OUR INFORMATION SECURITY POLICY
Aim
This Document contains the policy explaining what Information Security is and the approach of Arnavutköy Municipality towards information security. Arnavutköy Municipality will announce this policy to all users benefiting from its information resources, third parties it has business relations with as well as suppliers. At the same time, Arnavutköy Municipality explains in this policy its purpose in establishing an Information Security Management System (ISMS), its goals, and how to install, implement, monitor and report on the system.
Scope
This policy determines the information security requirements to be fulfilled during the activities in all systems and locations within the scope of ISMS.
Information Security
Information security is defined as preventing unpermitted or unauthorized access, use, modification, disclosure, elimination, hand-over and damage of all tools that record, access and store information, and consists of three basic elements: "confidentiality", "integrity" and "accessibility". Damage to any of these three basic security elements will lead to a security vulnerability.
Confidentiality: It is the protection of information against unauthorized use and access.
Integrity: It is the prevention of unauthorized persons changing the information.
Accessibility (usability): It is defined as making information accessible and available to authorized persons in case of need.
ISMS (Information Security Management System) is a system that ensures the security and integrity of all types of information produced, collected, processed, stored or forwarded by institutions, organizations and companies as part of their activities, and it allows authorized persons to access information easily, quickly and accurately when necessary. The rules have been integrated with the international ISO/IEC 27001 standard. Although there is no legal regulation directly obligating Arnavutköy Municipality to establish an ISMS, the ISMS Management Committee systematically established its ISMS to abide by certain applicable laws, regulations, strategies, action plans, etc.
The international standard followed for information security management is TS ISO/IEC 27001:2013.
Management Commitment
To implement the ISMS and manage all kinds of risks related to information security and information assets, Arnavutköy Municipality commits to:
- Accept corporate information, employees' personal information, citizen/taxpayer and supplier information (financial data, personal information) as valuable and critical and fulfill the obligations imposed by the laws on information security,
- Provide the necessary infrastructure and take the necessary security measures so that the information services used in corporate activities continue uninterruptedly and personal and private data are accessible only to authorized persons,
- Document and continuously improve the applications of the Information Security Management System and meet the requirements of the ISO/IEC 27001 standard,
- Support guiding people to ensure the effectiveness of information security management activities,
- Comply with all legal regulations and contracts related to information security,
- Systematically manage risks to information assets,
- Develop trainings for technical and behavioral competencies to enhance information security awareness; apply ISMS and other management systems in an integrated manner; and commit to work hard to become the leading organization with full-fledged information security practices in the field of local administration.
Goals and Objectives of the ISMS
With the establishment of an ISMS under the body of Arnavutköy Municipality, the aim is to ensure the security and proper management of all information assets that corporate units hold in physical and digital environments. In addition, the availability of an approved ISMS will help fulfill many obligations arising from the laws.
In this regard, the objectives of the Information Security Management System are determined as follows:
- To improve the quality of the Management System in accordance with the ISO/IEC 27001 standard, and to ensure its continuity,
- To increase the awareness of employees about the ISMS,
- To increase the proficiency and competence related to ISMS processes,
- To determine the costs of ISMS and create the necessary budget items and provide investments,
- To reduce the risks of ISMS to acceptable levels.
Risk Management
Arnavutköy Municipality determines and analyzes the information security risks related to its assets in order to ensure the intended outputs of the Information Security Management System, and to prevent or reduce unwanted effects. It defines the activities necessary to correctly assess the nonconformities arising from risk management and turn them into an improvement opportunity, and plans and ensures the implementation of these activities by integrating them with ISMS processes.
The Framework of Information Security
The ISMS to be implemented in Arnavutköy Municipality protects the confidentiality of corporate information provided in personal and electronic communications and in information exchanges with third parties, for everyone using the information processing infrastructure of the institution and accessing its information resources.
- Information is backed up according to its level of criticality.
