INFORMATION SECURITY POLICY

The Green Crescent’s Information Security Policy sets out the principles and measures for minimizing information security risks and their potential impacts. To this end, the policy aims to:

• Ensure the confidentiality, integrity, availability, continuity, and control of information assets;
• Reduce risks arising from the loss, corruption, or misuse of information assets and ensure compliance with applicable laws and regulations;
• Protect information assets against internal and external threats, whether intentional or unintentional;
• Promote the continuous improvement of the Information Security Management System.

This Information Security Policy applies to all employees who use Green Crescent information or business systems, regardless of geographic location or business unit. Third-party service providers and their personnel who have access to Green Crescent information, even if they do not fall within these classifications, are also required to comply with the general principles of this policy.

1. Compliance with Legislation
The Green Crescent conducts its activities in accordance with applicable laws, regulations, and regulatory requirements relating to information technologies and communication infrastructure services. The procedures and principles governing the obligations and responsibilities of content providers, hosting providers, access providers, and public-use providers, as well as measures relating to combating certain offences committed online through such providers, are regulated under Law No. 5651 dated 4 May 2007. The Green Crescent also operates in compliance with the Personal Data Protection Law No. 6698 dated 24 March 2016.

2. Information Classification
The Green Crescent addresses matters related to the ownership, classification, and management of data processed and generated within the organization. Information is evaluated and categorized based on confidentiality, integrity, and availability requirements, taking into account factors such as criticality, legal obligations, and the potential impact of unauthorized access. Information owners and custodians are assigned to ensure that appropriate security controls are defined and implemented. Mandatory minimum security requirements are established for classified information assets, and full compliance with these requirements is ensured, except for cases formally approved by senior management.

3. User Access and Authorization
All Green Crescent users, including privileged and standard authorized users, are monitored in accordance with the principles of segregation of duties and least privilege. Access rights are granted based on the approval of the relevant system owner and are reviewed by the Internal Audit Directorate. Requests are not required for the revocation of access rights. User account and authorization reviews are conducted at least once annually. System owners hold primary responsibility for these reviews. User access methods are designed using techniques that support accountability and non-repudiation. User accounts are assigned individually, and shared accounts are not permitted.

4. Password Management
The purpose of the Password Management Standard is to establish password rules and standards for applications, operating systems, and databases used by the Green Crescent.

This standard applies to all departments and employees, as well as internal and external stakeholders accessing information systems as third parties, including service, software, and hardware providers delivering technical support and all other relevant external users.

5. Audit Trail Management
Log records relating to operating systems, databases, and all other critical systems and applications are regularly monitored and reviewed in order to track activities, conduct analysis, and take timely action where necessary. Unnecessary sensitive or critical data is prevented from being included in audit trails. Activities performed on audit logs are also recorded.

6. Information Security Incident Management
Security incidents and vulnerabilities are reported immediately to the responsible personnel. Reported incidents are prioritized and resolved accordingly. Issues arising from software vulnerabilities are addressed in the same manner.

Lessons learned from previously reported incidents are used to prevent recurrence. All employees are responsible for reporting information security incidents appropriately.

7. Acceptable Use
The Green Crescent’s information and communication systems and equipment, including internet services, email, telephones, paging systems, fax machines, computers, and mobile devices, are to be used solely for official organizational purposes.

Any unlawful, disruptive, harmful, or unauthorized use of these systems, or any use that violates the Green Crescent’s policies, standards, or guidelines, constitutes a violation of this policy. The Green Crescent reserves the right to monitor, record, and periodically audit the use of these systems and related activities.

Users acknowledge that any opinions, statements, expressions, or written content communicated through systems provided by the Green Crescent are their own responsibility and do not represent the views of the organization.

Users may not use organizational communication systems to transmit insulting, pornographic, unlawful, or otherwise inappropriate content, including unauthorized mass communications, promotional messages, unauthorized mailings, or activities contrary to applicable laws and public morality.

8. Protection Against Malicious and Unlicensed Software
The Green Crescent implements measures to protect its systems against malicious software, including antivirus protection across operating systems. User devices and information systems are protected against malware and related cybersecurity threats.

