps of detecting, reporting and preventing the recurrence of information
security incidents.
• Implements an adequate awareness program for all employees and ensures the
participation of all employees in order to meet information security
requirements.
• Takes the necessary physical and environmental security measures in order to
ensure the security of the information in the areas where the information is
processed.
• Determines and implements the security requirements in information technology
acquisition, development and maintenance.
• Obliges employees to comply with the determined information security
policies, processes, legal and regulatory obligations by obtaining their
written commitments.
• Implements the necessary security controls in all relevant areas to control
access to information and prevent unauthorized access.
• Implements the necessary security controls in the operation of information
technology activities and defines relevant roles and responsibilities.
7. REVIEW OF INFORMATION SECURITY POLICY
The Company's Information Security Policy is reviewed by the Information Security Officer at least once a year, updated if deemed necessary, and submitted for the approval of the Board of Directors. New policies are developed to include the requirements that arise from developments in security technologies.
8. RESPONSIBILITY FOR THE IMPLEMENTATION OF THE INFORMATION SECURITY POLICY
The responsibility for checking that all employees observe the Information Security Policy rests with the personnel's administrative supervisor. It is ensured that the personnel are aware of the Information Security Policy. The final version of the policy is announced to all employees and published or distributed on a common platform that employees can access at any time. All employees must comply with the general provisions that are relevant to them. Compliance with the general provisions relevant to employees is regularly monitored.
9. ENFORCEMENT
This regulation on information security enters into force as of the date of its approval by senior management and the Board of Directors. All applications and workflows of the Company regarding information security are created or updated in accordance with the provisions of this policy.