Current through 2024 Session Acts Chapter 111 and 2024 Special Session Acts Chapter 4
Section 75-7239 - [Effective Until 7/1/2026] Kansas information security office; establishment and administration; separate state agency; powers and duties; confidentiality of certain audits conducted by the office

(a) There is hereby established within and as a part of the office of information technology services the Kansas information security office. The Kansas information security office shall be administered by the executive CISO and be staffed appropriately to effect the provisions of the Kansas cybersecurity act.

(b) For the purpose of preparing the governor's budget report and related legislative measures submitted to the legislature, the Kansas information security office, established in this section, shall be considered a separate state agency and shall be titled for such purpose as the "Kansas information security office." The budget estimates and requests of such office shall be presented as from a state agency separate from the office of information technology services, and such separation shall be maintained in the budget documents and reports prepared by the director of the budget and the governor, or either of them, including all related legislative reports and measures submitted to the legislature.

(c) Under direction of the executive CISO, the KISO shall:
(1) Administer the Kansas cybersecurity act;
(2) develop, implement and monitor strategic and comprehensive information security risk-management programs;
(3) facilitate a metrics, logging and reporting framework to measure the efficiency and effectiveness of state information security programs;
(4) provide the executive branch strategic risk guidance for information technology projects, including the evaluation and recommendation of technical controls;
(5) coordinate with the United States cybersecurity and infrastructure security agency to perform annual audits of executive branch agencies for compliance with applicable state and federal laws, rules and regulations and executive branch policies and standards. The executive CISO shall make an audit request to such agency annually, regardless of whether or not such agency has the capacity to perform the requested audit;
(6) perform audits of executive branch agencies for compliance with applicable state and federal laws, rules and regulations, executive branch policies and standards and policies and standards adopted by the information technology executive council;
(7) coordinate the use of external resources involved in information security programs, including, but not limited to, interviewing and negotiating contracts and fees;
(8) liaise with external agencies, such as law enforcement and other advisory bodies as necessary, to ensure a strong security posture;
(9) assist in the development of plans and procedures to manage and recover business-critical services in the event of a cyberattack or other disaster;
(10) coordinate with executive branch agencies to provide cybersecurity staff to such agencies as necessary;
(11) ensure a cybersecurity awareness training program is made available to all branches of state government; and
(12) perform such other functions and duties as provided by law and as directed by the CISO.

(d)(1) If an audit conducted pursuant to subsection (c)(5) results in a failure, the executive CISO shall report such failure to the speaker and minority leader of the house of representatives and the president and minority leader of the senate within 30 days of receiving notice of such failure. Such report shall contain a plan to mitigate any security risks identified in the audit. The executive CISO shall coordinate for an additional audit after the mitigation plan is implemented and report the results of such audit to the speaker and minority leader of the house of representatives and the president and minority leader of the senate.
(2) Results of audits conducted pursuant to subsection (c)(5) and the reports described in subsection (d)(1) shall be confidential and shall not be subject to discovery or disclosure pursuant to the open records act, K.S.A. 45-215 et seq., and amendments thereto.

(e) There is hereby created in the state treasury the information technology security fund. All expenditures from such fund shall be made in accordance with appropriation acts upon warrants of the director of accounts and reports issued pursuant to vouchers approved by the executive CISO or by a person designated by the executive CISO.

Amended by L. 2024, ch. 95, § 34, eff. 7/1/2024.
Amended by L. 2023, ch. 75, § 14, eff. 7/1/2023.
Added by L. 2018, ch. 97, § 4, eff. 7/1/2018.

This section is set out more than once due to postponed, multiple, or conflicting amendments.