DATA SECURITY POLICIES
The data security policies of KOBIRATE A.Ş. describe and establish standards for the general and special security policies that protect the Kobirate information systems and the confidentiality of the data processed on them. In accordance with the required standards, and subject to authentication and verification regardless of importance, all data and information are accessed by authorized individuals according to their authorized level, and all data treated as confidential and assumed to be detrimental to Kobirate if disclosed to the public is protected at minimal standards.
This includes all employees and business partners serving Kobirate; all such individuals comply with the general and specific security policies outlined herein and take part in applying them, without exception, in all business fields in which information technologies are employed, during the entire term of the business partnership.
It is corporate policy to ensure that:
- Data is protected against unauthorized access
- The data confidentiality is protected
- Information is not disclosed to unauthorized persons deliberately or inadvertently
- The data accuracy is ensured due to protection against unauthorized changes
- When necessary, the data is made available for access by authorized users
- Relevant control procedures are performed by each unit
- All employees are provided training on information security
- All data security gaps and potential weaknesses are reported to the supervisor and investigated. The security chief is notified of any such gaps not resolved within the defined periods.
The use of computer and network
Users use the equipment allocated to them by Kobirate in a manner compatible with their operating fields, on topics specified in their job descriptions, and so as to meet corporate requirements.
The Kobirate computer and communication systems must be used for business purposes only. Personal use may be allowed only temporarily, with authorisation from department managers.
Maintenance and repairs of equipment allocated to users are carried out exclusively by the Kobirate system support unit or by designated individuals and organisations. Individuals who take delivery of equipment that has failed or is to be replaced must provide evidence that they are competent employees of the service provider concerned.
Users are under obligation to protect the equipment allocated to them against wear and tear, damage and theft. Users may not make any hardware or software change to allocated equipment that might affect its operation or the security of the entire system. Only software approved by the Kobirate system support unit is used on Kobirate hardware. Users may not download or install any software without the approval of the information systems unit. Software loading and updating are carried out by Kobirate’s system support unit only.
The PCs, terminals and notebooks in use are permanently protected with an encrypted screen saver. Users may not change the encrypted screen saver’s settings for automatic activation. If no operation is performed on a computer, the screen saver is activated automatically within 10 minutes.
Employees may not divulge their system login passwords to anybody, even in an emergency.
Employees may not note their passwords on materials likely to be found by others. It is ideal not to keep passwords in writing.
Employees choose their passwords themselves. They do not use passwords proposed by others, except for a password assigned temporarily at first activation or on expiry of the password period.
An ideal password is at least 8 characters long and contains at least 1 uppercase letter, 1 lowercase letter and a digit.
To prevent attacks and attempts to guess passwords, the number of successive incorrect password entries is restricted. After 3 unsuccessful password attempts, the user account is deactivated and locked.
No user’s password may be allowed to remain constant and unchanged.
All employees of Kobirate are subject to password changing rules.
The most compatible versions of anti-virus software in terms of performance/stability are used in the Kobirate information systems.
After tests have been conducted, the latest updates are installed immediately into the anti-virus software on all PCs, notebooks and servers in the Kobirate systems. Irrespective of operating system and of whether a machine is a server or a client, anti-virus software is in place on all Kobirate systems and the virus definitions are updated. The installed anti-virus software may only be removed by the system support unit, by entering the relevant uninstall password.
Any message, software, web site or document downloaded from the internet onto Kobirate systems automatically undergoes a virus check. It is prohibited to use non-Kobirate diskettes, CDs and DVDs on Kobirate computers. Where necessary, these materials are checked for viruses and then used. If virus contamination is suspected, the user must shut down his/her computer immediately, disconnect it from the network and inform the system support unit. Users must have the files they bring in from outside on portable media (USB memory stick, CD-ROM, diskette) and all other electronic data scanned for viruses, and be assured that they are virus-free, each time before transfer to the system.
Upon commencement of employment, the individual is notified of the e-mail account. Employees may not use an e-mail account belonging to someone else to send or receive messages. Where there is a need to read another person’s mail (e.g. when an employee is out of the office on vacation), message forwarding or other solutions must be used. Employees may not forward an e-mail they have received to someone outside the network environment unless the owner/source of the information has authorised this in advance or the data in question is entirely public knowledge. Kobirate may regularly use automatic content scanning tools. Being aware of such electronic monitoring, users must limit their communication topics to their tasks. E-mail is not a storage medium for critical information. Critical information must therefore not be stored in mailboxes or archive files. It may be removed from the e-mail environment and saved to a common area. Techniques for exchanging messages through FTP or HTTP servers are preferred.
