Presidential Circular No. 2019/12 on Information and Communication Security Measures was published in the Official Gazette No.
Within the scope of the Circular, the Information and Communication Security Guide (BIGR) was prepared in cooperation with the Presidency Digital Transformation Office (DDO) and TSE, with the participation of private-sector stakeholders as sector representatives.
Main Purpose of the Guide
The Guide defines the activities needed to select the most appropriate security measures and to implement the selected measures, in order to reduce or eliminate information security and cyber security risks. Its focus is critical information/data whose loss of confidentiality, integrity or availability may threaten national security, or may cause serious disruption to public order.
Within the scope of the Information and Communication Security Guide compliance consultancy offered by National Keep, the work carried out in the BIGR compliance phase consists of the following initial-stage activities:
Determination of asset groups,
Determination of the criticality level of asset groups,
Current situation and gap analysis,
Preparation of the guide implementation roadmap.
Determination of Asset Groups
In work carried out within the scope of the BIGR (Information and Communication Security Guide), assets must be collected and grouped under the defined headings; these groups are then reviewed first and the measures implemented afterwards. The Guide covers information processing facilities where information/data in electronic media is stored, transferred and processed, the personnel who use those facilities, and the assets in all physical environments that contain them.
The main asset group headings defined in the BIGR are listed below. This is the fixed set of main asset groups in the Guide and must not be changed.
• Network and Systems
• Applications
• Portable Devices and Media
• Internet of Things (IoT) Devices
• Physical Spaces
• Personnel
According to the BIGR, the following points should be considered when determining asset groups:
Determining under which main asset group heading each corporate asset will be placed
Ensuring, as far as possible, that each corporate asset belongs to a single asset group (a corporate asset that must be addressed by more than one asset group should be evaluated under the asset group with the highest criticality rating, and the measure clauses of all asset groups it belongs to should be addressed for that asset)
Determining the sub-groupings to be used when defining asset groups in line with institutional needs (the institution's service areas, organizational structure, technologies, international best practices, IT infrastructure, etc.)
Placing assets that sit in the same security isolation zone in the same asset group whenever possible
Placing assets that require different security levels in different asset groups
Reducing the number of asset groups by merging groups expected to need the same level of security measures
Keeping the number of asset groups under each main heading manageable
For each defined asset group, the security measure main headings of the related application and technology areas should be selected. For measures under the application and technology area main headings, the criticality level assigned to the relevant asset group should be taken into account.
Determination of Asset Group Criticality Degree
After the asset groups have been determined, it is very important to determine their criticality level. The criticality of each asset group is determined by considering the criticality of the processed data in terms of confidentiality, integrity and availability, together with the impact of security breaches that may occur. National Keep will provide the training, coordination and sample work needed to determine asset group criticalities. If your institution will only receive auditing services, it must clearly define the content of the compliance work. Accordingly:
The criticality determination dimensions are summarized below:
Dimensions related to processed data
Confidentiality : Protecting information against unauthorized access
Integrity : Preserving the completeness and accuracy of information
Availability : Information being accessible and usable by authorized persons when needed
Domain-related dimensions
analysis report is prepared. Within the scope of the current situation analysis, activities such as technical studies, meetings, assessment with automated tools and documentation review may be carried out. When deciding whether a measure has been applied to an asset group, the implementation status is first classified as below, and explanatory information about the current situation is recorded:
"Fully", if the measure is applied to all assets in the asset group
"Mostly", if the measure is applied to most of the assets in the asset group but is only partially applied, or not yet applied, to some assets
"Partially", if the measure is applied to only part of the asset group, or is only partially applied
"Not applied", if the measure is not applied at all
"Not applicable", if the measure cannot technically be implemented for the asset group
The evaluation made for each asset group must be recorded using the form in Annex C.3 of the Information and Communication Security Guide.
Preparation of the Guideline Implementation Roadmap
After the activities needed to close the deficiencies identified by the gap analysis have been determined, they are planned. All relevant legal, regulatory and contractual requirements are taken into account in these plans. National Keep will carry out the coordination, training, case studies and data checks needed to prepare the implementation roadmap. Within the scope of the consultancy service, your institution should prepare the data required for the roadmap.
The work to be carried out within the scope of the guide implementation roadmap is determined. The work can be grouped as follows, although it is not limited to these groups:
Competence acquisition and training
Product procurement
Service procurement
Consultancy
Development / redevelopment
Design / redesign
Hardening
Version update
Documentation
Enterprise process improvement
Once the work has been determined, targets should be set for each item in 2-3 month periods, and the allocation of the necessary resources (personnel, budget, physical environment, etc.) should be planned. The plans made within the scope of the implementation roadmap should be recorded using the form in Annex C.4 of the Information and Communication Security Guide.
If, for a requirement identified by the gap analysis as an additional measure to be implemented, the institution cannot meet the requirement as defined in the Guide because of technical constraints or business requirements approved by senior management, it may apply compensating controls. A compensating control is acceptable only if it serves the same purpose and achieves the same effect as the measure it replaces. Each compensating control that is decided upon should be recorded using the form in Annex C.5 of the Information and Communication Security Guide.
Since the weakest link in information security is the human factor, it is important that the institution's personnel who will take part both in implementing the security measures and in auditing the measures implemented have a defined level of competence. Within this framework, information security training should be planned within the available resources, and measurement mechanisms should be put in place to track the development of personnel. The training should include hands-on exercises that build the practical skills of personnel in the relevant field, rather than providing only theoretical knowledge. A laboratory environment should therefore be available for the planned training, and participants should turn the knowledge they acquire into skills in that environment.
To build the competence of the personnel who will take part in the work carried out to implement the Guide, practical workshops on how to handle the implementation steps and audit tables in the Guide should be organized, or these personnel should participate in the work carried out within this scope. All work carried out in this context will be documented as the guide implementation roadmap.