KJ Power Generator
Information Security Policy
1. Introduction
KJ Power Generator is committed to maintaining a robust security posture to protect its critical systems and sensitive data. This document serves to articulate the comprehensive security architecture underpinning our operations, ensuring compliance with the exacting standards expected by high-level public institutions. The subsequent sections provide an in-depth examination of our email infrastructure, corporate information management system, accounting software, physical security measures, remote access protocols, and overarching security policies.
2. Email Infrastructure Security
2.1 Platform
Our email infrastructure is founded upon Google Gmail, integrated with Google Workspace, which provides enterprise-grade security capabilities. All available security features have been meticulously configured to protect communications across the organisation.
2.2 Security Features
- Authentication: Multi-factor authentication (MFA) is compulsory for all users, incorporating biometric verification (e.g., fingerprint or facial recognition) or hardware security tokens (e.g., YubiKey) alongside traditional credentials.
- Encryption: Transport Layer Security (TLS) is employed for all email transmissions, with Secure/Multipurpose Internet Mail Extensions (S/MIME) mandated for communications containing sensitive information.
- Threat Protection: Gmail's advanced spam filtering and artificial intelligence-driven threat detection mechanisms are fully operational. The Google Advanced Protection Programme is implemented for personnel with elevated risk profiles, such as senior management.
- Access Control: Role-based access control (RBAC) governs email system access, supported by continuous monitoring and real-time alerts for anomalous activities.
- Data Loss Prevention (DLP): Configured DLP policies within Google Workspace prevent the unauthorised dissemination of sensitive data, such as financial records or personal information.
- Audit and Compliance: Email activities are systematically archived via Google Vault, ensuring compliance with legal and regulatory obligations.
2.3 Additional Measures
- Regular penetration testing and security updates are conducted to maintain system resilience.
- Employees receive mandatory training on phishing recognition and email security best practices, supplemented by annual simulation exercises.
3. Corporate Information Management System (CIMS) Security
3.1 Overview
The Corporate Information Management System (CIMS) is an internally developed platform that consolidates the management of production, human resources, sales, procurement, production planning, imports, and other operational functions.
3.2 Technical Infrastructure
- Development Platform: Built using the Microsoft .NET Framework, adhering to secure software development life cycle (SDLC) principles.
- Database: Microsoft SQL Server, with the Always Encrypted feature activated to protect sensitive data at all times.
- Hosting: Deployed on Amazon Web Services (AWS), leveraging AWS Shield and Web Application Firewall (WAF) for enhanced security.
3.3 Security Architecture
3.3.1 Key Management
- A dedicated key server facilitates secure communication between the user interface and service layers, generating dynamic keys with a lifespan of 24 hours or 10,000 uses, whichever occurs first.
- Keys are encrypted using the AES-256 algorithm and transmitted exclusively between authorised servers.
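The two-limit rotation rule above, as an added illustration rather than the company's own key-server code: a key is retired as soon as either its 24-hour age or its 10,000-use budget is exhausted, and the next request receives a freshly generated key. The `KeyServer` and `SessionKey` names, and the injectable clock, are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Rotation limits as stated in section 3.3.1: a key is retired after 24 hours
# or 10,000 uses, whichever comes first. (Illustrative implementation only.)
MAX_AGE_SECONDS = 24 * 60 * 60
MAX_USES = 10_000


@dataclass
class SessionKey:
    """One dynamic key issued by the key server, with its issue time and use counter."""
    key_id: str
    material: bytes            # 32 bytes = AES-256 key size
    issued_at: float           # seconds since the epoch
    uses: int = 0

    def expired(self, now: float) -> bool:
        # Either limit alone is enough to retire the key.
        return (now - self.issued_at) >= MAX_AGE_SECONDS or self.uses >= MAX_USES


class KeyServer:
    """Hands out the current key and rotates it when either limit is hit.

    `clock` is injectable so the rotation rule can be exercised without waiting.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._current = self._issue()
        self.rotations = 0

    def _issue(self) -> SessionKey:
        # Fresh random key material and identifier from the OS CSPRNG.
        return SessionKey(
            key_id=secrets.token_hex(8),
            material=secrets.token_bytes(32),
            issued_at=self._clock(),
        )

    def acquire(self) -> SessionKey:
        """Return a valid key for one use, rotating first if the current one is spent."""
        now = self._clock()
        if self._current.expired(now):
            self._current = self._issue()
            self.rotations += 1
        self._current.uses += 1
        return self._current
```

Because `acquire` checks both limits on every call, a key that is still young but heavily used and a key that is lightly used but old are both replaced without any separate scheduler.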
3.3.2 Network Security
- IP Restrictions: Communication is restricted to fixed IP addresses over HTTPS, with external access prohibited.
- Firewall Protection: Windows Defender Firewall supplements AWS security groups, permitting only essential traffic (e.g., port 443).
- DDoS Mitigation: Cloudflare's enterprise-grade services provide distributed denial-of-service (DDoS) protection and a web application firewall.
3.3.3 Data Encryption and Authentication
- Password Security: User passwords are hashed using bcrypt with salting, replacing the outdated MD5 algorithm.
- Session Management: JSON Web Tokens (JWT) govern user sessions, with automatic termination after 30 minutes of inactivity.
- Data Encryption: Sensitive data is encrypted using AES-256, with AWS Key Management Service (KMS) securing data at rest.
3.3.4 Backup and Disaster Recovery
- Daily encrypted backups are stored on AWS S3 with geographic redundancy.
- A disaster recovery plan ensures a Recovery Time Objective (RTO) of 15 minutes and a Recovery Point Objective (RPO) of 5 minutes.
3.3.5 Monitoring and Compliance
- AWS CloudTrail and CloudWatch provide continuous monitoring, with real-time anomaly detection.
- Biannual penetration testing by external specialists ensures system integrity.
- Compliance is maintained with ISO 27001, GDPR, and KVKK standards.
4. Accounting Software (LOGO) Security
4.1 Access Control
- The LOGO accounting application is accessible solely from the internal company network, with external access precluded.
- RBAC ensures that only authorised personnel can interact with the system.
4.2 Network Security
- Physical and virtual firewalls protect network traffic, configured to allow only necessary connections.
- Employee and guest networks are segregated, with guest access requiring authentication via a captive portal.
5. Physical Security Measures
5.1 Facility Security
- Access Control: Physical access to facilities is restricted to authorized personnel using biometric verification and access cards.
- Surveillance: 24/7 surveillance systems monitor all critical areas, with real-time alerts for unauthorized access.
- Security Personnel: Trained security personnel are stationed at key points to ensure compliance with security protocols.
5.2 Data Center Security
- Environmental Controls: Data centers are equipped with advanced environmental controls to maintain optimal conditions for hardware.
- Redundancy: Critical systems are designed with redundancy to ensure continuous operation in case of hardware failure.
- Disaster Recovery: Comprehensive disaster recovery plans are in place to restore operations swiftly in the event of a major incident.
6. Remote Access Protocols
6.1 VPN Access
- Secure VPN: Remote access to the corporate network is facilitated through a secure VPN, with multi-factor authentication required for all connections.
- Encryption: All data transmitted over the VPN is encrypted using AES-256 to ensure confidentiality and integrity.
- Access Control: VPN access is restricted to authorized personnel, with role-based access controls in place to limit access to sensitive systems.
6.2 Remote Desktop Protocol (RDP)
- Secure RDP: Remote desktop access is secured using RDP over VPN, with multi-factor authentication and strong password policies enforced.
- Monitoring: All RDP sessions are monitored and logged for security and compliance purposes.
- Access Control: RDP access is restricted to authorized personnel, with role-based access controls in place to limit access to sensitive systems.
7. Security Policies
7.1 Acceptable Use Policy
- All employees must adhere to the Acceptable Use Policy, which outlines acceptable and unacceptable use of company resources.
- Violations of the Acceptable Use Policy may result in disciplinary action, including termination of employment.
7.2 Data Protection Policy
- All employees must adhere to the Data Protection Policy, which outlines the measures in place to protect sensitive data.
- Violations of the Data Protection Policy may result in disciplinary action, including termination of employment.
7.3 Incident Response Policy
- All employees must adhere to the Incident Response Policy, which outlines the procedures for responding to security incidents.
- Violations of the Incident Response Policy may result in disciplinary action, including termination of employment.
Musa KÜRKÇÜ
Chairman of the Board
March 11th, 2025