Employees of Kobirate never disclose their corporate e-mail addresses in unsafe environments on the internet, and they do not forward their mailboxes to their non-corporate e-mail addresses.
Internet access within the company is provided through the internet server. Users do not have the right to access the internet directly via dial-up, ADSL, etc.
Any amendments to Kobirate’s corporate internet pages must be approved by the general management.
All visits made to Kobirate’s internet pages are monitored and logged so that they can be reported if required.
NOTICE OF SECURITY VIOLATION
Recognized gaps or any potential violations are reported confidentially by users to the system support unit. It is strictly prohibited to disclose Kobirate’s proprietary information without permission, or to report security gaps, troubles or violations to any company other than Kobirate.
Employees are under obligation to inform the management of any circumstances likely to interrupt the operation of information systems, and to inform the system support unit immediately of any data security alerts, alarms, etc.
It is prohibited for users to use Kobirate systems to transmit data to others outside the firm.
INFORMATION SYSTEMS POLICIES
THE USE OF COMPUTER AND NETWORK
The Kobirate system support unit keeps the inventory of the computers and other electronic equipment owned by Kobirate. As a minimum, every record entered in the inventory must indicate the trademark and model, description and serial number of the recorded equipment, the purpose for which it is used and the name of the employee to whom it is entrusted. Through periodic scans, the current state and accuracy of the inventories are inspected, and irregularities are confirmed and reported to the system support unit. The system support unit labels recently purchased or acquired equipment and enters it in the inventory. The Kobirate computer and communication systems are used only for business purposes. Equipment is not allocated for personal use without the consent of the department executives. Repairs and maintenance of Kobirate equipment are performed only by the individuals and organisations authorized by Kobirate. The Kobirate system support unit publishes internally all necessary manuals and guidelines so that the equipment allocated to users is used in the best and most effective manner. Users are not allowed to make any software or hardware changes to allocated equipment that are likely to affect its operation or the security of the entire system. All required measures are activated on the systems. Users may not load software onto their personal computers, network servers or other systems without obtaining authorisation from information systems. Software loading and updating are performed only by the system support unit. Adequate training is received on the security of each system installed and operated in the live environment and on backup procedures. The Kobirate system support unit takes measures to prevent users from changing IP values and other critical settings on any terminal within Kobirate.
Notices of Kobirate’s general management constitute the reference source for opening or closing user accounts. In order for employees of Kobirate to have access to the information systems and resources required to fulfil their duties, direct access is provided to the resources of which the section they serve in is a natural member and owner. The system support unit does not enable third parties to access resources without authorisation from the owner of the resource, nor does it cancel or change existing authorisations. All access codes and accounts of any user who will not work for seven days or more for any reason are deactivated. It is ensured that user codes and passwords are handed to the user in writing. If no operation is performed on a computer, the encrypted screen saver is automatically activated within 10 minutes. The length of passwords created by users is automatically checked by the system. Passwords that are insufficient and/or do not conform to the rules are automatically rejected. An ideal password is at least 8 characters long and consists of at least 1 uppercase letter, 1 lowercase letter and a digit. The system automatically requires users to change their passwords once every 60 days. The system does not allow users to reuse any of their 10 previously used passwords. After 3 unsuccessful attempts to enter a password, the user’s account is deactivated and locked until it is reactivated by the system support unit. Readable passwords are not kept in business files, automated logon scripts, software macros, terminal functions or other accessible environments where unauthorized individuals can find and use them.
Log records of access to all resources are kept in a common database for 90 days. Log records are not deleted from the systems in which they are monitored unless they have been stored on reliable media.
Irrespective of operating system and of whether a machine is a client or a server, anti-virus software is in place on all Kobirate systems and the virus definitions are updated. The installed anti-virus software may only be removed by the system support unit, by entering the relevant ‘uninstall’ password. All employees of Kobirate take and properly implement all measures required to protect against viruses. The most up-to-date and most competitive releases of the software designated as the company’s official anti-virus software are used in Kobirate information systems. After tests have been conducted, the latest updates are installed immediately into the anti-virus software on all computers in the Kobirate systems. It is ensured that the firm’s official anti-virus software is running and active on all computers. The anti-virus and anti-spam software on the e-mail servers and gateways automatically performs its updates over the Internet. Specific settings for parameters such as scanning filters and automatic updating are defined in the anti-virus software for all client/server systems, and these parameters may not be modified by anyone other than the Kobirate system support unit. All messages, software, web sites and documents downloaded from the internet automatically undergo a virus check.
