INFORMATION SECURITY POLICY

1. Purpose of the Policy and Its Strategic Importance
This Information Security Policy has been established to ensure full compliance with the obligations introduced by the Capital Markets Board of Türkiye (CMB) through the “Communiqué on the Principles and Procedures Regarding Information Systems Management (VII-128.10)” published in the Official Gazette dated March 13, 2025.
The Policy defines the fundamental strategic framework for protecting information—one of our organization’s most valuable assets—enhancing resilience against cyber threats, ensuring operational continuity, and fulfilling legal obligations in full. This document addresses information security not merely as a technological requirement, but as an integral component of corporate governance and risk management.
2. Scope
This policy covers all information assets within HKTM, the information systems that process, store, or transmit these assets, related business processes, and all employees, consultants, and external service providers. The provisions of this policy apply to all locations and operational activities of the organization.
3. Information Security Governance and Responsibilities
3.1 Importance of the Governance Structure
Effective information security governance is the cornerstone of a successful and sustainable security program. Without full support from senior management, clearly defined roles, and accountability mechanisms, security investments may be rendered ineffective, and serious administrative sanctions may arise due to regulatory non-compliance. This structure ensures that information security decisions align with strategic objectives, resources are allocated appropriately, and compliance with the VII-128.10 Communiqué is guaranteed.
3.2 Roles and Responsibilities
The fundamental roles and responsibilities required to ensure compliance with the Communiqué and effective information security management are defined below:
Board of Directors / Senior Management: Approve policies and procedures related to information systems management in writing. Approve roles and responsibilities related to information systems management in writing. Approve guidelines and usage procedures regarding the security classification of information assets. Approve action plans related to risk management activities. Review annual evaluation and audit reports related to information systems controls.
Information Security Officer: Report directly to senior management. Not assume any other operational responsibilities in information systems management. Coordinate the review of the information security policy at least once a year. Participate in approval mechanisms for remote access processes.
Information Asset Owner: Conduct authorization review controls for the information assets under their responsibility and implement necessary actions.
Internal Auditor: Conduct information systems audits annually. Report audit results, identified findings, and related action plans to senior management. Report authorization process audit results and identified non-conformities to senior management.
The primary responsibility of these roles is to protect the organization’s information assets. Proper identification, classification, and risk management of these assets constitute the main focus of the asset and risk management processes addressed in the next section.
4. Asset Management and Risk Analysis
4.1 Strategic Value of Asset and Risk Management
Without an effective asset inventory and a systematic risk management process, cybersecurity resources may be misprioritized, leaving critical assets unprotected. This situation poses both regulatory non-compliance risks and potential loss of valuable data in the event of a cyberattack. This process ensures efficient use of resources by focusing defense mechanisms on the right areas and fulfills the proactive security approach mandated by the Communiqué.
4.2 Policy Provisions
Asset Inventory: A comprehensive inventory covering all information assets, the services supported by these assets, and related business processes shall be created and kept continuously up to date.
Annual Risk Assessment: A comprehensive risk management process shall be conducted organization-wide at least once a year. This process shall include defining risk criteria, analyzing threats and vulnerabilities to assets, determining risk levels, planning controls and actions to mitigate identified risks, and monitoring the effectiveness of corrective actions.
One of the most fundamental controls to mitigate risks identified during the risk assessment process is managing who can access information, when, and under what conditions. Therefore, the next section focuses on access control and identity management policies.
5. Access Control and Identity Management
5.1 Fundamental Principle of Access Control
Access control management is based on the principle of “least privilege.” According to this principle, users and systems are granted only the minimum access rights necessary to perform their duties. This approach significantly limits unauthorized access, insider threats, and lateral movement capabilities of attackers, thereby minimizing the impact of potential data breaches.
5.2 Access Control Policies
Authentication: Strong and multi-factor authentication (MFA) mechanisms shall be implemented for access to all systems and applications.
Password Management: A comprehensive password management policy covering complexity, minimum length, validity period, password history control, and secure storage shall be implemented and mandatory for all personnel.
Privileged Account Management: The use of administrator and other privileged accounts shall be strictly controlled, logged, and regularly monitored.
Authorization Review: Information Asset Owners shall periodically review user authorizations for systems and applications under their responsibility. Authorizations shall be revoked immediately in cases of role changes, termination of employment, or redundancy.
Remote Access: Remote access to the corporate network shall be granted only with the approval of the Information Security Officer. Devices used for access must have up-to-date antivirus software and essential security controls such as firewalls.
Temporary User Access: Defined, time-limited, and approval-based authorization processes shall be implemented for external service providers or temporary personnel.
