75-7239. Kansas information security office; establishment and administration; separate state agency; powers and duties; confidentiality of certain audits conducted by the office. (a) There is hereby established within and as a part of the office of information technology services the Kansas information security office. The Kansas information security office shall be administered by the CISO and be staffed appropriately to effect the provisions of the Kansas cybersecurity act.

(b) For the purpose of preparing the governor's budget report and related legislative measures submitted to the legislature, the Kansas information security office, established in this section, shall be considered a separate state agency and shall be titled for such purpose as the "Kansas information security office." The budget estimates and requests of such office shall be presented as from a state agency separate from the office of information technology services, and such separation shall be maintained in the budget documents and reports prepared by the director of the budget and the governor, or either of them, including all related legislative reports and measures submitted to the legislature.

(c) Under direction of the CISO, the KISO shall:

(1) Administer the Kansas cybersecurity act;

(2) assist the executive branch in developing, implementing and monitoring strategic and comprehensive information security risk-management programs;

(3) facilitate executive branch information security governance, including the consistent application of information security programs, plans and procedures;

(4) using standards adopted by the information technology executive council, create and manage a unified and flexible control framework to integrate and normalize requirements resulting from applicable state and federal laws, and rules and regulations;

(5) facilitate a metrics, logging and reporting framework to measure the efficiency and effectiveness of state information security programs;

(6) provide the executive branch strategic risk guidance for information technology projects, including the evaluation and recommendation of technical controls;

(7) assist in the development of executive branch agency cybersecurity programs to ensure compliance with applicable state and federal laws, rules and regulations, executive branch policies and standards and policies and standards adopted by the information technology executive council;

(8) perform audits of executive branch agencies for compliance with applicable state and federal laws, rules and regulations, executive branch policies and standards and policies and standards adopted by the information technology executive council;

(9) coordinate the use of external resources involved in information security programs, including, but not limited to, interviewing and negotiating contracts and fees;

(10) liaise with external agencies, such as law enforcement and other advisory bodies as necessary, to ensure a strong security posture;

(11) assist in the development of plans and procedures to manage and recover business-critical services in the event of a cyberattack or other disaster;

(12) assist executive branch agencies to create a framework for roles and responsibilities relating to information ownership, classification, accountability and protection;

(13) ensure a cybersecurity awareness training program is made available to all branches of state government; and

(14) perform such other functions and duties as provided by law and as directed by the CISO.

(d) Results of audits conducted pursuant to subsection (c)(8) shall be confidential and shall not be subject to discovery or disclosure pursuant to the open records act, K.S.A. 45-215 et seq., and amendments thereto. The provisions of this subsection shall expire on July 1, 2028, unless the legislature reviews and acts to continue such provision pursuant to K.S.A. 45-229, and amendments thereto, prior to July 1, 2028.

History: L. 2018, ch. 97, § 4; L. 2023, ch. 75, § 14; July 1.