Information Security And Business Continuity Policies

SEMTIRO's corporate ISMS policy has been determined as outlined below and has been approved as the policy to be communicated to relevant external parties.

INFORMATION SECURITY MANAGEMENT SYSTEM POLICY

Our organization, providing consultancy and reporting services on carbon and water footprint calculation, sustainability, carbon management, and CDP, as well as certification services for EPD, C2C, Ecolabel, and AWS, has established and implemented a management system referencing the ISO 27001:2013 Information Security Management System Standard to ensure Information Security.

In this regard, our ISMS Policy includes:

  1. Classifying information assets by their confidentiality, integrity, and availability values; determining methods to identify security needs, vulnerabilities, threats, and their frequency of occurrence; and managing risks appropriately while addressing both risks and opportunities.
  2. Establishing principles for processing risks, reviewing technological expectations within the scope of services, and continuously monitoring risks to maintain them at an acceptable level.
  3. Ensuring that all information security requirements arising from applicable national and international regulations, legal and interested-party expectations, agreements, and corporate responsibilities toward internal and external stakeholders are met.
  4. Maintaining and continuously improving the level of information security over time with an optimally cost-effective control infrastructure.
  5. Enhancing corporate reputation and increasing employee awareness of ISMS.

Accordingly, the scope of the management system is determined as follows:

Providing consultancy services for carbon and water footprint calculation and reporting, along with the provision of environmental and carbon certification services.

The following section of this document sets out the minimum rules employees must follow to ensure the security of the organization's information systems. The policies outlined below are designed to achieve the following objectives and are not open for external access:

  1. To secure the confidentiality, integrity, and availability of all information shared and stored within information systems
  2. To protect the organization's reputation and investments

These policies define the rules to be followed while designing or operating information systems.

This document is binding for every employee within the organization. In cases of policy violations, disciplinary processes will be initiated for the violator within the organization, and legal action may be taken if necessary.

1- Email Policy

This policy defines the rules for the email infrastructure within the organization. Email accounts used within the organization represent the corporate identity and encompass the proper use of email accounts for all personnel.

Prohibited Use

  1. The organization’s email system must not be used to send messages containing elements that may harass, abuse, or harm the rights of the recipient in any way.
  2. Care should be taken to ensure messages do not reach unintended recipients.
  3. Confidential information within the organization must not be sent through email messages or as attachments.
  4. Emails containing executable files as attachments must be immediately deleted and must not be forwarded to others.
  5. Harmful or suspicious emails, such as spam, chain emails, or fake emails, must not be replied to.
  6. Emails requesting user credentials (username, password, etc.) must be immediately deleted by the recipient.
  7. Employees must not send inappropriate content (e.g., pornography, racism, political propaganda) via email.

Personal Use

  1. Emails provided to employees are intended for internal and external communication. Personal use should be kept to reasonable levels.
  2. Every email sent outside the company must include a "confidentiality note" and "responsibility note," stating that the organization is not responsible for the email’s content and nature.
  3. Personnel must not share their username and password with others or allow others to use their credentials.
  4. Employees must regularly check their emails and respond to corporate messages.
  5. Employees must ensure that corporate emails are not visible to unauthorized persons outside the organization.
  6. Corporate email accounts may be audited by authorized personnel within the organization when necessary.

The email system includes antivirus and anti-spam solutions to scan for and eliminate emails infected with viruses, worms, trojans, or other malicious code. Every email sent outside the company includes a "confidentiality note" and "responsibility note," stating that the organization cannot be held responsible for the email’s content and nature. The IT officer is responsible for ensuring the secure and trouble-free operation of the email infrastructure.

2- Password Policy

The purpose of this policy is to establish standards for creating strong passwords, protecting those passwords, and determining the frequency of password changes.

Passwords used by users within the organization form the first security layer for user accounts and are vital for information security.

  1. All system-level passwords (e.g., root, administrator) must be changed at least once a month.
  2. Passwords must be at least 8 characters long and comply with the organization’s complexity requirements.
  3. All user-level passwords (e.g., email accounts, desktop computers) must be changed at least once every four months.
  4. System administrators must use unique passwords for each system to enhance security.
  5. Passwords must not be included in emails or stored in any unprotected electronic format.

