Publication: Information security management system auditing in insurance companies (Sigorta şirketlerinde bilgi güvenliği yönetim sistemi denetimi)
Abstract
With rapidly developing technology, computers and then the internet have entered our lives and brought malicious activity with them. Although financial services organizations, insurance companies among them, develop preventive measures against the risks their information is exposed to, cyber attacks are growing in both frequency and complexity. While treating their risks, insurance companies must at the same time comply with all applicable legislation and contractual obligations. The identity and health data held by insurance companies are also growing rapidly, and under the Law on the Protection of Personal Data (Kişisel Verilerin Korunması Kanunu) these data must be protected in both physical and digital environments. At this point an information security management system (ISMS) serves insurance companies as a strategic and tactical guide. The aim of this study can be stated as preparing a Turkish-language guide for insurance company officers who want to establish, implement, maintain and continuously improve an ISO/IEC 27001:2013 ISMS that is supported by top management and integrated with the corporate culture, and for the persons and/or institutions that will audit insurance companies. Sources that explain every implementation step of ISMS activities in Turkish, accessibly and in a single document, are almost non-existent. Most of the information available on the internet concerns the 2005 version of ISO/IEC 27001 and is out of date. At a time when current information is provided only by consultancy firms in return for a fee, this study describes in order the stages of establishing, managing, auditing and certifying an ISMS in insurance companies, supported by up-to-date tables and figures.
In addition, the study devotes considerable space to the confidentiality, integrity and availability requirements and to the process-based risk management that the 2013 revision requires. In addressing the needs above, the literature review was supplemented by participation in seminars, workshops and training courses on the subject, and the necessary data were collected on site at insurance companies in the author's own capacity as an auditor.
