
Information Security Policy

Purpose

The purpose of this policy is to define senior management's approach and objectives for preventing violations of legal, regulatory, and contractual obligations and of all security requirements, and to communicate these objectives to all employees and relevant parties. Our company is committed to protecting the confidentiality and integrity of all physical and electronic information assets it owns.


Scope

This policy covers the commercial activities carried out within BAŞAK GIDA DAĞITIM PAZARLAMA SAN. VE TİC. A.Ş. (the Company) and the protection of electronic information assets obtained from activities such as logistics, storage, accounting, finance, quality assurance, procurement, human resources, legal, sales, marketing, internal auditing, and IT operations. It also encompasses the processing, storage, protection, confidentiality, and integrity of personal data held within the company, in compliance with relevant laws.

To ensure information security, our company will allocate the necessary financing, adequate equipment, and infrastructure to establish and maintain the required systems.

Our information security system activities include emergency plans, data backup procedures, protection against viruses and hackers, access control systems, and information security incident reporting.

Based on risk assessments, the necessary resources and conditions will be provided to achieve the identified objectives. Threats and vulnerabilities detected through these assessments will be mitigated, ensuring the security of information for both our personnel and the customers we serve, in line with our information security policy.

Employees will be encouraged to adopt the requirements of the Information Security Management System (ISMS) as part of their work practices. All employees and third parties will receive appropriate training related to the ISMS.

Applicable information security requirements, as well as opportunities and obligations arising from these requirements, will be fulfilled and continuously improved.

The adaptation of all relevant parties, including our personnel (and the employees of our suppliers), to this system will be ensured.


Access Control Policy

To ensure the integrity of data in compliance with legal regulations and to provide timely and accurate solutions to internal company demands:

  • Necessary information has been conveyed to employees during the orientation phase.
  • Required infrastructure and equipment have been identified.
  • Resources have been allocated to ensure uninterrupted continuity of the necessary infrastructure and equipment.
  • Employees have been informed through training about what needs to be done to protect the company’s information, and their responsibilities have been documented in employment contracts.
  • Necessary infrastructure for the backup of all data has been established, and responsible individuals have been assigned.
  • Required access operations on the network have been restricted.
  • The fundamental principles of our information security are confidentiality, integrity, and accessibility by authorized individuals.

Clean Desk Policy

The purpose of this policy is to define the required conditions for reducing the risks of unauthorized access, information loss, and damage to paper documents, removable storage media, and personal computers during and outside of normal working hours.

Employees must adhere to the following conditions:

  • Computers should be turned off or locked outside working hours.
  • Computers must be locked when employees step away during working hours (screen savers should activate within 5-10 minutes and be password-protected).
  • Documents containing personal and confidential information must not be left on printers.
  • After a task is completed, the printer should be locked.
  • Printer passwords must not be shared with others.
  • No company or personal documents should be left on desks at the end of the workday.
  • Confidential company documents should be stored in locked environments.
  • Classified documents should be destroyed after they have served their purpose.
  • Letterhead papers belonging to the company should be stored in locked cabinets.
  • Sensitive and classified information printed from printers must be retrieved immediately.
  • Documents containing private company information should not be kept on computer desktops.
  • Passwords for computers should never be written down on paper.

Secure Development Policy

Secure development is a requirement for providing secure services. To ensure this:

  • Secure development environments will be used.
  • During the lifecycle of our software development services, security requirements will be identified at the design phase, and these security requirements will be implemented.
  • Security checkpoints will be created in software development services, and compliance with these security controls will be ensured during testing.
  • All developers will be trained to avoid, detect, and fix vulnerabilities.

Information Security

Information, like other critical business and institutional assets, is valuable to an organization and must be adequately protected. Information security ensures business continuity and minimizes losses by protecting against hazards and threats. Information security is defined in this policy as preserving the following qualities of information:

  • Confidentiality: Ensuring that information is accessible only to those authorized to access it.
  • Integrity: Ensuring the accuracy and completeness of information and processing methods, and protecting them from unauthorized modifications.
  • Availability: Ensuring that authorized users have access to information and related resources when required.

Information Security Objectives

The Information Security Policy aims to:

  • Guide employees on acting in compliance with the company’s security requirements.
  • Increase awareness and consciousness levels regarding information security.
  • Minimize risks that may arise within the company.
  • Protect the company’s reliability and image.
  • Ensure compliance with agreements made with third parties.
  • Implement technical security controls and ensure the continuity of core and supporting business activities with minimal disruption.

Information Security Organization

  • The IT Management Representative is responsible for maintaining and improving information security activities.
  • The IT Manager is responsible for establishing and operating the Information Security Management System (ISMS).

General Principles of the Policy

The company commits to complying with the established Information Security Management System and continuously improving its effectiveness. This policy also regulates detailed rules and requirements through IT procedures.