3- Anti-Virus Policy

This policy applies to all PC-based computers within the organization, including all desktop and laptop computers as well as servers.

All computers have antivirus software installed. The servers are hosted in the cloud, and the antivirus system is cloud-based. Updates are performed at least twice a day. System administrators are responsible for ensuring that the antivirus software is continuously operational and up-to-date. Users are prevented from uninstalling the antivirus software from their computers. Any computer infected with a virus must not be reconnected to the network until it has been fully cleaned.

4- Internet Access and Usage Policy

The purpose of this policy is to define the rules necessary for secure internet access for users. The scope of the Internet Access and Usage Policy includes:

  1. Internet access for users within the organization is provided through a firewall.
  2. Content must be filtered as needed, and unauthorized, prohibited, or non-operational sites must be blocked.
  3. Port-based access is granted in a controlled manner when necessary.
  4. No user is allowed to connect to the internet via peer-to-peer methods (e.g., Kazaa, eMule, LimeWire, etc.).
  5. Accessing and downloading files from websites that violate public morality principles is prohibited.
  6. Sending or downloading large files unrelated to work (e.g., music, videos) is prohibited.
  7. Software not approved by the organization cannot be downloaded or installed via the internet. For such needs, approval must be obtained from IT staff.
  8. Internet access for third parties within the organization is not provided.
  9. Internet access logs are maintained in compliance with Law No. 5651.

5- Server Security Policy

The purpose of this policy is to define the required basic security configurations for the servers within the organization. IT system administrators are responsible for implementing and managing these basic security configurations.

General Configuration Rules

  1. Unused services and applications on servers are disabled.
  2. Access to application services is logged, and access control logs are regularly reviewed.
  3. Operating systems, service hosting software, management software, and protective software running on servers are continuously and carefully updated. Antivirus updates are automated, while patch updates are performed manually and controlled by system administrators. Patch updates are applied following a test and approval mechanism.
  4. System and application administrators do not use "administrator," "root," or similar privileged accounts unless necessary. They use personal user accounts with assigned privileges. They log in with their user accounts first and then switch to general administrator accounts when needed.
  5. Privileged connections are made only over technically secure, encrypted channels (e.g., SSH, SSL/TLS, or IPsec VPN).
  6. Servers are hosted in a physically secure cloud environment.

6- Network Devices Security Policy

  1. All IP and MAC addresses of devices in the network are recorded in an inventory list.
  2. Packets with invalid IP addresses arriving at the router's inbound interface are blocked.
  3. New requirements are added in a controlled manner.
  4. Default services on devices (e.g., Telnet, HTTP) are disabled. Secure protocols (e.g., SSH, HTTPS) must be used for connections instead.

7- Network Management Policy

The network management policy defines rules to ensure the security and continuity of the network and aims to standardize these practices.

  1. Redundancy is provided to ensure the business continuity of computer networks and connected systems (servers).
  2. User access to services on the network is restricted.
  3. Unlimited network roaming is prohibited.
  4. Technical measures actively controlling communication between allowed source and destination networks (e.g., firewalls) are implemented.
  5. Network access is restricted by creating separate logical areas such as VLANs.
  6. Network connections must be periodically inspected.
  7. Routing on the network is actively monitored.
  8. Configuration and setup parameters for all machines connected to the network are aligned with the organization's security policies and standards.
  9. Network addresses, configurations, and other design information are stored securely, inaccessible to third parties or external systems.
  10. Devices used as firewalls are not utilized for other purposes.
  11. Activities on the network are monitored.

8- Remote Access Policy

The purpose of this policy is to establish standards for accessing the organization's computer network from any location. These standards are designed to minimize potential harm to the organization caused by unauthorized access. Remote access is available in the organization due to the nature of work practices.

  1. SSL VPN is used for remote access.
  2. Users are granted VPN access based on their individual passwords and the authorized devices assigned to them.
  3. During VPN setup, each user receives training on the use of unattended equipment and the principles of a clean desk and clean screen policy.
  4. In public areas, the necessity of screen privacy filters is assessed, and filters are installed if deemed necessary to prevent others from viewing screens from the sides.
  5. Users accessing the network from their office or home are made sufficiently aware of the importance of not leaving their equipment unsecured.