ELECTRONIC MAIL SYSTEMS
The e-mail account and the user code are created simultaneously. Upon commencement of the individual’s employment, it is delivered to the employee by the system support unit.
All e-mail messages sent over the Internet undergo spam and anti-virus checks. Messages confirmed to be spam are blocked prior to delivery to the internal systems and the user. Techniques for exchanging messages through FTP or HTTP servers are preferred instead of e-mail if it is necessary to share data outside the e-mail system authorisation with individuals other than company employees (information out of large-scale correspondence, graphs, video, or items that can be activated, etc.).
SYSTEM MANAGEMENT AND SECURITY
All web servers accessible from the Internet are protected with firewalls. The database servers and e-mail servers are also protected in a DMZ and with firewalls. If the system support unit suspects that the entire system is at risk, it immediately disconnects all connections to the system. In such a case, a file comparison tool must be activated so that all updates made to the systems software can be observed, and the system software environment must be reloaded from a secure backup copy.
It is not allowed to use real-time messaging software such as Messenger, ICQ, Google Talk, etc.
An IP-based access authorisation is defined on the ISA server if no user identity is provided in Active Directory for a consultant, auditor or technical specialist who is not an employee of Kobirate and will stay for a temporary period. To this end, the appropriate department of Kobirate provides such information as the name and IP address of the individual for whom access is allowed and the termination date of their job.
INSTALLATION AND MANAGEMENT OF OPERATING SYSTEMS
Strong passwords that are difficult to guess are assigned to the local system administrator accounts on servers, PCs and notebooks, all of which are domain members and operate independently, except for Domain Controllers. Only the authorized managers in Kobirate are added to the administrator group. Settings are automatically applied to all systems with a group policy. The Microsoft remote desktop service is used for help on all Kobirate computers using the Microsoft operating system. In the security event logs, log-on, log-off, modifications to security rules, modification and deletion of user accounts, changes in user authorisation and domain-related operations are logged. On all servers, the security event logs can only be deleted manually. Pre-created image files are used to install software on new computers, and the loading procedures are designed for minimal manual intervention. Installation images are regularly updated. Restrictions and authorisations specified in the Kobirate group policy apply to all users.
DATA SECURITY POLICIES
It is prohibited to take files prepared in electronic media and containing Kobirate information out of Kobirate, except for applications involving the use of notebooks, remote data transfers with other organisations and any other officially recognized procedure. The backup media of Kobirate information systems are kept in safety where the backup has been produced. The backup media are classified by daily, monthly and yearly rotation, and the data is kept according to these rotation principles.
The locations where the Kobirate system room is situated and operated are physically protected against unpermitted and unauthorized visits. Suitable climate and cleanliness conditions are provided for the information systems and other equipment kept in the Kobirate system room, and the necessary measures are taken to maintain these conditions.
GENERAL MANAGEMENT POLICIES
Without written permission from Kobirate management, no information systems equipment or software may be taken out of Kobirate locations. Like employees of Kobirate, all independent consultants, contracted individuals and temporary staff are subject to the same data security rules and responsibilities.
In case of non-compliance with data security policies, standards or procedures, various disciplinary measures, including dismissal, are applied. Where employees providing information technology support have been compulsorily dismissed, such individuals must immediately be removed from their posts and required to return the equipment and data belonging to Kobirate. In order to resolve employee relationship problems quickly, the management must form and retain a team fit for procedures providing immediate solutions to the complaints of all employees in writing. All information systems employees must receive regular training on such critical areas as occupational safety, quality assurance and customer relations, in addition to sufficient orientation training.
Software supporting live applications (including operating systems, web browsers and utility programs) must be purchased from a well-known and reliable supplier. No free software may be used unless it has been specifically evaluated and approved by the system support unit. All of Kobirate’s multi-user live systems must be regularly reviewed by technical experts appointed by the executives. This process aims to discover whether or not there are problems requiring urgent response. The log-on and log-off operations, changes in authorisation and groups, and accesses to resources (reading, writing, deletion) performed by employees on their own computers and on all shared systems are automatically logged.