The Presidency of Turkey – The Decree on Information and Communication Security Measures (2019/12)

Unofficial translation by Dr. Mehmet Bedii Kaya

DISCLAIMER:
This document is an unofficial translation of the Decree on Information and Communication Security Measures (2019/12) issued on 6 July 2019 by the Presidency of Turkey. The text in this document is not the official translation and is provided for information purposes only. While care has been taken to ensure accuracy, the translator does not guarantee that the translation is free from error or omission. Use of the text is at the user’s own risk.

Official Journal Date: 06.07.2019
Official Journal No: 30823

DECREE
The Presidency

Subject: Information and Communication Security Measures

DECREE
2019/12

The transfer of data to digital environments, the facilitation of access to information, the digitalization of infrastructures, and widespread use of information management systems brings about serious security risks. The following measures have been deemed appropriate in order to diminish and neutralize security risks encountered, in particular, for ensuring the security of critical data that may jeopardize national security or deteriorate public order, especially when its confidentiality, integrity or accessibility is compromised.

(1) Critical information and data such as population, health and communication records and genetic and biometric data will be securely stored domestically.

(2) Critical data in public institutions and organizations shall be kept in a secure network located in an environment closed to the Internet and with further physical security, access to the devices to be used in this network shall be provided in a controlled manner, and the log records shall be stored by taking measures against alternation.

(3) Data of public institutions and organizations, shall not be stored in cloud storage services, except in own private systems of such institutions organizations or in local service providers who are under the control of such institutions or organizations.

(4) Aside from the national mobile applications that have been developed by institutions authorized for coded and encrypted communications in accordance with the relevant legislation, classified data-sharing communication shall not be conducted through mobile applications.

(5) Classified data-sharing communication shall not be conducted through social media.

(6) The use of national social media and communications applications shall be preferred.

(7) Dissemination security (TEMPEST) or similar security measures shall be taken by public institutions and organizations when classified information is processed.

(8) No mobile devices and devices capable of transfer shall be available in the rooms/environments where critical data, document and document exist and/or interviews are conducted.

(9) Data, files and documents containing classified or institutional private information shall not be stored on devices (laptop, mobile device, external memory, etc.) that are not institutionally authorized or used personally.

(10) Portable devices (laptop, mobile devices, external memory/disc, CD/DVD, etc.), including devices which are being used personally, which’s sources are not certain shall not be connected to the institutional systems. The devices with store classified information shall only be taken out of the organization provided that the data contained in the devices are encrypted at hardware and software level; any devices used for this purpose shall be recorded.

(11) The development of domestic and national encryption systems shall be encouraged, and it shall be ensured that classified communications are conducted through these systems.

(12) The manufacturer and/or suppliers shall be required to undertake a commitment to the extent possible any software or hardware to be acquired by public institutions and organizations does not contain any feature, unsuitable for the intended use or any back door (security vulnerability, which allows access to the system without the user’s knowledge/permission).

(13) Measures shall be taken for the safe development of software. Acquired or developed software shall be subject to security testing before use.

(14) Institutions and organization shall take the necessary measures regarding cyber threat notifications.

(15) The access authorization of staff, including senior executives, to the systems shall be conducted through taking into account the actual work and needs.

(16) Industrial control system shall be kept close to the Internet, and the necessary security measures (firewall, end-to-end tunneling methods, authorization, identification mechanisms, etc.) shall be taken in cases when such systems are required to be open to the Internet.

(17) Security investigation or archive investigation shall be conducted in accordance with the relevant regulation for senior executives of institutions and organizations of strategic importance in terms of directly affecting national security and for the staff to be employed in critical infrastructure, facilities and projects.

(18) The settings of public e-mail systems shall be configured to be secure; email services shall be hosted in our country and under the control of the institution, and communication between servers shall be conducted in encrypted form.

(19) No corporate communication shall be made from non-corporate and personal e-mail addresses, and corporate e-mails shall not be used for personal purposes (private communication, private social media account, etc.).

(20) The operators authorized to provide communication services shall establish an Internet exchange point in Turkey. Measures shall be taken in order to prevent domestic communication traffic data that needs to be exchanged domestically to be transmitted out of the country.

(21) The data in the regions where the critical institutions are located shall not be carried over radio-link or similar methods, but shall be carried over fiber-optic cables. In critical data communication, radio-link communication shall not be used; however, where it is mandatory, the data shall be encrypted by using devices with national encryption systems.

In order to diminish and neutralize security risks encountered, in particular, for ensuring the security of critical data that may jeopardize national security or deteriorate public order, especially when its confidentiality, integrity or accessibility is compromised, and in accordance with national and international standards as well as information security criteria, “Information and Communication Security Guide” shall be prepared under the coordination of the Turkish Presidency Digital Transformation Office with the necessary contribution by the relevant public institutions and organizations to be implemented in public institutions and organizations and entities providing services as critical infrastructures, and published at the www.cbddo.gov.tr address. The Guide will be updated in line with the needs, developing technology, changing circumstances and modifications in the National Cyber Security Strategy and action plans.

All public institutions and organizations and entities providing services as critical infrastructures when establishing new information systems shall comply with the procedures and principles stated in the Guide. Existing information technology infrastructures with due consideration of security level priorities shall be gradually aligned with these principles in accordance with the plan to be included in the Guide following its publication. During compliance projects and newly established information systems, the current update version published at the specified address shall be taken into consideration.

Aside the duties and activities carried out within the scope of ensuring national security and protection of confidentiality, institutions and organization shall establish an audit mechanism for the implementation of the Guidelines and shall supervise the implementation at least once a year. The results of the audit and any corrective and preventive actions, shall be submitted to the Digital Transformation Office in accordance with the principles and procedures specified in the Guidelines.

For your information and consideration.
5 July 2019
Recep Tayyip ERDOĞAN
PRESIDENT

Unofficial translation by Dr. Mehmet Bedii Kaya

For the Turkish version, please visit https://www.mbkaya.com/bilgi-ve-iletisim-guvenligi-tedbirleri-genelgesi/