Objective The objective of the policies regarding Information Security Management System is to achieve confidentiality, integrity and accessibility of the personnel, systems, information and assets of KTO Karatay University, to identify the business ethics to be followed and to ensure the continuity of the business within the scope of these objectives. The objective of the organization is not to impose restrictive policies on anyone, but rather to promote a culture of openness, trust and integrity. The organization protects its own and personnel rights from illegal or harmful acts, whether intentional or unintentional. All personnel must know the information security policies well and be responsible from their actions to ensure the information security. Scope Information Security Management System Policies apply to all employees of the KTO Karatay University. Responsibility Information Security Management Representative shall be responsible for implementing this procedure. Sanction Sanctions shall be imposed on all personnel who fails to act in accordance with these policies, taking into account the legal procedures set out in the Disciplinary Code and Procedure. Policies P.01 INTERNET ACCESS POLICY P.02 E-MAIL POLICY P.03 ANTI-VIRUS POLICY P.04 PASSWORD POLICY P.05 PHYSICAL SECURITY POLICY P.06 SERVER SECURITY POLICY P.07 NETWORK MANAGEMENT POLICY REMOTE ACCESS AND VPN POLICY P.09 SUPPLIER AND THIRD-PARTY SECURITY POLICY P.10 ACCEPTABLE USE POLICY P.11 CLEAR DESK, CLEAR SCREEN POLICY P.12 MOBILE DEVICE POLICY P.13 INFORMATION SECURITY INCIDENT MANAGEMENT POLICY P.14 IDENTIFICATION AND AUTHENTICATION POLICY P.15 CRYPTOGRAPHIC CONTROL POLICY P.16 DATABASE SECURITY POLICY P.17 CHANGE MANAGEMENT POLICY P.18 SECURE SOFTWARE DEVELOPMENT POLICY P.19 DATA BACKUP AND BUSINESS CONTINUITY POLICY P.20 EBYS INFORMATION SECURITY POLICY P.01 INTERNET ACCESS POLICY Objective The objective of this policy is to set the standards that the organization should have for secure internet access within the organization. Improper use of the Internet can have unintended consequences for an organization's legal obligations, capacity utilization, and corporate image. The objective of the Internet Access Policy is to prevent, knowingly or unknowingly, such negative effects and to ensure that the Internet is used in accordance with the rules, ethics and laws. Scope This policy applies to all employees who use the internet of the organization. Policy The computer network of KTO Karatay University must be connected to the internet via network firewall(s) that control/s access and content. The network firewall is designed to act as a gateway between the organization's network and external networks, preventing problems that may occur with the organization's Internet connection. Content filtering systems must be used in accordance the university policies. Undesirable sites (pornography, gaming, gambling, violent, etc.) must be banned. Attack Detection and Prevention Systems must be used based on the need of the university. Anti-virus servers must be used in line with the needs and opportunities of the university. All Internet traffic must be scanned for viruses. Security criteria such as firewall, antivirus, content control, etc. must be implemented for users' Internet access. Only authorized persons have the right to use all services, provided that they are on a different network from the network on which normal users access the internet. Access to non-work-related websites must be avoided during working hours. Files that are not related to the work (music, video files) must not be send or downloaded. Necessary precautions must be taken in line with this matter. A guest Wi-Fi network must be enabled for the third parties to access the Internet. As per Law No. 5651 (Law on the Regulation of Internet Publications and Combating Crimes Committed through these Publications), the Internet access records of the institution are archived for at least two years. It is against the law to access illegal websites and download files (films, music, programs, etc.) via computers or mobile devices. The use of Tunnel platforms, VPN (Private, personal use of a VPN), PROXY and DNS changes to connect to the Internet is strictly prohibited. To distribute such materials (letter, article, book, movie, music, etc.) that violate the intellectual property rights (copyright) of others is forbidden. System and network security violations are illegal. In case of violation, you will be held legally responsible (criminally liable) for breaking the law. The relevant institution shall investigate these violation cases. If there is any suspicion of an illegal act, the decision shall be taken according to the Disciplinary Procedure or may involve cooperation with law enforcement. It is illegal to publish and share obscene, disturbing materials that are inappropriate, explicit and disturbing materials for the purposes of use on the Internet, as well as messages of slander and defamation against the institution and its employees, family members of employees or the state, nation, legislative, executive and judicial organs, military and law enforcement agencies, citizens of the Republic of Türkiye. It is illegal to share user names and passwords belonging to the institution via Internet. It is forbidden to share the same user names and passwords used within the institution as those used in social life. The institution shall not be legally responsible for any potential harmful or undesirable consequences that might arise from the transactions (online banking, online shopping, using e-mail services, etc.) you