KVKK Technical Measures and Compliance Process

Supernova ExpertTouch

Technical Measures and Compliance Process of KVKK

Consultancy Services

Technical and Administrative Measures to be Taken Within the Scope of KVKK

According to Article 12 of the Personal Data Protection Law No. 6698, data controllers are obliged to take all necessary technical and administrative measures to prevent the unlawful processing of personal data, prevent unauthorized access to personal data, and ensure the protection of personal data by providing the appropriate level of security. The following tables are prepared to differentiate these technical and administrative measures and to guide the data controller in establishing a control mechanism.

The list of technical security measures that should be taken within the scope of information security for KVKK and their explanations are as follows:

Technical Measures

Authorization Matrix

Access to systems containing personal data should be limited. In this context, employees should be granted access authorization only to the extent required by their work and responsibilities.

Authorization Control

It is recommended that data controllers build an access authorization and control matrix from the authorization matrix, write a separate access policy and procedures on that basis, and implement these policies and procedures throughout the data controller's organization.

Access Logs

A record of the transaction activity of all users should be kept regularly.
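The three items above (authorization matrix, authorization control, access logs) fit together: a matrix states which operations each role may perform on each data set, every access decision is checked against it, and both allowed and denied decisions are recorded for review. The following is an added Python example, not code from the original page or from Supernova; the roles, data sets, user names and log format are constructed for illustration.

```python
# Added example (not part of the original page): a minimal authorization matrix
# with least-privilege checks and an access log, standard library only.
import json
import logging
from datetime import datetime, timezone

# Constructed authorization matrix: role -> {data set -> allowed operations}.
# Only the operations a role needs for its duties are granted.
AUTHORIZATION_MATRIX = {
    "hr_specialist": {"employee_records": {"read", "update"}},
    "payroll":       {"employee_records": {"read"}, "salary_data": {"read", "update"}},
    "it_admin":      {"backup_sets": {"read", "restore"}},
}

# Constructed user directory: user -> role (assumption: one role per user).
USER_ROLES = {"ayse": "hr_specialist", "mehmet": "payroll", "root_ops": "it_admin"}

ACCESS_LOG = []  # in-memory record of every access decision (allowed or denied)


def is_authorized(user, data_set, operation):
    """Return True only if the user's role explicitly grants the operation."""
    role = USER_ROLES.get(user)
    if role is None:
        return False
    return operation in AUTHORIZATION_MATRIX.get(role, {}).get(data_set, set())


def access(user, data_set, operation, now=None):
    """Decide, log, and return the decision. Denials are logged too, so that
    repeated unauthorized attempts are visible during regular log review."""
    decision = "ALLOW" if is_authorized(user, data_set, operation) else "DENY"
    entry = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user, "data_set": data_set, "op": operation, "decision": decision,
    }
    ACCESS_LOG.append(entry)
    logging.info(json.dumps(entry))
    return decision == "ALLOW"


def denied_attempts(log=None):
    """Count denials per user: a simple input for the periodic log review."""
    counts = {}
    for entry in (log if log is not None else ACCESS_LOG):
        if entry["decision"] == "DENY":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return counts


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    access("ayse", "employee_records", "read")
    access("ayse", "salary_data", "read")            # outside HR duties -> denied
    access("unknown_user", "backup_sets", "restore")  # no role at all -> denied
    print(denied_attempts())
```

The matrix is deliberately a "deny by default" structure: a user with no role, or a role with no entry for a data set, gets nothing. In a real system the matrix would live in a directory or IAM service rather than a dictionary, and the log would be shipped to a central, write-protected log store.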

User Account Management

Employees should access the relevant systems using a username and password. When creating these passwords, combinations of upper- and lower-case letters, digits and symbols should be preferred over digit or letter sequences that can be easily guessed or that are related to personal information.
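A password policy check that enforces what the paragraph above describes, as an added Python example (not code from the original page or from Supernova): it requires a mix of character classes, rejects sequential or repeated runs, and rejects passwords that contain items of the user's personal information. The minimum length and the shape of the personal-information list are assumptions made for this example.

```python
# Added example (not part of the original page): password policy check.
import string

MIN_LENGTH = 12  # assumption: minimum length chosen for this example


def _has_run(pw, length=4):
    """Detect runs such as 'abcd', '1234', 'dcba' or 'aaaa' of the given length."""
    for i in range(len(pw) - length + 1):
        chunk = pw[i:i + length].lower()
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs <= {0} or diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(password, personal_info=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_info is an iterable of strings or numbers tied to the user
    (first name, surname, birth year, employee id, ...)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name} character")
    if _has_run(password):
        problems.append("contains a sequential or repeated run")
    lowered = password.lower()
    for item in personal_info:
        item = str(item).lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal information '{item}'")
    return problems


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    print(check_password("Ayse2024!!Kd", personal_info=["Ayse", 1990]))
    print(check_password("Kx7#mQ2!vP9$rT"))
```

Returning a list of reasons rather than a bare True/False lets the account-management screen tell the user exactly which rule failed, which in practice is what stops people from working around the policy with trivial variations.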

Network Security

The internet gateway can prevent employees from accessing websites or online services that pose a threat to personal data security. If personal data is in electronic form, access between network components can be restricted or components can be separated to prevent a breach of personal data security. For example, if personal data is being processed in a limited area, the existing resources can be allocated only for the security of this limited area rather than the entire network, by limiting the network to a specific part for this purpose.

Application Security

Checks should be made to ensure that the inputs to application systems are correct and appropriate, and control mechanisms should be built into applications to verify whether correct information has been corrupted during processing, whether intentionally or not. Applications should be designed to minimize the likelihood of processing errors that may compromise data integrity.

Encryption

Regardless of which encryption methods are used, it should be ensured that personal data is fully protected.

Penetration Testing

Regular vulnerability scans and penetration tests should be performed to protect information systems against known vulnerabilities, and evaluations should be made based on the results of these tests regarding security vulnerabilities.

Intrusion Detection and Prevention Systems

The existence of endpoint security EDR systems is desirable.

Log Records

All users' transaction logs should be regularly maintained.

Data Masking

Data masking is the process of making sensitive data in a corporate network unintelligible to unauthorized individuals so that they cannot make use of it. Data masking can be done in three ways: static data masking (SDM), dynamic data masking (DDM), and on-the-fly data masking.
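To make the difference between the first two methods concrete, here is an added Python example (not code from the original page or from Supernova). Static masking produces a rewritten copy of a record whose original values cannot be recovered, for use in test or analytics environments; dynamic masking leaves the stored record intact and masks fields at read time according to the requesting role. The record, field names and role clearances are constructed for the example.

```python
# Added example (not part of the original page): static vs dynamic data masking.
import copy

# Constructed record containing personal data; field names are assumptions.
RECORD = {
    "name": "Ayşe Yılmaz",
    "national_id": "12345678901",
    "email": "ayse.yilmaz@example.com",
    "phone": "+905551234567",
}


def mask_name(value):
    """Keep the first letter of each name part: 'A*** Y***'."""
    return " ".join(part[:1] + "***" for part in value.split())


def mask_national_id(value):
    """Keep the last two digits, replace the rest with '*'."""
    return "*" * (len(value) - 2) + value[-2:]


def mask_email(value):
    """Keep the first letter of the local part and the full domain."""
    local, _, domain = value.partition("@")
    return local[:1] + "***@" + domain


def mask_phone(value):
    """Keep the country code (first three characters) and the last two digits."""
    return value[:3] + "*" * (len(value) - 5) + value[-2:]


MASKS = {
    "name": mask_name,
    "national_id": mask_national_id,
    "email": mask_email,
    "phone": mask_phone,
}


def static_mask(record):
    """SDM: return a masked copy for non-production use. The original values
    are not recoverable from the result, and the source record is untouched."""
    masked = copy.deepcopy(record)
    for field, fn in MASKS.items():
        if field in masked:
            masked[field] = fn(masked[field])
    return masked


# Constructed role policy: which fields each role may see unmasked.
ROLE_CLEAR_FIELDS = {
    "hr_specialist": {"name", "national_id", "email", "phone"},
    "support_agent": {"name", "email"},
    "analyst": set(),
}


def dynamic_mask(record, role):
    """DDM: the stored record stays intact; the view returned to a role has
    every field outside its clearance masked at read time. Unknown roles
    see everything masked (deny by default)."""
    allowed = ROLE_CLEAR_FIELDS.get(role, set())
    view = {}
    for field, value in record.items():
        if field in allowed or field not in MASKS:
            view[field] = value
        else:
            view[field] = MASKS[field](value)
    return view


if __name__ == "__main__":
    print(static_mask(RECORD))
    print(dynamic_mask(RECORD, "support_agent"))
    print(dynamic_mask(RECORD, "analyst"))
```

Note that the same masking functions serve both methods; what differs is where they run. With SDM the masked copy is what leaves the production environment, so the clear values never reach test systems; with DDM the clear values stay in one place and the role check decides per query what each user sees.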

Data Loss Prevention Software

DLP (Data Loss/Leak Prevention) is a relatively new and increasingly used type of data protection in the network security field. With DLP software, you can prevent data from leaving your systems in unwanted ways, or monitor how specific files are used.

Backup

Backed-up personal data should be accessible only to the system administrator, and data set backups should always be kept outside the network. Otherwise, the backups may be exposed to malware, or to data loss and destruction. The physical security of all backups should therefore also be ensured.

Firewalls

A well-configured firewall can prevent breaches before they penetrate deeply into the network. The internet gateway can also prevent employees from accessing internet sites or online services that pose a threat to personal data security.

Up-to-date Anti-Virus Systems

To protect against malware, it is also necessary to use products such as antivirus and antispam software that regularly scan the information system network and detect threats. Installing these products is not enough, however: they must be kept up to date and must regularly scan the necessary files. If personal data is to be collected through different internet sites and/or mobile application channels, it is also important that connections be made using SSL or a more secure method to ensure the security of the personal data.

Deletion or Anonymization

Personal data that is no longer needed should be destroyed or anonymized in accordance with the personal data storage and disposal policy and regulation.

Key Management

Key management is the management of encryption keys in a cryptographic system. It covers the generation, exchange, use and storage of keys.
