Information Security Policy
| Field | Information |
| Code | FR-BGYS-1 |
| Version | 1.0 |
| Publication Date | 02.01.2024 |
| Prepared by | Fatma Nur ALPTEKİN (ISO27001 & ISO27701 Lead Auditor) |
| Created by | Uğur GERİDE (IT Manager / BT Manager),(ISO/IEC 27001:2022 ISMS Certificate Num: TR.IS.200223.010) |
| Approved by | |
| Confidentiality Level | ON |
| Language | English |
INFORMATION SECURITY POLICY
1. Purpose, Scope and Adoption of Information Security by Management
İstanbul Akvaryum Turizm Ticaret Anonim Şirketi considers corporate information an extremely valuable asset. Information is critically important for the sustainability of our business activities and must be properly protected. İstanbul Akvaryum Turizm Ticaret Anonim Şirketi aims to minimize the risks, and their effects, that may arise regarding the confidentiality, integrity, and availability of corporate information by implementing the Information Security Management System (ISMS) ISO 27001 standard.
This policy has been approved by the Management of İstanbul Akvaryum Turizm Ticaret Anonim Şirketi. The management of İstanbul Akvaryum Turizm Ticaret Anonim Şirketi has adopted the fulfillment of the following issues in particular:
- Ensuring the confidentiality, integrity, and availability of the information and information systems of İstanbul Akvaryum Turizm Ticaret Anonim Şirketi,
- Identifying and systematically addressing risks to information assets, and managing risks in this way,
- Fulfilling the requirements of Information Security Standards,
- Complying with all legal regulations related to information security,
- Evaluating and carrying out continuous improvement opportunities for the maintenance of the Information Security Management System,
- Conducting trainings to improve technical and behavioral competencies to increase information security awareness,
- Ensuring that other sub-procedures related to this policy are prepared and published by the Information and Communication Technologies managers.
İstanbul Akvaryum Turizm Ticaret Anonim Şirketi Information Security Policies are valid and mandatory for all personnel using the company's information or business systems, whether full-time, part-time, permanent or contractual, regardless of geographic location or business unit.
All individuals, including third-party service providers and their affiliated support personnel, who do not fall into these classifications but require access to organizational information, are subject to this policy. It is essential that they adhere to the general principles of the company, as well as other security responsibilities and obligations they are required to comply with.
2. Responsibilities of All Employees
The purpose of Information Security and this policy is to protect, maintain, and manage the confidentiality, integrity, and availability of information and all supporting business systems, processes, and applications. This means ensuring that information belonging to İstanbul Akvaryum Turizm Ticaret Anonim Şirketi remains in authorized hands and that information and systems are complete, accurate, and readily available when needed. Therefore, all institutional staff, external personnel, and interns, regardless of their position or duties, are responsible for conducting their work in a manner that ensures the protection of information within the institution. In addition to ensuring that the information belonging to İstanbul Akvaryum Turizm Ticaret Anonim Şirketi is complete, accurate, and readily available, all personnel are also obliged to comply with the confidentiality provisions in their personnel contracts and the principles of institutional business ethics. It undertakes to take the measures specified in the Personal Data Protection Law and to operate in full compliance with the Personal Data Protection Policy.
3. Policy Ownership and Guidance in Information Security
The functional ownership of this policy, all standards, other supporting documents and training activities will be carried out by the Information Security Management Representative, who will be a source of advice and guidance regarding the implementation of the policy throughout the organization.
The Information Security Manager will ensure that all employees receive training that will create an appropriate level of awareness regarding information security issues and will provide guidance in the general handling of information security incidents. Where necessary, they will ensure that this policy is supported by detailed standards, procedures and processes and that these are readily available as needed. Furthermore, the Information Security Management Representative will be responsible for ensuring that the requirements of this policy are communicated to all permanent or temporary employees and all contractor personnel.
The Information Security Management Representative will be responsible for establishing and maintaining the overall management framework related to information security and for ensuring that this policy remains current and continues to reflect the operational requirements of the company units or changes in the risk environment or threats faced by their information and information systems.
Information Security Policies are reviewed at least once a year, in parallel with the asset and risk updates made to reflect the current risks faced by the information assets of İstanbul Akvaryum Turizm Ticaret Anonim Şirketi. Information Security Policies are updated with additions as necessary to keep track of new risks and changes in risks. In addition, any employee of the company may request the Information Security Management Representative to change the Information Security Policies in order to improve them and better reflect the controls needed by the company. Requests are handled and evaluated by the Information Security Management Representative.
The principles of the Information Security Policy should be implemented in parallel with the İstanbul Akvaryum Turizm Ticaret Anonim Şirketi Human Resources Personnel Rules.
Each unit manager is primarily responsible for taking the necessary measures to ensure compliance with the Information Security Policy and monitoring the system.
The Information Security Management Representative is responsible for periodically auditing compliance with all published policies and procedures, including the Master Information Security Policy, and related standards, and reporting to the relevant parties.
Violations of the Information Security Policy may cause damage to İstanbul Akvaryum Turizm Ticaret Anonim Şirketi due to the failure to implement the necessary controls against risks, as well as resulting in criminal liability under the Turkish Penal Code and liability for compensation of material damages. Therefore, such a violation is also a violation of the institution's Personnel Regulations and may result in disciplinary action. Information Security Policy violations detected through monitoring, auditing, or reporting will result in termination of employment. This could result in internal disciplinary actions, including the initiation of legal and criminal proceedings.
Working together to implement this policy will help to continuously protect our information and reputation and ensure the continued success of our business.
5. Information Security Policy
İstanbul Akvaryum Turizm Ticaret Anonim Şirketi Information Security aims to protect the reputation and reliability of the institution, to safeguard information assets, and to ensure that core and supporting business activities continue with the least possible disruption,
- To protect the information assets that the institution processes, maintains, and shares with other organizations according to the principles of confidentiality, integrity, and accessibility,
- To ensure the development and continuous improvement of the management system established to manage information assets, determine the security values, needs, and risks of assets, and implement controls for security risks,
- To assess the risks arising from activities in accordance with the institution's vision and mission and to identify continuous improvement needs and opportunities,
- To keep pace with and follow technological developments and changes within the scope of the services provided,
- To ensure business continuity by reducing the impact of information security risks,
- To comply with mandatory national and international regulations, legal and relevant legislation requirements, obligations arising from agreements, and corporate responsibilities towards internal and external stakeholders,
- To have the competence to quickly respond to potential information security incidents and minimize their impact,
- To maintain and improve the information security level over time,
- To improve and protect the institution's reputation and mitigate negative impacts based on information security,
- To safeguard personal information within the scope of the Personal Data Protection Law,
- To conduct trainings that will improve the information security awareness and competencies of employees, to be an exemplary organization in the sector by integrating with other management systems by providing the necessary support.
Each employee of İstanbul Akvaryum Turizm Ticaret Anonim Şirketi is responsible for contributing to the goals stated in the Information Security Policy.