STARTUPFON CROWD FUNDING PLATFORM INC.

INFORMATION SECURITY POLICY

SECTION ONE

OBJECTIVE, SCOPE AND LEGAL BASIS



Purpose

Article 1- The purpose of this Policy is, in line with the requirements of the information age and in view of the duties and position of Startupfon Crowdfunding Platform Inc. (hereinafter referred to as the Platform), to take precautions regarding information sharing and security; to ensure that information, evaluated in terms of confidentiality, integrity, and availability, is protected against all threats that may arise intentionally or accidentally from inside and/or outside the Platform; and to ensure that activities are carried out effectively, accurately, quickly, and securely.

This Policy aims to set out the information security conditions with which the employees and relevant parties of the Platform must comply in all of its activities, and to regulate the principles and rules regarding written regulations.

Scope

Article 2- This Policy covers the information system assets located at the headquarters and branches of Startupfon Crowdfunding Platform Inc., personnel with access to information systems, business processes related to software development, sales, installation, support, integration, training, and consulting services, and the establishment, operation, management, and use of information systems. The Information Security Policy, prepared by senior management to ensure the confidentiality, integrity, and availability of information when necessary, is approved by the board of directors. The approved Information Security Policy is announced to the personnel and the public. This Policy includes the definition of the roles and responsibilities necessary for the operation of information security processes, the establishment of processes for managing risks related to information systems, and the implementation and monitoring of controls.

2.1 Internal Scope

Administration, Structure, Roles, and Responsibilities of the Organization

The departments included in the scope are Information Technologies, Finance, Accounting, and Information Quality Management.

Policies, goals, and strategies to be implemented

• Policies defined in all management systems,

• Annual Information Security Management System goals determined by Management,

• Organizational culture,

• Capabilities understood in terms of resources and knowledge (e.g., capital, time, people, processes, systems, and technologies),

• Management Representatives and the Information Security Management System team appointed by management for the establishment, operation, and maintenance of the Information Security Management System,

• Relationships with internal stakeholders and their perceptions and values, the organization's culture, the standards, guidelines, and models adopted by the organization, and the nature and scope of contractual relationships,

• Standards, guidelines, and models adopted by the organization for Information Security management systems,

• Issues related to products, production processes, design activities, installation and service activities, strategic plans, financial opportunities, human resources structure that may positively or negatively affect our responsibility for Information Security,

• Contentious issues, changing circumstances, or debates affecting the ability of the Platform Information Security Management System to achieve its intended outcomes.

2.2 External Scope

Policies, goals, and strategies to be implemented

  • Social and cultural, political, legal, regulatory, financial, technological, economic, natural, and competitive environments at international, national, regional, or local levels,

  • Global Competition Law, Policies, and Procedures,

  • Confidentiality of supplier and investor data,

  • Relationships with stakeholders that have an impact on the organization’s objectives and their perceptions and values,

  • All Platform employees and subcontractors, including Top Management, to meet investor expectations,

  • All Platform employees, including Top Management, to ensure investor satisfaction,

  • All relevant legal regulations, regulatory, contractual obligations, standards,

  • Suppliers and outsourced service providers,

  • Product certifications are outside the scope.

Legal Basis and Definitions

Article 3- This Policy has been prepared on the basis of the “Crowdfunding Communiqué (III-35/A.2)” published in the Official Gazette dated 27.10.2021 and numbered 31641, and the “Information Systems Management Communiqué (VII-128.9)” published in the Official Gazette dated 9.1.2020 and numbered 31003 (“Information Systems Management Communiqué”).

3.1. ISMS: Information Security Management System.

3.2. Inventory: All types of information assets important for the institution.

3.3. Know-How: The competence to perform a task.

3.4. Information Security: Information, like all other institutional and commercial assets, is a valuable asset for a business and therefore must be properly protected. The Platform considers know-how, processes, formulas, techniques and methods, personnel information, commercial, industrial, and technological information as CONFIDENTIAL INFORMATION.

3.5. Confidentiality: Restricting access to the content of information to only those authorized individuals who have permission to view the information/data. (Example: when email is transmitted encrypted, unauthorized individuals are prevented from reading it even if it is intercepted in transit.)

3.6. Integrity: The ability to detect unauthorized or erroneous modifications, deletions, or additions to information. (Example: storing hash (digest) values alongside the data kept in databases; digital signatures.)

3.7. Availability: The asset must be ready for use whenever it is needed. In other words, systems must be continuously available, and the information in the systems must not be lost and must remain continuously accessible. (Example: use of uninterruptible power supplies, and of redundant power supplies in server chassis, to protect servers from power fluctuations and outages.)

3.8. Information Asset: The assets that the Platform possesses and are important for carrying out its business without interruption are as follows within the processes covered by this policy:

• All types of information and data presented in paper, electronic, visual, or auditory media,

• All software and hardware used to access and modify information,

• Networks that enable the transfer of information,

• Departments, units, teams, and employees,

• Facilities and special areas,

• Solution partners,

• Services, products, or services provided by third parties.

3.9. Senior Management:

3.10. ISMS Committee:

3.11. ISMS Manager:

3.12. SSL VPN: A type of connection to a network secured over the internet that uses the web browser provided by the operating system and requires no additional software or hardware on the end-user side. SSL VPN can be used from mobile or personal devices.

3.13. Static IP: IP addresses assigned by Internet Service Providers may change over time. Static IP addresses, however, do not change; they remain fixed for the assigned device or server.

3.14. Server: A computer, or the software running on it, that responds to requests from users and other computers over a computer network.

3.15. Driver: Software that allows the computer to communicate with a piece of hardware or a device.

3.16. Switch: Network hardware that allows computers and other network devices to connect to each other.

3.17. Tunnel: A method of encapsulating (and typically encrypting) traffic so that applications can reach the corporate network over an untrusted network.

3.18. UTP Cable: Unshielded twisted pair cable used for data communication between computers.

3.19. Virus Pattern: A signature file used by antivirus programs to recognize viruses.

3.20. VLAN (Virtual Local Area Network): A logical grouping of network users and resources, formed according to the switch ports to which they are connected.

3.21. VPN: Abbreviation for Virtual Private Network, a technology used for secure remote access to networks. Since it creates a virtual extension of the network, a machine connecting remotely appears as if it were physically connected to the network.

3.22. Router: A device that directs the computers on a network towards their destinations; in other words, devices that transfer IP packets from one network to another are called routers.


SECTION TWO

PARTIES, RESPONSIBILITIES AND UNITS


Responsibility and Authority

Article 4- The qualities and qualifications of the tasks for which responsibilities and authorities are defined are specified in job descriptions. These responsibilities serve the continuation and development of information security activities. The ISMS Team is appointed by Senior Management; ISMS representatives have been appointed by name, as ISMS team members, from the departments within scope. The ISMS Manager is responsible for keeping the Information Security Policy current and continuous. Updates to the Information Security Policy are determined in Management Review meetings and reflected in the document by the ISMS Manager. Each update is approved by Senior Management.

4.1. Management Responsibility

• The Platform’s Senior Management commits to complying with the defined, enforced, and implemented Information Security System, to providing the necessary resources for the efficient operation of the system, and to ensuring that the system is understood by all employees.

• During the establishment of the ISMS, the ISMS Management Representative is appointed by a letter of appointment. When necessary, the document is revised by senior management and the appointment is repeated.

• Managers help assign security responsibilities to the personnel below them and serve as role models. The understanding that starts at the upper levels must reach down to the lowest-ranking employees in the organization. Therefore, all managers support their employees in complying with written or verbal security instructions and in participating in security-related activities.

• Senior Management creates the budget necessary for comprehensive information security activities.

4.2. Responsibilities of ISMS Team Members

• Conducting inventory and risk analysis studies related to their departments,

• Informing the Management Representative, so that a risk assessment can be conducted, when there is a change that will affect the information security risks of the information assets under their responsibility,

• Ensuring that department employees are working in accordance with policies and procedures,

• Raising awareness about ISMS within their departments, ensuring communication, and meeting documentation requirements,

• Being responsible for maintaining the existing structure of the ISMS and providing continuous improvements.

4.3. Responsibilities of Internal Auditors

• Responsible for conducting and reporting audit activities in internal audits assigned in accordance with the internal audit plan.

4.4. Responsibilities of Department Managers

• Responsible for the implementation of the Information Security Policy and ensuring that employees comply with the principles, ensuring that third parties are aware of the policy, and reporting security breach incidents related to information systems they notice.

4.5. Responsibilities of All Employees

• Responsible for carrying out their activities in accordance with the information security objectives, policies, and information security management system documents,

• Tracking the information security objectives related to their unit and ensuring that the targets are met.

• Paying attention to any information security vulnerability observed or suspected in systems or services and reporting it,

• Entering into confidentiality agreements and meeting information security requirements, in addition to service contracts (consulting, etc.), with third parties that are not under the responsibility of the purchasing function.

4.6. Responsibilities of Third Parties

• Responsible for being aware of and complying with the Information Security Policy as well as the behaviors specified under the ISMS.

Information Security and Risk Management Framework

Article 5- Information, like other essential commercial and corporate assets, is an asset that has value for a business and an organization, and therefore must be properly protected. Information security protects against hazards and threats in order to ensure business continuity and minimize losses. In this Policy, information security is defined as the protection of the following qualities of information:

  • Confidentiality: Guaranteeing that information is accessible only to individuals who have been granted access privileges,

  • Integrity: Ensuring the accuracy of information and processing methods and that they cannot be altered without authorization,

  • Availability: Ensuring authorized users can access information and related resources as quickly as needed.

The Information Security Policy document specifies the highest-level principles to be applied when implementing the controls established to deliver the above protections and requirements.

The Platform's risk management framework covers the identification, assessment, and treatment of information security risks. The Risk Analysis, the Statement of Applicability, and the Risk Treatment Plan describe how information security risks are controlled. The ISMS is responsible for the management and execution of the Risk Treatment Plan. All of these activities are detailed in the “Asset Inventory and Risk Assessment Procedure.”

Information Security Goals and Objectives

Article 6- This Policy aims to guide Platform employees to act in accordance with security requirements and to raise their level of awareness, and thereby to ensure that the company's core and supporting business activities continue with minimal disruption, to maintain its reliability and image, and to protect the physical and electronic information assets affecting the company’s entire operations, so as to ensure the compliance defined in contracts with third parties. The targets set by management are monitored at specified intervals and reviewed in ISMS meetings.

Information Security Organization

Article 7- The Platform has established the following organization for the Information Security Management System.

  • The ISMS Management Representative is responsible for the maintenance and development of activities related to the ISMS.

  • The ISMS Manager is responsible for the establishment and operation of the Information Security Management System.

  • The ISMS Management Representative and the ISMS Manager are appointed by Senior Management.

  • ISMS Responsible personnel have been identified in the units included in the scope. ISMS Responsible personnel are obliged to follow and coordinate the Information Security Management System activities in their own units.

Business Continuity Plan

Article 8- The Platform has prepared a Business Continuity Plan and an Emergency Action Plan based on the Information Systems Management Communiqué. These plans, which are necessary for the Platform to carry out its value-creating activities at a predetermined level during any disaster, crisis, or emergency, document and define their scope, structure, and basic elements, the information systems continuity plan, and the emergency and unexpected situation plan. The goal is to minimize the operational, financial, legal, and reputational negative effects of any unforeseen or emergency situation, to manage the issues that arise, to identify the actions to be prioritized, and to protect the company's assets and reputation.

Risk Management

Article 9- The Platform’s ISO 27001 Risk Management Framework includes the identification, assessment, and treatment of Information Security and Service Management risks. Risk Analysis and Risk Treatment Plan describe how Information Security and Service Management risks are controlled. The ISMS Executive and Management Committee is responsible for the management and execution of the Risk Treatment Plan.

In the management of risks related to information systems, at a minimum, the following issues are taken into consideration:

  1. Negative consequences of failing to adapt to developments in the competitive environment due to the rapid advancements in information technologies, difficulties in adaptation, and changes in legal regulations,

  2. The potential for unforeseen errors and fraudulent activities due to the use of information systems,

  3. The possibility of dependency on external service providers due to the use of external resources in information systems,

  4. Significant reliance of business and services on information systems,

  5. The increasing difficulty in ensuring the security of transactions conducted through information systems, data, and records kept for audit trails.

The Risk Management Plan below has been prepared for the issues mentioned above.


RISK MANAGEMENT PLAN

| Asset | Critical asset value | Threat | Vulnerability | Probability | Effect | Risk treatment | Regulatory / risk mitigation activities |
|---|---|---|---|---|---|---|---|
| Main servers on which the software runs | 5 | Power outage | Runs on electricity | 1 | 5 | Risk accepted | A UPS is available as a backup against potential outages. In case of any fault or deficiency in the UPS, a generator is also available. The UPS units are located in the system room to protect against overheating. If the generators also fail to operate, mirror servers located at different sites come into operation. |
| | | Physical intervention | Human factor | 1 | 5 | Risk accepted | Access to the physical servers located in the data centre is possible only for the authorised individuals designated by the company. |
| | | Loss of internet connection | Service providers | 1 | 5 | Risk accepted | The data centre in use has a backup fibre and radio link infrastructure. |
| | | DDoS and similar attacks | Digital attacks | 1 | 3 | Risk will be reduced | DDoS protection systems are used on websites and servers. Under high traffic, the servers first perform bot control based on the requesting IPs. If the requests persist, the source IPs of the attack are blocked. |
| | | Configuration fault | Software structure | 1 | 5 | Risk will be reduced | Technical support is provided in-house. Configuration backups are taken for each version. |
| | | Bandwidth overflow | Excess traffic / device capacity | 1 | 2 | Risk will be reduced | Server configurations can be increased urgently by the technical staff according to the data traffic capacity monitored in real time. |
| | | Working environment, humidity, temperature | Physical conditions of the environment | 1 | 4 | Risk accepted | Backup climate control systems are available in the TIER III-certified data centre. |
| | | Natural disasters, fire, flood | Building and space features | 1 | 5 | Risk accepted | The TIER III-certified data centre is resilient to earthquakes of magnitude 9 thanks to seismic isolators, and is safe against natural disasters and calamities. |
| | | Theft | Human factor | 2 | 5 | Risk will be reduced | Both the data centre and the company headquarters are monitored 24/7 by security cameras and security personnel. No one without permission can access the building or the area where the server is located. Even if data were physically stolen, data with high security requirements is encrypted, so it cannot be used by third parties even if physically obtained. |
| | | Software fault | Software structure | 1 | 5 | Risk will be reduced | The technical support infrastructure of all software is evaluated and, if necessary, technical support personnel are deployed. |
| All office computers | 3 | Hardware malfunction | Hardware structure | 2 | 4 | Risk will be reduced | Technical support is provided in-house. If necessary, the required infrastructure is provided for hardware service providers. |
| | | Hacking and malware infection through pirated software | Risk arising from the user | 4 | 4 | | Software protection is supported by up-to-date antivirus programs and firewalls. Configuration backups are taken for each version. |
| Server on which the accounting software runs | 4 | Loss of internet connection | Service providers | 1 | 5 | Risk will be reduced | The internet connection of the data centre in use is provided by two service providers. If there is a problem with either provider, the mirror servers at the other location come into action. |
| | | Natural disasters, fire, flood | Building and space features | 1 | 5 | Risk will be reduced | Data should be physically backed up in Istanbul. In a potential disaster scenario, the server located at the other site becomes active. |
| | | Power outage | Runs on electricity | 3 | 3 | Risk will be reduced | A UPS is available. |
| | | Working environment, humidity, temperature | Physical conditions of the environment | 2 | 5 | Risk will be reduced | In the data centre, the system room and archive are equipped with environmental monitoring devices that allow real-time tracking of environmental conditions. |
| | | Physical intervention | Human factor | 2 | 3 | Risk will be reduced | There is a burglar alarm; the front door is kept closed, and camera recordings are stored. Access to the system room is controlled, and entry authorisation has been given to 2 personnel. |
| | | Theft | Human factor | 2 | 3 | Risk will be reduced | Both the data centre and the company headquarters are monitored 24/7 by security cameras and security personnel. No one without permission can access the building or the area where the server is located. Even if data were physically stolen, data with high security requirements is encrypted, so it cannot be used by third parties even if physically obtained. If the data and hardware on the server are physically stolen, mirror servers are activated. |
| PC, printer, barcode device, handheld terminal, fax, telephone, etc. | 5 | Natural disasters, fire, flood | Building and space features | 1 | 5 | Risk shared with third parties | There is a burglar alarm. The environment is monitored with cameras. Business insurance is in place. The outer door is secured. 24-hour security is in place. |
| | | Working environment, humidity, temperature | Physical conditions of the environment | 2 | 6 | Risk will be reduced | Environmental monitoring devices are used to track conditions such as humidity and temperature. |
| | | Virus attack | Technical vulnerability | 4 | 3 | Risk will be reduced | Antivirus software is in place; unlicensed programs have been removed; access to social networks and inappropriate content sites will be blocked. |
| | | Theft | Portable asset | 1 | 5 | Risk will be reduced | There is a burglar alarm. The area is monitored with cameras. Business insurance is in place. The outer door is kept closed. Security is available 24 hours a day. A Mobile Device Usage Policy applies to staff taking notebooks outside. |



Roles and Responsibilities Table

Article 10- This article defines, for each control process of the Platform, the process owner, roles, activities, and responsibilities. In addition to the periodic execution of control processes, activities aimed at reducing the impact of identified risks are continuously monitored and evaluated through periodic performance measurements of the effectiveness, adequacy, and suitability of Information Systems controls. Significant control deficiencies identified as a result of this evaluation are reported to senior management, and the necessary measures are taken immediately.

ISMS Management Representative

  • To establish and operate the Information Security Management System and to allocate the necessary resources and responsibilities,

  • to support the ISMS infrastructure and to ensure its continued operation,

  • to ensure the implementation of mechanisms that inform employees about the ISMS,

  • to ensure the use of training methods that enable employees to understand and recognise the risks they may encounter related to information security,

  • to plan and provide for the needs identified to ensure information security,

  • to approve the Security Policy and to ensure its implementation within the Platform,

  • to approve comprehensive ISMS documents,

  • to approve the residual risks identified as a result of the comprehensive ISMS risk analysis.

ISMS TEAM MEMBERS' RESPONSIBILITIES

  • Conducting asset inventory and risk analysis studies related to their departments,

  • Informing the Management Representative, so that a risk assessment can be carried out, whenever there is a change that may affect the information security risks of the information assets under their responsibility,

  • Ensuring that department employees work in accordance with policies and procedures,

  • Creating awareness within the context of the Information Security Management System (ISMS) related to their departments, ensuring communication, and meeting documentation requirements,

  • Maintaining the existing structure within the ISMS and ensuring continuous improvement.

INTERNAL AUDITOR RESPONSIBILITIES

  • Carrying out and reporting on the audit activities in the internal audits assigned in accordance with the internal audit plan.

ISMS MANAGER

  • Ensuring the establishment and operation of the Information Security Management System,

  • Coordinating Management Review meetings,

  • Revising and controlling ISMS documents,

  • Approving comprehensive ISMS documents,

  • Coordinating employees' information security awareness training and evaluating the training activities,

  • Assessing the results of the risk analysis, determining controls, and coordinating their implementation,

  • Assessing and tracking information security incidents,

  • Monitoring and approving corrective and preventive actions and records related to information security,

  • Reviewing the Information Security Policy at regular intervals and ensuring its approval by the ISMS Management Representative.

UNIT RESPONSIBLE

  • Knowing and complying with the Information Security Policy,

  • Adhering to the behaviours required under the ISMS,

  • Communicating suggestions needed for the healthy operation of the ISMS to the relevant parties and contributing to the improvement of the system,

  • Reporting any security breach incidents related to information systems that they notice to the Unit Manager,

  • Participating in Information Security Awareness training.

RESPONSIBILITIES OF ALL EMPLOYEES

  • They carry out their work in accordance with the information security goals, policies, and information security management system documents.

  • They prepare a report on the information security goals related to their unit and ensure that the goals are achieved.

  • They pay attention to and report any observed or suspected information security vulnerabilities in systems or services.

  • For service contracts (consultancy, etc.) made with third parties that are not under the responsibility of procurement, they are responsible for concluding additional confidentiality agreements and ensuring that the information security requirements are met.

THIRD PARTIES

  • To know and comply with the Information Security Policy,

  • To adhere to the behaviours that must be followed as defined within the ISMS,

  • To comply with the Confidentiality Agreements they have committed to,

  • To report incidents considered necessary for the proper functioning of the ISMS to the relevant individual,

  • To understand the needs of the Relevant Stakeholder and act in accordance with the Communication matrix.


Asset Management

Article 11- This article contains matters related to Asset Management.

The inventory of our Information Assets, with the person responsible for each asset and its classification by importance level, is provided below and is updated when necessary. Portable media are protected against the risk of loss or theft according to the sensitivity level of the information they contain, and portable media holding highly important information, or software that provides access to such information, are not taken outside the institution without authorization. Before storage media are disposed of, the necessary precautions are taken to ensure that they hold no organizational data, information, or licensed software. Clean desk and clean screen principles have been adopted by our company.

Our Asset Inventory dated 31 October 2022 is as follows:

| Inventory No | Type | Brand | Model | Time of Purchase | Serial Number |
| --- | --- | --- | --- | --- | --- |
| SFKFP-01 | Monitor | Samsung | QLED | 09 October 2022 | QE55Q60BAU |
| SFKFP-02 | Monitor | Samsung | RTF | 09 October 2022 | RT46K6000S |
| SFKFP-03 | Tablet | Samsung | SM-X200 | 01 October 2022 | R9YT30ZY5AV |
| SFKFP-04 | Projector | Nebula | Apollo | 04 March 2022 | ZX85HH0DU |
| SFKFP-05 | Laptop | Apple | MacBook Air | 12 September 2018 | C02LL8KYF5V7 |
| SFKFP-06 | Laptop | Apple | MacBook Air | 12 September 2018 | U34ZK7HGD9C3 |
| SFKFP-07 | Laptop | Apple | MacBook Air | 18 November 2017 | L84XX1SJH5V1 |
| SFKFP-08 | Laptop | Apple | MacBook Air | 01 April 2019 | H62HS4KFH8B3 |
| SFKFP-09 | Laptop | Apple | MacBook Air | 18 May 2015 | L37KL3NDV0A0 |
| SFKFP-10 | Laptop | Apple | MacBook Pro | 26 January 2021 | C28GS7BES1K4 |
| SFKFP-11 | Laptop | Apple | MacBook Air | 20 June 2020 | U64HE2WSJ7D3 |
| SFKFP-12 | Laptop | Apple | MacBook Air | 20 June 2020 | C36DG5DJD8A4 |
| SFKFP-13 | Laptop | Huawei | Matebook | 13 March 2021 | G43VLS6JFK4K3 |
| SFKFP-14 | Microphone | Saramonic | Blink 500 B2 | 18 October 2022 | UJ38C43KSW |
| SFKFP-15 | Wireless Modem | ZTE | Home Gateway | 11 September 2022 | ZTE736DSH386 |
| SFKFP-16 | Printer | HP | Smart Tank 515 | 11 October 2022 | HG73L9367Y |
| SFKFP-17 | Camera | Panasonic | Eva 1 | 03 April 2021 | PN8367HD88V |
| SFKFP-18 | Laptop | Lenovo | LENOVO IP | 15 October 2023 | MP2FRM2F |
| SFKFP-19 | Laptop | Lenovo | LENOVO IP | 15 October 2023 | MP2FRM25 |


Separation of Duties Principle

Article 12- This article sets out the principle of separation of duties and responsibilities, applied to reduce the risks of error, deficiency, or misuse in Information Systems. Within the organizational structure implemented, an Information Systems - Data Security Unit and Software Development Units have been established, and the necessary tests are carried out, depending on the nature of the test, either by other units or by external resources.

In our company;

  1. The principle of separation of duties is applied in the development, testing, and operation of systems, databases, and applications. Duties and responsibilities are reviewed periodically and kept up to date.

  2. When designing information systems processes, it is considered that critical transactions should not depend on a single employee or an external service provider.

  3. In situations where it is not possible to fully and appropriately separate duties, compensatory controls are established to prevent and detect possible errors, deficiencies, or misuse.

Physical and Environmental Security

Article 13 - This article contains provisions regarding Physical and Environmental Security.

Secure areas are protected by our company's Administrative Affairs Unit with the necessary entry controls so that physical access is granted only to authorized personnel. Entries to and exits from secure areas are justified, authorized, recorded, and monitored. Additionally, physical protection measures are taken against damage caused by fire, flood, earthquake, explosion, looting, and other natural or human-made disasters.

Network Security

Article 14 - This article contains provisions regarding Network Security. The responsibilities for the measures stated in this article lie with the Information Systems and Data Security Unit and the Administrative Affairs Unit.

  1. Wired and wireless secure network protocols are implemented to protect networks against threats and to ensure the security of systems, databases, and applications using the network.

  2. Access rights are defined for users on the network according to the levels created. Users' network login passwords are changed at set intervals.

  3. Necessary measures are taken to protect communication infrastructures against eavesdropping and physical damage.

  4. As a security measure against the risks of mobile devices accessing the network, mobile devices that are not system components are treated as 'Guest Network Participants', and the necessary security protocols are applied to mobile devices that are system components.

  5. The network is monitored to prevent unauthorized access to the information systems infrastructure; unauthorized access attempts are reported and the necessary precautions are taken.

  6. Special connection processes are implemented to increase the security level of high-risk applications.

  7. The security criteria, service levels, and management requirements for all network services provided through internal resources or external sourcing are defined and included in service agreements.

  8. The necessary authorizations are defined to control users who access the network remotely. In this context, automatic equipment identification is taken into account to authorize connections from specific locations and equipment.

  9. In communications with networks outside the corporate network, firewall solutions that are continuously monitored for threats from external networks are used.

  10. Subsections of the internal network that have different security requirements are separated, and controls are established to ensure controlled transitions.

  11. Physical and software firewalls are activated for network systems accessible from both internal and remote connections.

Authentication and Email Usage

Article 15 -

15.1 Authentication - This article contains provisions regarding the Authentication of System Users.

User login credentials and passwords in the platform system are stored in an encrypted manner. Thus, user security is ensured even in the event of breaches. To maintain a certain level of security for users' passwords, a 'Password Security Procedure' is implemented in the system. According to this procedure, passwords have the following characteristics:

  • In the event of forgetting the password, a temporary password is sent to the user's registered email address. The user is required to change this password upon the first login to the system.

  • Passwords must be changed every 60 days. Warning messages are sent starting 10 days before a password expires. Once a password has expired, the user is required to change it.

Passwords are used for different purposes. Some of these include: user passwords, web access passwords, email access passwords, screen saver passwords, router access passwords, etc. All users must pay attention to choosing a strong password. Weak passwords cannot be used.

Weak passwords have the following characteristics:

• Passwords are at least 4 characters long.

• Passwords contain a word found in the dictionary.

• Passwords consist of common values such as:

  • the name of a pet belonging to family or friends, or the name of an artist;

  • computer terminology and names, commands, hardware or software;

  • sequential letters or numbers such as AaaBb, qwerty, qazwsx, 123321.

Strong passwords have the following characteristics:

• They contain both uppercase and lowercase characters (A-Z, a-z).

• They must consist of at least 8 characters.

• They contain digits, punctuation characters, and letters (0-9, !, @, &, =, (, }, ?).

• They include alphanumeric characters.

• They are not slang terms or technical words in any language.
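As an added example (not part of the Startupfon policy text), the following Python checker applies the strong/weak password characteristics and the 60-day rotation rule from Article 15.1 above. The dictionary word list and the definition of a "sequential" pattern are assumptions; the human-judgement items (pet names, computer terminology) are not checked.

```python
"""Password policy checker for the characteristics listed in Article 15.1.

Added example, not the Platform's own implementation. Assumptions: the
dictionary is a small constructed sample; a "sequential" pattern is a run of
three or more consecutive keyboard-row or alphabet/digit characters, forwards
or backwards, or the same character repeated three times (covers the policy's
own examples AaaBb, qwerty, qazwsx and 123321).
"""
from datetime import date, timedelta
import string

ROTATION_DAYS = 60   # policy: passwords are changed every 60 days
WARNING_DAYS = 10    # policy: warnings start 10 days before expiry
MIN_LENGTH = 8       # policy: strong passwords have at least 8 characters

# Constructed sample; a real deployment would load a full word list.
DICTIONARY = {"password", "welcome", "startup", "summer", "admin", "secret"}
# Sequences used to detect runs such as "qwerty", "qazwsx" or "123".
KEYBOARD_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "qazwsx", "wsxedc",
                 string.ascii_lowercase, string.digits]


def has_sequence(pw: str, run_len: int = 3) -> bool:
    """True if pw contains a keyboard/alphabet run or a repeated character."""
    low = pw.lower()
    for i in range(len(low) - run_len + 1):
        chunk = low[i:i + run_len]
        if len(set(chunk)) == 1:          # e.g. "aaa" in "AaaBb"
            return True
        for seq in KEYBOARD_RUNS:
            if chunk in seq or chunk in seq[::-1]:
                return True
    return False


def contains_dictionary_word(pw: str) -> bool:
    low = pw.lower()
    return any(word in low for word in DICTIONARY)


def check_password(pw: str) -> list:
    """Return the policy rules the password violates (empty list = strong)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        problems.append("missing upper- and lower-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("missing digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("missing punctuation character")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if has_sequence(pw):
        problems.append("contains a sequential or repeated pattern")
    return problems


def rotation_status(last_changed: str, today: str) -> str:
    """Map a password's age (ISO dates) to the policy lifecycle: ok/warn/expired."""
    expires = date.fromisoformat(last_changed) + timedelta(days=ROTATION_DAYS)
    now = date.fromisoformat(today)
    if now >= expires:
        return "expired"   # user must change the password at next login
    if now >= expires - timedelta(days=WARNING_DAYS):
        return "warn"      # warning messages start 10 days before expiry
    return "ok"


if __name__ == "__main__":
    for candidate in ["qwerty123", "Summer2022!", "Kv7#pLm2xQ"]:
        print(candidate, "->", check_password(candidate) or "strong")
    print(rotation_status("2022-10-01", "2022-11-25"))   # warn
```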

In addition to these measures, users are logged out of all open sessions when they change their passwords. Users can view their current open sessions and their previous successful and failed login attempts under the Security & Logins section of their profiles.

Additionally, users are required to verify their email accounts, mobile phone numbers, T.C. identification numbers through e-government, and MKK registration numbers if applicable, sequentially during their initial registration in the system. Users who do not carry out these processes cannot perform transactions on the platform.

As an additional security measure, users are required to authenticate at every login via an SMS sent to their mobile phone (two-factor authentication).

15.2 Email Usage - Employees are forbidden from: using the web email system from outside the institution on computers whose security cannot be ensured; sending unsolicited email messages (including emails containing advertising that the recipient has explicitly not requested); using or modifying email header information without authorization; creating or forwarding chain emails; and sending unrelated messages to multiple newsgroups. Additionally, employees are not allowed to send inappropriate content (pornography, racism, political propaganda, material subject to intellectual property rights, etc.) via email.

Spam, chain emails, fraudulent emails, and the like must not be responded to on the platform, and the IT Unit must be informed.

Email addresses opened for employees under the platform's domain names cannot be considered personal email and cannot be used as such. These email addresses are defined for the purpose of carrying out the institution's business and activities reliably and in a timely manner; they are only entrusted to individuals, and ownership always remains with the domain name owner. Access to these emails cannot be blocked under any circumstances on the grounds that they contain personal information.

It must be borne in mind that electronic messages sent from domain name addresses owned by the platform represent the institution, and they must not be used for any other purpose.

The platform is responsible for providing the necessary management and infrastructure for the secure and successful transmission of emails within the institution. The IT Unit is also responsible for the successful operation of this process.

Emails infected with viruses, worms, Trojans, or other malicious codes can harm users. Such emails should be analyzed and cleaned by anti-virus systems. This process is the responsibility of the IT Unit.

Data Privacy, Wireless Communication, and Remote Access

Article 16 -

16.1 Data Privacy - This article contains provisions regarding Data Privacy according to KVKK regulations. The platform places great importance on protecting personal data shared with us by entrepreneurs, investors, our shareholders, business partners, employees, and other natural persons who establish relationships with us through job applications or visiting our websites, either on their behalf or as an agent or a representative of a company or organization. In this context, our organization, which is the data controller under the Law No. 6698 on the Protection of Personal Data (KVKK), publicly shares its rules and policies regarding the processing of personal data and the use of cookies and similar technologies with the

Copyright © 2024. Startupfon. All rights reserved.