personally made via Internet. Additionally, person(s) who hacked your personal or business account may commit a fraud pretending to be you and you may be held legally responsible for this reason. Whilst browsing the Internet, you must be very careful about deceptive pictures and texts (congratulations, you have won a prize, click to get your prize, etc.) and must not click on any of these pictures and/or texts. Third parties can access the Internet using the guest Wi-Fi network. To install any device to connect to the network within the institution is prohibited. It is forbidden for employees to share inappropriate, obscene, explicit, disturbing materials as well as visual and confidential information belonging to the institution via Whatsapp etc. applications using the institution's Internet. P.02 E-MAIL POLICY Objective This policy hereby introduces general rules for the e-mail infrastructure of KTO Karatay University. Scope This policy applies to all Employees using the institution’s e-mail. Policy All e-mails sent, received or archived by KTO Karatay University employees using the institution’s e-mail are classified as the Information Assets of KTO Karatay University. Therefore, when necessary, authorized persons are entitled to inspect e-mails without any notice and share these e-mails with the legal authorities. An institution email address is provided to all employees and other personnels who work in the campuses by KTO Karatay University. All professional e-mails must be sent or received via the institutional e-mail account. E-mail addresses legally provided to the user by the university shall not be utilized for misuse or any personal benefit. Non-work-related newsgroup must not be added to the address book. The e-mail server of the institution must not be used to send Spam (unsolicited e-mail messages), Phishing (identity theft) messages to other users inside and outside the institution. E-mail messages that are humiliating, insulting and harmful must not be sent to any user or group within or outside the institution. The institutional e-mail account provided by the university must not be used if the message is to be posted on internet newsgroups. Employees must not write the e-mail address of another user in the "From" line in the e-mail to be delivered, unless they are authorized to do so. Employees must not leave the “subject” section blank while sending an e-mail message. Employees must not open or delete emails where the Subject line is blank or received from an unidentified sender. Any file to be attached to the e-mail must not have extensions such as ".exe", ".vbs" or other prohibited file formats. In cases where such files must be forwarded, they must be zipped (zip and/or rar format) and attached to the e-mail. Abusive, harassing, or any other type of messages that may violate the rights of the recipient must not be delivered via the institution's e-mail system. Should a message with such nature be received, the IT Directorate must be notified. User accounts must not be used, directly or indirectly, for commercial or profit oriented purposes. It is prohibited to send e-mail messages to the other users for such purposes. If chain messages and e-mails containing any kind of run files attached to the messages are to be received, the IT Directorate must be notified before the e-mail is forwarded to other users. The user must prevent incoming and/or outgoing messages from being read by unauthorized persons inside or outside the institution. In case the user receives and e-mail that asks for the user code/password, IT Directorate must be notified before taking any action. The user must reply the institutional messages in a timely manner to avoid interrupting the work-flow. Files attached to the e-mails from unknown sources must not be opened and IT Directorate must be notified If there are any e-mail-based threats. Institutional e-mail accounts must not be linked and managed with personal e-mail accounts. The user is responsible for the security of her/his institutional e-mail account. The user is also liable for the judicial proceedings that may arise from e-mails she/he sent and must notify IT Directorate immediately in case her/his password is stolen. Should this policy be violated, with the approval of the Management Representative, necessary actions must be followed based on the terms and conditions specified in the ISMS Disciplinary Procedure document and its relevant articles. P.03 ANTI-VIRUS POLICY Objective The objective of this policy is to protect computers and servers belonging to KTO Karatay University against any malicious software (malware). Scope This policy includes computers and servers. Policy All the client and servers belonging to the Institution must be protected with anti-virus software. However, as an exception, antivirus software may not be installed on servers that system administrators deem necessary. When a virus is detected in clients and servers, they should be immediately removed from the domain. System administrators are in charge of the constant and regular operation of the antivirus software and the necessary procedures for the virus-free operation of clients and servers. Under no circumstances must the user uninstall the anti-virus software. Antivirus updates must be configured with the antivirus server. The servers must be connected to Internet at all times and the server’s data base must be automatically updated. Clients connected to the domain must be automatically updated by the antivirus server. Users who are not a part of the domain are solely responsible for updating their