Purpose and Scope of Information Security and Its Adoption by the Management
Erciyes University Drug Research and Application (ERFARMA) regards corporate knowledge as an extremely valuable asset. Information is critical to the sustainability of our work activities and must be protected appropriately. By applying the ISO 27001 Information Security Management System (ISMS) standard, ERFARMA aims to minimize the risks that may arise regarding the Confidentiality, Integrity and Availability of corporate information, and the effects of these risks.
This declaration has been approved by the ERFARMA Administrative Board. ERFARMA has adopted the fulfillment of the following issues in particular:
• Ensuring the confidentiality, integrity and availability of ERFARMA information and information systems,
• Identifying risks to information assets and managing risks in a systematic way,
• Fulfilling the requirements of Information Security Standards,
• Complying with all legal regulations regarding Information Security,
• Evaluating continuous improvement opportunities and carrying out studies in order to keep the Information Security Management System alive,
• Carrying out trainings to develop technical and behavioral competencies in order to increase information security awareness,
• Having other sub-procedures related to this declaration prepared and published by the Information and Communication Technologies Director (ISMS representative).
ERFARMA's Information Security Declarations are valid and compulsory for all ERFARMA personnel using ERFARMA information or work flow systems, regardless of location or work unit, and whether full-time, part-time, permanent or contracted. All persons who do not fall into these classifications and who need access to ERFARMA information, such as third-party service providers and the support personnel affiliated with them, must adhere to the general principles of this policy and to the other security responsibilities and obligations that apply to them.
Responsibilities of All Employees
The aim of Information Security and this declaration is to protect, maintain and manage the confidentiality, integrity and availability of information and all support business systems, processes and applications. This means keeping ERFARMA's information in the hands of authorized persons, ensuring that information is complete, accurate and available, and that information and systems are available when needed. For this reason, all ERFARMA and outsourced personnel, interns, researchers and other personnel, regardless of their positions or duties, are responsible for doing their jobs in a way that protects the information within ERFARMA.
In addition to ensuring that ERFARMA's information is complete, correct and available, all ERFARMA personnel must also comply with the rules on the protection of confidential information specified in the ERFARMA Personnel Regulation Rules and the ERFARMA Work Ethics Principles. ERFARMA undertakes to take the measures specified in the Personal Data Protection Law. The Information Security Declaration is reviewed at least once a year, in parallel with the asset and risk updates, in order to reflect the current risks faced by ERFARMA information assets.
In order to keep new risks and changes in risks under control, the Information Security Declaration is updated with new necessary additions. In addition, any ERFARMA employee may request the Information Security Management System officer to change the declaration in order to improve the Information Security Declaration and to better reflect the controls that ERFARMA needs. Requests made are handled and evaluated by the Information Security Management System officer. Information Security Declaration principles should be applied in parallel with ERFARMA Human Resources Personnel Regulation Rules. Employees are also responsible for being aware of the Information Security Declaration and complying with these principles.
Inspection of Compliance with the Declaration and Resolution of Non-Compliance
Each unit manager is primarily responsible for taking the necessary measures and monitoring the system to ensure compliance with the Information Security Declaration. Violations of the Information Security Declaration may cause damage to ERFARMA as a result of the failure to implement the controls needed against the risks, and may lead to criminal liability under the new Turkish Criminal Code and to liability for compensation of material damages.
Therefore, such a violation is also a violation of the ERFARMA Personnel Regulation and may result in a disciplinary penalty. Information Security Declaration violations detected as a result of surveillance, audit and denunciation may lead to disciplinary penalties that may result in termination of employment and even in judicial and criminal proceedings. Working together to implement this declaration will help to continually protect our information and reputation and ensure the continued success of our work.
Objectives
In order to protect the reputation, reliability and information assets of ERFARMA and to continue its basic and supporting work activities with the least possible interruption, ERFARMA Information Security aims:
• to fully ensure the continuity of information systems,
• to maximize the compliance level of employees with the awareness and safety requirements,
• to ensure full compliance with contracts made with third parties,
• to minimize information security violation incidents and turn them into an opportunity to learn,
• to produce, access and store the information in full compliance with the law,
• to implement the most up-to-date and effective technical security controls.
Each ERFARMA employee is responsible for contributing to these goals. This declaration has been approved by the ERFARMA Administrative Board (Director of the Center).