System integration for IT infrastructure, cybersecurity and data analytics

  1. Introduction and overview 

We rely on the confidentiality and availability of our information and systems to accomplish our core business mission: to provide the highest level of service and access to our customers whilst maintaining security.

In addition, regulatory requirements, as well as customer and investor expectations, are being driven by a greater focus on the need to take a risk-based approach to securing confidential, and particularly personal, information.

This policy is a commitment by top management and has been approved by top management.

Purpose 

This policy sets out what we will do to ensure that our information and systems are protected against unauthorised access, disclosure, loss, modification or destruction. Where appropriate, more detailed policies will be developed to expand on a control area.  

Scope 

This policy encompasses the people, processes and technology that process, transmit or store our physical and digital information.  

In addition, this policy covers anyone who has access to our information and systems, whether they are directly employed or engaged under a contract, including third parties and partners.

  2. People Management

Lifecycle: Information security requirements must be embedded into each stage of the employment/contract life cycle, specifying security related actions required during induction, ongoing management and termination of employment.  

Responsibilities: Ownership of critical information and systems must be assigned to appropriate staff, supported by clearly defined responsibilities for protecting the assets.  

Device safety: When working away from the office, we must take all reasonable efforts to protect computing devices and the information they handle against loss, theft and misuse.   

Security awareness: A security awareness programme must promote and embed expected security behaviour in all staff.  

Security skills: Appropriate staff must be trained in how to run systems and applications correctly and how to develop and apply information security controls.  

  3. Information Risk Management

Risk management: Our information and systems must be consistently protected by appropriately identifying, analysing, assessing, mitigating and communicating information risks.  

  4. Information Management

Information classification: An information classification scheme, based on the criticality of our information assets, must be applied throughout our systems.  

Information privacy: Responsibility for managing information privacy must be established and security controls applied for handling personal and sensitive personal data.  

  5. Cryptography

Solutions: Cryptographic solutions must be subject to approval, documented and applied as required.  

Key management: Cryptographic keys must be managed tightly and protected against unauthorised access or destruction.  

  6. Physical Assets

Hardware suitability: Robust and reliable hardware must only be acquired following consideration of security requirements and identification of any security and privacy deficiencies.  

Device configuration: Mobile devices must be built using standard secure configurations and subject to security management practices to protect information against unauthorised disclosure, loss and theft.   

Device connectivity: Appropriate measures must be taken to ensure secure connectivity to our IT services.  

Portable devices: The use of portable storage devices must be subject to approval, access to them restricted and information stored on them protected.  

Personal devices: Technical and procedural security controls must be implemented to protect our information and systems when accessed from personal devices. 

  7. Business Applications

Protection of business applications: Business applications must be protected by using sound security architecture principles.  

  8. Identity and Access Management

Identity: Identity and access management arrangements must provide effective and consistent user administration, identification, authentication and access control mechanisms.  

Access: Access to our information and systems must be robust and be restricted to authorised individuals for specific business purposes.  

  9. Systems Management

Design: Systems and networks must be designed to cope with current and predicted information processing requirements and be protected using a range of in-built security controls.  

Configuration: Systems must be configured to function as required and to prevent unauthorised or incorrect updates.  

Service providers: Services must be obtained from service providers capable of providing any required security controls and be supported by documented contracts or service level agreements.

Performance management: Systems must be monitored continuously and reviewed from a business user’s perspective.  

Backups: Backups of essential information and software must be performed in accordance with a defined cycle and tested on a regular basis. 

Change management: Non-standard changes to systems must be tested, reviewed and applied using a change management process.  

  10. Networks and Communications

Wireless security: Wireless access in key office locations must be subject to authorisation, users and computing devices authenticated and wireless traffic encrypted.  

Traffic: Network traffic must be routed through well configured network security controls prior to being allowed access to other networks or before leaving our networks.  

Maintenance: Maintenance of critical systems and networks must be restricted to authorised individuals, confined to individual sessions and subject to review.  

Email and Instant Messaging: Email and instant messaging systems must be protected by a combination of policy, awareness, procedural and technical security controls.  

  11. Technical Security Management

Architecture: A security architecture must be established to help manage the complexity of providing information security at scale.  

Malware response: Activities must be performed to make users aware of the risks from malware and to specify the actions required to minimise those risks.

Malware solution: Our systems must be safeguarded against all forms of malware by maintaining up-to-date malware protection software, which is supported by effective procedures for managing malware-related incidents.  

Intrusion detection: Intrusion detection mechanisms must be applied to critical systems.  

Vulnerability management: Technical vulnerabilities must be identified and remediated within agreed timescales.  

Security event logging: Important security-related events must be recorded in logs, protected against unauthorised change and analysed on a regular basis using automated and manual methods.

Incident management plan: An incident management framework must include all relevant individuals, information, capabilities and tools required.  

Incident management process: Information security incidents must be identified, responded to, recovered from and followed up using a documented and tested process.  

  12. Supply Chain Management

Supplier and partner assurance: Information risks must be identified and managed throughout all stages of the relationship with external suppliers and partners and must include their supply chain if applicable.  

Outsourcing: The selection and management of outsource providers must be governed and supported by documented agreements that specify the security requirements to be met.  

  13. Physical and Environmental

Physical protection: All critical facilities must be physically protected against accident, attack or unauthorised physical access.  

Hazard protection: Critical facilities must be protected against fire, flood, environmental and other natural hazards.  

  14. Business Continuity and Disaster Recovery

Crisis management: The crisis management process, which details the actions to be taken in the event of a major incident or serious attack, must be supported by a crisis management team.

Plans: Business continuity and disaster recovery plans must be documented to support all critical business processes.  

Testing: Business continuity and disaster recovery plans must be tested on a regular basis.  

  15. Security Monitoring and Improvement

Security audit: The information security status of our environments must be subject to thorough, independent and regular security audits.  

Security performance: Information security performance must be monitored regularly and reported to specific audiences, such as Senior Management.  

Risk management: Reports relating to information risk must be produced and presented to Senior Management on a regular basis.  

Compliance monitoring: A security compliance management process must be established which comprises information security controls derived from business, regulatory, legal and contractual requirements.  

  16. Exceptions

Exceptions process: Every effort must be made to comply with this policy. However, if you feel you have a valid business case for an exception, then you must contact the security team to assess and manage the request.  


Mehmet Yüksel
Managing Director
BDT Group
15.02.24
Version 1.0