9- Wireless Communication Policy

This policy covers all wireless communication devices (e.g., laptops, mobile phones, PDAs) used within the organization. It aims to prevent wireless devices from accessing the organization's computer network without proper security measures in place.

Wi-Fi user authentication is enforced through MAC address filtering on the network. Users whose MAC addresses are not registered in the system cannot connect to the Wi-Fi.

10- Software and Hardware Inventory Creation Policy

This policy establishes rules for creating an inventory of the organization's IT resources (hardware and software). It covers all hardware and software used within the organization (e.g., PCs, servers, printers, operating systems, etc.). The implementation of this policy is the responsibility of the ISMS Representative.

  1. A formal hardware and software inventory must be created and kept up-to-date.
  2. The inventory table should include at least the following information: Serial Number, Asset Group, Brand/Model, Asset Owner, Asset Custodian, Location, Confidentiality Value, etc.
  3. These tables will be stored on SharePoint and updated periodically by the assigned responsible person.
  4. The ISMS Representative will conduct an information update audit at least once a year.
  5. Inventory data must be accurately maintained. Missing or incorrect inventory data can hinder sound decision-making for future hardware and software changes.
  6. Inventory data should be reviewed every six months. Incomplete inventory data can lead to theft or mismanagement, resulting in significant losses.

11- Business Continuity Policy

This policy establishes standards related to information security and business continuity.

Scope:

  1. Necessary measures have been implemented to ensure the uninterrupted operation of the information system.
  2. To maintain the uninterrupted operation of the organization's IT systems, clustering, remote replication, and local replication are applied.
  3. System logs are backed up in emergency situations.
  4. Any security breach is reported to the IT Director.
  5. Security incidents are classified into the following severity levels:
     - Level A (Data Loss): Unauthorized access, corruption, or deletion of critical organizational information.
     - Level B (Service Interruption): Disruption of organizational services or situations that may cause interruptions.
     - Level C (Suspicious Situations): Suspected, but unproven, conditions that could lead to the scenarios described in Levels A or B.
  6. For each defined severity level, the risks that may arise, the potential losses to the organization, and the action plans to be executed both before and after the risk materializes must be identified and documented.
  7. In emergencies, company employees are required to inform the IT department.

12- Authentication and Authorization Policy

This policy defines the authentication and authorization standards for accessing the organization's information systems. It applies to both the organization's employees and external users accessing its systems.

  1. The systems that organizational users and external users from partner companies can access, along with the authentication methods required, are defined and managed on the Office 365 SharePoint platform.
  2. All centrally accessed application software, packaged programs, databases, operating systems, and log-on enabled systems are monitored by defining user roles and permissions.
  3. The principle of granting only the minimum necessary access rights is adhered to.
  4. Access and authorization levels are periodically reviewed and updated when necessary.
  5. All users are responsible for maintaining the security of the information on systems allocated to them by the organization.
  6. Logs of both successful and unsuccessful system access attempts are regularly maintained.
  7. To monitor user activities, each user is assigned a unique user account.

13- Database Security Policy

This policy outlines the standards for the uninterrupted and secure operation of the organization's database systems. All database systems are within the scope of this policy.

  1. An inventory of database systems has been established, and the responsible person for each system has been identified.
  2. Operational rules for databases have been defined.
  3. Database system logs are maintained and reviewed by the IT department when necessary.
  4. Database backup policies have been established, responsible system administrators have been assigned, and backups are regularly verified.
  5. Database access policies are defined within the framework of the "Authentication and Authorization Policy."
  6. Error correction and data restoration rules are designed to align with the organization's "Business Continuity" needs.
  7. Systems storing data are hosted in physically secure cloud environments.
  8. Notifications are made before applying patches and updates, and subsequent application controls are performed.
  9. Only RDP, SSL/TLS-encrypted connections, and the vendor's own database management software are used on database servers; FTP, Telnet, and other clear-text protocols are disabled.
  10. Root and administrator access to the database server is granted only in exceptional circumstances. Root and administrator passwords are held by authorized personnel.
  11. All user activities are logged in the database.
  12. Database administration is assigned to a single individual.
  13. Only authorized personnel can access database servers.
  14. Admin passwords are changed periodically and securely stored in a sealed envelope in the organization’s safe.

14- Change Management Policy

This policy defines the standards for executing configuration changes in the organization's information systems without compromising security or system continuity.

