Information Security Policy
Purpose and Scope
The Information Security Policy (“Policy”) has been prepared to define the scope and framework of Istanbul Pazarlama A.Ş.’s Information Security Management System.
Its purpose is to ensure that the importance of Information Security rules and policies is communicated across the organization and to all relevant stakeholders.
The Policy has been prepared in consideration of Istanbul Pazarlama A.Ş.’s Ethical Principles as well as the Personal Data Protection Law No. 6698 and other applicable information security legislation.
Definitions
IT: The abbreviation for Information Technologies.
Information Asset: All processes, people, devices, and environments where information is produced, processed, stored, or transferred. This includes physical media such as printed documents, digital media such as computers, and visual or audio forms.
Integrity: Ensuring that any unauthorized or accidental change, deletion, addition, or removal of information is detected, and that this detection is guaranteed.
Availability: The ability of an information asset to be accessible and usable by an authorized user upon request. It means the asset is ready for use whenever needed. In other words, systems are continuously operational, information in the systems is not lost, and it remains accessible at all times.
Confidentiality: Restricting the viewing of information content to only those individuals authorized to access and view such information/data.
Confidential Information: According to agreements with employees, suppliers/contractors, and third parties, “Confidential Information” refers to all information disclosed by the employer/disclosing party or its affiliates, subsidiaries, customers, suppliers, and other business partners relating to their business, operations, programs, plans, products, business strategies, strategic alliances and partnerships, equipment, customers, suppliers, assets, intellectual property rights, trademarks, trade secrets, capabilities, expertise, cost structures, technologies, financial information, and financial analyses, without limitation, whether disclosed orally, in presentations, via devices, apparatus, models, samples, computer software, databases, magnetic media, or documents.
For Istanbul Pazarlama A.Ş. employees, “Confidential Information” can be understood through the following examples: Any information attractive to competitors, the disclosure of which would cause Istanbul Pazarlama A.Ş. to lose its competitive advantage or face legal sanctions, is deemed CONFIDENTIAL. Examples include know-how, methods of conducting business, offers, purchasing and sales information, invoices, supplier and customer data, tenders we participate in or conduct, bid formulas, strategic information, goals and tactics, business continuity plans, technology and infrastructure information, ongoing projects, and other valuable information assets in printed or digital form. Personal data of employees, consultants, suppliers, and customers are also protected by law and must remain confidential.
Vulnerability: A weakness or gap in a system, process, or asset that allows threats to have an adverse effect on that asset.
Business Partner: Any natural or legal person that has a direct or indirect business relationship with Istanbul Pazarlama A.Ş., providing products or services, offering consultancy, or contributing to a particular business process.
General Principles
In line with our approach, which sees information security as a fundamental element of corporate sustainability, and our commitment to international standards, this Policy is based on the following principles:
Continuous Improvement of Information Security Systems
Istanbul Pazarlama A.Ş. continually develops its information security infrastructure, processes, and technologies to adapt to the changing threat landscape, legal requirements, and business needs.
Ensuring Data Integrity and Protection
All corporate data in physical and digital media is protected against unauthorized access, modification, and destruction. Confidentiality, integrity, and availability principles form the basis of this protection.
Monitoring and Responding to Information Security Threats
Potential information security threats are actively monitored, and identified risks are addressed promptly and effectively.
Defining Information Security Responsibilities
Information security responsibilities are clearly defined for all employees across the organization. Awareness and a sense of duty are instilled through this framework.
Establishing Information Security Requirements for Business Partners
Information security requirements are defined for all third parties, including business partners, and their compliance is monitored.
Information Security Management Program
Our organization implements a comprehensive Information Security Management Program, which includes the following core elements:
Risk Assessment Process
Risks related to cybersecurity, information technologies, and IT suppliers under the umbrella of Technology Risks are periodically assessed. Necessary controls are defined, risks are managed, and assessment results are reported to management.
Business Continuity Plans Related to Information Security
Business continuity plans with a focus on information security exist for critical business processes and information systems.
Information Security Vulnerability Analyses
Systematic vulnerability scans and assessments are performed regularly.
Audits of IT Infrastructure and Information Security Management Systems
Periodic internal audit activities are conducted at the corporate level. IT infrastructure and information security systems are also audited by independent organizations.
Incident Reporting Process
Employees and business partners must report suspicious activities, vulnerabilities, or security breaches to bilgiihlal@istpaz.com.tr.
Information Security Awareness Training
All employees receive regular training on information security topics.
Authority and Responsibilities
All Istanbul Pazarlama A.Ş. employees are obliged to comply with this Policy. Istanbul Pazarlama A.Ş. also expects its Business Partners to act in compliance with this Policy to the extent applicable to them and takes necessary steps to ensure this compliance.