In line with its strategic targets and purposes; the purpose of Durmazlar Makina Sanayi ve Ticaret A.Ş. in managing the information security is to ensure that the company evaluates the risks of the information assets which may come from inside and/or outside, which may occur intentionally or accidentally; from the aspects of confidentiality, integrity and accessibility, and that the risk reduction activities are performed effectively, properly, fast and safely.

The Information Security Management System (ISMS) established under Durmazlar Makina Sanayi ve Ticaret A.Ş. has been established in order to ensure information security in all activities conducted, including the company assets and services received from suppliers.

Durmazlar Makina Sanayi ve Ticaret A.Ş. management expresses the support it gives to the information security management system with the “Information Security Policy” and sub-policies that support this policy.
It is the responsibility of the senior management to create the ISMS policies in such a way to meet the information security requirements of all stakeholders, sustaining it by always improving and providing the necessary resources for this purpose.

2. SCOPE AND RESPONSIBLE PERSONS

The following departments and activities are within the scope of the Information Security Management system, which has been established and is operated under Durmazlar Makina Sanayi ve Ticaret A.Ş.

1. Information Technologies Department
   2. Human Resources Department
   3. Accounting and Finance Department
   4. Sales Department
   5. Purchasing Department
   6. Logistics / Foreign Trade Department
   7. R&D Department

Durmazlar Makina Sanayi ve Ticaret A.Ş. The Information Security Management System covers the following categories of assets and technologies:

▪ Information assets consisting of data files, contracts, personnel files, company image, website, etc.
▪ Software assets consisting of application software, system software and services,
▪ Physical assets including the router devices, security devices, servers, electronic signature device used, computers, communication equipment and data storage environments,
▪ Service assets consisting of the elements such as lighting, air conditioning, wiring related to the fulfillment of all functions,
▪ Human resources assets that enable the execution of the activities within the scope,
▪ Contracted or non-contracted suppliers from which service is received,
▪ Customers and dealers.
▪ ISMS documents and records.

3. RELATED DOCUMENTS:

All ISMS Documentation

4. APPLICATION:

4.1. Definitions

1. 4.1.1. Information: Information is an asset, which has a value for the organization and therefore needs to be appropriately protected.
2. 4.1.2. Information Security: Protecting the confidentiality, integrity and accessibility characteristics of the information assets of the company. Information security protects the assets from hazard and threat areas in order to ensure business continuity and minimize the losses. Information security aims to protect the following information qualifications: Confidentiality: Ensuring that the information is accessible only to those who have been granted access authorization. Integrity: Ensuring the accuracy of the information and processing methods, and that it is protected from unauthorized modifications and noticed when modified. Accessibility: Ensuring that the authorized users are able to access the information and relevant resources in the fastest way when needed.

4.1.3. Information Security Policy:
IN CARRYING OUT ALL KINDS OF IMPORT, EXPORT, TRANSIT, CUSTOMS CLEARANCE, FOREIGN TRADE OPERATIONS PERFORMED FOR MACHINE AND RAIL SYSTEMS MANUFACTURING, SALES AND MARKETING AS WELL AS THE LOGISTICS, STORAGE, FINANCE, R&D, ACCOUNTING AND DATA PROCESSING ACTIVITIES RELATED TO THOSE OPERATIONS;

SHOWING THAT INFORMATION SECURITY MANAGEMENT IS PROVIDED WITHIN HUMAN, INFRASTRUCTURE, SOFTWARE, HARDWARE, CUSTOMER INFORMATION, ORGANIZATIONAL INFORMATION, THIRD PARTY INFORMATION AND FINANCIAL RESOURCES; SECURING RISK MANAGEMENT, MEASURING THE PERFORMANCE OF THE INFORMATION SECURITY MANAGEMENT PROCESS AND ORGANIZING THE RELATIONS WITH THIRD PARTIES REGARDING INFORMATION SECURITY.
IN THIS DIRECTION;