own computers, and in case of any inconvenience, system administrators are allowed to remove these computers from the network. Files should not be downloaded from unknown or suspicious sources. Unless required by the institution, it must be avoided to grant Read and write permissions or disc access permissions. These permissions granted in case of need must be revoked once it becomes no longer necessary. Optic media or external storage devices must be scanned for viruses. Critical data and system configurations must be periodically backed up and securely stored in a different electronic environment. If the backed-up data contains critical information, the archived data must be password protected. P.04 PASSWORD POLICY Objective The objective of this policy is to create a strong password and to ensure the security of these passwords. Scope This policy is aimed to include all user accounts connected to the computers and servers at KTO Karatay University. Policy User account passwords (i.e. E-mail, web, desktop computer, etc.) must be changed every 6 (six) months at the latest. System administrators must use different passwords for the system and personal accounts under their management. It is forbidden to attach passwords to e-mail messages or any electronic form. The user is frequently advised by the Cyber Security Office of not sharing his/her password with anyone else and not to write it down on paper or electronic media by means of awareness trainings and e-mails. Temporary user accounts set up for non-employees of the institution must also respect the password creation rules specified in the relevant articles of this directive. All passwords are classified as confidential information belonging to KTO Karatay University. It must not be shared or written on paper or any type of electronic media. Using the "password reminder" option in web browsers and other applications with password reminder is inappropriate in terms of information security, and users must be informed about the sensitivity of this issue as part of their awareness training. Password cracking and guessing exercises are routinely performed as part of security trainings. In case passwords are guessed or cracked as a result of the security scan, the user is requested to change their password. The user must avoid repeating the last 3 passwords and not to use the same password with a regular basis. Password must be at least 8 (eight) characters. It must include at least 1 (one) uppercase letter and at least 1 (one) lower case letter. It must include at least 1 (one) number. It must include at least 1 (one) symbol. (@, !,?,A,+,$,#,&,/,{,*,-,],=,...) It must be avoided repeating the same characters. (aaa, 111, XXX, ababab...) It must be avoided using consecutive characters. (abcd, qwert, asdf,1234,zxcvb...) One specific user name and password must not be used on more than one computer at a time. Information easy to guess such as personal details must not be used as password. (E.g., 12345678, qwerty, your date of birth, your child’s name, your surname) Words that can be found in the dictionary must not be used as passwords. Passwords generated by the same or very similar method that most people already use must not be preferred. P.05 PHYSICAL SECURITY POLICY Objective The objective of this policy is to prevent unauthorized access to the server rack cabinet, all work areas where systems containing organizational information are located, and organization buildings in order to protect organization personnel and critical organizational information. Scope It includes all physical security issues that allow to access to information assets located in the organization's buildings. Policy Different security zones must be defined in the building and work areas according to the distribution of organizational information assets and the criticality levels of the information available, and the necessary control infrastructures must be established by determining access permissions accordingly. Access authorizations to the various defined security zones must be reviewed at regular intervals. Entrances to the website are recorded and monitored for security purposes. Critical systems must be kept in the server rack cabinet. Critical systems must be protected against power outages and voltage fluctuations. Cabinets and drawers containing confidential information must be kept locked and under control in open-plan offices. The use of the equipment is under the responsibility of the person to whom it has been entrusted and s/he shall be responsible for ensuring the safety of the equipment. Any damage to the delivered equipment shall be collected from the entrusted person. Packages arriving at the institution for cargo and food purposes shall be picked up at the door, they should not be allowed inside the organization. All information technology tools that are determined to support critical or sensitive business activities must be kept in areas that require physical access control, protected by card access control, fingerprint access control or similar access. Visitors to the Security Zones should always be accompanied by designated institutional personnel and should not be left alone during their visit. Unless permitted, taking photographs, taking video and recording audio is prohibited in Security Zones. Personnel must not smoke in secure areas where important assets are kept and must not enter the Security Zone with food or beverages. Power supplies such as UPS and generators used to keep Information Technology tools running in the event of a power outage must be checked periodically once