SUSTAINABILITY REPORT 2018

RISK MANAGEMENT AND ETHICS

Information Security and Privacy


Priority Area: Information Security

2018 Goals:
  • To increase security monitoring capabilities.
  • To add more topics to the awareness program.

Performance in 2018:
Information security monitoring systems and additional initiatives (such as 2FA) were implemented across all CCI countries to increase security maturity. Employees were informed about modern information security threats and topics through security awareness trainings.

Status: Achieved

2019 Goals:
  • Implement a «secure-by-design» and «privacy-by-design» approach in product development and lifecycle management for a sustainable security culture.
  • Extend the cybersecurity focus to OT/IoT to increase visibility with OT intrusion detection systems and effectively protect production systems in our plants.
  • Implement early and accurate threat detection systems by leveraging advanced deception technologies to ensure post-breach defense, contain cyber attacks, mitigate the damage and thus increase cyber resilience.
  • Challenge CCI’s security maturity and resilience to sophisticated attacks by emulating attackers who use advanced tactics, techniques and procedures.

According to the Global Risk Report by the World Economic Forum, cyber risk is one of the major and rising risks around the globe. To address this challenge and mitigate risks, CCI maintains a robust information security and privacy program with the following key elements to secure its information assets:

Information Security Governance

CCI runs a company-wide information security governance structure that enables the effective management of potential risks and incorporates security and privacy controls into our information systems and services. The Information Security Steering Committee, which consists of the Executive Committee and the security management team, has acted as the governing body since 2009. CCI has implemented a comprehensive Information Security Management System (ISMS) based on the ISO 27001 ISMS standard to achieve its security objectives. CCI complies with the ISO 27001 standard, was certified in 2016, and completed the surveillance audits in 2017 and 2018.

Security Awareness

CCI has been running a mandatory cybersecurity awareness program for all employees since 2014, thereby promoting cybersecurity awareness across the company. The awareness program reports are submitted to top management to inform them of any risk.

This awareness program includes online training, awareness posters on display at CCI workplaces, and email notifications on diverse topics such as phishing, travel security, URL security, email security and physical security.

Regulatory Compliance

CCI designed and implemented many initiatives aimed at ensuring compliance with the requirements of:

  • Turkish Personal Data Protection Law no. 6698 (KVKK)
  • Communiques published by the Capital Markets Board of Turkey
  • The Authorized Economic Operator program of the Turkish Ministry of Customs and Trade
  • The Law of the Republic of Kazakhstan on Personal Data and Their Protection

Privacy and Data Protection

CCI takes precautionary measures to secure the personal information of its employees and customers. Our IT environment, security measures, policies and cybersecurity awareness program support compliance with the privacy and data protection requirements.

Cyber Risk Insurance

CCI holds cyber risk insurance to mitigate cyber-related security breaches or events. Cyber risk insurance covers the cost of restoring losses in business income or reputation owing to damage to computers and computer networks.

Business Continuity

CCI implements TCCC’s Incident Management and Crisis Resolution (IMCR) program, which is designed to create and maintain an efficient, integrated structure for preventing and managing incidents. Implementation of the IMCR program is a key management activity and is everyone’s responsibility at CCI.

To ensure that we prevent or reduce the impact of incidents on our business, we have incident management teams in each country of operation. Each team joins our annual training sessions and collectively works on simulations of complex incidents.

As part of the IMCR program, each country conducts the IMCR Validation program every three years, which aims to create readiness for crisis situations, build awareness, identify gaps and develop action plans for improvements.

In 2019, we plan to conduct the IMCR Validation Program in Azerbaijan, Kazakhstan, Kyrgyzstan and Pakistan.