Current through 2024 Session Acts Chapter 111 and 2024 Special Session Acts Chapter 4
Section 75-7238 - [Effective Until 7/1/2026] Executive branch chief information security officer; duties

(a) There is hereby established the position of executive branch chief information security officer (CISO). The executive CISO shall be in the unclassified service under the Kansas civil service act, shall be appointed by the governor and shall receive compensation in an amount fixed by the governor.

(b) The executive CISO shall:

(1) Report to the executive branch chief information technology officer;

(2) establish security standards and policies to protect the branch's information technology systems and infrastructure in accordance with subsection (c);

(3) ensure the confidentiality, availability and integrity of the information transacted, stored or processed in the branch's information technology systems and infrastructure;

(4) develop a centralized cybersecurity protocol for protecting and managing executive branch information technology assets and infrastructure;

(5) detect and respond to security incidents consistent with information security standards and policies;

(6) be responsible for the cybersecurity of all executive branch data and information resources;

(7) collaborate with the chief information security officers of the other branches of state government to respond to cybersecurity incidents;

(8) ensure that the governor and all executive branch employees complete cybersecurity awareness training annually and that if an employee does not complete the required training such employee's access to any state-issued hardware or the state network is revoked; and

(9) review all contracts related to information technology entered into by a person or entity within the executive branch to make efforts to reduce the risk of security vulnerabilities within the supply chain or product and ensure each contract contains standard security language.

(c) The executive CISO shall develop a cybersecurity program for each executive branch agency that complies with the national institute of standards and technology cybersecurity framework (CSF) 2.0, as in effect on July 1, 2024. The executive CISO shall ensure that such programs achieve a CSF tier of 3.0 prior to July 1, 2028, and a CSF tier of 4.0 prior to July 1, 2030. The agency head of each executive branch agency shall coordinate with the executive CISO to achieve such standards.

Amended by L. 2024, ch. 95, § 32, eff. 7/1/2024.
Amended by L. 2023, ch. 75, § 13, eff. 7/1/2023.
Added by L. 2018, ch. 97, § 3, eff. 7/1/2018.

This section is set out more than once due to postponed, multiple, or conflicting amendments.