1. Security of Personal Data

Users who access the system can access only their own information and can instantly query their own data from the institutions. The e-Government Gateway does not store any personal information other than citizens' profile information. Information that people have shared with the e-Government Gateway will not be shared with or given to any third parties, institutions or organizations for any reason whatsoever, unless there is a judicial decision about the user and/or the user is under a legal obligation. Without exception, this information will not be disclosed unless a legal regulation requires its disclosure.

2. e-Government and Security

Türksat A.Ş. holds an ISO 27001 Information Security Management System certificate and is regularly audited. In addition, security and penetration tests of the e-Government Gateway are conducted by independent security companies, and the necessary precautions are taken in light of the findings from these tests. All information presented on the e-Government Gateway is retrieved instantaneously from the relevant institutions, then prepared and presented to our citizens. The e-Government Gateway only authenticates citizens and shows them the necessary information, which it receives from the systems of the data-owning institution over secure communication networks. Every citizen can access only his/her own information. All information presented by the services that can be accessed through the e-Government Gateway is provided by the relevant public institution. Since no information is stored on e-Government Gateway systems and it is retrieved instantly from the institutions, the data traffic between the institutions and e-Government Gateway systems is protected at the highest possible level. It is not possible for the data to leak out, to be sniffed by someone else, or to be changed during communication. In addition, the entire system is monitored on a 24/7 basis and all unusual events are responded to quickly. In some cases, the e-Government Gateway may take additional security measures, apart from the security measures that the institutions take when presenting their own data or sharing it with other institutions.

3. E-Government Gateway Security Architecture

The e-Government Gateway authenticates the citizen who wants to use a service and displays the citizen's data, which is retrieved over secure communication networks from the systems of the data-owning institution whose service the citizen wants to use. Every citizen can access only his/her own information. All information contained in the services that can be accessed through the e-Government Gateway is provided by the relevant public institution.
The data traffic between the institutions and e-Government Gateway systems is protected at the highest possible level, since e-Government Gateway systems do not store any data and the data is provided instantaneously by the relevant public institution. It is not possible for the data to be leaked, to be sniffed by someone else, or to lose its integrity during communication.
The e-Government Gateway also takes security measures of its own, apart from the security measures that the institutions take when presenting their own data or sharing it with other institutions. TÜRKSAT A.Ş. applies the ISO 27001 Information Security Management System (ISMS), ISO 22301 Business Continuity Management System and ISO 20000-1 Information Technology Service Management System in the operation of the e-Government Gateway. Processes within TÜRKSAT are operated within the framework of the information security policy and its sub-policies and comply with the principles of these policies. The internal organization for the ISMS has been completed, processes have been established, the system is implemented and its efficient operation is regularly checked, and continuous improvement is carried out.

  1. Asset and Risk Management

    All assets related to the e-Government Gateway located in the data center are kept in an inventory, and every asset has an owner. In addition, risk analysis for these assets is carried out periodically every year, and efforts are made to keep high risks below the acceptable risk level.

  2. Information Security Organization

    Roles and responsibilities for e-Government Gateway software development, system management and information security are defined, and roles and responsibilities that conflict under the principle of separation of duties are assigned to different persons. An SSL VPN connection is used for remote work by personnel, so remote connections are encrypted. A connection time limit is set for users who connect to the systems remotely, and the connection is automatically terminated after this period.

  3. Security of Human Resources

    Security screening of all personnel working for the e-Government Gateway is carried out, and employment decisions are made accordingly. In addition, all staff receive yearly information security awareness training and technical training based on their areas of specialization. Access rights of employees whose duty is terminated or who are relocated are adjusted immediately, and their assets are returned.

  4. Access Security

    Within the e-Government Gateway architecture, the software development, test and live environments are separated, and access to these environments is controlled. Each individual user is given separate access through an approval mechanism, and this access is reviewed periodically. Authorizations on systems are granted according to the principle of least privilege.

  5. Cryptography

    Log records kept by the e-Government Gateway are time-stamped, and the time stamps preserve their integrity. Web site access is encrypted with the SSL protocol, and key management is performed. Passwords are stored hashed with strong algorithms.