• PROTECTING THE INFORMATION ASSETS OF OUR ORGANIZATION AGAINST ANY THREAT THAT MAY COME FROM INSIDE OR OUTSIDE, KNOWINGLY OR UNKNOWINGLY; ENSURING INFORMATION ACCESSIBILITY WITH BUSINESS PROCESSES AS REQUIRED, FULFILLING THE REQUIREMENTS OF THE LEGAL LEGISLATION,
  • ENSURING THE CONTINUITY OF THREE FUNDAMENTAL ELEMENTS OF THE INFORMATION SECURITY MANAGEMENT SYSTEM IN ALL ACTIVITIES CONDUCTED,
  • CONFIDENTIALITY: PREVENTION OF UNAUTHORIZED ACCESSES TO IMPORTANT INFORMATION,
  • INTEGRITY: SHOWING THAT THE ACCURACY AND INTEGRITY OF THE INFORMATION IS ENSURED,
  • ACCESSIBILITY: SHOWING THAT THOSE WITH THE AUTHORIZATION CAN ACCESS THE INFORMATION WHEN NECESSARY,
  • PROTECTING THE SECURITY OF ALL THE DATA IN WRITTEN, PRINTED, VERBAL AND SIMILAR FORMS; NOT ONLY OF THOSE KEPT IN THE ELECTRONIC ENVIRONMENT,
  • PROVIDING THE INFORMATION SECURITY MANAGEMENT TRAININGS TO ALL PERSONNEL AND ENSURING AWARENESS RAISING
  • REPORTING ALL THE ACTUAL OR SUSPECTED DEFICITS IN INFORMATION SECURITY TO THE ISMS TEAM AND ENSURING THAT THEY ARE INVESTIGATED BY THE ISMS TEAM,
  • PREPARING BUSINESS CONTINUITY PLANS, CONTINUOUSLY IMPROVING, SUSTAINING AND TESTING THEM,
  • PERFORMING ASSESSMENTS ON INFORMATION SECURITY PERIODICALLY AND IDENTIFYING THE EXISTING RISKS. • REVIEWING THE ACTION PLANS AS A RESULT OF THE ASSESSMENTS AND FOLLOWING THEM.
  • PREVENTING ANY DISAGREEMENT AND CONFLICT OF INTEREST THAT MAY ARISE FROM CONTRACTS.
  • MEETING THE BUSINESS REQUIREMENTS FOR INFORMATION ACCESSIBILITY AND INFORMATION SYSTEMS.

The information security policy document is the document that specifies principles at the highest level, which will be used during the implementation of the supervisions established to meet the above-mentioned requirements.

At the lower level, information security policy has been supported with subject-specific policies that make the information security checks obligatory. Subject-specific policies have been structured within the organization to satisfy the needs of specific target groups or to cover specific subjects:

4. 4.1.4. ISMS: Information Security Management System
5. 4.1.5. ISMS Committee: It is the committee that makes the strategic decisions in the information security management system in which also the participants from all relevant units within the organization are present and the senior management is represented, and carries out the activity of the Management Review.

4.2. Roles and Responsibilities in Information Security Management 4.2.1. Support and Responsibility of the Senior Management

Senior management is responsible for;

1. a) Creating the Information Security Policy and Information Security Management system and determining its targets in line with the strategic targets of the company,
   2. b) Participating in the Management Review activity,
   3. c) Supporting the needs of the ISMS infrastructure, maintenance of its operation and continuous improvement activities,
   4. d) Allocating the resources for sustaining and developing ISMS,
   5. e) Creating the ISMS committee, determining the roles and responsibilities of the committee, following its operation and development of the system.

4.2.2. Responsibility of the ISMS Management Representative and ISMS Committee: ISMS Management Representative and ISMS Committee are responsible for;

1. a) Managing the Information Security Policy and sub-policies,
   2. b) Planning and implementing Risk Assessment activities,
   3. c) Planning and implementing activities that will increase ISMS awareness,
   4. d) Requesting assistance from the senior management,
   5. e) Examining the violation affairs and finding out the root causes, reporting them to the senior management, carrying out the risk assessments
   6. f) Conducting the Management Review activity,
   7. g) Planning and implementing internal audits,
   8. h) Reporting the ISMS performance to the senior management,
   9. i) Supporting the ISMS infrastructure, maintaining its operations and continuously sustaining and developing the system with continuous improvement activities,
   10. j) Publishing the ISMS policy and procedures and notifying to all employees.

4.2.3. Responsibility of Unit Managers: Unit Managers are responsible for implementing the Information Security Policy and ensuring the commitment of employees to principles.

4.2.4. Responsibility of Employees

Each employee is responsible for,

1. a) Knowing the Information Security Policy and its sub-policies; acting in accordance with these rules and principles, fulfilling the requirements of these by using the information security procedures and forms,
   2. b) Using the information assets within the company in accordance with the “PL.BG.02 –Use of Assets Policy”,
   c) Reporting the security violations in accordance with “PL.BG.03 – Information Security Violation Case Management Policy”, including customer and supplier relations,
   4. d) Conveying the suggestions that s/he has deemed appropriate for the improvement of Information Security Management System to the ISMS committee members and processing the “FR.BG.06 – Corrective and Preventive Action Request Form”
   5. e) In accordance with “PL.BG.04 – Legal Requirements Compliance Policy”; working in compliance with the T.R. laws, regulations, circulars and contracts,
   6. f) Participating in trainings, drills related to information security and knowing with whom and how to contact in emergency cases.

4.2.5. Responsibility of Suppliers: Each supplier accessing to information assets is responsible for,

1. a) Reading the Information Security Policy of the organization,
   2. b) Signing the information security agreement,
   3. c) Accessing the necessary information assets, resources and fields within the scope of the rules of the Information Security Policy, Access Policy and Physical Security policy and demonstrating the necessary conformity,
   4. d) Providing the necessary information in case of violations and cooperating.

4.3. Review of the Information Security Policy: Information Security Policy and its sub-policies are evaluated in terms of compliance with today’s conditions due to reasons such as organizational changes, business conditions, legal, and technical regulations etc. These principles are regularly reviewed at the Management Review meeting (MRM) at least once a year.