a year. All equipment must be serviced at regular intervals. The person registered as the asset owner shall be responsible for taking the necessary measures in order to protect the assets such as laptops, documents, CDs and flash memories. System documents of the software and hardware used in the university must be prepared. Written procedures shall be prepared as needed by the System Administrator and approved and updated by the Management Representative. Procedures for all work throughout the university are available in writing and can be accessed as needed via the web address kalite.karatay.edu.tr. P.06 SERVER SECURITY POLICY Objective The objective of this policy is to establish the basic security rules of the servers owned by the institution. Scope This policy includes all servers owned by the institution. Policy Only the authorized system administrators shall be responsible for the management of the all servers under the institution. All servers (owned by the institution) must be registered to the related inventory management system. Non-utilized services and applications on the server operating systems must be closed. Non-utilized servers must be kept off for security and to save electricity. Log records of the operations performed on the servers must be configured to be retained for at least 10 days. Logs of authorized access must be kept for operation systems, applications, databases, and network hardware. Each authorized person must perform operations by connecting with their own account for the management of the servers. Access to servers from outside must be provide according to the rules specified in the remote access policy. Servers must be kept in physically secured cabinets. Server rack cabinet equipment must be serviced regularly and maintenance logs must be kept, the maintenance of the devices must be performed under the supervision of authorized persons. Electricity and data cables must be installed in conduits within the institution. To prevent the server and other equipment from being affected by power failures, they must be connected to the UPS system and supported by a generator. All system and network equipment must undergo scan tests at least once a year and must be secured. P.07 NETWORK MANAGEMENT POLICY Objective The objective of this policy is to ensure the security and continuity of the information, network infrastructure and equipment located in the computer network of the institution. Scope It includes the network infrastructure, equipment and users under the KTO Karatay University. Policy To ensure continuity of computer networks and connected systems, stand-by equipment must be available. Network equipment must only be accessible and manageable by authorized persons. It must be protected against the unauthorized access. Only institution computers must be connected to the network of the institution. If a computer is to be connected outside the institution, it must be done with permission and under supervision of the authorized person. Guests must not be allowed on the institution internet network, and the guest network must be designed independently from the institution network. Wired, Wireless network, Network Devices and User Computers must be configured so that their networks are separate from each other. The security of the ports to be used for remote access must be done. The logs of each operation performed via network devices must be kept. Configurations of network devices must be backed up and stored after each change. Vulnerability tests of system and network equipment must be performed at least once a year. According to the vulnerability test results, if any, the vulnerability shall be monitored and eliminated REMOTE ACCESS AND VPN POLICY Objective The objective of this policy is to ensure the security of the remote access to the institution from outside. Scope This policy includes all institution employees and their suppliers who will access from outside Policy Remote access is only possible with SSL VPN or IP SEC SSL VPN. Authorized institution employees for remote access or other users connecting to the institution's computer network have the same responsibility as users connecting from the local network. Persons who have been granted the right to use a VPN must be reviewed regularly, and if deemed necessary, the VPN permission must be revoked. Non-institutional computers providing remote access must have antivirus software installed and up to date on their computers in accordance with the Antivirus Policy. Remote access of employees and 3rd parties must not be provided with free software (Teamviewer, Anydesk, Ammyy, etc.), only VPN must be used. P.09 SUPPLIER AND THIRD-PARTY SECURITY POLICY Objective The objective of this policy is to ensure the security of KTO Karatay University's information systems and information assets in case they are accessed by third parties. Scope All departments shall be responsible for implementing of the this policy. Policy When the material and service suppliers enter the information systems or information assets for maintenance etc. purposes, Confidentiality Agreement must be concluded. As long as third parties are part of the institution, they are obliged to act in accordance with the policies of the institution. Material and service suppliers may access the information systems of the institution within the scope of the authorization granted to them. Access authorizations granted to material and service suppliers must be limited in accordance with the purpose of access, logs must be kept, and authorizations granted after the work is completed must be