TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Aslı Rabia Savaş and Yağmur Yaren Özdabakoğlu, YAZICIOGLU Legal
• physical environment security measures (eg, protection of server room/data centre, and protection against electromagnetic information leakage (TEMPEST)).

The ICS Guide also sets out sector-specific security measures for e-communications and energy sectors. Additionally, there are other sector-specific regulations setting the requirements for critical infrastructure cybersecurity. Refer to the details of the sector-specific regulations below.

E-Communications Sector

Security measures to be taken by the actors in the e-communications sector in accordance with the ICS Guide are as follows:

• service security and continuity;
• infrastructure services security;
• fraud detection and prevention;
• signalling traffic security;
• establishing trusted communication;
• hardening activities;
• device configurations;
• network access control;
• authentication;
• access management;
• monitoring equipment failures;
• ensuring equipment security;
• threat intelligence management;
• communication with authorities;
• prevention of caller ID manipulation; and
• ensuring that domestic communication traffic remains within the country.

The By-Law on NIS in the E-Communications Sector requires that a report on NIS must be prepared by the operator every year – until the end of March – and kept for five years to be sent to ICTA upon request and/or submitted during the inspections made by ICTA. The report includes information such as:

• risk assessment and processing methods, and details of transactions made according to these methods;
• business continuity plans; and
• details on information security breach incidents that have occurred.

Per the By-Law, operators cannot allow unlicensed software and software going against Information Security Management Systems Policy rules and must take measures to protect information and software against harmful codes and identify security measures for downloading files or software via external networks. Operators are also obligated to define and document rules related to the transfer of software from the development environment to the production environment.

Energy Sector

The actors in the energy sector must take the following security measures per the ICS Guide:

• physical access security;
• ensuring system continuity;
• prevention of data manipulation;
• user access management;
• SSL/TLS protected communication;
• security of GPS communication and synchronisation;
• ensuring equipment security;
• threat intelligence management;
• communication with authorities; and
• using safe methods for data transmission.

The competency model under the By-Law on Cybersecurity Competency Model in the Energy
305 CHAMBERS.COM