Policy on Privilege and User Rights Management

1. Objective:

Define the rights and privileges of users within the organization.

2. Scope:

Encompasses all users and units benefiting from information technology facilities.

3. Responsibilities:

All employees are responsible for adhering to this policy, and overall management is accountable.

4. Implementation:

Privilege Management

Privileges are restricted to folder access, software installation, connection durations, network settings, general internet usage, guest internet access, and remote work/access. Reviewed at least once every 12 months, and reauthorizations are conducted upon entry, exit, or changes in responsibilities.

• Privilege Management for Top Executives:

  • Requests are sent to the Manager. The Manager sends an approval letter to the system administrator for request fulfillment.

• Privilege Management for Company Personnel:

  • Personnel submits privilege requests to their supervisor.
  • If accepted by the supervisor, the request is sent to the Manager.
  • After evaluating the request, the Manager sends an approval letter to the IT Service Provider for the privilege.
  • Access is granted for the duration approved by the Manager. Access granted is revoked by the IT Service Provider at the end of the period.
• Privilege Management for Service Providers:
  • The service provider's relevant supervisor submits a privilege request.
  • The request is sent to the Manager.
  • Access is granted for the duration approved by the manager. Access granted is revoked by the IT Service Provider at the end of the period.

User Rights

Software Installation

• Storing or installing non-work-related software (including installation files) is strictly prohibited.
• Users cannot install software on their computers without the approval of the Manager, as it may violate copyright laws and cause technical issues.
• In case of the need for business-related software installation, the opinion and approval of the IT Service Provider must be obtained.
• Security analysis software and system management software are installed on computers and workstations only by the IT Service Provider with the approval of the Manager.
• Installation of auxiliary system programs is only allowed for the IT department.
• Auxiliary system programs are installed and used only to resolve user issues, not for system administration.
• In rare cases where limited access is required for remote work, the use of auxiliary system programs is allowed. Request and approval from the Manager are mandatory in this case.
• The auxiliary system program is terminated immediately after the operation is completed.
• Connection times for software usage are agreed upon with the respective software owners and applied to defined groups within the domain.

Configuration and Security Settings

• Users cannot lower the level of security settings on their computers, such as:
  • Security zone settings affecting MS Internet Explorer and MS Outlook,
  • Virus protection program settings,
  • Operating system update settings,
  • Personal firewall settings,
  • BIOS settings, and other hardware and software security settings.
• Users cannot run new network services (e.g., web server, database server) from their personal computers.
• Users cannot define new users and user groups on their computers or change the rights of existing users. If changes are needed, the opinion and approval of the IT Service Provider must be sought.
• Configuration and security setting changes can only be made by the IT Service Provider and only for the required period.

Access to Networks and Network Services

• User access rights within our company are restricted to their departmental areas.
• Access restrictions are managed with Active Directory.
• Authorization charts for access restrictions are created, continuity is maintained, and they are reviewed after employment-related changes.
• Access to printers and similar facilities over the network is configured by the IT Service Provider.
• When access to applications in other subnets is required over the network, this access is configured by the IT Service Provider.
• Local administrator privileges are removed, except for the "power user/local admin" group.
• Membership in the power user group is valid for the period defined by the administrator.
• For the power user group right, the user first requests it from the administrative supervisor. If the administrative supervisor approves the request, they consult with the Manager.
• If the Manager approves the request, the user opens a ticket with the IT Service Provider through the helpdesk.

Document Access Rights

In response to a task change notification from the Human Resources department, access settings in the current department folder must be removed, and access settings for the new department folder must be configured.

For new personnel, a written (email) request for the folder and folder permission from the human resources department is required. If there is no written request, no access permission change will be processed.

The IT Service Provider is responsible for checking and authorizing all computer users' document access permissions at least once every 12 months and during job changes.

Folder Access Permissions

• Millennium New Shared Folder: Configured to allow entry only for users within the domain infrastructure.
• For folders opened for each department, department users are fully authorized, and access permissions to other department folders are subject to managerial approval.

Device Usage

• Within the scope of user rights, all users' USB ports (external drives) are passive. In case of need, temporary and limited authorization is provided by the IT Service Provider with the approval of the relevant manager.
• If mandatory, usage rights are granted according to the Privilege Management. Responsibility lies with the user.
• Consultants, customers, visitors are not allowed into the corporate network.
• Service providers' device usage is subject to permission and privilege management.
• The "device identification policy" via the domain is active. Logs of each connected device are kept.

RUNITAS INFORMATION TECHNOLOGY INDUSTRY AND TRADE JOINT STOCK COMPANY