revoked. Material and service suppliers must not be left unaccompanied while accessing information systems and information assets. Remote Access VPN Policy shall be applicable for material and service suppliers to access KTO Karatay University Network. KTO Karatay University may block access to the network without any warning to suppliers, maintenance companies or third parties. P.10 ACCEPTABLE USE POLICY Objective The objective of this policy is to inform the personnel about the business conducts and rules to be performed and followed in terms of confidentiality, integrity and accessibility classes of systems, information and assets. Scope This policy includes all employees under KTO Karatay University. Policy The confidentiality of all information classified as confidential by KTO Karatay University shall be strictly maintained. Reproduction and disclosure of this information is prohibited except as necessary for the business needs of the institution. The employees of KTO Karatay University shall be responsible for ensuring the security of all computer access information and devices entrusted to them. The access data must not be disclosed to anyone, and this information must not be passed on to others. No employee is allowed to disable the anti-virus protection software on their computer. It is prohibited to copy and run computer software (games, entertainment programs, torrents, software, etc.), the reproduction of which is prohibited by the manufacturer. It is prohibited to install license-free software, malware (Trojan, Keygen, Crack, etc.) on computers. If the employee considers information to be critical, this information must be encrypted or stored in areas to which only authorized individuals have access. Apart from the documents belonging to the institution (music, programs, movies, etc.), files must not be exchanged via computers. The employee who transcribes critical or confidential reports shall be responsible for ensuring that the information contained in the report is appropriately protected (locked cabinet, drawer, etc.). If any person finds a critical report that is not their own, this should be reported to the Information Security Management Representative. The clocks of the server and computers shall not be changed by the users, the clocks shall be managed automatically by system. Laptops must be more carefully protected against security vulnerabilities. Only the necessary information must be stored on these devices. In case the devices are stolen or lost, this must be reported immediately to Data Processing Unit. Trade secrets, patents or production information obtained within KTO Karatay University must never be disclosed to unauthorized persons. It is prohibited to keep personal data on the institution's computers. All information kept and transmitted on the KTO Karatay University equipment is the property of the institution and KTO Karatay University has the right to monitor and audit such information. No employee other than the Data Processing Unit employees shall have no right to scan, monitor or listen to the information network of KTO Karatay University using their own computer or any other source. No employee shall act beyond his/her assigned computer authorizations within the institution or exceed his/her authority. Insulting and defamatory posts must not be shared on social media. The sensitive information of the institution must not be shared on social media. The institution's computer, telephone, printer, telecopier, photocopy machine, scanner, etc. must not be used for personal purposes. P.11 CLEAR DESK, CLEAR SCREEN POLICY Objective The objective of this policy is to minimize the risks which the employees may be exposed to as a result of the appropriate use of information or unauthorized access to information shared with them during or outside of working hours due to their duties. Scope Desks, screens, printed documents, certificates and records. Policy The passwords used in the systems are not left on the desktop, on the edges of the screen or in places that are visible to everyone. Outside of working hours, computers must be turned off or locked. The computer must be locked whenever it is left unattended during working hours. (The screen saver must be activated every 20 minutes and must be password protected.) The user cannot share documents with confidential information over the network, waste documents with confidential information are destroyed in a shredder or shredded manually. Personnel shall be responsible for the security of all confidential documents on media where data may be stored, such as computers, USB flash drive, external hard drives, etc. If confidential/important data needs to be stored on a USB flash drive or external hard drive, it shall be encrypted. Outside of working hours, computers shall be turned off or locked. Documented confidential information of the institution is kept in a locked media. The institution's letterheads are stored in cabinets. Sensitive and classified information is immediately deleted from the printer when printed. Documents containing private information of the institution are not kept on computer desktops. Business card baskets, personal agendas, documents with valuable information cannot be left on the desk and must be kept in locked drawers. P.12 MOBILE DEVICE POLICY Objective The objective of this policy is to set forth the rules for the use of mobile devices containing information of KTO Karatay University. Scope All employees using mobile devices shall be responsible for the implementation of this policy. Policy Portable equipment containing