While access controls secure entry points to systems, the internal security of the systems and applications themselves must also be ensured. The next section addresses system and application security as part of layered defense.
6. System and Application Security
6.1 Multi-Layered Nature of System and Application Security
A comprehensive information security strategy cannot be limited to network and access controls alone. Security encompasses server configurations, application code quality, mobile device management, and data validation controls. Vulnerabilities in these areas constitute the largest attack surface. The VII-128.10 Communiqué mandates proactive and detailed security measures to minimize this surface.
6.2 Policy Areas
Operation of Information Systems (Article 14)
Performance monitoring and capacity planning shall be conducted for critical systems.
Known vulnerabilities shall be proactively tracked and patched in a timely manner based on risk assessments.
Configuration management procedures shall be implemented to ensure secure and standard-compliant system configurations.
The use of removable media such as USB drives shall be controlled, and sensitive data stored on such media shall be encrypted.
Up-to-date malware protection solutions shall be used on all servers and end-user devices, and email security filtering mechanisms shall be implemented.
User-uploaded files shall be scanned for malicious content and managed securely.
Additional authentication steps and secure one-time password (OTP) generation shall be mandatory for critical mobile application transactions (e.g., money transfers).
Additional security controls shall be applied in cases of SIM card or operator changes.
Users shall be informed about active sessions and failed authentication attempts.
Secure systems and applications can only function effectively on a secure network infrastructure. The next section focuses on network security and communication policies.
7. Network Security and Communication
7.1 Network Security: The Foundation of Corporate Defense
Network security is the fundamental defense layer that protects the organization’s digital boundaries against cyber threats. Failure to effectively manage unauthorized access attempts, DDoS attacks, and threats targeting data confidentiality may result in customer loss, reputational damage, and severe financial penalties. Therefore, network security is vital for operational continuity.
7.2 Network Security Policy Provisions
Security Measures: Whitelist/Blacklist implementations allowing only permitted applications and services, and DDoS protection mechanisms to prevent service disruptions shall be in place.
Encryption: Up-to-date and strong encryption protocols and authentication controls shall be used to ensure data confidentiality and integrity for internal and external communications.
Data Center Security: Strict physical and logical security controls shall be implemented to prevent unauthorized access and data leakage during access to data centers.
Despite proactive controls, security incidents may still occur. Rapid and effective response is critical to minimizing damage and restoring operations. The next section addresses incident management and continuity planning.
8. Information Security Incident Management and Continuity
8.1 Importance of Incident Management and Continuity for Resilience
Modern cybersecurity approaches are based on the principle of “not if an incident will occur, but when.” Therefore, proactive incident detection, effective response processes, and robust business continuity plans are indispensable for ensuring organizational resilience, minimizing operational disruptions, and preventing financial and reputational losses.
8.2 Policy Requirements
Audit Trails: Audit logs related to significant events (e.g., user logins, authorization changes, data access) shall be created, centrally collected, managed, and regularly monitored for suspicious activities.
Incident Management Process: A clearly defined process shall be implemented for detecting, analyzing, containing, identifying root causes, and resolving information security incidents.
Corporate CSIRT: A Corporate Cyber Security Incident Response Team (CSIRT) shall be established, or an authorized individual shall be appointed, to centralize incident response capabilities.
Business Continuity and Disaster Recovery:
Business impact analyses shall define Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
Disaster Recovery Centers (DRC) shall be located in a different geographical area from the primary data center to avoid shared risks.
Transition to the DRC and return tests shall be conducted periodically, and results shall be reported to senior management.
9. Policy Compliance, Review, and Exemptions
9.1 Continuous Nature of Policy Compliance
This information security policy is a living framework requiring continuous monitoring, auditing, and adaptation to evolving threats, technological developments, and regulatory requirements.
9.2 Compliance and Review Rules
Review: The policy shall be reviewed at least once a year under the coordination of the Information Security Officer and submitted to senior management for approval if updates are required.
Internal Audit: Compliance with this policy and the VII-128.10 Communiqué shall be audited at least annually by the Internal Audit unit. Outsourcing is not permitted for this audit activity.
Reporting: Evaluations, risk analyses, and internal audit results related to information systems controls shall be reported to senior management at least once a year.
9.3 Exemption Scope
HKTM is not among the institutions exempted under the VII-128.10 Communiqué and is therefore obligated to comply with all provisions of the Communiqué.
9.4 Appendix A: VII-128.10 Compliance Timeline

Responsible Group | Obligation | Compliance Deadline
All institutions | Entry into force of the Communiqué | 30.06.2025
Crypto asset service providers | Article 27 provisions | 31.12.2025
All institutions | General provisions | 31.12.2025
Crypto asset service providers | Article 29.3 (Internal auditor list) | 31.12.2026
All institutions | Article 29.3 (Internal auditor list) | 31.12.2026

Approval Section
This policy has been reviewed by the HKTM Board of Directors and was published with the Board Decision dated 26.06.2025 and numbered 139.

General Manager