Cyber Security and Data Privacy

Ziraat Katılım manages its cyber security processes in accordance with the Information and Communication Security Guide, BRSA Regulation, and other legal regulations.

Ziraat Katılım has established an IT Risk Management structure in line with its information security strategies and policies.

Ziraat Katılım determines security controls appropriate to the criticality of the assets, applies tests, and strives to reduce risks below the threshold value.

Ziraat Katılım strives to maintain high standards for its cyber security infrastructure by focusing on identifying emerging risks and continuously improving system security in order to protect the confidentiality and security of customer and Bank data.

This approach encompasses a holistic information security management strategy that incorporates comprehensive security policies and standards, a robust security awareness and training program, and the deployment of advanced and layered defense mechanisms.

The Information Security Committee is responsible for determining the duties and responsibilities related to information security at the Bank.

Ziraat Katılım's cyber security and data privacy strategies are based on globally recognized standards and models and comply with the national regulations; both are listed below.

  • Banking Law No. 5411

  • The Regulation on Information Systems and Electronic Banking Services of Banks and various regulations released by the Banking Regulation and Supervision Agency (BRSA)

  • ISO 27001 Information Security Management System Requirements Standard

  • ISO 27005 Information Security Risk Management System

  • Information and Communication Security Guide of the Digital Transformation Office of the Presidency of the Republic of Türkiye

  • PDPL (Personal Data Protection Law)

  • The COBIT (Control Objectives for Information and Related Technology) Standards

  • NIST (US National Institute of Standards and Technology) Standards

Within this IT Risk Management structure, the Bank classifies its information assets according to their security value, determines security controls appropriate to the criticality of those assets, tests those controls, and, through continuous improvement activities addressing the risks identified by the tests, strives to bring those risks below the threshold value.

Ziraat Katılım Bank manages its cyber security processes effectively by taking into account the Information and Communication Security Guide of the Digital Transformation Office of the Presidency of the Republic of Türkiye, the Regulation of the Banking Regulation and Supervision Agency on Banks’ Information Systems and Electronic Banking Services, and other legal regulations and best practices.

Systems Established to Protect Data Confidentiality

Ziraat Katılım takes all necessary technical and administrative measures to store personal data securely, to prevent its unlawful processing, and to destroy it in accordance with the law. In line with the obligation to inform stipulated in the Personal Data Protection Implementation Principles and Procedures legislation, the Bank provides the required information in all channels and takes care to obtain the necessary explicit consents.

In order to raise awareness of the protection of personal data, all employees receive both in-class and remote training, and completion of this training is mandatory. Under the BRSA's Circular on Penetration Tests for Information Systems, penetration tests are conducted at least once a year by independent firms. These tests aim to identify and remediate security vulnerabilities that could allow unauthorized access to the Bank's information systems or to sensitive information. Penetration test results are presented to the Board of Directors, and the necessary action plans are carried out.

The Bank has established Network Security Control Systems against threats from both the corporate network and external networks. Rules governing the use of network resources cover matters such as USB usage, file sharing outside the Bank, database and application access, and the installation of non-standard applications. In addition, standards have been established for the computers and access rights provided to third-party company employees, consultants, independent audit firm employees, and external auditors who perform work at the Bank's premises.

The use of network resources is monitored with Data Leakage Prevention (DLP) systems, which prevent data leaks in line with the established rules and policies. Security processes are further supported by keeping audit trails of transactions.

Measures Taken Against Cyber Security Threats

Ziraat Katılım aims to implement the most effective data privacy and security solutions by keeping pace with new and advanced security systems, in line with its legal responsibilities. The Cyber Security Center operates seven days a week without interruption, monitoring the Bank's systems and alarm mechanisms, scanning for vulnerabilities, gathering threat intelligence, and responding to cyber threats.

The following systems are actively and uninterruptedly used in the center:

  • Network and client security products and devices: antivirus, DDoS protection, IPS, EDR/EPP systems, NAC and WAF systems, firewalls, and email security products.

  • DLP systems and Web/DNS security systems and solutions to prevent data leaks.

  • SIEM systems, which monitor all security logs and generate alarms.

  • Software code review systems, which help ensure the security of the applications in use.

  • Penetration testing systems and vulnerability management systems.

These systems support the Bank's information security processes without interruption.

Cyber Security and Data Privacy Trainings and Awareness Activities

Ziraat Katılım conducts a comprehensive Information Security Awareness Program for all employees, guided by the cyber security and data privacy policy it has established, with the aim of spreading a security culture throughout the Bank and sharing security responsibility among all employees. As part of this program, monthly bulletins are issued and periodic surveys are conducted to measure employees' perception of information security risks.

In addition, internal drills are conducted throughout the year using social engineering methods to raise awareness against phishing attacks. The results of these drills are evaluated, and appropriate training programs are planned and assigned to enhance employee awareness.

Face-to-face in-class information security training is included in the Bank's orientation programs for newly recruited employees, and updated information security training is assigned to all personnel throughout the year.