Information Security Policy
INFORMATION SECURITY POLICY
1. PURPOSE
The purpose of this Policy is to define the purpose, objectives and principles of the Main Car Rental Company Information Security Management System.
2. SCOPE
The provisions of this policy apply to the personnel of the Main Car Rental Company and the company and its personnel that provide services to the Company with special contracts or provide external support.
3. POLICY
MAIN regards corporate information as an extremely valuable asset. Information; is critical to the sustainability of our business operations and must be appropriately protected. MAIN aims to minimize the risks that may arise regarding the Confidentiality, Integrity, Usability of corporate information and the effects of these risks by applying the Information Security Management System (ISMS) ISO 27001 standard.
MAIN has adopted the fulfillment of the following issues in particular:
Ensuring the confidentiality, integrity and availability of information and information systems,
To identify risks to information assets and to manage risks in a systematic way,
To fulfill the requirements of Information Security Standards,
To comply with the relevant legislation regarding Information Security,
Evaluating continuous improvement opportunities and carrying out studies in order to keep the Information Security Management System alive,
To provide trainings to develop technical and behavioral competencies in order to increase information security awareness,
Preparation and publication of other sub-procedures related to this policy by the Information Technologies and Information Security Unit.
MAIN's Information Security Policies are valid and mandatory for all MAIN personnel, regardless of geographic location or business unit, who use MAIN information or business systems, whether full-time, part-time, permanent or contracted. All persons, such as third party service providers and their affiliated support personnel, who do not fall into these classifications and need access to MAIN information, must adhere to the general principles of this policy and other security responsibilities and obligations that they must comply with.
3.1 RESPONSIBILITIES OF ALL EMPLOYEES
The purpose of Information Security and this policy is to protect, maintain and manage the confidentiality, integrity and availability of information and all support business systems, processes and applications. This means; Keeping the information of MAIN in authorized hands; Ensuring that the information is complete, accurate and usable is ensuring that the information and systems are ready for use when necessary. For this reason, all MAIN and outsourced personnel and interns, regardless of their positions or duties, are responsible for doing their jobs in a way that protects the information within MAIN.
In addition to ensuring that the information belonging to MAIN is complete, accurate and usable, all MAIN personnel must also comply with the principles of MAIN business ethics and the protection of confidential information specified in the Rules of MAIN Personnel Discipline Regulation.
MAIN; It undertakes to take the measures specified in the Personal Data Protection Law.
3.2 POLICY OWNERSHIP
The functional ownership of this policy and all standards and other supporting documents and training activities will be carried out by the Information Technologies and Information Security Unit, and this management will also be a source of advice and guidance regarding the implementation of the policy within the entire MAIN.
The Information Technologies and Information Security Unit will ensure that all employees receive appropriate training that will create the appropriate level of awareness on Information Security issues and will guide in the handling of information security incidents in general. It will ensure that this policy is supported by detailed standards, procedures and processes where necessary, and that they are available as needed. He will also be responsible for ensuring that these policy requirements are communicated to all employees (permanent or periodic) and to all contractor personnel.
The Information Technologies and Information Security Manager is constantly responsible for ensuring that this policy is kept up to date, from the establishment of the general management framework regarding Information Security to its continuity, and that it continues to reflect the business requirements of MAIN and its subsidiaries, or the changes in the risk environment or threats faced by MAIN and its affiliates. will be responsible for the review.
Information Security policies are reviewed at least once a year in parallel with the asset and risk updates made in order to reflect the current risks faced by MAIN information assets. In order to keep new risks and changes in risks under control, Information Security Policies are updated by making new necessary additions. In addition, any MAIN employee Information Security
It may request the Information Technologies and Information Security Unit to change the policies in order to improve the policies and better reflect the controls required by MAIN. Requests made are handled and evaluated by the Information Technologies and Information Security Unit.
Information Security Policy principles should be applied in parallel with the Personnel Regulation Rules of MAIN Human Resources. Employees are also responsible for being aware of the Information Security Policy and complying with these principles.
3.3 AUDIT
Each unit manager is primarily responsible for taking the necessary measures to ensure compliance with the Information Security Policy and monitoring the system.
The Information Technologies and Information Security Unit is responsible for periodically auditing and reporting to the relevant parties the compliance with all published policies and procedures, especially the Information Security Main Policy.
Violations of the Information Security Policy may cause damage to MAIN as a result of not implementing the controls needed against the risks, as well as criminal liability and compensation for material damages according to the new Turkish Penal Code. Therefore, the said violation is also a violation of the MAIN Personnel Regulation and may result in a disciplinary penalty. Violations of the Information Security Policy, which are detected as a result of surveillance, auditing and reporting, may result in internal disciplinary penalties, which can go up to termination of employment and even initiation of Judicial and Criminal legal proceedings.
Working together on the implementation of this policy will help to continually protect our knowledge and reputation and ensure the continued success of our business.
3.4 OBJECTIVES
MAIN Information Security, in order to protect the reputation, reliability, information assets of MAIN, and to continue its basic and supporting business activities with the least possible interruption,
To fully ensure the continuity of information systems,
To maximize the level of compliance with the awareness, awareness and safety requirements of the employees,
To ensure full compliance with the contracts made with third parties,
Minimizing information security breach incidents and turning them into learning opportunities,
Production, access and storage of information in full compliance with the law,
It aims to implement the most up-to-date and effective technical security controls.
Each Main Rent a Car employee is responsible for contributing to these goals.
