Migros Ticaret A.Ş. management;

Undertakes to ensure that the controls geared toward safeguarding the confidentiality, integrity and accessibility of information systems, and of the data found on such information systems for the purposes of processing, transmission and storage, are developed, operated and kept up to date, and to delineate the required managerial responsibilities, in order to make sure that the security risks arising from information systems are managed sufficiently.

Within the scope of information security controls, shall clearly define, for each control process, the process owners and their roles, activities and responsibilities, and shall periodically review these powers, roles and responsibilities.

Undertakes to provide the resources and environment necessary to achieve the targeted goals in relation to information security controls. Shall implement regular controls in order to determine whether the targeted goals have been achieved and to ensure continual improvement.

Establishes information security policies related to the management of information systems, reviews them at least once a year, ensures that they are kept up to date in line with the changes or technological developments in this particular field of business, and notifies all relevant stakeholders of them.

Shall continually monitor and evaluate the effectiveness, adequacy and suitability of information security controls, as well as the anticipated risks and the activities aimed at mitigating the effects of such risks. Shall repeat the risk analysis related to information systems at least once a year or in the event of significant changes in information systems. Shall ensure that major deficiencies in controls identified as a result of the evaluation are reported to senior management and that the necessary measures are implemented.

Shall prepare business continuity plans to ensure continuity of all critical business processes according to risk priorities. Determines acceptable downtime and maximum acceptable data loss for critical business processes in business continuity plans.

Is aware of the importance of the human factor in the approach to information security. As a result, it shall support the provision of the training necessary to ensure that employees’ awareness of information security is cultivated and technical competence is achieved. Shall implement the activities necessary to ensure that all personnel are aware of the Migros Ticaret A.Ş. Information Security Policy and act in accordance therewith. Shall ensure that the disciplinary process applies in the event of risks intentionally created by individuals despite such efforts to raise awareness of information security.

The Information Security Manager is responsible for keeping the Information Security Policy up to date and secure, defining the roles related to the information security process, and preparing and publishing the sub-procedures related to this policy. Within this context, Migros Ticaret A.Ş. is obligated to:
  • Ensure the confidentiality, integrity and accessibility of information assets; take the appropriate physical and logical security measures suitable for the value of the information in its possession;
  • Assign access rights and prevent unauthorized access in line with the “need to know” principle in order to control access to the information;
  • Identify risks at certain time intervals and manage the risks by taking the actions necessary in order to protect the information and information assets;
  • Ensure the confidentiality and integrity of Migros employee and customer information and, within this context, implement the necessary measures on the basis of Law No. 6698 on the Protection of Personal Data;
  • Arrange training seminars to increase the information security awareness primarily of its employees and of all other critical stakeholders, in the knowledge that humans are the most important factor in ensuring information security, and follow up on the results thereof;
  • Provide the necessary infrastructure for guaranteeing the continuity of its services;
  • Prepare business continuity plans to prevent the interruption of its activities and responsibilities toward its stakeholders in the event of any negative instances and to test such plans;
  • Develop an intervention process for any information security breach incidents in order to manage and prevent the recurrence of information security gaps and breach incidents;
  • Keep security needs in mind when developing software;
  • Take precautions to protect information assets against malicious code such as viruses and against cyberattacks from outside the Company;
  • Ensure that penetration testing is carried out by real persons or legal entities with national or international competence in penetration testing, in order to obtain timely information on technical vulnerabilities of information systems and to determine the Company’s exposure to such vulnerabilities;
  • Adhere to all domestic and/or international statutory legislation and agreements in support of information security controls.

The Company Information Security Policy is applicable to and mandatory for all personnel who use Company information or business systems, regardless of whether they are full-time or part-time employees, on the payroll or on contract, and independent of geographic location or business department. It is essential that third-party service providers who do not fall within this classification, and persons affiliated with them such as their support personnel, comply with and remain bound by the general principles of this policy and by the other security obligations and liabilities with which they are required to comply.

Migros Ticaret A.Ş. last modified date: 13.02.2020