TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Aslı Rabia Savaş and Yağmur Yaren Özdabakoğlu, YAZICIOGLU Legal
administrative fine between TRY1 million and TRY10 million.

TS ISO/IEC 27001 Certificate
In the e-communications and energy sector, and for e-invoice service providers, obtaining a TS ISO/IEC 27001 certificate is a de jure standard. However, many other organisations also choose to comply voluntarily with this standard as good practice to improve cybersecurity.

The Financial Sector
• The BRSA requires all banks to meet Control Objectives for Information and Related Technologies (COBIT) standards. COBIT process management is used not only in banks but also in the finance and production sectors.
• The By-Law on Banking Cards and Credit Cards requires organisations entering into merchant agreements with banks to comply with the Payment Card Industry Data Security Standard (PCI DSS).
• According to the CMB’s Communiqué on Independent Audit of Information Systems, auditors who audit publicly held companies must hold a Certified Information Systems Auditor (CISA) certificate.

The Healthcare Sector
The By-Law on Health Information Management Systems requires health information systems’ service providers to hold the following certificates:
• TS ISO/IEC 27001;
• a TS ISO/IEC 15504 Software Process Improvement and Capability Determination (SPICE) certificate at a minimum of the second level, obtained from institutions and organisations that hold TS ISO/IEC 17065 accreditation and include a SPICE lead auditor; or
• a CMMI certificate at a minimum of the third level, obtained from institutions or companies with a CMMI lead auditor.
6. Cybersecurity in Other Regulations
6.1 Cybersecurity and Data Protection
Data controllers are obliged to provide an appropriate level of security for the personal data they process. Hence, data controllers must ensure that their processors provide a level of security for personal data that is, at minimum, equivalent to their own. Data controllers are also held liable for the security measures taken by data processors. They may conduct or commission the necessary audits on their processors’ systems containing personal data, review the results, and inspect the data processor on-site.

The DPA issued the Guideline on Personal Data Protection (Technical and Organisational Measures) (the “Measures Guideline”) in 2018, which lists and details the technical and administrative measures to be taken by data controllers. The guideline suggests the following cybersecurity-related measures:
• using a firewall and internet gateway;
• patch management;
• software updates;
• limiting access to systems containing personal data;
• using strong passwords for such systems;
• creating an access control matrix;
• using brute force algorithm (BFA);
• using antivirus, antispam and similar products that regularly scan the information system network and detect potential threats; and