The use of unlicensed software is strictly prohibited. Employees are not permitted to disable or remove antivirus software installed on organizational systems. Antivirus protection is deployed across all user computers and servers, and regular scans and updates are performed.

The installation and use of unauthorized or unlicensed software in any form is prohibited. User authorizations are restricted to prevent the installation of unlicensed software. Users are required to obtain approval from the relevant departments for the software they need.

Regular scans are conducted to identify weaknesses and security vulnerabilities in information systems and application software in advance, and necessary patches are applied to mitigate potential threats and misuse.

9. Network Security
Unauthorized devices are prohibited from connecting to the organizational network. The Green Crescent utilizes firewall technologies together with IPS and IDS capabilities to protect its systems against network threats and unauthorized access.

Changes made to network security devices are documented and subject to approval procedures. Requests for new external network connections are implemented only with the approval of the Information Technologies Directorate.

10. External Data Transfer
Data transfers outside the Green Crescent are conducted securely and in accordance with the nature and classification of the data being transferred. Appropriate measures are implemented to ensure non-repudiation.

11. Physical and Environmental Security
Risk assessments are conducted for facilities and physical environments used by the Green Crescent to protect information assets against physical and environmental threats, and security controls are implemented based on the results of these assessments.

Employees and visitors are required to wear identification badges visibly at all times within Green Crescent premises. The identification badge system is designed to minimize security vulnerabilities in the event of loss.

Computers and storage media, such as USB storage devices, are protected against unauthorized access. Visitors are not permitted to access the premises without supervision. Access to system rooms is logged.

Physical cabling infrastructure used for sensitive data transmission is protected against unauthorized access and interference through physical and logical controls. Appropriate safeguards are also implemented against environmental risks.

12. Clean Desk Policy
Documents and storage media containing sensitive or critical information are securely stored to prevent unauthorized access. Sensitive data is not stored on portable devices except where required for transfer purposes.

Data stored on portable devices is encrypted to prevent unauthorized access. Documents containing sensitive information are securely and irreversibly destroyed when no longer required.

The use of portable storage devices is restricted unless required for business purposes. Documents containing critical organizational information must be stored in a manner that prevents visibility by unauthorized individuals.

To reduce unnecessary printing, electronic documents should not be printed unless required for business purposes.

13. Information Security Risk Management
To ensure effective information security across the organization, risks associated with information assets and critical data are assessed to identify, implement, and maintain appropriate controls.

This process includes the classification of IT assets, identification of threats, evaluation of risks, and implementation of risk mitigation controls.

In addition, the Internal Audit Director monitors risk assessments and related risk treatment plans.

14. Business Continuity Management
The Green Crescent implements necessary measures to ensure preparedness for incidents that may disrupt operations, cause financial loss, or damage institutional reputation, and to restore operations to an acceptable level within a reasonable timeframe.

Critical business processes are identified, and continuity strategies are defined accordingly. Business continuity planning is conducted for critical information assets and the IT services supporting them.

In addition, remote working infrastructure and information-sharing protocols are established for emergency situations, enabling users to continue operations via secure remote access.

15. System Development and Maintenance
Analysis, design, development, installation, and post-implementation review activities related to information systems are managed according to defined processes.

The principles of segregation of duties and least privilege are applied throughout system design and implementation. All Green Crescent personnel involved in these activities share responsibility for ensuring information security.

These principles are also applied in production environment access and deployment activities.

16. Information Security Training
To enhance employee awareness of the Information Security Policy and related strategies, information security training is provided upon onboarding and at regular intervals thereafter.

Participation in these trainings is mandatory for all relevant personnel and is monitored accordingly. Through these trainings, employees are informed about the Information Security Policy, related procedures, and standards, and are made aware of their roles and responsibilities in maintaining information security.

17. Intellectual Property Rights
Products, software, services, or systems protected by intellectual property rights may not be used without the authorization of the rights holder or without a valid license.

The use of unlicensed software within the Green Crescent is prohibited.

Necessary patents and protections are obtained to safeguard the intellectual property rights of Green Crescent products and services.