
23 July 2019

New Developments on Information Security in Public Sector

The Circular on Information Security in Public Institutions and Organizations has been published in the Official Gazette

Circular No. 2019/12 on Information and Communication Security Measures, which sets out a series of measures to ensure the security of data that may affect public order and national security, was published in the Official Gazette No. 30823 dated July 6, 2019. The Circular consists of 21 articles, many of which have attracted attention. The prominent points of the publication may be grouped as follows:

STORAGE

Critical data shall be stored and preserved domestically on physically secured networks, with log records protected against modification. Moreover, cloud storage services shall not be used for such storage, except for institutions' own private systems or domestic service providers operating under the supervision of the institutions.

ENCRYPTION

The development of domestic and national encryption systems shall be encouraged so that the classified correspondence of institutions can be transmitted via these systems. Communication between servers located in Turkey and under the control of the institution shall be encrypted. Where the use of radio links is mandatory for critical data communication, the data shall be encrypted using devices featuring national cryptographic systems.

SYSTEMS TO BE USED

No classified data shall be shared or communicated over mobile applications or social media, except via domestic mobile applications developed by institutions that the legislation authorizes for coded or encrypted correspondence. The use of domestic social media and communication applications shall be preferred. Where possible, third parties shall provide a letter of undertaking stating that the software or hardware to be procured by public institutions and organizations has no feature unsuitable for its intended use and no security weakness that could allow access to the systems without the users' knowledge or permission.

Devices storing classified data shall be taken out of the institution only after the data stored on them has been encrypted by hardware or software means, and the devices used for this purpose shall be registered. The e-mail systems of public institutions shall be configured securely, and the e-mail servers shall be located in Turkey and under the control of the relevant institution. Corporate communication shall not be conducted via non-corporate personal e-mail addresses, and corporate e-mail shall not be used for personal purposes. In regions where critical institutions are located, operators shall not transmit data by radio link or similar methods; fiber optic cables shall be used instead.

DEVICES

Mobile devices, or any devices with a data transfer feature, shall not be kept in work environments where critical data is present or where such communications take place. Classified data, or data subject to corporate confidentiality, shall not be stored on unauthorized personal computers. Furthermore, mobile devices of uncertain origin, including personal mobile devices, shall not be connected to the institution's systems.

OTHER MEASURES

Emanation security (TEMPEST) shall be implemented at locations where public institutions and organizations process classified information. Measures shall be taken for secure software development, and developed or procured software shall be subjected to security tests before being put into use. Institutions and organizations shall take the necessary measures in response to cyber threat notifications, and access authorizations shall be granted on the basis of the work actually performed and actual needs.

Industrial control systems shall be kept disconnected from the Internet; where a connection to the Internet is unavoidable, the necessary security measures, such as firewalls, point-to-point tunnelling, and authorization and authentication mechanisms, shall be taken. A security vetting process or archive check shall be conducted for senior executives of institutions and organizations who may have a direct effect on national security, and for personnel to be employed in critical infrastructure, facilities and projects. Measures shall be taken to prevent domestic communication traffic, which should be exchanged within the country, from being routed abroad.

In order to mitigate and neutralize security risks, and in particular to protect critical data whose loss of confidentiality, integrity or availability could jeopardize national security or disrupt public order, an "Information and Communication Security Guide" shall be prepared under the leadership of the Digital Transformation Office of the Presidency of the Republic of Turkey, with contributions from the relevant public institutions and organizations. The guide, to be published at www.cbddo.gov.tr, shall be updated in line with developing technology, and the relevant public institutions are expected to comply with its provisions. With the exception of duties and activities carried out to ensure national security and protect confidentiality, institutions and organizations shall establish inspection mechanisms to ensure that the guide is implemented and shall inspect its implementation at least once a year.

The full text of the Circular, in Turkish, is available in the Official Gazette.

Written by Kübra Özkahraman, Posted in Personal Data Protection Law

  • Notification!

    The contents of this article are provided for informational purposes only. The article is confidential and the property of CottGroup® and all of its affiliated legal entities. Quoting any of its contents without crediting the source is strictly prohibited. Although all due care has been taken in the preparation of this article, CottGroup® and its member companies cannot be held liable for the application or interpretation of the information provided. It is strongly advised to consult a professional before acting on the above-mentioned subject. If you are a customer of CottGroup®, please consult your client representative before taking any action in this regard; otherwise, please consult a relevant party.

About The Author

Kübra Özkahraman

Quality Assurance & Training Responsible