
Information Security Policy

  1. SCOPE AND LEGAL BASIS

The Information Security Policy (“Policy” or “BGP”) covers the information assets of Egeyapı Avrupa Gayrimenkul Yatırım Ortaklığı Anonim Şirketi (“Egeyapı GYO” or the “Company”). It applies to all employees across all locations, as well as suppliers and contractors operating both on-site and off-site.

The Information Security Policy has been prepared in consideration of the Communiqué on Information Systems Management No. VII-128.9 issued by the Capital Markets Board for publicly traded companies (“Communiqué”), the Personal Data Protection Law, and other relevant regulations.

  2. PURPOSE

Egeyapı Avrupa Gayrimenkul Yatırım Ortaklığı Anonim Şirketi considers corporate information to be a highly valuable asset. The purpose of the Egeyapı GYO Information Security Policy is to ensure business continuity for the Company and its subsidiaries and to prevent information security incidents or minimize potential damage by ensuring the confidentiality, integrity, and availability of information assets.

The Company particularly adopts the following principles:

  • Identifying risks related to information assets and managing these risks in a systematic manner,
  • Complying with Information Security Standards requirements,
  • Ensuring compliance with all relevant legal regulations regarding Information Security,
  • Providing the necessary resources, establishing controls, evaluating continuous improvement opportunities, and carrying out required oversight activities to ensure the Information Security Management System is maintained,
  • Conducting training designed to enhance technical and behavioral competencies in order to increase information security awareness.

  3. INFORMATION SECURITY

Information, like other important commercial and corporate assets, is a valuable asset for a company and must therefore be appropriately protected. Information security protects information from risks and threats in order to ensure business continuity and minimize losses. Information security is defined in this Policy as the protection of the following information attributes:

Asset: Anything that has value to the Company (all information, software, hardware, people, and processes belonging to the Company)

Information: The product of thought acquired through study, experience, or learning

Confidentiality: Ensuring that information is accessible only to authorized individuals

Integrity: Ensuring the accuracy of information and processing methods and preventing unauthorized modification

Availability: Ensuring that authorized users can access information and related resources whenever needed in the fastest possible way

Company Information: Information obtained during Company operations that qualifies as a trade secret shall be referred to as “Company Information.”

Company Information includes, but is not limited to:

  • All information belonging to Company customers
  • Any intellectual, financial, commercial, or technical information that the Company is obliged to keep confidential due to legal relationships with third parties
  • Marketing and sales plans, product development plans, competitive analyses, benchmarking test results, business and financial plans or forecasts, trade secrets, non-public financial information, contracts, employee data
  • All information related to the Company and its systems
  • Inventions, developments, R&D activities, works in progress, and any information, documents, or materials related to procurement, accounting, and licensing
  • All software developed by or for the Company by external firms or under license. The term “software” includes all stages of software development and outputs, all components (source code, machine code, etc.), multimedia elements (menus, screens, structure, organization, etc.), any human- or machine-readable forms, storage formats, diagrams, flowcharts, designs, drawings, specifications, models, data, error reports, procedures, documents, and printed or digital materials containing customer or supplier information
  • Information belonging to other companies in which the Company or its shareholders have an interest
  • Any information not defined above that is legally required to be kept confidential or is designated as confidential by the Company

  4. AUTHORITY AND RESPONSIBILITY

The Board of Directors approves the Information Security Policy, which defines the information security strategy and roadmap, in order to establish an effective information security management structure and mandates its implementation.

The preparation, updating, and implementation of the Information Security Policy are overseen by the Company’s senior management, while approval is granted by the Board of Directors. The responsible senior management body is determined by the Board of Directors. Ensuring effective and adequate controls over information systems under this Policy is the responsibility of the Board of Directors.

The Information Security Management function is appointed by the Board of Directors from among the Company’s senior executives, consisting of the Senior Management of Information Systems, the Deputy General Manager of Information Technologies, Finance & Financial Affairs, and the Head of the Legal and Compliance Unit.