- Security measures are taken according to the risk levels.
- Information security violations are reported and all necessary actions are taken.
- In-house information resources cannot be shared with third parties in any way except in cases clearly defined in the binding legislation or the contracts of the institution.
- Corporate information resources cannot be used for any purpose or activity contrary to the laws, affiliated legislations and directives.
Supply of Resources
Depending on its purpose and goals, Arnavutköy Municipality will supply the necessary human resources, financial assets, time, and infrastructure to fulfill the information security requirements and achieve its planned goals as per the binding legislations. The ISMS Management Committee will run and supervise the provision of the resources necessary for the ISMS.
Roles and Responsibilities
Roles and responsibilities are determined, and ISMS Management and Executive Committees are formed with the aim of building, implementing, sustaining, monitoring and continuously improving the system under the body of Arnavutköy Municipality.
In this context, the Management Committee will be responsible for the decision and approval stages of ISMS, and providing the necessary workforce and budget. It was decided that the Committee will consist of Committee President, Vice Presidents, Management Representative and Institution Managers in case of need. The Executive Committee is responsible for executing, maintaining and monitoring the decisions taken by the Management Committee and managing possible risks of information security. It was decided that the Executive Committee will consist of a Management Representative, ISMS Officer and teams designated in the directorates.
Execution of the Information Security Management System and User Responsibility
Arnavutköy Municipality has turned the requirements to be followed when setting up and managing the ISMS into written procedures in accordance with its business goals.
The relevant policies and procedures will govern access to information systems by mobile devices as defined in the standards, the safe use of the Internet to access the system and network, remote access and passwords, as well as the use and checks of clean desk and clear screen practices.
This policy will be supported by business continuity and emergency plans, data backup, and protection from viruses and malware, physical and environmental security, system supply and fulfilling maintenance requirements, communication and network security and access control procedures. The functioning of these areas is defined by specific documented policies and procedures.
The Target Tracking List is used to monitor, measure and evaluate the planned targets in the ISMS. Qualified internal auditors will conduct internal controls at least once a year. The Senior Management will review the Information Security Management System at scheduled intervals to ensure its continuous suitability, accuracy and effectiveness.
Arnavutköy Municipality regards Information Security/Management Satisfaction as a preference criterion, both to guarantee that the services it obtains through suppliers are provided uninterruptedly and with high quality, and as a barrier for bidders seeking to do business with it or enter its tenders. It clearly declares this to its employees, bidders and contractors/suppliers. In this context, the institution will work with its suppliers/contractors within the framework of this policy.
The participation and awareness of all employees are important in ensuring the sustainability of the ISMS. To raise the personnel's awareness of information security, the Municipality will regularly send e-mails and SMS texts, place banners, posters and distribute brochures to ensure information security in the municipality campuses as much as possible and to encourage notification of violations.
All the personnel who have access to Arnavutköy Municipality's information and information processing systems are obliged to be aware of the Institution's Information Security Policy and the policies, procedures and instructions referred to in this policy. They are also responsible for abiding by the rules when using the municipality's assets. This obligation will be guaranteed by a commitment letter by all users (all personnel, including the management level, civil servants, employees, contractors, service procurement personnel, supplier companies' employees and third parties). The Acceptable Use of Assets Policy describes the rules to be followed in the use of assets in detail.
In cases where Information Security requirements are not met and policies and procedures are violated, a disciplinary process will be initiated. As per the binding legislation, the following sanctions will be imposed on personnel who are found to have committed a security violation:
- notification,
- warning,
- penalty fine,
- temporary suspension,
- definite suspension,
- filing a compensation claim,
- recourse of the results of the compensation lawsuit.
One or more of these penalties may be imposed on the personnel committing the security violation. To ensure sustainability, information security violations will be recorded and corrective-remedial activities will be planned and followed up for the recorded Information Security violations. These activities are aimed at continuous improvement in the ISMS.