information of the institution must be entrusted and handed over to the relevant person. Each employee shall be responsible for the security and proper use of the mobile device entrusted to him/her. Computers within the domain should only be delivered to the person concerned with the permission of the user, limiting the administration authority with exceptions. The personnel shall be responsible for computers that are independent of the domain. Passwords must be defined against unauthorized access to mobile devices. If the institution's email is installed on cell phones or tablet computers, password protection is mandatory to ensure the security of the device. The work performed and files created on the computers within the domain must be stored in the corresponding shared area of the units. Mobile devices (Laptops, Tablets, etc.) must not be used by anyone other than the persons to whom the devices are entrusted, including family members. Mobile devices should not be left unattended as they can easily be lost or stolen. Data must be backed up and a current copy kept in a different place. The functions for remote deactivation and deletion of mobile devices must be absolutely used. P.13 INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Objective The objective of this policy is to determine the information security event breach processes of KTO Karatay University. Scope All personnel shall be responsible for implementing of this policy. Policy Security breaches such as damage to the information in terms of confidentiality, integrity and accessibility; deterioration, alteration and seizure of the information by others until it reaches the end user, unauthorized access must be recorded. An e-mail must be sent to the Information Security Management Representative for breach notifications. Information security events and the process for responding to them are detailed in the Information Security Event Management Procedure. The experienced information security breaches must be evaluated together with the Information Security Management Representative. The user in breach must be identified and the question of whether the breach constitutes a criminal offense must be resolved in accordance with the Disciplinary Code. The following procedures must be followed when collecting evidence; Content indicating the quality and completeness of the evidence. Camera records, input and output records, server/program and computer logs, firewall logs and internet logs shall serve as evidence of the events leading to the breach. Evidence of events can be secured by blocking access except for authorized persons or by making backup copies. Any employee not acting in accordance with this policy shall be treated in accordance with the Disciplinary Policy. P.14 IDENTIFICATION AND AUTHENTICATION POLICY Objective The objective of this policy is to define authentication and authorization policies for access to the information systems of the institution. Scope This policy covers the institution personnel and external users who access the information systems of the KTO Karatay University. Policy The management representative determines which systems and authentication method employees accessing institution systems will use as part of their computer access accounts. The user account for the suppliers who need access to the institution systems is defined by the Data Processing Unit by granting the appropriate permissions. User access rights to application software, packages, databases and operating systems used within the institution and which can be accessed centrally must be kept under control. Access authorizations for employees and suppliers must be kept up to date. Operating system access logs must be kept regularly and reviewed as needed. Users must keep their assigned access passwords confidential and not share them with anyone. Each user is assigned a separate user account. User accounts that no longer need to be accessed are deactivated or removed by the Data Processing Unit. P.15 CRYPTOGRAPHIC CONTROL POLICY Objective This Policy covers the protection of confidentiality, accessibility or integrity of data. Scope This policy covers the secure access and sharing of critical data. Policy Confidential data assets defined within the institution shall be stored with cryptographic encryption methods. Each staff member is responsible for the security of the data assets she/he hosts. Data transfer should be made by using systems such as e-signature and financial seal in the exchange of data with the public. Strong passwords should be used to protect data on mobile devices. External penetration test reports must be delivered to KTO (Chamber of Commerce) Karatay University using the special encryption method determined. P.16 DATABASE SECURITY POLICY Objective This Policy covers the standards for the uninterrupted and secure operation of the database systems of the institution. Scope All database systems are within the scope of these policies. Policy All access operations (reading, modifying, deleting, adding) to critical data in the database must be recorded. No access to log records can be made in any way without the permission of the authorized person. Only users with admin rights can access the database server. Access authorizations to servers with databases should be recorded and necessary checks should be carried out concerning such authorizations. Based on their level of criticality, database systems should be backed up regularly. The systems in which the database information is stored are kept in server cabinets with physical security. Before the