INFORMATION MANAGEMENT

INFORMATION SECURITY MANAGEMENT

The Information Security Management System (ISMS) was established to protect the confidentiality, integrity and accessibility of information within ENKA by applying asset and risk management processes and to assure the interested parties of managing the risks properly. ISMS is a part of ENKA’s corporate processes and general management structure. Information security processes were taken into consideration in the design and controls of information systems and scaled in accordance with ENKA’s needs.

ENKA has implemented a comprehensive Information Security Management System (ISMS) based on the ISO/IEC 27001 ISMS standard to achieve its information security objectives.

The processes, information and employees pertaining to the activities carried out in the headquarters of ENKA İnşaat ve Sanayi A.Ş. within the scope of; design and engineering, procurement and supply chain management, occupational health -safety and environmental management, quality management, machinery and equipment management, sustainability, corporate communication, human resources and administration, information technologies, finance, accounting, export operations, financial control, investor relations, and legal affairs, management and execution of oil, gas & petrochemical and power plant projects, operate an Information Security Management System in accordance with ISO/IEC 27001 information security management system standard.

ENKA complies and was certified with ISO/IEC 27001 standards in the year 2020.

ENKA is maintaining a robust information security program with the following key elements.

INFORMATION SECURITY GOVERNANCE

Information Security Policy and Principles have been established by the Senior Management.

Information security objectives determined in line with the ENKA corporate strategies, the objectives are monitored, assessed and at least once a year, reviewed in Information Security Management Review activities conducted by the Senior Management.

Security governance structure that enables the effective management of potential risks and incorporates information security and privacy controls into our information systems and services has been established.

Information Security Procedures and Instructions have been developed and communicated to all employees.

The evaluation of information security performance and the effectiveness of the information security management system is carried out under the monitoring and measurement program.

INFORMATION SECURITY POLICY

The Corporate Information Security Policy refers to the requirements, definitions, rules, practices, responsibilities and workflows that are prepared according to the related laws and standards based on the business requirements compatible with and supports ENKA corporate business objectives.

In this regard, ENKA Senior Management, in all of its company operations that are carried out in the light of its vision to be one of the best and innovative companies among the engineering and construction companies serving worldwide, and in line with its mission to design, build and deliver safe, high-quality and cost-effective construction projects, has made a commitment to ensure the security of the information of ENKA and its stakeholders, to protect information assets, to meet information security requirements and expectations within the scope of applicable requirements and international standards, to improve information security performance by systematically managing risks, to ensure infrastructure and operational security, and to assure that all employees will operate within the framework of the company information security policies and procedures.

INFORMATION SECURITY PURPOSES

Protecting against attacks on the company network,

To ensure that critical information is available in case of outsourced software providers terminating service or having service interruption,

Providing secure access to the Company’s common network by the employees via VPN,

Ensuring that software development requests contain sufficient detail and evaluating the applicability of the requests,

Assessment of weaknesses that may arise from the access of non-company personnel to the company network and taking precautions,

To review the effects of the improvements in the software used on the existing business processes before the change,

To prevent security weaknesses that may be caused by remote access programs,

Ensuring the security of corporate information shared with third parties,

Investigating vulnerabilities that may arise in order to ensure critical and / or institutional information security on servers,

To limit access to offices to authorized persons to ensure information security,

Information security trainings and awareness programs are applied to employees in order to prevent leakage of information,

Protecting critical documents kept in physical archives against fire,

To prevent the exposure of confidential information by reducing the number of copies in order to prevent the disclosure of personal information,

Protecting critical documents kept in physical archives against the effects of floods, fires, etc.

Implementing a staff training program to assign competent staff in relevant positions,

In case of a possible disaster, to ensure the normalization of the systems that do not serve able to serve at the time accepted,

To ensure business continuity and prevent possible service interruptions.

ENKA EMPLOYEES’ INFORMATION SECURITY ROLES & RESPONSIBILITIES

To learn and comply with ENKA ISMS policy and procedure requirements
To ensure information is protected in line with its classification level
To report information security incidents, gaps and violations to the Information Security Management System Administrator or ENKA Ethics Hotline (+90 212 376 1010)
To participate in information security awareness training programs
To make suggestions for improvements to the information security management system
To work in accordance with ENKA corporate policy and procedures.

PRIVACY & DATA PROTECTION

Precautions are taken to secure the personal data of its employees and customers.
Information technologies environment, security measures, policies and cyber security awareness program support compliance with the privacy and data protection requirements.
Organizational measures in place and technical controls (including access controls and firewalls to providing security controls, spam, malware and antivirus software) are essential such as incident monitoring.

MONITORING CHANGES TO RISK

The suitability, adequacy, effectiveness of the Information Security Management System and ENKA’s Information Security activities are periodically reviewed, at least once a year, through the management review activity.

Risk analysis are repeated periodically. At least once every six months, and after significant changes to business processes, risks or assets, a risk analysis is held for processes affected by the change.

The risk levels identified during risk analysis work are compared to previous risk analysis to monitor changes to risk.

The status of the risk processing plan is taken up as an agenda item at periodic ISMS committee meetings and the risk processing status is updated.

CYBER SECURITY

Managing cyber risks to sensitive information assets and systems is a top priority for ENKA.

By taking into account the increasing trend in the scope, severity, and costs of cyber-attacks, where most of the attacks seek to damage data and systems or steal sensitive information such as trade secrets or personal data, we pay utmost attention to protect our information and assets.

Cyber risk is one of the major and rising risks around the globe. To address this challenge and mitigate risks, ENKA owns a robust information security program with the following key elements to secure its information assets:

To ensure that information security risks related to their affiliated unit(s) are identified, to evaluate risk processing results
In order to achieve information security management system objectives, to ensure that necessary monitoring and assessment activities within the company and affiliated units are conducted and to encourage their implementation
Every employee understands the Information Security Policy and is aware of their roles in preventing and mitigating cyber threats
Mandatory ISMS and Cybersecurity awareness programs for all employees.