Occupational Health and Safety Policy
To conduct risk assessments in order to prevent and reduce risks that cause injury or threaten the health of our employees, subcontractors and visitors; to establish the relevant Occupational Health and Safety Management System; to conduct improvement and development activities; to provide informative training for our employees and encourage their involvement; to determine the Occupational Health and Safety goals and objectives to create Occupational Health and Safety programs; to provide all necessary resources for the implementation of these programs; and to conduct our activities in compliance with the Occupational Health and Safety regulations as well as the standards adopted by all the institutions that we are affiliated with.
Information Security Policy
Information security is achieved by ensuring not only the confidentiality of information assets but also their integrity and accessibility.
Information security comprises:
- Confidentiality requirement: information is accessible only to authorized persons.
- Integrity requirement: the completeness and authenticity of information assets are ensured and they are protected from unauthorized changes.
- Accessibility requirement: information assets are available to authorized users when needed.
AROMSA forms its own regulatory principles for its institutional operation in order to ensure its information security. To this end, it undertakes to continuously improve its Information Security Management System. The information security policy is determined, the security roles are defined and all related updates are made with the support of top management and the coordination of all units. Where necessary, AROMSA may ask for the opinions of internal and external specialists.
In AROMSA, information assets are suitably classified. The assets are evaluated and their value is calculated in order to develop controls at a suitable level.
Third Party Information Security Policy
A risk assessment is carried out before third-party personnel are granted access to AROMSA information systems. The criteria below define the particulars to be considered when granting access.
- The third-party employee or company representative states which information processing systems they wish to access.
- The way of access (such as physical access, logical access, or access from inside or outside AROMSA) is defined in the Physical Security Policy and Access Control Policy and is determined as foreseen in these policies.
- The sensitivity and value of the information to be accessed are determined by the System / Asset Owner.
- The level of audit logging to be recorded for third-party personnel's access to AROMSA information systems is determined by the BT System Director and the Information Security Director.
- The controls required to protect AROMSA information that is not open to external parties are applied with the Access Control Policy as the reference.
- Legal and judicial conditions relating to parties other than AROMSA, and their obligations arising from the agreement, must be taken into consideration.
When changes to service procurement come into question, the risks relating to third parties are reviewed by the Asset Owner and Information Security Directors; this review also covers the protection and improvement of the existing information security policies, procedures and instructions. Change requests may come from AROMSA or from third parties.
The particulars to be considered in managing changes to third-party agreements are additionally determined by AROMSA Corp.