Information Security

Information Security

1. Purpose, Scope, and Management Adoption of Information Security

Revotas regards corporate information as a highly valuable asset. Information is of critical importance for the continuity of our business activities and must be properly protected. By implementing the Information Security Management System (ISMS) ISO 27001 standard, Revotas aims to minimize risks related to the Confidentiality, Integrity, and Availability of corporate information and the potential impacts of these risks.

This policy has been approved by Revotas top management.
Revotas top management has specifically committed to ensuring the following:

  • Ensuring the confidentiality, integrity, and availability of Revotas’ information and information systems,

  • Identifying risks to information assets and managing these risks in a systematic manner,

  • Meeting the requirements of Information Security Standards,

  • Complying with all legal regulations related to Information Security,

  • Continuously evaluating improvement opportunities and taking action to sustain the Information Security Management System,

  • Conducting training programs designed to improve technical and behavioral competencies in order to raise awareness of information security,

  • Ensuring that other sub-procedures related to this policy are prepared and published by the Information and Communication Technologies officers.

Revotas’ Information Security Policies are mandatory and applicable to all personnel who use corporate information or business systems—whether full-time, part-time, permanent, or contractual—regardless of their geographical location or business unit. Third-party service providers and their support staff who require access to corporate information must also comply with the general principles of this policy and adhere to other security responsibilities and obligations required of them.

2. Responsibilities of All Employees

The purpose of Information Security and this policy is to protect, maintain, and manage the confidentiality, integrity, and availability of information, as well as all supporting business systems, processes, and applications. This means ensuring that Revotas’ information remains in authorized hands, is complete, accurate, and available, and that information and systems are ready for use when needed.

Therefore, all corporate and outsourced personnel, as well as interns, regardless of their position or duty, are responsible for carrying out their work in a manner that protects information within the organization.

In addition to ensuring that Revotas’ information remains complete, accurate, and readily available, all personnel must also comply with the protection of confidential information stated in employee contracts and adhere to corporate business ethics principles.

Revotas is committed to taking the measures specified in the Personal Data Protection Law and to working in full compliance with the Personal Data Protection Policy.

3. Policy Ownership and Guidance in Information Security

The functional ownership of this policy, all standards, supporting documents, and training activities will be carried out by Information Security Managers. These managers will also act as advisors and guides regarding the implementation of this policy across the organization.

Information Security Managers will ensure that all employees receive appropriate training to establish a proper level of awareness on Information Security issues, and will provide guidance in handling information security incidents. They will ensure that this policy is supported by detailed standards, procedures, and processes when required, and that such documents are readily available. They are also responsible for ensuring that the requirements of this policy are communicated to all employees (permanent or temporary) and all contractor personnel.

The IT Manager is responsible for establishing the overall governance framework related to Information Security, ensuring its continuity, and keeping this policy up to date. This includes ensuring that the policy continues to reflect the changing risk environment or threats facing the business requirements, information, and information systems of the organization.

Information Security Policies are reviewed at least once a year in line with updates to assets and risks, in order to reflect the current risks to Revotas’ information assets. To keep control of new or changing risks, the policies are updated with necessary additions. In addition, any employee may request changes to the Information Security Policies to improve them and better reflect the controls required by the organization. Such requests will be evaluated and addressed by the Information Security Management.

The principles of the Information Security Policy should be implemented in parallel with Revotas Human Resources personnel rules. Employees are also responsible for being aware of the Information Security Policy and complying with its principles.

4. Auditing, Compliance, and Resolution of Non-Compliance

Each department manager is primarily responsible for taking necessary measures to ensure compliance with the Information Security Policy and for overseeing the system.

The Information Security Management is responsible for the periodic auditing of compliance with all published policies, procedures, and standards—especially the main Information Security Policy—and for reporting to relevant parties.

Violations of the Information Security Policy may result in harm to Revotas due to the lack of necessary controls against risks, and may also lead to criminal liability under the new Turkish Penal Code, as well as liability for compensation of financial damages. Therefore, such violations are also breaches of the Personnel Regulations and may result in disciplinary sanctions.

Violations of the Information Security Policy detected through oversight, audit, or reporting may lead to disciplinary measures ranging up to termination of employment, and even legal and criminal proceedings.

Working together in the implementation of this policy will help ensure the continuous protection of our information and reputation, and the sustainability of our business success.

5. Information Security Policy

Revotas Information Security aims to protect corporate reputation, reliability, and information assets, and to ensure that core and supporting business activities continue with minimal disruption.

To this end, Revotas is committed to:

  • Protecting the information assets processed, stored, and shared with other organizations, in line with the principles of confidentiality, integrity, and availability,

  • Managing information assets, determining their security values, needs, and risks, and implementing controls against security risks through a management system that is continuously improved,

  • Identifying continuous improvement needs and opportunities through risk assessments related to activities, in alignment with the organization’s vision and mission,

  • Following technological developments and changes within the scope of provided services,

  • Ensuring business continuity by reducing the impact of information security risks,

  • Complying with national and international regulations, legal and regulatory requirements, contractual obligations, and corporate responsibilities towards internal and external stakeholders,

  • Possessing the competence to respond quickly to information security incidents and minimize their impact,

  • Maintaining and improving the level of information security over time with a cost-effective control infrastructure,

  • Enhancing the organization’s reputation and protecting it against negative impacts stemming from information security risks,

  • Protecting personal data in line with the Personal Data Protection Law,

  • Conducting training to raise employees’ awareness and competencies on information security, providing the necessary support, and becoming a leading example in the industry by integrating with other management systems.