ULAK Communications Inc. develops end-to-end domestic network technologies, sustains existing 4.5G technologies developed with national resources, and produces world-class, innovative, dynamic, and creative R&D-based solutions for 5G and beyond to meet the needs arising from advancing technologies and applications. ULAK conducts high-value-added work in broadband communication technologies, generating patents and intellectual property rights (IPR). Together with its ecosystem in Türkiye and friendly nations, ULAK contributes to the development of communication technologies.

Most of the information and business processes produced, stored, transmitted, and processed by ULAK are dependent on the information and communication systems in which they are processed.

The general purpose of information security and privacy is to ensure the confidentiality, integrity, and accessibility of sensitive organizational information and personal data processed within these systems in line with relevant laws and agreements. This is achieved through a balance between risks and measures via an effective information security and privacy risk management approach.

Core Principles

  • Confidentiality agreements are signed with employees, customers, and third parties to secure organizational privacy needs.
  • Security requirements for outsourced activities are analyzed and expressed in specifications and contracts.
  • An inventory of information assets and personal data processing is created based on information security and privacy needs.
  • Corporate data is classified, and security needs and usage rules are defined for each class.
  • Security and privacy controls are implemented during hiring, job changes, and termination processes.
  • Physical security controls are established for assets stored in secure areas according to their needs.
  • Roles and responsibilities for information security and privacy are defined based on the principle of separation of duties.
  • Information security and privacy principles are applied in all projects regardless of type.
  • Regular communication is maintained with authorities and special interest groups for security and privacy.
  • Organizational assets are used only for purposes defined by asset owners and in compliance with laws and contracts.
  • Supplier relationships are controlled through tests and evaluations for security, privacy, and business continuity.
  • Technical and physical protection measures for remote work are established considering corporate risks.
  • Policies and controls are developed for assets exposed to physical threats inside and outside the organization.
  • Procedures are established for capacity management, third-party relations, backups, system acceptance, and other security processes.
  • Administrative and technical procedures for personal data security processes are developed and managed.
  • Audit logs for network devices, operating systems, servers, and applications are configured to meet security needs and protected against unauthorized access.
  • Access rights are assigned on a need-to-know basis, using the most secure technologies and techniques available.
  • Security requirements are identified for system procurement and development, and compliance is verified during acceptance or testing.
  • The necessary infrastructure is established for reporting information security and privacy breach incidents and vulnerabilities. Records of breach incidents are maintained, necessary corrective and improvement actions are implemented, and learning from security incidents is ensured through awareness training sessions. Business continuity plans are prepared, maintained, and tested for critical infrastructure.
  • The acceptable use rules for assets are defined through policies and procedures prepared within the scope of the ISMS.
  • Protection measures for portable devices and environments are developed considering corporate risks.
  • Maintenance of devices used in business processes is performed per manufacturer recommendations.
  • Strong passwords and encrypted transmission of credentials are ensured to protect sensitive identity information.
  • Networks are segmented based on operational requirements, and access permissions are structured on a need-to-know basis.
  • Protection against malicious software, technical vulnerability management, patch management, and the use of malware detection products are implemented. Additionally, user awareness is regarded as an essential element in ensuring the integrity of the protection system.
  • Personal data is not retained longer than necessary for its processing purpose.
  • Necessary administrative and technical precautions are taken to prevent unauthorized access to personal data.
  • Contracts and legal requirements for deleting personal data are met.
  • Information security and privacy policies are developed and maintained per applicable personal data protection regulations.
  • Training programs to enhance technical and behavioral competencies are conducted to raise awareness of information security and privacy.
  • As required by laws and security measures, activity logs are stored and reviewed regularly.