Section 75-413 - Employees(a) The secretary of state may appoint such other assistants and clerks as may be authorized by law, but the secretary of state shall be responsible for the proper discharge of the duties of all assistants and clerks, and they shall hold their offices at the will and pleasure of the secretary and shall do and perform such general duties as the secretary may require.(b)(1) The secretary of state shall appoint a chief information security officer who shall be responsible for establishing security standards and policies to protect the office's information technology systems and infrastructure. The chief information security officer shall: (A) Develop a cybersecurity program for the office that complies with the national institute of standards and technology cybersecurity framework (CSF) 2.0, as in effect on July 1, 2024. The chief information security officer shall ensure that such programs achieve a CSF tier of 3.0 prior to July 1, 2028, and a CSF tier of 4.0 prior to July 1, 2030;(B) ensure that the secretary of state and all employees complete cybersecurity awareness training annually and that if an employee does not complete the required training, such employee's access to any state-issued hardware or the state network is revoked; and(C)(i)(a) coordinate with the United States cybersecurity and infrastructure security agency to perform annual audits of the office for compliance with applicable state and federal laws, rules and regulations and office policies and standards; and(b) make an audit request to such agency annually, regardless of whether or not such agency has the capacity to perform the requested audit.(ii) Results of audits conducted pursuant to this paragraph shall be confidential and shall not be subject to discovery or disclosure pursuant to the open records act, K.S.A. 45-215 et seq., and amendments thereto.(2) The provisions of this subsection shall expire on July 1, 2026.Amended by L. 2024, ch. 95,§ 12, eff. 7/1/2024.R.S. 1923, 75-413; L. 1967, ch. 434, § 44; July 1.