In the current era, the transfer of information from classical to digital environments, the ease of access to information, and the digitalization of infrastructures have made data a valuable asset that must be protected. In this context, Presidential Circular No. 2019/12 on Information and Communication Security Measures, issued for purposes such as protecting information and increasing cyber resilience in our country, was published in the Official Gazette No. 30823 on 6 July 2019 and entered into force. In accordance with this circular, the Information and Communication Security Guide ("Guide"), which sets out in detail the measures to be followed by public institutions and organizations and by businesses operating in the critical infrastructure sectors in order to ensure the security of information for the purposes briefly explained above, was prepared by the Presidency Digital Transformation Office ("DDO") and shared with the public on July 27, 2020. The Information and Communication Security Audit Guide ("Audit Guide"), which sets out the procedures and principles to be followed in audit activities, one of the stages of compliance with the Guide, was prepared by the DDO and shared with the public on October 27, 2021. In this content, we have compiled frequently asked questions about the Guide and the Audit Guide for you.
Which institutions and organizations are included in the Information and Communication Security Guide?
The Information and Communication Security Guide covers:
- Public institutions and organizations within the state organization,
- Enterprises providing services in the critical infrastructure sectors, namely "Electronic Communication", "Energy", "Water Management", "Critical Public Services", "Transportation", and "Banking and Finance".
How is the asset group criticality determined?
In the studies carried out within the scope of the Guide, assets should be grouped under the headings defined in the Guide, and the measures should be implemented by taking these groups into account.
The main headings of the asset group defined in the guide are listed below:
- Network and Systems
- Applications
- Portable Devices and Media
- Internet of Things (IoT) Devices
- Physical Spaces
- Employees
In order to determine the criticality level of assets, asset groups should be defined in accordance with the points on page 22 of the Guide. More than one asset group can be defined under each asset group heading.
After the asset groups are determined, the criticality level of each asset group should be determined. The criticality of each asset group should be determined by taking into account the criticality of the data it processes in terms of confidentiality, integrity and availability, and the impact areas of security breaches that may occur.
The following steps are followed during the asset group criticality determination phase:
- For each asset group, the questionnaire in Annex-C.1 is filled in with the participation of the relevant stakeholders. Asset owners, system administrators, developers, user representatives, managers and the most competent personnel of the institution should take part in the survey. It is recommended to use the Delphi method when filling in the survey. The survey should be carried out by following the Delphi method steps below:
  1. The experts to whom the questionnaire will be administered are determined.
  2. The questionnaire is filled in by the experts.
  3. The results of the survey are evaluated.
  4. If the participants have not yet agreed on a common view, the process returns to step 2; the survey rounds continue until all participants agree.
  5. The decision agreed upon on the basis of all survey results is implemented.
- The survey score is calculated by adding up the scores given in the survey form for the answers to the survey questions filled in for each asset group. The criticality level is then determined according to Table 3 in the Guide.
What is the difference between "Confidential Information/Data" and "Critical Information/Data" in the Guide?
Confidential Information/Data is defined within the scope of the Guide as "Information/data classified as 'TOP SECRET', 'SECRET', 'PRIVATE' or 'SPECIAL TO SERVICE' depending on its degree of importance, whose disclosure or delivery to persons other than those who need to know is deemed inconvenient in terms of national security and the interests of the country." In this classification, the degree of confidentiality of the information and data is the basic criterion.
Critical Information/Data is defined in the Guide as:
- "All kinds of information/data whose security weakness may lead to legal sanctions, and whose content, if accessed by unauthorized personnel or persons, would cause very serious material or moral damage to the institution,
- Data processed by assets whose criticality level is calculated as level 3,
- Special categories of personal data defined by the Law on the Protection of Personal Data No. 6698 dated 24.03.2016."
Confidentiality is not the main criterion in determining critical information and data. What matters is the confidentiality, integrity and availability of the processed data together with the size of the impact area. The impact area of information/data covers dependent assets, the number of people affected, institutional consequences, sectoral impact and societal consequences.
Are third parties that provide services to institutions, organizations and businesses within the scope of the Information and Communication Security Guide obliged to comply with the Guide?
Third parties providing services to institutions, organizations and businesses within the scope of the Information and Communication Security Guide are not directly obliged to comply with the Guide. However, since those within the scope are obliged to comply with the requirements of the Guide in the supply and operation of services and products, third parties will indirectly comply with these requirements in their services and products.
The Guide contains separate sections for the Electronic Communication sector and the Energy sector. Are these two sectors only responsible for implementing the measures in those sections?
No. Institutions and organizations operating in the critical infrastructure sectors are obliged to implement all of the measures in the Guide; the sector-specific sections contain additional security measures that must be implemented on top of the general ones.
Which institutions and organizations are responsible for performing audit activities?
Except for the institutions and organizations that carry out duties and activities within the scope of ensuring national security, all institutions and organizations within the state organization that host data processing units or receive data processing services from third parties within the framework of contracts are obliged to carry out audit activities. Initial audits must be completed by 31 December 2022. District municipalities and district governorships are not included in the scope of the 2022 audit.
How is an audit team formed through service procurement in public institutions and organizations?
The audit team should consist of at least 2 auditors. Depending on the scope of the audit and the complexity of the systems audited, the number of auditors in the audit team may be increased.
If the audit team is formed through service procurement:
- The team must include at least one lead auditor and one auditor who are authorized within the scope of the TSE Information and Communication Security Guide Compliance Audit Service Personnel and Firm Certification Program. The lead auditor in the team is also the Audit Coordinator. If there is more than one lead auditor in the team, one of the lead auditors is assigned as the Audit Coordinator.
How is an audit team formed through service procurement in enterprises providing critical infrastructure services?
The audit team should consist of at least 2 auditors. Depending on the scope of the audit and the complexity of the systems audited, the number of auditors in the audit team may be increased.
If the audit team is formed through service procurement:
- The team must include at least one lead auditor and one auditor who are authorized within the scope of the TSE Information and Communication Security Guide Compliance Audit Service Personnel and Firm Certification Program. The lead auditor in the team is also the Audit Coordinator. If there is more than one lead auditor in the team, one of the lead auditors is assigned as the Audit Coordinator.
CyberArts has been authorized by TSE, under the code TSE-BIG-0010, to carry out audit activities within the scope of the TSE Information and Communication Security Guide Compliance Audit Service Personnel and Firm Certification Program.
Will sanctions be applied to institutions and organizations that do not perform audit activities?
- Oversight activities will be carried out by the Digital Transformation Office on the basis of the declarations and notifications made by institutions and organizations through the Information and Communication Security Compliance and Audit Monitoring System.
- If a weakness arises because the compliance activities and audits required by the Guide were not carried out, the sanctions already laid down in the relevant legislation will apply. Depending on the size and impact of the resulting damage, internal judicial or administrative investigation processes may be initiated.
- The regulatory and supervisory institutions responsible for businesses providing critical infrastructure services will be able to impose sanctions within the framework of the procedures and principles to be determined under primary and secondary legislation.