EticSoft Information Security Policy

Rationale

EticSoft possesses information assets created by its employees, business partners, and customers. It is necessary to identify any intentional or unintentional threats to these assets and define the risks these threats may pose, as well as determine and manage processes related to protecting the confidentiality, accessibility, and structure of these assets.

Purpose

The General Information Security Policy aims to establish principles for identifying threats to EticSoft’s information assets, preventive measures and implementation processes, and business continuity throughout this process.

Scope

While the General Information Security Policy serves as the top reference for all information security-related processes, a special information security policy can be created specifically for any product, service, customer group, location, or project when deemed necessary.

Implementation and Management

An EticSoft Information Security Board consisting of three members is established to update and periodically review the information security policy. The Board meets at least twice a year, and minutes are kept of each meeting. The EticSoft Information Security Board is responsible for evaluating and executing policy items and related regulations one by one.

Objectives and Principles

  • Identifying information assets, classifying their confidentiality and risk levels, determining the relationships, integrity, and accessibility of information assets,

  • Establishing a system for managing information security,

  • Creating regulations (procedures) related to the Information Security Policy,

  • Preparing disaster recovery scenarios and systems,

  • Evaluating the relationship between company employees’ access rights to information assets and their duties, and assessing options for removing, restricting, and monitoring these accesses respectively,

  • Determining access procedures needed by customers to manage their own information,

  • Conducting needs analysis for recording information assets, evaluating options for removing, reducing, anonymizing, or de-identifying unnecessary data sets respectively,

  • Identifying the physical environment in EticSoft’s offices, the connected networks, the devices accessing these networks, the corporate and personal devices used by personnel, and the information assets these devices can access, and evaluating options for removing, reducing, and monitoring access after a necessity analysis,

  • Conducting announcements, training, and meeting activities to increase information security awareness,

  • Following developments in reports, industrial standards, and scientific publications related to information security,

  • Preparing Information Security Reports separately for all projects, products, and services, and presenting these reports to the EticSoft Information Security Board,

  • Identifying security, privacy, and integrity risks that may arise from systems used by business partners, company employees, and customers who will use products and services.