  6. Physical and Environmental Security

    The physical and environmental security of the data center where the e-Government Gateway is located is provided by TÜRKSAT Security within the campus, in accordance with NATO security standards. Campus security is provided by barbed wire, camera and alarm systems, and armed security personnel. Additional security controls such as retina scanning and fingerprint scanning are applied for data center security. Access to the data center is limited to authorized personnel and is monitored.

  7. Operation Security

    1. Monitoring

      e-Government Gateway systems are monitored 24/7, and personnel are on duty for this purpose. In case of any emergency, the problem is resolved by following the emergency procedure.

    2. Service Management

      Work within the scope of Service Management is carried out according to the ISO 20000-1 standard. Service level targets for incidents and service requests within the e-Government Gateway have been determined. All opened records are tracked against these targets. Unresolved records are converted into issue records and then worked through. Updates and changes to the system are carried out by planning them, performing risk studies and preparing rollback plans, all within the scope of approval mechanisms. Capacity planning for the services is carried out, and customer satisfaction and complaints are evaluated.

    3. Backup

      In e-Government Gateway systems, all data is regularly backed up according to its backup sensitivity. All critical hardware (firewall, load balancer, IPS/IDS, etc.) is backed up and runs with a failover mechanism. In addition, critical support systems (air conditioning, energy, etc.) are also run with backups.

    4. Records Management

      The records of all applications and systems operating in the e-Government Gateway are kept by the central record keeping system and the integrity of the records kept is protected with time stamps.

    5. Security Test and Audits

      The applications and systems in the e-Government Gateway are tested at regular intervals by means of penetration tests, and the vulnerabilities that are found are eliminated immediately. Vulnerabilities are detected both by TÜRKSAT's own expert staff and through outsourcing.
      The e-Government Gateway is subjected to annual internal audits performed by TÜRKSAT, covering both managerial and technical aspects, and the detected issues are eliminated through corrective actions.

  8. Network Security

    Access to the e-Government Gateway networks is regulated according to the principles of the access control policy. On the basis of access management, the e-Government Gateway network is completely segregated into VLANs. These VLANs are secured with a firewall service. Guest users are not allowed to access the TÜRKSAT network, and the access rules for using the guest network are defined by authorized users.
    Connections are provided in a controlled manner through firewalls, IDS/IPS and DDoS protection devices within TÜRKSAT.
    A DDoS blocking service is provided via the Internet service provider in order to protect against Distributed Denial of Service attacks and, at the same time, to prevent the existing bandwidth from being filled. An IPS/IDS (Intrusion Detection and Prevention) service is provided against cyber attacks.

  9. System Supply, Improvement and Maintenance

    System acceptance tests are conducted when systems provided or developed for the e-Government Gateway are accepted, and a system is accepted only after it is found that the systems do not adversely affect each other. There is no software development activity in the data center.

  10. Supplier Relations

    Relations with suppliers when a product is supplied for the e-Government Gateway are organized within the framework of the "TÜRKSAT Supplier Relations Information Security Policy". Confidentiality agreements are always signed with the suppliers, and compensation terms are specified for possible problems that may arise from the suppliers. The supplied products are passed through a security check.

  11. Information Security Violation Incident Management

    Information security violation incident management is coordinated by the TÜRKSAT cyber incident response team, and SOME responds to violations that can occur in the data center.

  12. Information Security of Business Continuity Management

    At the e-Government Gateway, continuity tests are carried out at regular intervals within the scope of business continuity plans of information security. In case of any disaster, the data center personnel are prepared for the operations that need to be done.

  13. Compliance

    Applicable laws and contracts related to the e-Government Gateway have been identified, and compliance with these conditions is checked continuously. In addition, efforts to acquire TIER3 certification for the data center are still in progress. Data center operation complies with the ISO 27001 and ISO 20000 standards and is carried out within this scope.

  14. Software Development Security

    Software for the e-Government Gateway is developed according to the principles of the secure software development life cycle. Software developed on the basis of the input control, output control, access and message integrity principles is passed through periodic source code security scanning. Each service is subjected to functional and security tests before release. In addition, at certain intervals, full-system security tests are performed by second and third parties.

This page is updated on