TÜBİTAK BİLGEM YTE attaches importance to information security in line with its aims and strategic objectives. In this respect, it aims to protect its information assets against all threats, whether intentional or unintentional, internal or external; to ensure business continuity; to prevent security violations; and to minimize business losses. In this context, it takes the necessary measures to ensure the confidentiality, integrity and availability of its information assets and undergoes certification audits every year to ensure the continuity of the Information Security Management System.
TÜBİTAK BİLGEM YTE Senior Management aims:
- To ensure the security of customer data produced and processed in the projects delivered to the public within our area of responsibility,
- To meet and manage the information security requirements of the projects carried out by our Institute,
- To ensure the continuity of the Institute Information Systems infrastructure,
- To increase the awareness level of Institute’s employees about information security,
- To comply with the requirements arising from the relevant laws and contracts,
- To protect the organization's credibility and image.
TÜBİTAK BİLGEM YTE started its preparations for the establishment of an Information Security Management System (ISMS) in 2013 and first obtained its ISO/IEC 27001:2005 Information Security Management System certificate in 2014. In November 2015, the existing certificate was upgraded to ISO/IEC 27001:2013 and the Institute successfully passed the certification renewal audit.
The principles of Information Security Policy:
- The details of the information security requirements and rules framed by this policy are set out in ISMS procedures. Employees and external parties are obliged to know these procedures and to carry out their work in accordance with them.
- These principles apply to the use of information systems assets and to all information stored and processed in printed or electronic media.
- When determining information security requirements, customer expectations, internal and external factors, and information security obligations arising from laws and contracts are taken into consideration.
- Information systems assets provided to employees or external parties by the Institute, and all kinds of information, documents and products, belong to the Institute unless the provisions of law or contract state otherwise.
- In information security, a risk management approach conforming to the ISO/IEC 27001:2013 standard is applied. For this purpose, information security risks are identified, risk owners are appointed, and risks are evaluated and managed.
- Information asset inventory is created according to the requirements of the Information Security Management System and kept up to date.
- Information assets are classified and the security requirements and usage rules of data in each class are determined.
- Activities such as system management, network management and information security are treated in accordance with the principle of “the segregation of duties”.
- Access rights are assigned according to need. The safest possible technologies and techniques are used for access control.
- Training is organized to increase employees' awareness of information security and to enable them to contribute to the functioning of the management system.
- Information security incidents, violations and weaknesses are recorded so that institutional memory is built. Necessary measures are taken and sanctions are imposed for identified violations and weaknesses.
- Information security is considered at all stages of the project management activities.
- Critical information technology services and systems are identified and necessary measures are taken to ensure their uninterrupted service. Business Continuity Plans are developed, and exercises and tests are carried out.
- Developments worldwide in information security threats and technological applications are followed.
- Where necessary, confidentiality agreements aimed at securing the confidentiality needs of the organization are made with the relevant employees and external parties.
- Security requirements are analyzed in joint work with external parties, and security conditions and controls are expressed in specifications and contracts.
- Information security controls are determined and applied in the processes of resignation, change of position and recruitment.
- Physical security controls are applied in line with the needs of the assets stored in secure areas.
- Necessary controls and policies are developed and implemented against physical threats to which the Institute's information may be exposed from inside or outside the institution.
- The Information Security Management System is continuously improved through performance monitoring, internal audit and management review activities.
- In order to ensure the establishment, operation and maintenance of the Information Security Management System, an organizational structure is established and responsibilities are assigned.