
VERISAY INFORMATION SECURITY POLICY
Document Code: VRS-BGP-001
Version: 1.0
Effective Date: 01 August 2025
Review Date: 01 August 2026
Approved by: Senior Management
Prepared by: Information Security Manager
1. AIM AND OBJECTIVE
Verisay Information Technologies Inc., while maintaining its leading position in digital transformation solutions, is committed to implementing the controls necessary to ensure the security of all information assets belonging to its customers, business partners, and the company itself. The purpose of this policy is:
To define the core principles of the information security management system (ISMS)
To protect the confidentiality, integrity, and availability of information assets
To ensure compliance with legal and regulatory requirements
To disseminate an information security culture throughout the organization
2. SCOPE
This policy covers the following areas:
2.1 Organizational Scope
Verisay Information Technologies Inc. head office (UK)
Turkey R&D offices (Yıldız Technical University Davutpaşa Campus, Karabük University Technopark)
All national and international operations
Suppliers and business partners (within the framework of contractual relationships)
2.2 Technological Scope
Entranet Cloud Suite
Aidango, Trizbi, Titarus, Comwize, Penamo, Flaterp product family
All IT infrastructure, network systems, and data centers
Cloud services and hybrid infrastructures
Mobile applications and IoT devices
2.3 Information Assets
Customer data and personal information
Trade secrets and intellectual property
Financial information and accounting records
Human resources data
Technical documentation and source code
3. INFORMATION SECURITY PRINCIPLES
3.1 Confidentiality
Access to information assets is restricted to authorized individuals only. The "need-to-know" and "least privilege" principles are applied.
3.2 Integrity
The accuracy, consistency, and completeness of information assets are protected. Unauthorized changes are prevented and detected.
3.3 Availability
Information assets are available in a timely and reliable manner when needed.
3.4 Accountability
All information security activities are recorded and auditable.
3.5 Non-repudiation
The non-repudiation of performed actions is ensured through technical and legal methods.
4. MANAGEMENT AND RESPONSIBILITIES
4.1 Senior Management
Determines the information security strategy and provides resources
Supports and supervises the implementation of the policy
Defines risk tolerance
4.2 Chief Information Security Officer (CISO)
Responsible for the establishment, implementation, and maintenance of the ISMS
Coordinates risk assessments
Manages security incident response processes
Provides regular reporting
4.3 Department Managers
Responsible for the security of information assets in their departments
Ensures employee training on the policy
Participates in risk assessments
4.4 All Employees
Comply with information security policies and procedures
Report security incidents immediately
Participate in security awareness training
5. RISK MANAGEMENT
5.1 Risk Assessment Process
Risk assessments are conducted at least once a year
Threat, vulnerability, and impact analyses are performed
A methodology compliant with the ISO/IEC 27005 standard is used
5.2 Risk Treatment Strategies
Mitigate
Accept
Transfer
Avoid
5.3 Continuous Monitoring
The effectiveness of security controls is continuously monitored
Key Risk Indicators (KRI) and Key Performance Indicators (KPI) are tracked
6. TECHNICAL SECURITY CONTROLS
6.1 Network Security
Firewalls and IDS/IPS systems are active 24/7
Network segmentation and micro-segmentation are applied
VPN and encrypted communication are mandatory
6.2 Application Security
Compliance with OWASP Top 10 and SANS Top 25 controls
Secure SDLC (Software Development Life Cycle) is applied
Code analysis and penetration tests are conducted regularly
6.3 Data Security
Sensitive data is encrypted (at rest and in transit)
A data classification and labeling system is applied
Data Loss Prevention (DLP) systems are active
6.4 Identity and Access Management (IAM)
Multi-factor authentication (MFA) is mandatory
Role-based access control (RBAC) is applied
A Privileged Access Management (PAM) system is active
6.5 Backup and Business Continuity
3-2-1 backup strategy (3 copies, 2 different media, 1 offsite)
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined
Disaster recovery plans are tested at least twice a year
7. OPERATIONAL SECURITY
7.1 Security Incident Management
24/7 Security Operations Center (SOC) service
Incident classification and prioritization
Incident response plans and forensic analysis
7.2 Vulnerability Management
Automated vulnerability scans are conducted weekly
Critical vulnerabilities are remediated within 24 hours
The patch management process is applied systematically
7.3 Human Resources Security
Security controls during the recruitment process
Security agreements and non-disclosure agreements
Access revocation during the termination process
8. COMPLIANCE AND LEGAL REQUIREMENTS
8.1 Regulatory Compliance
Personal Data Protection Law (KVKK)
European General Data Protection Regulation (GDPR)
SOX, PCI-DSS (where applicable)
Sectoral regulations
8.2 Standard Compliance
ISO/IEC 27001:2013 Information Security Management System
NIST Cybersecurity Framework
COBIT 2019
8.3 Audit and Compliance
Internal audits are conducted every six months
Independent external audits are performed annually
Non-conformities are systematically addressed
9. TRAINING AND AWARENESS
9.1 Security Training Program
Mandatory basic security training upon hiring
Annual updated security awareness training
Role-based specialized training
9.2 Awareness Activities
Monthly phishing simulation tests
Security bulletins and announcements
Security messages on internal communication channels
10. INCIDENT RESPONSE
10.1 Incident Reporting
Security incidents are reported immediately
24/7 incident reporting line: security@verisay.com
Maximum incident reporting time is 4 hours
10.2 Response Process
Detection and Analysis
Containment and Eradication
Cleanup and Recovery
Post-Incident Activities
10.3 Communication Management
Internal communication procedures
Customer and regulator notifications
Media and public communication
11. SUPPLIER AND THIRD-PARTY MANAGEMENT
11.1 Supplier Assessment
Security due diligence processes
Security clauses in contracts
Periodic security assessments
11.2 Cloud Service Providers
Verification of security certifications
Implementation of the shared responsibility model
Control over data residency and sovereignty
12. PERFORMANCE MEASUREMENT AND MONITORING
12.1 Security Metrics
Number of incidents and resolution times
Vulnerability detection and remediation rates
Training completion rates
Compliance scores
12.2 Reporting
Monthly security status reports
Quarterly risk assessment reports
Annual ISMS performance report
13. POLICY MANAGEMENT
13.1 Policy Updates
Annual review is mandatory
Change request process
Version control and approval mechanism
13.2 Communication and Distribution
Announcement to all employees
Publication on the company intranet
Integration into training materials
13.3 Non-conformity Management
Non-conformity detection and reporting
Corrective and preventive action plans
Disciplinary processes
14. APPROVAL AND EFFECTIVENESS
This Information Security Policy has been approved by the Senior Management of Verisay Information Technologies Inc. and is effective as of August 1, 2025.
CEO Signature: Date: 01.08.2025
CISO Signature: Date: 01.08.2025
APPENDIX A: DEFINITIONS AND ABBREVIATIONS
ISMS: Information Security Management System
CISO: Chief Information Security Officer
DLP: Data Loss Prevention
IAM: Identity and Access Management
KVKK: Personal Data Protection Law
MFA: Multi-Factor Authentication
RBAC: Role-Based Access Control
SOC: Security Operations Center
APPENDIX B: RELATED DOCUMENTS
VRS-BGP-002: Incident Response Procedure
VRS-BGP-003: Risk Management Procedure
VRS-BGP-004: Access Control Procedure
VRS-BGP-005: Security Training Procedure
This document is confidential and is the property of Verisay Information Technologies Inc.