Information Security Policy Declaration

The security, integrity and availability of all information used by KKB are protected under the Information Security Policy.

Purpose

The purpose of the Information Security Policy is to ensure and protect the security, integrity and availability of all information used by KKB. Below you can find the definition of these terms.

CONFIDENTIALITY

Confidentiality means that the information is accessible only to the individuals or parties permitted by law or by the consent of the party concerned. Confidentiality is violated when the information is readable and/or writable, editable, or accessible to anyone other than the intended parties.

INTEGRITY

Integrity means that the information is available to the intended individuals or parties in its original form, without any distortion or change. Even a partial distortion or change to the information is an integrity violation.

AVAILABILITY

Availability means that the information is accessible when needed. The difference from confidentiality is that availability focuses on the accessibility of the information, whereas confidentiality concerns who has access to it.

Scope

The “Information Security Policy” covers all operations and activities aimed at ensuring information security, including practices, policies, procedures and standards, as well as the Information Security Management System. The policy also covers all units using the KKB IT infrastructure, third parties accessing the information systems, and service, software or hardware providers that provide technical services for the information systems.

Sanctions / Penalties

If the Information Security Policy is violated, sanctions may be imposed in line with the Disciplinary Procedures, or legal proceedings may be initiated under the information technology legislation in force (software security, system security, privacy and property rights, etc.).

Responsible Parties

All personnel, guest users and service providers who access corporate data using KKB information systems acknowledge and sign the responsibilities set out in the confidentiality agreement.

Update

The Information Security Policy is revised at least once a year, or when deemed necessary, and is reissued with the approval of the Board of Directors. Additionally, when required, items that need revision are evaluated and updated before the revision date.

Annexes

The KKB Information Security Policy stipulates the effective operation of the rules and steps in the processes, policies, standards and other documents listed below.

  • User Access and Authorization Process
  • Asset Based Risk Evaluation Process
  • Information Security Event Management Process
  • Patch Management Process
  • IT Software Development and Maintenance Process
  • IT Data Architecture Management Process
  • Process and Organizational Management Process
  • Audit Trails Standard
  • Malware and Unlicensed Software Protection Standard
  • Software Security Standard
  • Network Security Standard
  • E-mail Security Standard
  • Internet Use Standard
  • Physical and Environmental Security Standard
  • KKB New Server and Client Configuration Security Standard
  • New Server and Client Configuration Security Standard
  • Document Security Standard
  • Database Security Standard
  • Mainframe Security Standard
  • Data Back-up Security Standard
  • User Computers, Portable Devices, Telephone Systems and Fax Use Standard
  • Personal Devices Use Standard
  • Clean Desk Standard
  • Cryptographic Key Management Procedure
  • Social Media Guide
  • Business Continuity Framework
  • Data Classification Guide
  • Information Security Awareness Index Criteria