    1. Information Systems Senior Management Duties and Responsibilities
      • Establishing, operating, and managing information systems,
      • Preparing the information security policy to ensure the confidentiality, integrity, and, where necessary, availability of information in relation to the use of information systems,
      • Submitting the information security policy to the Board of Directors,
      • Communicating the information security policy to employees,
      • Implementing, supervising, and controlling the information security policy,
      • Reviewing critical projects related to the adoption of new information systems and approving them by taking into account the manageability of associated risks,
      • Ensuring that information security measures are brought to an appropriate level and allocating sufficient resources for related activities,
      • Reviewing and approving information security policies and all responsibilities on an annual basis,
      • Performing risk management by identifying potential risks related to information systems and processes together with their impacts and defining activities to mitigate these risks,
      • Monitoring and annually evaluating information security incidents,
      • Carrying out initiatives and providing training to increase all employees’ information security awareness,
      • Ensuring that processes and procedures established for managing information system risks are effectively embedded within the Company’s organizational and managerial structure and monitoring their effectiveness,
      • Preparing a business continuity plan to ensure the continuity of all critical business processes based on risk priorities,
      • Ensuring that controls related to the confidentiality, integrity, and availability of information systems and the data processed, transmitted, or stored on them are developed, operated, and kept up to date, and defining necessary managerial responsibilities,
      • Identifying the Company’s information assets and their owners, creating and maintaining an up-to-date inventory of these assets, and classifying them according to their importance level,
      • Ensuring that physical access is restricted to authorized persons only by securing controlled areas with appropriate entry controls,
      • Designing and implementing physical protection against damage caused by fire, flood, earthquake, explosion, theft, and other natural or human-induced disasters,
      • Establishing and effectively managing controls to protect networks against threats and to ensure the security of systems, databases, and applications using these networks,
      • Taking necessary measures to ensure the integrity of transactions, records, and data processed through information systems,
      • Taking measures to ensure the confidentiality of all data transmitted, processed, and stored within information system activities,
      • Establishing an effective audit trail mechanism for the use of information systems, taking into account the complexity and scope of risks, systems, and operations,
      • Conducting outsourcing processes related to these services with the approval of the Board of Directors.
    2. Employee and Third-Party Responsibility
      • Compliance with the Information Security Policy is mandatory for all personnel using Egeyapı A.Ş and/or its subsidiaries’ information or business systems, regardless of whether they are full-time, part-time, permanent, or contracted, and regardless of geographical location or business unit. Third-party service providers not included in these categories, as well as their supporting personnel who have access to Egeyapı A.Ş information due to the services they provide, must comply with the Policy’s rules and obligations.

    • Those who use the Company’s IT infrastructure and access information resources:

        • Ensure the confidentiality, integrity, and availability of the Company’s information in personal and electronic communications.
        • Take security measures determined according to risk levels.
        • Report information security incidents to Information Systems Senior Management and take measures to prevent such violations.
        • Do not transmit internal company information resources (announcements, documents, etc.) to unauthorized third parties.
        • Do not use company IT resources for activities that violate legislation.
        • Protect the confidentiality, integrity, and availability of information belonging to investors, business partners, suppliers, or other third parties.
    • The Company Management (or Information Systems Senior Management) ensures that all employees receive awareness training on information security issues and comply with the Policy.


      CONTROL and SUPERVISION

    • Violations of the Information Security Policy may cause damage to the Company due to the failure to implement necessary controls against risks and may also lead to legal, administrative, and/or criminal liabilities. Therefore, in addition to the control and supervision responsibilities explicitly stated in the Policy, each unit manager of the Company is primarily responsible for taking the necessary measures and supervising the system to ensure compliance with the Information Security Policy.

      It is the individual responsibility of all our employees to report any suspicious situation in order to protect the Company’s reputation and reliability.

      If the Company suffers reputational or financial damage due to non-compliance with the Information Security Policy and sub-policies, information security standards, and guidelines, the Company’s disciplinary provisions shall apply.

      Failure to report information security violations and weaknesses despite being aware of them, ignoring them, or violating the Information Security Policy will be considered within the scope of a violation and may be subject to disciplinary investigation.

      EFFECTIVE DATE

    • This policy shall enter into force on the date it is signed by the Board of Directors or the members of the Board authorized by the Board.