maintenance, repair, patching and updating works to be carried out in database systems, the relevant units should be notified beforehand. Under no condition should Media with database (USB Hard disk, Memory, CD etc.) be taken out of the institution. Such media containing the databases should be subject to regular checks in terms of occupancy rates. P.17 CHANGE MANAGEMENT POLICY Objective This policy has been developed and implemented to ensure that software and hardware changes that need to be made to the institution's information systems are done in a way that does not compromise security and continuity of systems. Scope All data systems and the personnel in charge of operating these systems are within the scope of this policy. Policy All requests for software and hardware changes must be recorded. Any change to the information systems must be made by authorized persons. All applications affected by a long-term or significant change to a system should be identified and the relevant bodies/suppliers informed before the change is made. Any changes to be made should first be developed in test environments and then transferred to the live system following testing. Backup copies of the codes/systems to be changed must be made before the changes are made. Critical and very critical servers are updated taking the current operating system image during the update. Changes to be made to the software used in the institution by third parties must be carried out within the framework of the regulations approved by the respective manufacturer. Should the change management service be sourced from outside the institution, it is necessary to enter into a confidentiality agreement with the supplier company. P.18 SECURE SOFTWARE DEVELOPMENT POLICY Objective The objective of this policy is to ensure that KTO Karatay University's information security and software development processes are conducted in a manner that does not compromise security and system continuity. Scope It is the responsibility of all personnel involved in the software development process to implement and comply with this policy. Policy For all types of software to be purchased, the purchasing process is to be decided by soliciting an opinion from the IT Directorate on software and hardware competence. All newly purchased or revised software must be checked in a test environment. In the event of a problem, the manufacturer must be contacted for assistance. Newly purchased software must be added in the information security asset inventory. In no way, within the institution, can personally developed software be used. The software developed in the institution constitutes one of the sole assets of the institution and the software developers cannot claim any rights to the software they have developed should they quit their job within the institution. Only the application producer retains the right to access the source codes of the applications used in the institution. P.19 DATA BACKUP AND BUSINESS CONTINUITY POLICY Objective The objective of this policy is to prevent the loss of all classified information used within KTO Karatay University and to establish the necessary procedures and policies for data security. Scope All academic and administrative staff of KTO Karatay University are within the scope of this policy. Policy In light of errors that can occur in information systems, the configuration, system information and company data in the systems must be backed up regularly to minimize system downtime and any potential loss of information. The data must be backed up in the operating environment online on the same disk system in different data carriers as well as offline on magnetic cassettes, DVDs or CDs. Portable data media (magnetic cassettes, DVDs or CDs) must be stored securely in rooms or buildings that are located physically separate from the data processing rooms. Data must be stored offline for at least 2 (two) years. An inventory of the systems on which mission-critical data is stored or where a system failure is of critical importance should be made and classified and documented regarding the need for backup. The inventory to be backed up regularly should document which systems and which type of applications are being run on which systems and specify who, amongst the personnel, is authorized to make changes to the inventory, the file information systems to be backed up and their authorization levels. When it comes to information security procedures, the issue of data backup holds a very important place. Responsibilities concerning the back-up should be defined and appointments made. The systems, files and data to be backed up must be carefully identified, and a backup list of the systems to be backed up should be drawn up. Surveillance files with low criticality or continuous growth should not be included in the backup list to avoid unnecessary storage space on the backup unit. Given that the information to be backed up may change, the backup list must be reviewed and updated regularly. The commissioning of new systems and applications should be followed by the update of the backup lists. It is necessary to select and provide spare equipment in sufficient number and capacity for the back-up. The need to increase backup capacity should be reviewed periodically. The backup media should be tested at regular intervals and ensured to be reliable in case of emergency. The restoration procedures must be subject to regular review and testing for verification in terms of their effectiveness, in addition to being completed within the timeframes specified in the operating procedures. The environments