The Purpose and Scope of the Information Security Policy
The Information Security Policy aims to specify critical standards for ensuring the accessibility, privacy, and integrity of AI Business School’s information systems and assets.

With the understanding that information assets are critical to corporate operations and functions, our Company strives to achieve the following goals:

• Assuring information assets’ confidentiality, integrity, accessibility, continuity, and control,
• Limiting the danger of information assets being lost, degraded, or abused, as well as ensuring compliance with laws and regulations,
• Providing the resources needed to manage the Information Security Management System, develop controls, evaluate opportunities for continuous improvement, and conduct the necessary surveillance studies,
• Providing training for developing technical and behavioral competencies to raise information security awareness,
• Protecting information assets from all types of internal and external risks, both deliberate and accidental.

Through sub-policies, procedures, and directives relevant to this policy, AI Business School establishes and oversees the controls required to operate and maintain the Information Security Management System processes.

Our Information Security Policy applies to all domestic and international employees of AI Business School. As well as people who use AI Business School’s information or business systems, third-party service providers and their support staff who are not employees of the Company but have access to the Company’s information due to contractual agreements.

• Responsible

2.1. The Board of Directors and Top Management
The Board of Directors approves the Information Security Policy, which determines the information security strategy and roadmap and requires its implementation to develop an effective information security management structure.

Senior Management allocates the required resources and authority/duty for the Information Security Management System’s establishment and operation.

2.2. All Employees
All employees must follow all policies and procedures outlined in the Information Security Management System category, report any security breaches or violations, and complete all required tasks.

The main goal of the Information Security Policy is to protect, maintain, and manage the confidentiality, integrity, and availability of information and all supporting business systems, processes, and applications.

This means that the information and data remain in competent hands, ensuring it is complete, accurate, available, and known to systems when needed. As a result, AI Business School’s Information Security Policy must be followed by all AI Business School employees, interns, outsourced personnel, dealers, and suppliers.

In this context, asset and process owners are required to:

• Follow the Information Security Policy and Procedures that have been communicated to them,
• Ensure compliance with the Information Security Policy and Procedures that have been displayed to them,
• To report any security breaches or non-compliance with Information Security Policies and Procedures,
• Not to engage in activities that could jeopardize the operation of information systems or put data security at risk,
• Notify the Information Security Manager of any requests for updates or improvements to the Information Security documents,
• Within the realm of business demands, requesting access to information and corporate resources,
• On an administrator and user basis, decide the access privileges of the owned asset and Personal Data, as well as who can access them,
• To be in charge of classifying, updating, and reviewing employee assets, including Personal Data.

Employees must follow the AI Business School Global Code of Conduct and preserve confidential information as outlined in the AI Business School Personnel Regulation. Furthermore, AI Business School agrees to comply with the Personal Data Protection Regulation and take the precautions indicated in the Personal Data Protection Regulation.

2.3. Third Parties

The necessary contracts and standards define the Information Security arrangements that third parties must follow to deliver goods and services to AI Business School and its personnel. These should include at least the following:

• To behave following AI Business School Policies and Procedures, which govern the Company’s relationships with third parties, particularly information security rules specified in contracts or protocols,
• Using the identities granted to them by AI Business School in line with contracts and instructions,
• Not sharing AI Business School’s information and assets with others without Arçelik’s consent and permission,
• If third-party personnel who work with AI Business School quit or are reassigned, they must notify AI Business School immediately and have their authorizations terminated,
• Not copying any data and software on Arçelik’s devices without Arçelik’s permission and approval, recording, taking photographs/videos, or sharing data/acts that may compromise data security or image without Arçelik’s consent and authorization.

• Information Security Policy Ownership and Guidance

IT Security Management will be responsible for the functional ownership of this policy and any standards, supporting papers, and training activities. It will also advise and direct the policy’s implementation throughout AI Business School.

IT Security Management will guarantee that all workers receive adequate training to maintain a high awareness of information security issues and provide general guidance on handling information security incidents.

This will ensure that this policy is backed up by precise standards, procedures, and processes when needed and available. It will also be responsible for ensuring that these policy requirements are communicated to all permanent and temporary workers, as well as all contractors. Furthermore, IT Security Management provides all employees with all policy requirements, whether permanent or temporary, and all contractors.

The principles of the Information Security Policy should be followed by AI Business School Human Resources Employee Regulations. Employees are also accountable for being aware of and adhering to the principles of the Information Security Policy.

• Audit and Complying with Policies and Resolution of NonCompliance

The primary responsibility of each unit manager is to take the required precautions and monitor the system to ensure compliance with the Information Security Policy.

IT Security Management is in charge of conducting periodic audits and reporting to the appropriate parties on compliance with all stated policies and procedures, particularly the Information Security Policy.

Internal disciplinary sanctions, termination of employment, and even the commencement of Judicial and Criminal legal procedures may be implemented if violations of the Information Security Policy are discovered as a consequence of both surveillance, inspection, and notice.

Working together to follow this policy will help us maintain our knowledge and reputation throughout time, as well as assure the success of our business.

• Objectives

AI Business School Information Security strives to maintain AI Business School’s reputation, reliability, information assets, and primary and supporting business activities with the fewest potential business interruptions.

• Ensure full compliance with contracts with third parties,
• Maximize the level of compliance of personnel with awareness, consciousness, and security criteria,
• Ensure full compliance with information systems,
• Minimize information security breaches and turn them into learning opportunities,
• Ensure that information is produced, accessed, and stored in complete accordance with the law and
• Implement the most up-to-date and effective technical security controls.

All personnel is responsible for contributing to the policy’s objectives.