Main Objectives of Information Security Management System
To manage information assets; to determine the security value, needs and risks of each asset; and to develop and implement controls for those security risks
To meet the information security requirements arising from the regulations of the sector in which the company operates and from contractual obligations to business partners
To minimize the effect of information security threats on service continuity and thereby contribute to that continuity
To be able to respond quickly to potential information security incidents and to minimize their effect
Main Principles of Information Security Management System
Risk Analysis and Treatment
The value of information assets, their security needs and vulnerabilities, and the threats to them are determined periodically; a risk treatment plan is then prepared and implemented.
Security Policy Management
The information security policy, and the policies and procedures that constitute the framework of the ISMS, are maintained periodically and whenever needed. The information security policy is revised by the ISM at least once a year.
Information Security Organization
The ISMS is supported and supervised by the ISMS Committee.
ISM and Internal Auditor resources are provided so that the ISMS can be operated effectively.
In-house roles and responsibilities for information security are defined. Access to information systems is granted on the basis of need, provided this does not conflict with internal control requirements.
Relationships within RDC PARTNER and with other parties (business partners, regulators, certification bodies, public institutions, security professional groups) are coordinated and developed by the ISM.
Information security risks arising from third parties are analyzed, risk-reducing controls are implemented, and provisions protecting RDC PARTNER are included in the contracts.
Information security risks to customers are assessed and customers are informed as necessary. The necessary provisions are included in customer contracts so that the corporate reputation of RDC PARTNER is protected and legal damages are prevented.
Information Asset Management
The information asset inventory is updated during the periodic risk analysis, and an owner is appointed for each information asset. The information asset owner determines, or contributes to determining, the security needs and value of the information.
Acceptable use principles for information assets are defined and communicated to personnel.
Criteria for information classification are defined, and it is ensured that information is subject to appropriate access, processing and storage controls according to its class.
Human Resource Security
Job descriptions and competency requirements are prepared to ensure that personnel meet the requirements of their position.
CVs and references are checked during recruitment.
The acceptable use policy, which defines the disciplinary process to be applied in case of information security violations, is communicated to personnel and signed as an annex to the service contract.
Personnel receive technical and awareness training according to a training needs analysis.
On termination of employment, RDC PARTNER information assets are returned immediately and access rights are revoked.
Physical and Environmental Security
The office area, system rooms and data centers of RDC PARTNER are protected by access control systems, and access to these locations is logged.
Fire alarm, fire extinguishing and air-conditioning controls are implemented for areas where critical equipment is kept, such as the system room and data center. Backup power is provided for the related equipment to ensure the continuity of critical services.
Shipments to and from the office are received and dispatched in the office lobby.
Before equipment is taken out of the company for maintenance, the information it contains is securely deleted, or a confidentiality agreement is executed with the maintenance company.
Information contained in any equipment to be sold is deleted securely and irreversibly.
Critical information taken out of the company is protected with encryption controls.
Personnel apply a clear screen and clear desk policy. Portable computers and media are not left unattended in unsafe areas outside the company.
Operation Management
Segregation of duties is applied to access to information systems and to the creation of information system environments. Where this principle cannot be applied due to organizational, material or technical restrictions, an “Information Security Risk Acceptance Form” is completed by management.
Routine technical operating procedures are documented and kept in rooms accessible only to technical personnel.
Capacity monitoring controls are applied consistently and periodically to critical systems.
During system acceptance, it is verified that security requirements are met.
The necessary controls and anti-virus solutions are applied to operating systems and browsers to protect against malicious software.
Information is backed up online and offline according to continuity and retention requirements.
Network access is managed with access controls. Third-party access is approved by management.
Physical and logical security of portable media is provided according to the conditions of the environment in which the media are kept.
The confidentiality of sensitive information transmitted over unsecured networks is protected with encryption.
Information made public on the Internet is published only after approval by the relevant unit manager and responsible personnel. Published information must not contain sensitive information.
Logging (audit trail) settings are configured according to the criticality of the systems and of the transactions performed on them; access to logs is controlled, and logs are backed up for the required retention period.
The clocks of related systems serving the same function are synchronized from a common time source so that their logs can be correlated meaningfully.
Access Management
User access is granted upon approval of the user's manager.
The password policy is enforced by technical means wherever the system supports it. For systems in which the password policy cannot be enforced technically, it is enforced procedurally.
The network is segmented according to the sensitivity of the systems hosted in each segment.
Network access is controlled with access control tools.
User identification and authorization controls are applied to operating system access.
Session timeout controls are applied to system access wherever technically and practically possible.
Remote access is provided under control. Company-provided computers are the preferred systems for remote access.
Supply, Development and Maintenance of Information Systems
Security requirements for a system are determined before the system is procured. These requirements include input, processing and output controls.
Where cryptographic controls are implemented, key security is ensured by restricting access to private and confidential keys.
Access to the production (live) environment is restricted, except where organizational or technical restrictions prevent this. Changes to the production environment are made by RDC PARTNER operations personnel. If application development teams must access production systems, an “Information Security Acceptance Form” is issued.
Test data transferred to the test environment is blanked out if it contains sensitive information.
The information systems infrastructure is scanned periodically for vulnerabilities, and identified deficiencies are remediated immediately.
Information Security Incident Management
All personnel report information security weaknesses and incidents they observe or identify to the ISM or IT Support personnel, whether or not these relate to their own area.
The ISM is responsible for coordinating and carrying out the response to information security incidents.
Information security incidents are investigated at management review meetings, and corrective actions are planned and implemented to minimize the possibility of recurrence of incidents and information security weaknesses.
Business Continuity Management
Backup systems and recovery procedures are prepared for critical systems and services. In an emergency, the business continuity, emergency response and technology continuity plans prepared specifically for the company are put into effect.
The effectiveness of these procedures is tested periodically, and recovery procedures are improved according to the test results.
Compliance
Obligations arising from laws, regulations and contracts are tracked, and the controls they require are implemented.
Compliance with procedural and technical policies and procedures is audited periodically by the Internal Auditor.