in which the backup units will be restored must be ensured to be physically suitable and secure. With the Backup Standard, against a possible outbreak of an act of nature, accurate and complete backup copies should be stored in an environment that will not be compromised. Backup standard, frequency of backup, scope, when it is done during the day, under which conditions and at which stages the backups are uploaded, and how to restore if any issues arise during the backup upload should be defined. The Backup Standard should be prepared in such a way as to clarify how to label backup media, how to perform backup tests and similar issues, and its operability should be reviewed periodically. Only licensed software can be used in the backup system. Backups must be made to suitable storage areas. Backups of confidential information that need to be taken out of the institution must be taken out of the institution after the encryption. The hardware containing the backed-up data must be kept in a secure environment and no one other than those authorized by the IT Director must have access to it. The backup table shall be reviewed annually and adjustments shall be made as necessary. The protection mechanism shall be reviewed every year in terms of its structure and requirements, with corrections applied accordingly, wherever necessary. The backups taken from the backup system shall be regularly tested in an environment separate from the main systems as part of the Business Continuity Exercise Plan. Under the Law No. 5651 on the Regulation of Publications on the Internet and Suppression of Crimes Committed by Means of Such Publications, internet logs shall be stored for at least 2 years. P.20 EBYS INFORMATION SECURITY POLICY Objective The objective of this policy is to prevent the administrative and academic personnel of KTO Karatay University from misusing Electronic Document Management System (EBYS) and to establish the procedures and policies regarding the necessary information and procedures for information security to ensure that they can be used safely. Scope The EBYS (Electronic Document Management System) Data Security Policy applies to all units and personnel of KTO Karatay University, to internal and external stakeholders who can access data systems as third parties, to service, software or hardware providers who provide technical support to EBYS, and to other external users. Policy Data must be protected against access by unauthorized persons. The confidentiality, integrity and availability of the data must be maintained. Legislative requirements shall be met. All personnel shall be provided with cybersecurity training in order to raise awareness and develop competencies in data security. Users shall be prevented from sharing their passwords with subordinates, supervisors or other persons, from keeping them in writing in such a space as a desk or computer screen, and from sharing password information, especially by phone, email or text message. All users must use the officially assigned e-mail address with the extension @karatay.edu.tr that includes the name of the institution in EBYS transactions. It is the responsibility of the personnel to ensure the security of corporate data in EBYS, into which they are to log in via the desktop and laptop computers assigned to them, which they are to use for the benefit of the institution and its works. EBYS administrators can access the personnel's computer on-site or remotely, on condition that the user is notified, and are able to carry out security, maintenance and repair work without needing to know the password. In such a case, authorized personnel providing remote maintenance and support services cannot view, copy or modify personal or company data on the connected computer. Should a problem occur on EBYS, unauthorized persons shall not intervene and the EBYS system administrator shall be notified of the problem immediately. The passwords used to log in to social media accounts must be different from those used to log in to EBYS. Under no condition shall internal and external normal and confidential information about the documents issued, approved and sent be shared on social media platforms. The transmission of confidential documents such as confidential and top secret as well as personally confidential documents to internal and external bodies shall be carried out within the framework of the applicable legal provisions. On movable documents; nothing concerning the content of the transmitted document shall not be written, general headings shall be used. Where the movable material containing data is moved to another location, it shall be handed over to an authorized person with a report. The responsibility of ensuring the security of all types of information and documents held in EBYS after the preparation and/or printing of a desktop copy rests with the user carrying out the transaction. Such transactions are recorded by the system. The user who breaches information security is identified and, upon the identification, it is determined whether the breach contains criminal elements. Changes or updates made to EBYS shall be communicated to users as an announcement when they first log on to the system or as a corporate announcement. Specific sorts of training shall be organized for EBYS users within the institution on the use of the system and information security, and participation forms for the training should be kept. Documents available in EBYS must be retained under the policies and procedures set out in the administrative and legal provisions and the document retention schedule.
