Privilege and User Rights Management Policy

BILSOFT YAZILIM
Document No: POL-12
Publish Date: 04.01.2024
Rev. No: --
Rev. Date: --

1. Purpose: To define the rights of users and rules of privilege within the institution.

2. Scope: Covers all users and units benefiting from information technology facilities.

3. Responsible Parties: All senior management is responsible for ensuring all employees act in accordance with this policy.

4. Implementation:

Privilege Management
Privileges cover folder access, software installation, connection times, network settings, general internet use, guest internet access, and remote work/access. They are reviewed at least once every 12 months, and re-authorization is performed on hiring, on departure, and on job changes.
For upper managers, the request is sent to the Manager. The Manager sends an approval letter to the system administrator so that the request can be fulfilled.
For institution personnel: the employee submits the privilege request to their supervisor. If the supervisor accepts it, the request is forwarded to the Manager. After evaluating the request, the Manager, if the request is found appropriate, sends an approval letter for the privilege to the Information Technology Service Provider. Privilege access rights are granted for the duration the Manager deems appropriate. At the end of that period, the granted rights are removed by the Information Technology Service Provider.
For service providers: the relevant supervisor of the service provider submits the privilege request, which is forwarded to the Manager. Privilege access rights are granted for the duration the Manager deems appropriate. At the end of that period, the granted rights are removed by the Information Technology Service Provider.

User Rights
Storing or installing software unrelated to work (including installation files) is prohibited under all circumstances.
Users may not install software on their computers without the Manager's approval, even if it is technically possible, because doing so may cause copyright violations and technical problems.
If work-related software needs to be installed, the opinion and approval of the Information Technology Service Provider must be obtained.
Software such as security analysis tools and system management tools is installed on computers and workstations only by the Information Technology Service Provider, and only with the Manager's approval.
Only the information technology department is free to install and use auxiliary system programs.
Auxiliary system programs are installed and used solely to solve user problems; they are not used for system management.
In very special cases, auxiliary system programs may be used with limited access rights when remote work is required. In such cases, opening a request and obtaining the Manager's approval is mandatory.
Once the work is completed, the auxiliary system program is terminated immediately.
Connection times for software use are agreed with the parties responsible for the relevant software and are applied to the groups defined within its scope.

Configuration and Security Settings
Users may not lower the level of the security settings on their computers, even if it is technically possible.
Examples of security settings include MS Internet Explorer and MS Outlook security zone settings, virus protection program settings, operating system update settings, personal firewall settings, BIOS settings, and other hardware and software security settings.
Users may not run new network services (such as a web server or database server) on their personal computers, even if it is technically possible.
They may not define new users or user groups on their computers, nor change the rights of existing users and user groups.
If configuration or security settings need to be changed to meet a user's needs, applying to the Information Technology Service Provider for comment and approval is mandatory.
Configuration and security setting changes may only be made by the Information Technology Service Provider, and only for the necessary duration.

Network and Network Services Access Rights
Users' access rights in our company are limited to their own unit's area.
Access restrictions are managed with Active Directory.
Authorization charts for access restrictions have been created, are kept up to date, and are reviewed after employment-related changes.
Network access to printers and similar facilities is configured by the Information Technology Service Provider.
When network access to applications in other subnets is required, that access is configured by the Information Technology Service Provider.
Local administrator rights have been removed for everyone except the "power user/local admin" group.
Membership in the power user group lasts for the duration defined by the Manager.
To obtain power user group rights, the user first submits a request to their administrative supervisor. If the administrative supervisor finds the request appropriate, they consult the Manager.
If the Manager finds the request appropriate, they open a record with the Information Technology Service Provider through the help desk.

Document Access Rights
Based on the job change notification from the Human Resources department, access settings for the current department folder must be removed and access settings for the new department folder must be configured.
For new personnel, a written (email) request must be received from the Human Resources unit specifying which folders and which folder permissions are to be granted. If there is no written request, no access permission change is performed.
The Information Technology Service Provider is obliged to check and authorize the document access permissions of all computer users at least once every 12 months and at every job change.

Folder Access Permissions
The Bilsoft New Partner folder has been configured so that only users included in the domain infrastructure can access it.
Department users have full rights to the folder opened for their own department; access to other departments' folders is subject to Manager approval.

Device Usage
Under user rights, USB ports (for external disk devices) are disabled for all users. When needed, time-limited authorizations for a limited number of devices are granted by the Information Technology Service Provider with the approval of the relevant manager.
If use is mandatory, usage rights are granted according to Privilege Management. Responsibility lies with the user.
Consultants, customers, and visitors are not connected to the institution network.
Service providers' use of their own devices is subject to permission, and privilege management is applied.
The "device diagnosis policy" is active across the domain. A log is kept of every connected device.

BILSOFT SOFTWARE COMPUTER INDUSTRY AND TRADE LIMITED COMPANY
