New Developments on Information Security in Public Sector
The Circular on Information Security in Public Institutions and Organizations has been published in the Official Gazette
Circular No. 2019/12 on Information and Communication Security Measures, specifying a series of measures to ensure the security of data that may have an impact on public order and national security, was published in the Official Gazette No. 30823, dated July 6, 2019. The Circular, which consists of 21 articles, has attracted attention for many of the provisions it contains. The prominent issues in the publication may be classified as follows:
Critical data shall be stored and preserved domestically on physically secured networks, with log records protected against modification. Moreover, cloud storage services shall not be used for such storage, except for institutions’ own private systems or domestic service providers operating under the supervision of the institutions.
Development of domestic and national encryption systems shall be encouraged in order to enable the classified correspondence of institutions to be transmitted via these systems. Communication between servers located in our country and under the control of the institution shall be encrypted. In cases where the use of radio links is mandatory for critical data communication, data shall be encrypted using devices featuring national crypto systems.
SYSTEMS TO BE USED
No classified data shall be shared or communicated over mobile applications and social media, except via domestic mobile applications developed by institutions authorized by legislation for encoded or cryptographic correspondence. Domestic social media and communication applications shall be preferred. Third parties shall, where possible, provide a letter of undertaking stating that the software or hardware to be procured by public institutions and organizations has no feature unsuitable for the intended use and no security weakness that may allow access to the systems without the users’ knowledge or permission. Devices storing classified data shall be removed from the institution only after the data stored on them has been encrypted by hardware or software means, and the devices used for this purpose shall be registered. The e-mail systems of public institutions shall be configured to ensure security, and the e-mail servers shall be located in our country and under the control of the relevant institution. Corporate communication shall not be conducted via non-corporate personal e-mail addresses, and corporate e-mail shall not be used for personal purposes. In regions where critical institutions are located, operators shall not transmit data by radio link or similar methods; fiber optic cables shall be used instead.
Mobile devices or devices with a data transfer feature shall not be kept in work environments where critical data are present or such communications take place. Classified data or data subject to corporate confidentiality shall not be stored on unauthorized or personal computers. Furthermore, mobile devices of uncertain origin, including personal mobile devices, shall not be connected to the systems of the institution.
Emanation security (TEMPEST) shall be implemented at places where classified information is processed by public institutions and organizations. Measures shall be taken in respect of secure software development, and developed or procured software shall be subjected to security tests before being put into use. Institutions and organizations shall take the necessary measures in response to cyber threat notifications, and access authorizations shall be granted on the basis of the actual work performed and the associated needs.
It shall be ensured that industrial control systems are kept disconnected from the Internet; in mandatory cases where such systems must be connected to the Internet, necessary security measures, such as firewalls, point-to-point tunnelling methods, and authorization and authentication mechanisms, shall be taken. A vetting process or archive research shall be conducted for senior executives of institutions and organizations who may have a direct effect on national security, and for personnel to be employed in critical infrastructure, facilities and projects. Measures shall be taken to prevent domestic communication traffic, which should be exchanged domestically, from being routed abroad.
In order to mitigate and neutralize security risks, and in particular to ensure the security of critical data whose compromised confidentiality, integrity or availability may jeopardize national security or disrupt public order, an “Information and Communication Security Guide” shall be prepared under the leadership of the Presidency of the Republic of Turkey, Digital Transformation Office, with the contribution of the relevant public institutions and organizations. The guide, to be published at www.cbddo.gov.tr, shall be updated in line with developing technology, and the relevant public institutions shall be expected to comply with the requirements stipulated therein. Also, with the exception of duties and activities carried out for the purpose of ensuring national security and protecting confidentiality, institutions and organizations shall establish inspection mechanisms to ensure the implementation of the guide and shall inspect its implementation at least once a year.
The full text of the Circular, in Turkish as published in the Official Gazette, is available via the link provided.