CIO handoff first cut. More to follow.

Charles N Wyble - admin 2022-02-14 11:28:23 -06:00
parent 55aef3210c
commit 38105a19db
5 changed files with 178 additions and 1 deletions

@ -0,0 +1 @@
Subproject commit 55a8eb34425a70ca79d9ccaf428e625c0866cd39
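Review bot: the submodule pointer is added with no visible .gitmodules entry or path in this commit, so a reviewer cannot tell which repository commit 55a8eb34425a70ca79d9ccaf428e625c0866cd39 belongs to; include (or reference) the submodule path and URL so the pinned revision can be traced and reviewed. Pinning to a full commit hash rather than a branch is the right choice here, since it keeps the dependency from silently changing on later checkouts.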


@ -1 +0,0 @@
# CIO Overview
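Review bot: dropping the file's only line, `# CIO Overview`, leaves either an empty Markdown file or a deleted one, and the hunk does not show which; if the page is gone, confirm that nothing in the Part 10 index still links to it, and if it remains, delete it outright rather than leaving an empty stub among the handoff documents.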

src/CIO/KnelCharter.md Normal file

@ -0,0 +1,176 @@
# Known Element Enterprises LLC (KNEL) Charter
- [Known Element Enterprises LLC (KNEL) Charter](#known-element-enterprises-llc-knel-charter)
- [Purpose of this document](#purpose-of-this-document)
- [KNEL Mission](#knel-mission)
- [Accountability](#accountability)
- [Independence](#independence)
- [Areas of responsibility](#areas-of-responsibility)
- [Scope](#scope)
- [Authority](#authority)
- [Assessment and Advisory Services](#assessment-and-advisory-services)
- [Risk Management Services](#risk-management-services)
## Purpose of this document
The purpose of this document is to outline areas of responsibility and operational interaction within KNEL. The reader should be able to obtain the following information from this document:
- Understanding the Organizational Structure of KNEL
- Understanding the Operational Responsibilities of the various hierarchical layers within the Organizational Structure
- Understanding the Intra-Operational Model of KNEL
- Understanding the Inter-Operational Model of KNEL
## KNEL Mission
Known Element Enterprises LLC (KNEL) supports the TSYS Group mission by fostering the information technology , information security/assurance/assessment and privacy approaches across all component
entities of TSYS Group.
KNEL is a top level component entity of TSYS Group. KNEL has total responsibility for procurement, deployment, architecture operational support and retirement of the entire infrastructure stack
used to provision all IT services across TSYS Group.
Known Element Enterprises seeks to establish a very specific culture that provides consistent, long term, zero variable , predictable , successful and stable outcomes in all tasks/projects and ongoing
service delivery and operations.
KNEL core cultural tenants:
- ruthless execution
- outstanding service delivery that pleasantly surprises and delights all stakeholders every time
- integrity and consistency
- privacy
- collaboration
- documentation , knowledge capture and dissemination
- sustainability
- stewardship
- strong information security/information assurance
This culture underpins KNEL ability to be a good steward of TSYS Group information entrusted to it by its stakeholders.
The goal of KNEL is to implement a framework of safeguards to protect the:
- confidentiality (authorized access)
- integrity
- availability
of TSYS Group information technology resources and information, and to ensure TSYS Group is able to meet statutory and regulatory obligations in a manner that enables and respects individual privacy.
## Accountability
The TSYS Group CIO, CISO , VP of Technical Operations and IT Director (the IT Management Committee) manage KNEL assets and staff and are accountable directly to the TSYS Group Board to:
- Establish the strategic direction of KNEL
- Ensure the continuous enhancement and effectiveness of KNEL to present a proactive approach to information security at TSYS Group
- Promote public information sharing throughout TSYS Group
- To provide a one-stop point of information and accountability for information security and privacy at TSYS Group
- Provide periodic assessments on the adequacy and effectiveness of the TSYS Group processes for controlling its activities and managing its risks in the areas set forth under the mission and scope of work.
- Report significant issues affecting privacy, including recommended process improvements, and provide follow-up on mitigation.
- Provide information on the status and results of campus unit security assessments and Privacy Impact Assessments.
- Coordinate with, and provide oversight of, other privacy compliance, control, and monitoring functions.
## Independence
To provide for the independence of KNEL, the IT Management Committee reports directly to the TSYS Group Board. This ensures fierce independence of the IT organization and allows the Board to remain fully informed in it's role of providing effective and engaged group wide oversight and governance.
In too many organizations, IT is stymied by senior management and it results in situations like the Equifax breach or ransomware.
Also by being an independent LLC under TSYS Group, it's able to function on an equal level with other TSYS Group components.
Like all TSYS Group component entities, it has an independent P&L (following the TSYS Group zero internal cost center model).
That's right, IT can be a profit center!
## Areas of responsibility
- Facilities IT (power/cooling/physical security)
- Enterprise IT (hypervisor/storage/networking/monitoring,alerting/backups)
- Platform IT - Data (database,block,object,file stores)
- Platform IT - Middleware (batch/sync/async task execution, API/microservices, enterprise service bus, intra system/application messaging,e-mail)
- Platform IT - Application Runtime (container runtime, legacy applications, PAAS)
- SRE (TSYS Group application catalog)
## Scope
The scope of Information Security/Assurance/Assessment and Privacy comprises multiple focus areas:
- Policy
- Training/Awareness
- Incident Management and Response
- Consulting
- Assessments
- Risk Management
- Survivability
- KNEL develops policies and guidelines to assist technology and information users to understand their responsibilities.
- Through Training and Awareness initiatives, stakeholders learn secure behaviors that support the protection of TSYS Group, as well as personal, information.
- When security incidents or privacy breaches occur, quick and effective response is crucial to limit damage and quickly restore services. The focus area of Incident Management & Response supports this effort by promoting consistent means to prepare, respond to, recover from, and report incidents.
- KNEL partners and consults with component entities across TSYS Group to assist them in meeting their privacy and information security objectives.
- KNEL conducts information security and privacy assessments in accordance with approved plans and its established policies and procedures.
- Risk Management allows units to determine the risks that exist in their environments and how those risks can be reduced or eliminated.
- Survivability supports the planning for recovery of technology services following an emergency or system disruption.
The scope of information security centers on implementing appropriate technical, operational and management controls to protect confidentiality (authorized access), integrity, and availability of resources.
The information privacy scope of work is to determine whether TSYS Group recognizes the risk associated with collecting and storing protected data and that TSYS Group is aware of and in compliance with applicable policies and laws. This supports:
- The expectation that personally identifiable information collected, processed, or stored by TSYS Group is protected from misuse or unauthorized access;
- Limiting personal data collection to only those data items required for legitimate business purposes;
- Respecting the rights of the data owners as guaranteed by laws, regulations, and contractual obligations;
- Confirming TSYS Group organizations incorporate privacy procedures as an integral part of business system design processes;
- Significant legislative or regulatory privacy issues impacting the organization are recognized and addressed properly.
## Authority
KNEL is authorized to:
- Have access to all functions, records, property, and personnel required for information security and privacy assessments.
- Make specific reports directly to TSYS Group Board and other entities as deemed appropriate.
- Allocate resources, set frequencies, select subjects, determine scopes of work, and apply the techniques required to accomplish information security objectives.
- When conducting risk reviews and assessments, obtain the necessary assistance of personnel in TSYS Group units, as well as specialized services from within or outside the organization.
Responsibilities
KNEL has responsibility to:
- Maintain a professional staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this charter.
- Develop an information security strategy that presents a high-level plan for achieving information security goals.
- Research best practices and technologies that support information security.
- Establish a quality assurance program by which the Director assures the operation of KNEL activities.
## Assessment and Advisory Services
KNEL conducts information security and privacy assessments in accordance with Board approved plans and its established policies and procedures.
KNEL can also conduct independent information security and privacy impact assessments.
Assessment and Advisory services include:
- Developing a flexible annual plan in consultation with the Board using appropriate risk-based methodology, including risks or control concerns identified by TSYS Group corporate/component leadership.
- Examining and evaluating the adequacy and effectiveness of the systems of internal privacy controls.
- Evaluating and assessing significant new or changing services, processes, operations, and controls coincident with their development and implementation.
- In coordination with the Board assessing compliance with laws, regulations, contract/grant provisions, and internal policies, plans, and procedures.
- Reviewing operations or programs to ascertain whether results are consistent with established objectives.
- Performing consulting services, assurance services, to assist component entities in meeting privacy objectives.
- Evaluating emerging information technology audit/assessment trends and implementing best practices.
## Risk Management Services
The focus area of Risk Management is the key to a successful information security program.
Information security is not exact or all-encompassing. No one can ever eradicate all risk of improper, malicious or capricious use of information and resources. The goal of information security is that in a particular situation, the controls are commensurate with the value of the protected resource and weighed against the cost that would be incurred --financial or otherwise - in the event of unauthorized disclosure, degradation, or loss. The process of balancing risks, costs of protection strategies, and resource value is risk management.
Risk Management Services include:
- Partnering with TSYS Group units to conduct risk reviews that highlight strengths and weaknesses of a unit's information security profile;
- Consulting with TSYS Group units determine how best to minimize risk and protect resources;
- Directing assessments of critical program areas or new services to ensure appropriate security controls are in place;
- Perform network monitoring, intrusion detection/prevention, web scanning, and other security procedures to help secure the infrastructure and in response to malicious activity.
- Evaluating new and emerging security strategies and technologies for use in TSYS Group environment;
- Collaborating with the information security technology team to plan and implement the SANS Top 20 Security Controls.
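Review bot: `Responsibilities`, the line after the Authority bullets, is a bare line rather than a `## Responsibilities` heading, so it renders as body text and is also missing from the anchor list at the top of the file; promote it to a heading and add it to the list. Two phrases read as template leftovers that this charter never defines: `campus unit security assessments` and `the Director assures the operation of KNEL activities` (the accountable roles are named earlier as CIO, CISO, VP of Technical Operations and IT Director). Minor wording: `cultural tenants` should be `tenets`, `in it's role` should be `its role`, `Consulting with TSYS Group units determine` is missing `to`, and the mission paragraph has stray spaces before commas. `SANS Top 20 Security Controls` is the older name of what is now published as the CIS Critical Security Controls; naming the version the team will implement would make that commitment testable.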


@ -70,6 +70,7 @@
# Part 10: Functional Area: Chief Information Technology Officer
- [Known Element Enterprises Charter](./CIO/KnelCharter.md)
- [Policies - Business Continuity Plan](./CIO/Policies/BusinessContinuityPlan.md)
- [Policies - Authentication](./CIO/Policies/Authentication.md)
- [Processes - Two Factor Authentication ](./CIO/Processes/2fa.md)
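Review bot: the new entry `[Known Element Enterprises Charter](./CIO/KnelCharter.md)` resolves relative to this index file, so it only reaches the newly added `src/CIO/KnelCharter.md` if the index itself lives in `src/`; the hunk does not show the index file's path, so worth a quick check. The `# CIO Overview` page deleted earlier in this commit is not visibly unlinked here; if this index referenced it, that entry should be removed in the same commit. Pre-existing but easy to fix while here: the trailing space inside `[Processes - Two Factor Authentication ]`.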