  1. Personnel authorized to make changes in information systems are system administrators and application administrators within the IT department.
  2. A software and hardware inventory is maintained to monitor software versions.
  3. Before any change is implemented, all affected systems and applications are identified and documented.
  4. Approval for the changes is obtained from the IT Director and relevant managers prior to implementation.
  5. Comprehensive planning is conducted before the changes, including identifying potential issues and creating rollback plans. Approval for this planning is obtained from the IT Director.
  6. Changes to commercial software are carried out within the framework of rules approved by the respective vendor.
  7. Logs are reviewed and verified after changes are made to the systems.

15- Information Systems Backup Policy

This policy defines the rules for the organization's information systems backup policy. All critical information systems and the employees responsible for operating them fall within the scope of this policy.

  1. To minimize system downtime and potential data loss due to errors in information systems, configuration, system information, and corporate data are regularly backed up.
  2. Data backups are taken online to HDDs in the operational environment.
  3. Backups are stored in both cloud environments and on-premises within the organization.
  4. Backup environments are tested regularly to ensure reliability and readiness for use in emergency situations.

16- Clean Desk and Clean Screen Policy

This policy defines the workspace layout and work practices required to ensure the confidentiality of sensitive information, as well as the integrity and accessibility of information-related environments. All employees are subject to this policy.

  1. Employees' computers and screens are positioned to prevent unauthorized individuals from viewing them. In secure areas, workstations are arranged so that screens are visible only to the user. Secure areas are equipped with card-access doors.
  2. Users log in with their own passwords and do not share them with others. When stepping away from their screens, they must lock their screens. These practices are covered in orientation and information security training sessions. Screens are set to automatically lock after one minute of inactivity.
  3. No documents or storage media (USB, HDD, etc.) containing sensitive information should be left on desks.
  4. To prevent damage from spills, desks should not have beverages like tea, coffee, or water, nor should food or beverages be brought into secure areas (e.g., data entry zones, accounting, HR, and IT areas).
  5. No documents containing sensitive information should be left on desks. Such materials must be stored in designated files or locked cabinets.

17- Mobile Device Policy

This policy is issued to manage risks arising from the use of mobile devices and implement supportive security measures.

CORPORATE USE

  1. Only approved and registered portable information processing devices may be used to access company information resources.
  2. Company-owned portable devices must primarily be used for official and authorized corporate tasks.
  3. Portable devices must be stored in physically secure locations or manners when left unattended.
  4. Limited personal use of these devices is permitted as long as it does not conflict with company interests.
  5. Devices must be used in compliance with applicable laws and regulations.

IMPROPER USE

  1. Company-owned portable devices may not be used for illegal activities, actions conflicting with corporate interests, or activities disrupting normal operations and business activities.
  2. Company confidential information may not be stored on portable devices without encryption. Approved encryption methods by the company must be used for protection.
  3. Company information may not be transmitted without using approved encryption methods and secure transmission protocols. Additionally, information must be scanned for malware before being transferred to the corporate network.

MONITORING

  1. The company reserves the right to monitor all activities conducted using portable devices.
  2. The company reserves the right to share information about activities conducted on portable devices with third parties, law enforcement, or judicial authorities without user consent and/or to block access or delete content.

18- Secure Disposal Policy

  1. Documents must be retained for the durations specified by administrative and legal regulations. Personal data is retained as specified in the VERBIS system, and all documents and records are stored for the periods determined by the management system in their respective environments (HDD, paper, external storage, server, storage, etc.). At the end of these retention periods, appropriate destruction methods are applied: documents on paper are shredded, while data on HDDs is irreversibly erased using software. This process is conducted under the supervision and responsibility of the ISMS Representative. When disposing of computers, the HDDs must be erased or destroyed, with verification carried out by the ISMS Representative.
  2. The destruction location must be determined based on the type and characteristics of the material to be destroyed.
  3. Data units must be inventoried and accounted for before the destruction process begins.
  4. Physical inspection must verify that all broken parts are completely destroyed.
  5. Destruction records must be documented and retained for three years as specified in the record-keeping policies.
  6. Destroyed HDDs and similar environments must be disposed of according to electronic waste regulations and handed over to licensed waste collectors.

Revision Number: 01
Date of Revision: 20.12.2024
Date of Preparation: 01.11.2021