INFORMATION SECURITY POLICY

ININAL Information Security Policy has been prepared to inform all employees, suppliers, branches, representatives, business partners and stakeholders about ININAL's information security scope, aims, objectives, principles and principles and roles and responsibilities related to information security.

This policy covers the scope of information security, objectives, principles, management support, risk management framework, continuity, duties and responsibilities, compliance requirements and sanctions to be applied in case of violation of data and information within ININAL

The Information Security Committee is responsible for ensuring the currency and continuity of the Information Security Policy. Updates to be carried out in the Information Security policy are determined at the Information Security Committee meetings and reflected in the document by the Information Security Manager. The document is approved by the Board of Directors at each update. The duties and responsibilities of the relevant parties within this scope are described in the Information Security Roles and Responsibilities Procedure. All unit managers are responsible for the continuous review and improvement of the systems within their areas of responsibility, and all employees are responsible for using and implementing up-to-date documents. Details regarding the information security requirements and rules framed by this policy are regulated by information security procedures. Company employees and third parties are obliged to know these procedures and to carry out their work in accordance with these rules.

All unit managers are responsible for the continuous review and improvement of the systems within their areas of responsibility, and all employees are responsible for using and implementing up-to-date documents. Details regarding the information security requirements and rules framed by this policy are regulated by information security procedures. Company employees and third parties are obliged to know these procedures and to carry out their work in accordance with these rules.

• The Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions
• The Regulation on Payment Services and Electronic Money Issuance and Payment Service Providers
• The Communiqué on Information Systems of Payment and Electronic Money Institutions and Data Sharing Services of Payment Service Providers in the Field of Payment Services
• ISO/IEC 27001 Information Security Management System Standard
• ISO/IEC 27031 Information Security Management System Business Continuity Guide
• BS 10012 Privacy of Personal Data Standard
• ISO 20000 IT Service Management Standard
• ISO 22301 Business Continuity Management Standard

INİNAL; in order to ensure information security requirements arising from national, international or sectoral regulations to which it is subject, to fulfill the requirements of the relevant legislation and standards, to meet its obligations arising from agreements, and corporate responsibilities towards internal and external stakeholders:

• Takes administrative and technical measures to ensure the protection of the privacy of personal information.
• Implement infrastructure and controls that will ensure the confidentiality of information, protect its integrity and guarantee its continuous accessibility (availability).
• Provides authorization in accordance with the principle of segregation of duties in analysis, design, development, testing and implementation processes and establishes an approval mechanism in critical processes.
• Provides physical and logical separation of development, test and production environments.
• Ensures that the minimum authorization principle required for the authorization of users is ensured and that authorizations are checked regularly.
• Establishes network security against threats from external networks.
• Sets up a layered security architecture and ensure continuous surveillance.
• Utilizes techniques to verify that the service is provided by the company in the services offered through the mobile application and website.
• Ensures that measures to ensure security such as encryption and masking are taken in the transmission and storage of sensitive payment data and personal information.
• Assures the reliability of the encryption keys used.
• Provides the security of sensitive payment data used by applications running on mobile devices (sensitive payment data cannot be used by other applications, inaccessible in case of loss/theft).
• Identifies existing risks by periodically conducting assessments on Information Security; reviews action plans as a result of the assessments and ensures follow-up.
• Takes measures to ensure the security of applications running on mobile devices and provides the necessary updates.
• Manages all its components in an integrated manner by establishing an information security organization to ensure the management and coordination of information security activities.
• Creates an inventory of assets related to information and information processing facilities, identifies ownership and manages risks on information assets.
• Performs information security incident management activities that include the steps of detecting, reporting and preventing recurrence of information security incidents.
• Makes information security awareness a part of the corporate culture and ensures that employees keep information security awareness at a high level.
• Takes the necessary physical and environmental security measures to ensure the security of information in areas where information is processed.
• Identifies and implements security requirements in the acquisition, development and maintenance of information systems.
• Carries out business continuity activities to prevent interruptions in business activities and to ensure continuous access to information.
• Implements the necessary security controls in all relevant areas to control access to information and prevent unauthorized access.
• Ensures continuous improvement by following up-to-date technologies and innovations in information security and developing solutions.
• Complies continuously with the system by controlling, monitoring and reviewing the efficiency of the information security management system with internal and external audits.

7. INFORMATION SECURITY GOALS AND OBJECTIVES

The Information Security Policy aims to guide the company's employees, suppliers, representatives, business partners and stakeholders to act in accordance with the company's security requirements, to increase their level of consciousness and awareness and thus minimize the risks that may occur in the company, to protect the reliability and image of the company, to ensure compliance with the compliance specified in contracts with third parties, to implement technical security controls, to ensure that the company's core and supporting business activities continue with minimum interruption, to protect physical and electronic information assets that affect the entire operation of the company against internal and external intentional or unintentional threats.

8. INFORMATION SECURITY ORGANIZATION

Company management creates the information security organization within the company. In this regard, the activities related to the establishment, maintenance and management of security policies in the company with a holistic approach are carried out within the scope of the Information Security Management Process. The roles and responsibilities to coordinate and manage the security control processes of the company are determined within the scope of the Information Security Roles and Responsibilities Procedure and assigned to the relevant persons. New policies are developed to meet the needs arising from developments in security technologies.

9. RISK MANAGEMENT FRAMEWORK

The Company's risk assessment approach to information security is determined by the Information Security Committee and defined within the scope of the Information Security Management Process. The information security risk assessment approach determines the methods by which the company's information security risks will be determined, how risk levels will be calculated and how risks will be assessed. The identification, rating, processing and review of risks that may arise in relation to information assets are carried out in accordance with the determined risk assessment approach.

As a result of the risk assessment study, an "Information Systems Risk Assessment Report" is prepared, including actions to mitigate risks. The Information Security Plan is created and updated annually.

Information Security Roles and Responsibilities Procedure

Information Systems Risk Assessment Report

All company employees, suppliers, agents, representatives, business partners and stakeholders are obliged to comply with security requirements arising from applicable laws, regulations and contracts, intellectual property rights, license agreements and security requirements set by the company. Managers ensure compliance with security policies and standards in the operation of all processes in their areas of responsibility. All company employees are responsible for the use of company data in accordance with their degree of confidentiality.

Information security review activities are carried out within the scope of the Information Security Management Process to audit compliance with the Company's information security policies. The status of compliance with the Information Security Policy is reported to the Board of Directors at least once a year.

Revisions to legislation or information security implementation processes require a review of the policy. The revised and updated policy is approved by the Board of Directors. The approved policy is published unclassified on the common file server accessed by all employees of the organization and on the ININAL website.

This policy is reviewed and audited at least (1) once a year under the responsibility of the Information Security Manager within the scope of service delivery and activities with a security approach.